[ANN] Release 3.0.4 rc0
A preview release of 3.0.4 is available here: https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_rc0.ta... Were creating a release candidate for 3.0.4 as some of the modifications we needed to make to get attribute indexes and tags to work consistently, were spread throughout the code base, and we want to ensure that those changes have not had side effects. In particular, those of you using CUI, may need to update your policies for them to work correctly, as the type of Chargeable-User-Identity is now an octets, meaning that any expansions which use it, will now print hexits instead of ascii. The changelog so far is: FreeRADIUS 3.0.4 Mon 12 May 2014 15:30:00 EDT urgency=medium Feature improvements * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as the counterpart to "set module status" * Better indentation in debugging mode * Added dictionary ericsson.packet.ccore.networks Bug fixes * make case-insensitive regular expressions work again. * Added tests for the above * A few more talloc parenting issues * Fix delayed proxy reply handling. Closes #637 * Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646 * Don't double-quote strings in debugging messages * Fix foreach / break. Fixes #639 * Chargeable-User-Identifier should be "octets" * Fix typo in mainconfig. Fixes #634 * More rlm_perl fixes. Fixes #635 * Free OpenSSL memory on clean exit. * Fix <attr>[0] !* ANY - Was removing all instances of <attr> * Fix case where multiple attributes were returned from LHS of mapping, as with rlm_ldap. Fixes #652 * Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may of resulted in a read of uninitialised memory. * Don't SEGV if all connections to a database server go away. Fixes #651. * Fix issue where <attr> -= <value> was not removing tagged instances of <attr> equal to <value> (only untagged). * Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks. Please test with your local configuration. If no issues are reported this will become the official 3.0.4 release. If you do find issues, please open tickets @bugs.freeradius.org. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi,
In particular, those of you using CUI, may need to update your policies for them to work correctly, as the type of Chargeable-User-Identity is now an octets, meaning that any expansions which use it, will now print hexits instead of ascii.
for those not part of the code / patch conversation, the RFC uses the word 'string' to define the Type for CUI. but thats actually 'octets' in freeradius language ( 'string' in freeradius is equivalent to the RFC word 'text'). it will be interesting to see what this breaks ;-) alan
Hello, I tried 3.0.4 rc0 radius/tls function. FR segfault during new tls connection to server. 136 ssn->ctx = conf->ctx; (gdb) 138 SSL_CTX_set_mode(ssn->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); (gdb) 140 ssn->ssl = SSL_new(ssn->ctx); (gdb) 147 SSL_set_msg_callback(ssn->ssl, cbtls_msg); (gdb) 140 ssn->ssl = SSL_new(ssn->ctx); (gdb) 147 SSL_set_msg_callback(ssn->ssl, cbtls_msg); (gdb) 148 SSL_set_msg_callback_arg(ssn->ssl, ssn); (gdb) 149 SSL_set_info_callback(ssn->ssl, cbtls_info); (gdb) 154 DEBUG2("Requiring Server certificate"); (gdb) Requiring Server certificate 157 SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify); (gdb) 159 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); (gdb) 160 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); (gdb) 161 SSL_set_fd(ssn->ssl, fd); (gdb) 162 if (SSL_connect(ssn->ssl) <= 0) { (gdb) Program received signal SIGSEGV, Segmentation fault. radlog_request (type=type@entry=L_DBG, lvl=lvl@entry=L_DBG_LVL_2, request=request@entry=0x0, msg=0x444852 "%s: %s") at src/main/log.c:701 701 if (request->log.func == NULL) return; (gdb) [Thread 0x7fffeecd4700 (LWP 32743) exited] [Thread 0x7fffef4d5700 (LWP 32742) exited] [Thread 0x7fffefcd6700 (LWP 32741) exited] [Thread 0x7ffff04d7700 (LWP 32740) exited] [Thread 0x7ffff0cd8700 (LWP 32739) exited] Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists. Best regards Polish On Sat, 24 May 2014, Arran Cudbard-Bell wrote:
A preview release of 3.0.4 is available here: https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_rc0.ta...
Were creating a release candidate for 3.0.4 as some of the modifications we needed to make to get attribute indexes and tags to work consistently, were spread throughout the code base, and we want to ensure that those changes have not had side effects.
In particular, those of you using CUI, may need to update your policies for them to work correctly, as the type of Chargeable-User-Identity is now an octets, meaning that any expansions which use it, will now print hexits instead of ascii.
