Warning about OpenSSL 1.0.2
Michael Ströder
michael at stroeder.com
Sat Oct 10 20:40:56 CEST 2015
Arran Cudbard-Bell wrote:
>
>> On 10 Oct 2015, at 08:57, Alan DeKok <aland at deployingradius.com> wrote:
>>
>> OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS. None of this is documented by OpenSSL. The result is that instead of successful authentication, you get:
>>
>> (6) eap_ttls: ERROR: Invalid ACK received: 256
>> (6) eap_ttls: ERROR: [eaptls verify] = invalid
>> (6) eap_ttls: ERROR: [eaptls process] = invalid
>>
>> The only solution is to apply the patch in commit b7b5493c61. It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.
>>
>> This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.
>
> Have to draw a line on 2.2.x this uncertainty undermines people making the case to move to v3.0.x. 1.0.2 is not included by default in any stable releases of FreeBSD, Ubuntu/Debian, Redhat/Centos, OSX.
>
> We experienced it because homebrew has moved to OpenSSL 1.0.2.
Which exact version of OpenSSL 1.0.2?
I'm asking because I'm running FreeRADIUS 3.0.10 (formerly 3.0.9) on openSUSE
Tumbleweed (x86_64 and armv6l) with package openssl-1.0.2d-1.1 using
EAP-TTLS/PAP without issue.
Maybe you're hitting the HMAC ABI incompatibility?
It was fixed in 1.0.2c:
https://www.openssl.org/news/changelog.html#x2
Ciao, Michael.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20151010/1550b8d3/attachment.bin>
More information about the Freeradius-Users
mailing list