Certificate problem between 3.0.11 and 3.1.x

Scott Armitage S.P.Armitage at lboro.ac.uk
Fri Mar 18 10:23:20 CET 2016


> On 17 Mar 2016, at 23:03, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
> 
> Hmm, this thread got me interested - we were running 3.1.0 # 390f216 (around April 2015 I think) up until recently and it was fine with PEAP-EAP-MSCHAPv2/TLS, not that we used it much, but I did test it.
> Now with our last git pull (64aa7f9) it doesn't work, same message about EAP not finishing. It also behaves the same with PEAP-EAP-TLS. Hopefully that helps a bit, but I understand it's quite a wide time-span.
> 
> eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> eap: !! EAP session 0x17ac0b0 did not finish!                                 !!
> eap: !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
> eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> 
> 
> Thanks
> Andy
> 
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
> Sent: 16 March 2016 18:38
> To: FreeRadius users mailing list
> Subject: Re: Certificate problem between 3.0.11 and 3.1.x
> 
> 
>> On 16 Mar 2016, at 16:44, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>> On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
>>> Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
>> 
>> If you have time... it would help to know when 3.1 stopped working.  You could grab a copy of 3.1 from early 2015, and see if it works.  If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
>> 
>> That would at least help us narrow down what changed.  And would likely allow us to fix the problem.



Alan Buxey and myself have spent some time and believe we have tracked down the commit which broke EAP:


commit 8a7f6e330f45439d333f61dde7ee0982ebcc2a29
Author: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
Date:   Sun Dec 6 00:34:21 2015 -0500

    Add additional debugging so we can track TLS fragments sent

:100644 100644 084fb69... aa50e65... M  src/modules/rlm_eap/libeap/eap_tls.c
:100644 100644 a9ce517... 800fc77... M  src/modules/rlm_eap/libeap/eap_tls.h
:100644 100644 cb0a560... 8d64335... M  src/modules/rlm_eap/libeap/eapcommon.c
:100644 100644 b418f31... 87fd937... M  src/modules/rlm_eap/rlm_eap.c
:100644 100644 becfa6c... 504ed01... M  src/modules/rlm_eap/types/rlm_eap_peap/peap.c
:100644 100644 887d0d1... 5958f0d... M  src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c





Works immediately before this commit, doesn’t work after.


Regards

Scott Armitage