Solving the SSL problem in CVS head

Alan DeKok aland at deployingradius.com
Wed Apr 25 20:07:38 CEST 2007


A.L.M.Buxey at lboro.ac.uk wrote:
> it does sound funky but how does this interact with systems that already
> have signed certs etc etc installed/configured - eg doing a new
> install over older software?

  Two answers:

  1) Very well, thank you. :)

  2) raddb/certs/README

  Like everything else in "make install", it does *not* touch your
existing configuration.  Programmers that write code to blow away your
existing configuration when installing a new version are *bad* people.
They are *very* bad people, and I don't like them at all.

  If /etc/raddb/certs exists, the "make install" process doesn't touch
it.  Any existing eap.conf is likewise *not* touched on "make install".
 The default for "make_cert_command" is NULL, which means "don't run
it.".  Even if you did set "make_cert_command", when the server starts,
it would notice that /etc/raddb/certs/<server-cert> exists, so it won't
do anything on existing installations.  And even if the server
certificate didn't exist, it would see that /etc/raddb/certs/bootstrap
doesn't exist, so it wouldn't try to run it.

  In the end, this code has *zero* effect on existing installations.  It
has *beautiful* effects on brand-new installations.  And outside of a
few entries in a "Makefile", the change is about 30 lines of code...
most of which is sanity checking to ensure it doesn't over-write
existing installations, or run at the wrong time.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
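
The sanity checks described in the message above, sketched as an added shell example; this is not FreeRADIUS code and does not come from the author. The function names, the `server.pem` file name and the stand-in generator command are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not FreeRADIUS source code. Function names, argument
# order and file names such as "server.pem" are assumptions for the example.

# bootstrap_decision CMD CERTS_DIR SERVER_CERT
# Prints the decision; returns 0 only when all three checks pass.
bootstrap_decision() {
    cmd=$1; certs_dir=$2; server_cert=$3
    # 1) make_cert_command left at its default (empty): never run.
    [ -n "$cmd" ] || { echo "skip: make_cert_command not set"; return 1; }
    # 2) Server certificate already present: existing installation.
    [ ! -e "$certs_dir/$server_cert" ] || { echo "skip: server certificate exists"; return 1; }
    # 3) No bootstrap script in the certs directory: nothing to run.
    [ -e "$certs_dir/bootstrap" ] || { echo "skip: bootstrap script missing"; return 1; }
    echo "run"
}

# maybe_bootstrap CMD CERTS_DIR SERVER_CERT
# Runs CMD inside CERTS_DIR only when bootstrap_decision allows it.
maybe_bootstrap() {
    if bootstrap_decision "$1" "$2" "$3" >/dev/null; then
        ( cd "$2" && sh -c "$1" )
    fi
}

# Constructed demo: a fresh tree gets a certificate, an existing one is untouched.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/fresh" "$tmp/existing"
    # Stand-in generator; a real one would call openssl.
    gen='echo GENERATED > server.pem'
    : > "$tmp/fresh/bootstrap"
    : > "$tmp/existing/bootstrap"
    echo SITE-CERT > "$tmp/existing/server.pem"
    for d in fresh existing; do
        printf '%s before: ' "$d"; bootstrap_decision "$gen" "$tmp/$d" server.pem || true
        maybe_bootstrap "$gen" "$tmp/$d" server.pem
        printf '%s after:  %s\n' "$d" "$(cat "$tmp/$d/server.pem")"
    done
    rm -rf "$tmp"
}

demo
```

The second call on the same directory is a no-op, which is the property that keeps an upgrade from replacing a site's signed certificate.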



More information about the Freeradius-Devel mailing list