Backporting TLS fixes to Fedora and RHEL

Antonio Torres antorres at redhat.com
Fri Oct 15 18:09:58 CEST 2021


On Fri, Oct 15, 2021 at 5:50 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Oct 15, 2021, at 11:16 AM, Antonio Torres <antorres at redhat.com> wrote:
> > I'm the maintainer for FreeRADIUS in RHEL and Fedora. We have found an
> > issue when using FreeRADIUS 3.0.21 and OpenSSL 3.0. Running eapol_test
> > with the attached config (EAP-TTLS-TLS) fails with the following
> > errors (logs attached):
> >
> > (9) eap_ttls: ERROR: Invalid ACK received: 256
>
>   That's due to magic changes in the internals of OpenSSL 3.0.0.
>
> > (9) eap_ttls: ERROR: [eaptls verify] = invalid
> > (9) eap_ttls: ERROR: [eaptls process] = invalid
> > (9) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
> >
> > Tried updating to 3.0.23 and the issue seems to be fixed. However due
> > to the updates policy we can't do a full upgrade, so we have to
> > backport fixes to 3.0.21. I am having issues finding the commit(s)
> > that fix this issue, so any help would be appreciated.
>
>   I'll echo Matthew here.
>
> > I'm not sure this is related, but we are hitting an error with the
> > same error message as this one but using MSCHAPv2. Here's the report:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2014525
> > This is still valid in the latest FreeRADIUS release (3.0.25).
>
>   We're happy to do bug fixes for our software.  We're rather less happy to do work for free, to debug issues created by corporate policies.  Policies which we have no control over.

The bug report I have linked is for the latest FreeRADIUS release and
the latest OpenSSL release. The updates policy for the distribution
has nothing to do with it. I understand maybe a better approach would
be to directly report this in the issue tracker instead of asking in
the mailing list.

As for the other issue, I haven't asked FreeRADIUS developers to debug
or even investigate. I totally understand that the focus is on the
latest release. My only ask was for help identifying work that has
already been done.

Once again I am deeply sorry for this situation. Thank you for your
work on FreeRADIUS.

>
>   To be clear: RedHat makes rather a lot more money off of FreeRADIUS than I do.  RedHat has shared precisely *zero* of that revenue with me.  Ever.  RedHat has in fact competed with me for business, and is actively trying to get customers away from me.
>
>   At the same time, we get RedHat customers asking us to help them.  They're usually running versions which are years out of date, due to "no upgrade" policies like the above.  When told "just upgrade to a version WE support", the answer is "No, I'm paying RedHat for support!"  Except RH isn't supporting them, and isn't fixing the bugs.
>
>   All in all, we fix bugs, and we're happy to work with people.  But make no mistake, the corporate approach is to leech off of my work, and then turn around and bill their customers for it.  That's allowed by the GPL, but it doesn't make me inclined to fix issues created by the internal policies of a billion-dollar corporation.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
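The quoted report shows the FreeRADIUS debug log format, where each line carries the request number, the module that emitted it and an optional ERROR/WARNING tag before the message. The following parser is an added example, not code from this thread or from the FreeRADIUS project: it groups such lines by request and summarizes every request that ended in an EAP error, pulling out the "Invalid ACK received" code so that a spike of such failures after an OpenSSL upgrade can be spotted in a log. The line layout "(request) module: LEVEL: message" is assumed from the quoted excerpt; the sample lines for requests 8 and 10 are constructed and are not from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed layout of FreeRADIUS debug lines: "(req) module: LEVEL: message",
# where the "LEVEL:" tag (ERROR or WARNING) is optional.
LINE_RE = re.compile(
    r"^\((?P<req>\d+)\)\s+(?P<module>[\w.]+):\s+"
    r"(?:(?P<level>ERROR|WARNING):\s+)?(?P<msg>.*)$"
)
# The EAP-TLS ACK error quoted in the report: "Invalid ACK received: 256".
ACK_RE = re.compile(r"Invalid ACK received:\s*(\d+)")

# Constructed sample log. Request 9 is the excerpt from the report; requests 8
# (a successful session) and 10 (a verify failure without an ACK error) are
# invented here to exercise the other paths.
SAMPLE_LOG = """\
(8) eap_ttls: (TLS) Handshake complete
(8) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap_ttls: ERROR: Invalid ACK received: 256
(9) eap_ttls: ERROR: [eaptls verify] = invalid
(9) eap_ttls: ERROR: [eaptls process] = invalid
(9) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(10) eap_tls: ERROR: [eaptls verify] = invalid
""".splitlines()


@dataclass
class LogEntry:
    request: int
    module: str
    level: str      # "ERROR", "WARNING", or "INFO" when no tag is present
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one debug line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LogEntry(
        request=int(m.group("req")),
        module=m.group("module"),
        level=m.group("level") or "INFO",
        message=m.group("msg"),
    )


def summarize_failures(lines: Iterable[str]) -> Dict[int, dict]:
    """Group entries by request number and describe every request that logged
    at least one ERROR line: which modules failed, the invalid-ACK code if one
    was reported, and whether the EAP sub-module gave up on the session."""
    by_request: Dict[int, List[LogEntry]] = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            by_request[entry.request].append(entry)

    summary: Dict[int, dict] = {}
    for request, entries in sorted(by_request.items()):
        errors = [e for e in entries if e.level == "ERROR"]
        if not errors:
            continue  # request completed without an error line
        invalid_ack = None
        for e in errors:
            m = ACK_RE.search(e.message)
            if m:
                invalid_ack = int(m.group(1))
                break
        summary[request] = {
            "modules": sorted({e.module for e in errors}),
            "invalid_ack": invalid_ack,
            "eap_submodule_failed": any("EAP sub-module failed" in e.message for e in errors),
            "messages": [e.message for e in errors],
        }
    return summary


if __name__ == "__main__":
    for req, info in summarize_failures(SAMPLE_LOG).items():
        print(f"request {req}: modules={info['modules']} "
              f"invalid_ack={info['invalid_ack']} "
              f"submodule_failed={info['eap_submodule_failed']}")
```

Feeding a real `radiusd -X` capture to `summarize_failures` gives one record per failed request; counting records whose `invalid_ack` is set, before and after an OpenSSL change, is a quick way to confirm whether a backport actually removed the failure the report describes.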