The changelog so far is:
FreeRADIUS 3.0.4 Mon 12 May 2014 15:30:00 EDT urgency=medium Feature improvements * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as the counterpart to "set module status" * Better indentation in debugging mode * Added dictionary ericsson.packet.ccore.networks
Bug fixes * make case-insensitive regular expressions work again. * Added tests for the above * A few more talloc parenting issues * Fix delayed proxy reply handling. Closes #637 * Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646 * Don't double-quote strings in debugging messages * Fix foreach / break. Fixes #639 * Chargeable-User-Identifier should be "octets" * Fix typo in mainconfig. Fixes #634 * More rlm_perl fixes. Fixes #635 * Free OpenSSL memory on clean exit. * Fix <attr>[0] !* ANY - Was removing all instances of <attr> * Fix case where multiple attributes were returned from LHS of mapping, as with rlm_ldap. Fixes #652 * Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may of resulted in a read of uninitialised memory. * Don't SEGV if all connections to a database server go away. Fixes #651. * Fix issue where <attr> -= <value> was not removing tagged instances of <attr> equal to <value> (only untagged). * Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
Please test with your local configuration. If no issues are reported this will become the official 3.0.4 release.
If you do find issues, please open tickets @bugs.freeradius.org.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 26 May 2014, at 20:03, Polish <pavel.polacek@ujep.cz> wrote:
Hello,
I tried 3.0.4 rc0 radius/tls function. FR segfault during new tls connection to server.
136 ssn->ctx = conf->ctx; (gdb) 138 SSL_CTX_set_mode(ssn->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); (gdb) 140 ssn->ssl = SSL_new(ssn->ctx); (gdb) 147 SSL_set_msg_callback(ssn->ssl, cbtls_msg); (gdb) 140 ssn->ssl = SSL_new(ssn->ctx); (gdb) 147 SSL_set_msg_callback(ssn->ssl, cbtls_msg); (gdb) 148 SSL_set_msg_callback_arg(ssn->ssl, ssn); (gdb) 149 SSL_set_info_callback(ssn->ssl, cbtls_info); (gdb) 154 DEBUG2("Requiring Server certificate"); (gdb) Requiring Server certificate 157 SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify); (gdb) 159 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); (gdb) 160 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); (gdb) 161 SSL_set_fd(ssn->ssl, fd); (gdb) 162 if (SSL_connect(ssn->ssl) <= 0) { (gdb)
Program received signal SIGSEGV, Segmentation fault. radlog_request (type=type@entry=L_DBG, lvl=lvl@entry=L_DBG_LVL_2, request=request@entry=0x0, msg=0x444852 "%s: %s") at src/main/log.c:701 701 if (request->log.func == NULL) return; (gdb) [Thread 0x7fffeecd4700 (LWP 32743) exited] [Thread 0x7fffef4d5700 (LWP 32742) exited] [Thread 0x7fffefcd6700 (LWP 32741) exited] [Thread 0x7ffff04d7700 (LWP 32740) exited] [Thread 0x7ffff0cd8700 (LWP 32739) exited]
Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists.
Could you try with the latest v3.0.x HEAD and provide the backtrace please. Nothing in the area of code you've included calls radlog_request. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hello Arran, latest version from git, backtrace: Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (195.113.187.22, 2083)' Trying SSL to port 2083 Requiring Server certificate Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffeecd4700 (LWP 3123)] radlog_request (type=type@entry=L_DBG, lvl=lvl@entry=L_DBG_LVL_2, request=request@entry=0x0, msg=0x444af2 "%s: %s") at src/main/log.c:705 705 if (request->log.func == NULL) return; (gdb) backtrace #0 radlog_request (type=type@entry=L_DBG, lvl=lvl@entry=L_DBG_LVL_2, request=request@entry=0x0, msg=0x444af2 "%s: %s") at src/main/log.c:705 #1 0x00000000004333ee in cbtls_info (s=0x9d04b0, where=<optimized out>, ret=1) at src/main/cb.c:66 #2 0x00007ffff713ff70 in ?? () from /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 #3 0x00000000004362a0 in tls_new_client_session (conf=0x8424d0, fd=17) at src/main/tls.c:162 #4 0x000000000041a443 in proxy_new_listener (home=0x83f610, src_port=src_port@entry=0) at src/main/listen.c:2664 #5 0x000000000042b4b2 in insert_into_proxy_hash (request=request@entry=0x911cf0) at src/main/process.c:2006 #6 0x000000000042e360 in request_proxy (request=request@entry=0x911cf0, retransmit=retransmit@entry=0) at src/main/process.c:2709 #7 0x000000000042de4b in request_running (action=1, request=0x911cf0) at src/main/process.c:1429 #8 request_running (request=0x911cf0, action=<optimized out>) at src/main/process.c:1369 #9 0x0000000000427d2e in request_handler_thread (arg=0x8d6c70) at src/main/threads.c:685 #10 0x00007ffff66ceb50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #11 0x00007ffff5f9b0ed in clone () from /lib/x86_64-linux-gnu/libc.so.6 #12 0x0000000000000000 in ?? () (gdb) Best regards Polish On Mon, 26 May 2014, Arran Cudbard-Bell wrote:
On 26 May 2014, at 20:03, Polish <pavel.polacek@ujep.cz> wrote:
Hello,
I tried 3.0.4 rc0 radius/tls function. FR segfault during new tls connection to server.
