On Jan 14, 2019, at 7:48 AM, Alex Perez-Mendez <Alex.Perez-Mendez@jisc.ac.uk> wrote:
as you know, Moonshot and the Trust Router use dynamically established TLS PSK for allowing communication between RADIUS servers. This has been working nicely so far, but I've started testing with Debian Buster, which ships OpenSSL 1.1 which defaults to TLS 1.3 and I've found some issues with both, 3.0.17 and 3.0.18.
The 3.0.17 issue was due to a typo in a macro. See commit fd803c9d35592 The 3.0.18 issue is due to trying to fix other issues. :( And, OpenSSL seems to change its behaviour rather a lot. Things which work in one version don't work in another.
In this case, the issue seems to have been caused by this commit https://github.com/FreeRADIUS/freeradius-server/commit/f2d93cffbd1a78ae2dbf1..., as reverting it reverts to the previous issue with 3.0.17.
That commit should still be done, as it fixes other issues... I've pushed a fix to the v3.0.x branch which turns that check into a soft fail. I think that should fix it, while also initializing the ssl_session variable. Alan DeKok.