Backporting TLS fixes to Fedora and RHEL

Antonio Torres antorres at redhat.com
Fri Oct 15 17:16:00 CEST 2021


Hello everyone,

I'm the maintainer for FreeRADIUS in RHEL and Fedora. We have found an
issue when using FreeRADIUS 3.0.21 and OpenSSL 3.0. Running eapol_test
with the attached config (EAP-TTLS-TLS) fails with the following
errors (logs attached):

(9) eap_ttls: ERROR: Invalid ACK received: 256
(9) eap_ttls: ERROR: [eaptls verify] = invalid
(9) eap_ttls: ERROR: [eaptls process] = invalid
(9) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed

Tried updating to 3.0.23 and the issue seems to be fixed. However, due
to the updates policy we can't do a full upgrade, so we have to
backport fixes to 3.0.21. I am having issues finding the commit(s)
that fix this issue, so any help would be appreciated.

I'm not sure this is related, but we are hitting an error with the
same error message as this one but using MSCHAPv2. Here's the report:
https://bugzilla.redhat.com/show_bug.cgi?id=2014525
This is still valid in the latest FreeRADIUS release (3.0.25).

Thank you!
-------------- next part --------------
    ctrl_interface=wpa_supplicant.ctrl
    network={
        ssid="QA test 802.1x network"
        key_mgmt=IEEE8021X
        eap=TTLS
        phase2="autheap=TLS"
        identity="testuser"
        anonymous_identity="anonymous"
        client_cert="/etc/raddb/certs/client.pem"
        private_key="/etc/raddb/certs/client.pem"
        private_key_passwd="whatever"
        client_cert2="/etc/raddb/certs/client.pem"
        private_key2="/etc/raddb/certs/client.pem"
        private_key2_passwd="whatever"
        ca_cert="/etc/raddb/certs/ca.pem"
        ca_cert2="/etc/raddb/certs/ca.pem"
    }


