Andreas Hartmann wrote:
Where you file a bug against FreeRADIUS for an OpenSSL issue. I understand that FreeRADIUS is affected. But...
It does not work for me. There seem to be problems with the session-handling, which should be checked, explained and, if necessary, fixed.
FreeRADIUS does not create, update, or maintain the "session_id" variable. It's created by OpenSSL. If has different values for the "same" session, then file a bug against OpenSSL.
Until I don't have a comprehensibly explanation for the reported session-ID behavior, the current version (and 2.1.8) of freeradius is highly insecure.
I have no idea why you think that's true. Failing to find a previous session means that the new request will be rejected. There are no security issues with rejecting users. The patch you suggested in the bug report *bypasses* this session checking, and *CREATES A SECURITY PROBLEM*. You should not use it in any production system. Alan DeKok.