On Fri, Oct 15, 2021 at 5:50 PM Alan DeKok <aland@deployingradius.com> wrote:
On Oct 15, 2021, at 11:16 AM, Antonio Torres <antorres@redhat.com> wrote:
I'm the maintainer for FreeRADIUS in RHEL and Fedora. We have found an issue when using FreeRADIUS 3.0.21 and OpenSSL 3.0. Running eapol_test with the attached config (EAP-TTLS-TLS) fails with the following errors (logs attached):
(9) eap_ttls: ERROR: Invalid ACK received: 256
That's due to magic changes in the internals of OpenSSL 3.0.0.
(9) eap_ttls: ERROR: [eaptls verify] = invalid (9) eap_ttls: ERROR: [eaptls process] = invalid (9) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
Tried updating to 3.0.23 and the issue seems to be fixed. However due to the updates policy we can't do a full upgrade, so we have to backport fixes to 3.0.21. I am having issues finding the commit(s) that fix this issue, so any help would be appreciated.
I'll echo Matthew here.
I'm not sure this is related, but we are hitting an error with the same error message as this one but using MSCHAPv2. Here's the report: https://bugzilla.redhat.com/show_bug.cgi?id=2014525 This is still valid in the latest FreeRADIUS release (3.0.25).
We're happy to do bug fixes for our software. We're rather less happy to do work for free, to debug issues created by corporate policies. Policies which we have no control over.
The bug report I have linked is for the latest FreeRADIUS release and the latest OpenSSL release. The updates policy for the distribution has nothing to do with it. I understand maybe a better approach would be to directly report this in the issue tracker instead of asking in the mailing list. As for the other issue, I haven't asked FreeRADIUS developers to debug or even investigate. I totally understand that the focus is in the latest release. My only ask was for help identifying a work that has already been done. Once again I am deeply sorry for this situation. Thank you for your work on FreeRADIUS.
To be clear: RedHat makes rather a lot more money off of FreeRADIUS than I do. RedHat has shared precisely *zero* of that revenue with me. Ever. RedHat has in fact competed with me for business, and is actively trying to get customers away from me.
At the same time, we get RedHat customers asking us to help them. They're usually running versions which are years out of date, due to "no upgrade" policies like the above. When told "just upgrade to a version WE support", the answer is "No, I'm paying RedHat for support!" Except RH isn't supporting them, and isn't fixing the bugs.
All in all, we fix bugs, and we're happy to work with people. But make no mistake, the corporate approach is to leech off of my work, and then turn around and bill their customers for it. That's allowed by the GPL, but it doesn't make me inclined to fix issues created by the internal policies of a billion-dollar corporation.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html