Ready for 2.2.7?

Matthew Newton mcn4 at leicester.ac.uk
Tue Mar 31 11:49:22 CEST 2015


On Mon, Mar 30, 2015 at 08:17:03PM -0400, Arran Cudbard-Bell wrote:
> >> Maybe disable TLS v1.2 for compatibility...
> > 
> > Compatibility with what?
> 
> eapol_test, booo.

Hmmm, booo indeed.

> Noticed today that with TLS 1.2 FR and eapol_test 2.4 (and so presumably wpa_supplicant)
> disagreed on the MPPE keys. Not sure where the fault lies there. Both were running on the
> same machine, linked against the same version of OpenSSL.
> 
> Only allowing TLS 1.0 and 1.1 fixed the problem.

That seems like the wrong fix :(

> eapol_test also doesn't send the RFC 5077 session ticket extension in the client hello.
> Stupid eapol_test *grumble*.

Looks like it would be best to try and find what the actual cause
is - if it's eapol_test then that should be fixed, rather than
removing TLS 1.2 from FreeRADIUS.

A config option in FR would IMHO be the best way for this, like
the allow broken openssl one. And something that touches as little
code as possible in the stable release.

> This is true, and it is fixable in the config using some hidden config items :)

I'd document them and leave it as-is :)

I guess the only reason to do otherwise is to stop timewasting
questions being posted to this list...

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

