Solving the SSL problem in CVS head
Alan DeKok
aland at deployingradius.com
Wed Apr 25 20:07:38 CEST 2007
A.L.M.Buxey at lboro.ac.uk wrote:
> it does sound funky but how does this interact with systems that already
> have signed certs etc etc installed/configured - eg doing a new
> install over older software?

Two answers:

1) Very well, thank you. :)

2) raddb/certs/README

Like everything else in "make install", it does *not* touch your
existing configuration. Programmers that write code to blow away your
existing configuration when installing a new version are *bad* people.
They are *very* bad people, and I don't like them at all.

If /etc/raddb/certs exists, the "make install" process doesn't touch
it. Any existing eap.conf is likewise *not* touched on "make install".

The default for "make_cert_command" is NULL, which means "don't run
it.". Even if you did set "make_cert_command", when the server starts,
it would notice that /etc/raddb/certs/<server-cert> exists, so it won't
do anything on existing installations. And even if the server
certificate didn't exist, it would see that /etc/raddb/certs/bootstrap
doesn't exist, so it wouldn't try to run it.

In the end, this code has *zero* effect on existing installations. It
has *beautiful* effects on brand-new installations. And outside of a
few entries in a "Makefile", the change is about 30 lines of code...
most of which is sanity checking to ensure it doesn't over-write
existing installations, or run at the wrong time.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
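
Added example (not part of the original message and not FreeRADIUS source): the start-up checks described in the message, written as a C decision function that never writes to the certs directory. The names cert_action, decide and demo_case, the file name server.pem and the "./bootstrap" command string are assumptions; lstat is a choice made here so that anything at the path, including a dangling symlink, counts as existing.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum cert_action { SKIP_NO_COMMAND, SKIP_CERT_EXISTS, SKIP_NO_BOOTSTRAP, RUN_COMMAND };
static int exists(const char *dir, const char *name)
{
    char path[512];
    struct stat st;
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    return lstat(path, &st) == 0; /* lstat: a dangling symlink still counts */
}

/* Checks in the order the message gives them; only the last line allows a run. */
int decide(const char *make_cert_command, const char *certdir, const char *cert)
{
    if (!make_cert_command || !*make_cert_command) return SKIP_NO_COMMAND;
    if (exists(certdir, cert)) return SKIP_CERT_EXISTS;
    if (!exists(certdir, "bootstrap")) return SKIP_NO_BOOTSTRAP;
    return RUN_COMMAND;
}

/* Builds a constructed certs directory (hypothetical names) and returns decide(). */
int demo_case(const char *cmd, int have_cert, int have_bootstrap)
{
    char dir[] = "/tmp/certs-demo-XXXXXX", path[512];
    const char *names[] = { "server.pem", "bootstrap" };
    int want[] = { have_cert, have_bootstrap }, result, i;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    for (i = 0; i < 2; i++) {          /* create only the requested files */
        snprintf(path, sizeof(path), "%s/%s", dir, names[i]);
        if (want[i] && (f = fopen(path, "w"))) fclose(f);
    }
    result = decide(cmd, dir, "server.pem");
    for (i = 0; i < 2; i++) {          /* clean up the constructed directory */
        snprintf(path, sizeof(path), "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return result;
}
int main(void)
{
    printf("%d %d\n", demo_case(NULL, 0, 1), demo_case("./bootstrap", 0, 1));
    return 0;
}
```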