Verify certificate chains starting from the root CA certificate and
moving towards the leaf/user certificate.
Also update TKM-RPC and TKM in testing scripts to version supporting the
reworked CC handling.
If we check out and build a certain revision of a dependency in a branch and
switch to another that requires a different revision and then switch back,
the previous approach installed the wrong revision as it would incorrectly
assume the required revision was already built and ready to install.
Apparently, djangorestframework-camel-case, in the referenced version,
uses `six` but does not itself require/install it (later versions removed
Python 2 support altogether).
While we could continue to use FreeRADIUS 2.x that branch is officially EOL.
So instead of investing time and effort in updating/migrating the patches to
FreeRADIUS 3.x (the module changed quite significantly as it relies solely on
the naeap library in that release), for a protocol that is superseded anyway,
we just remove these scenarios and the dependencies. Actually, the
complete rlm_eap_tnc module will be removed with FreeRADIUS 4.0.
ldconfig is required, otherwise the library won't be found by
strongSwan in the same session.
Should later be changed to 2.8.0 or a newer stable release.
This was only required when we initially started and OpenSSL was built
from sources, which was changed with b97dd59ba8 ("install FIPS-aware
OpenSSL Debian packages").
While this is not the latest 2.x release it is the latest in /old.
Upgrading to 3.0 might be possible, not sure if the TNC-FHH patches could
be easily updated, though. Upgrading to 3.1 will definitely not be possible
directly as that version removes the EAP-TNC module. So we'd first have to
get rid of the TNC-FHH stuff.
There is a bug (fix at [1]) in hostapd 2.1-2.3 that let it crash when used
with the wired driver. The package in jessie (and sid) is affected, so we
build it from sources (same, older, version as wpa_supplicant).
[1] http://w1.fi/cgit/hostap/commit/?id=e9b783d58c23a7bb50b2f25bce7157f1f3
We will use this to set some defaults (e.g. timeouts to make testing
negative tests quicker). We don't want these settings to show up in the
configs of the actual scenarios though.
Adds XFRM state/policy flush when terminating which caused tests to fail
due to the check added with 9086f060d3 ("testing: Let test scenarios
fail if IPsec SAs or policies are not removed").
Tobias Brunner