Alan DeKok schrieb:
Andreas Hartmann wrote:
Where you file a bug against FreeRADIUS for an OpenSSL issue.
I understand that FreeRADIUS is affected. But...
It does not work for me. There seem to be problems with the session-handling, which should be checked, explained and, if necessary, fixed.
FreeRADIUS does not create, update, or maintain the "session_id" variable. It's created by OpenSSL. If has different values for the "same" session, then file a bug against OpenSSL.
Until I don't have a comprehensibly explanation for the reported session-ID behavior, the current version (and 2.1.8) of freeradius is highly insecure.
I have no idea why you think that's true. Failing to find a previous session means that the new request will be rejected. There are no security issues with rejecting users.
That's right. But: 1. There could be a security issue with parallel handled users during initial login, because they probably have all the same empty session id's at the same time. 2. Session handling does definitely not work at this point (I tried to find the reason today but couldn't get it yet). Why should I believe that it works error free at the other places in freeradius? 3. You are right, that there are probably no security issues with rejected users. But why are you sure, that every session-id you get, does belong to the user you think that it belongs to? It could be the data from another user too. 4. I can't say, if it's an exploitable scenario. May be - may be not. The session-handling in freeradius does not allways work as expected and until now the cause for the not allways working session-handling is unknown. Or in other words: The session-handling works not predictable (sometimes it works as expected - sometimes not - but you can't define "sometimes" - or I didn't found it yet). Unpredictable behavior and security is a contradiction. It's your application that suffers - it's not openssls one. Therefore I can't understand why you don't set everything to get a real solution? And no, I don't want to bash you. I'm willing to help, but I need your support to try to understand what's going on. I am willing to help you to find and fix the problem - even if it is not a bug in freeradius. It is all the same to me, if it's a bug in openssl or in freeradius. I do have just one goal: freeradius should work predictable in that case. That's all and this goal can't be bad for you! I can't file a bug for openssl. What should I wrote? The session handling in openssl does not work with freeradius? They will say: ok, openssl has been patched for EAP or they will ask detailed things about the handling of SSL in freeradius. I think that you are the best person to answer these questions! BTW: During my investigations today, I detected, that the defined callback cbtls_new_session never gets called during an initial session. That corresponds to the thing, that I can't see any session-ID during initial login. I would like to know, why the client suddenly has a session-ID at resumption time? Where do they come from? Kind regards, Andreas