From 97376e916ef75c5bf823fcedbfdee6f03af15f96 Mon Sep 17 00:00:00 2001
From: Liu Yiding <liuyd.fnst@fujitsu.com>
Date: Mon, 22 Sep 2025 11:58:02 +0800
Subject: [PATCH] freeradius: Fix service start error

Following error occurred while starting this service.
 Error: tls: (TLS) Failed reading certificate file "/etc/raddb/certs/server.pem"
 Error: tls: (TLS) error:03000072:digital envelope routines::decode error
 Error: tls: (TLS) error:0A00018F:SSL routines::ee key too small
 Error: rlm_eap_tls: Failed initializing SSL context
 Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
 Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 .../files/0018-Fix-Service-start-error.patch  | 33 +++++++++++++++++++
 .../freeradius/freeradius_3.2.7.bb            |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0018-Fix-Service-start-error.patch

diff --git a/meta-networking/recipes-connectivity/freeradius/files/0018-Fix-Service-start-error.patch b/meta-networking/recipes-connectivity/freeradius/files/0018-Fix-Service-start-error.patch
new file mode 100644
index 0000000000..f1ec181bc1
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0018-Fix-Service-start-error.patch
@@ -0,0 +1,33 @@
+From e97ffc1f820beff12bb8084e6337168a1cd27540 Mon Sep 17 00:00:00 2001
+From: Liu Yiding <liuyd.fnst@fujitsu.com>
+Date: Sat, 20 Sep 2025 06:50:17 +0000
+Subject: [PATCH] Fix Service start error
+
+change "fips=no" to "-fips"
+based on discussions with the OpenSSL developers in
+https://github.com/FreeRADIUS/freeradius-server/issues/5631
+
+Upstream-Status: Backport
+https://github.com/FreeRADIUS/freeradius-server/commit/59e262f1134fef8d53d15ae963885a08c9ea8315
+
+Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
+---
+ src/main/tls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 2a348eb9bb..02a4c24f70 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3644,7 +3644,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
+ 	CONF_modules_load_file(NULL, NULL, 0);
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	EVP_set_default_properties(NULL, "fips=no");
++	EVP_set_default_properties(NULL, "-fips");
+ #endif
+ 
+ 	/*
+-- 
+2.43.0
+
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb
index fea4d858ed..181d9e5d18 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.2.x;lfs=0
     file://0015-bootstrap-check-commands-of-openssl-exist.patch \
     file://0016-version.c-don-t-print-build-flags.patch \
     file://0017-Add-acinclude.m4-to-include-required-macros.patch \
+    file://0018-Fix-Service-start-error.patch \
 "
 
 raddbdir = "${sysconfdir}/${MLPREFIX}raddb"