136 ssn->ctx = conf->ctx; (gdb) 138 SSL_CTX_set_mode(ssn->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); (gdb) 140 ssn->ssl = SSL_new(ssn->ctx); (gdb) 147 SSL_set_msg_callback(ssn->ssl, cbtls_msg); (gdb) 140 ssn->ssl = SSL_new(ssn->ctx); (gdb) 147 SSL_set_msg_callback(ssn->ssl, cbtls_msg); (gdb) 148 SSL_set_msg_callback_arg(ssn->ssl, ssn); (gdb) 149 SSL_set_info_callback(ssn->ssl, cbtls_info); (gdb) 154 DEBUG2("Requiring Server certificate"); (gdb) Requiring Server certificate 157 SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify); (gdb) 159 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); (gdb) 160 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); (gdb) 161 SSL_set_fd(ssn->ssl, fd); (gdb) 162 if (SSL_connect(ssn->ssl) <= 0) { (gdb)
Program received signal SIGSEGV, Segmentation fault. radlog_request (type=type@entry=L_DBG, lvl=lvl@entry=L_DBG_LVL_2, request=request@entry=0x0, msg=0x444852 "%s: %s") at src/main/log.c:701 701 if (request->log.func == NULL) return; (gdb) [Thread 0x7fffeecd4700 (LWP 32743) exited] [Thread 0x7fffef4d5700 (LWP 32742) exited] [Thread 0x7fffefcd6700 (LWP 32741) exited] [Thread 0x7ffff04d7700 (LWP 32740) exited] [Thread 0x7ffff0cd8700 (LWP 32739) exited]
Program terminated with signal SIGSEGV, Segmentation fault. The program no longer exists.
Could you try with the latest v3.0.x HEAD and provide the backtrace please.
Nothing in the area of code you've included calls radlog_request.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 26 May 2014, at 21:54, Polish <pavel.polacek@ujep.cz> wrote:
cbtls_info
That's better. Fixed in v3.0.x head. Thanks. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hello Arran, thanks, git version don't segfault, but tls radsec don't work for me. Incoming tls connection is accepted. Problem is outgoing connection. It looks like FR don't try to connect to home server: .. Listening on auth proto tcp address * port 2083 (TLS) as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 60960 Ready to process requests .. Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (195.113.187.22, 2083)' Waking up in 0.3 seconds. Trying SSL to port 2083 Requiring Server certificate Failed starting SSL to 'proxy (0.0.0.0, 0) -> home_server (195.113.187.22, 2083)' Failed to insert request into the proxy list .. Suppressing attempt to open socket to 'down' home server Failed to insert request into the proxy list .. Could you give me tip for working configuration? In my sites-enabled/tls is: listen { ipaddr = * port = 2083 type = auth # For now, only TCP transport is allowed. proto = tcp # Send packets to the default virtual server virtual_server = default clients = radsec .. tls { private_key_file = ${certdir}/radius.key certificate_file = ${certdir}/radius.crt dh_file = ${certdir}/dh ca_path = ${cadir} .. } } clients radsec { client 127.0.0.1 { ipaddr = 127.0.0.1 proto = tls secret = testing123 } client radius1.eduroam.cz { ipaddr = 195.113.187.22 proto = tls secret = radsec } } home_server tls { ipaddr = 195.113.187.22 port = 2083 type = auth secret = radsecy proto = tcp status_check = none tls { private_key_file = ${certdir}/radius.key certificate_file = ${certdir}/radius.crt dh_file = ${certdir}/dh random_file = ${certdir}/random ca_path = ${cadir} } } home_server_pool tls { type = fail-over home_server = tls } realm DEFAULT { auth_pool = tls nostrip } Thank you Pavel Polacek On Mon, 26 May 2014, Arran Cudbard-Bell wrote:
On 26 May 2014, at 21:54, Polish <pavel.polacek@ujep.cz> wrote:
cbtls_info
That's better. Fixed in v3.0.x head.
Thanks.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Polish wrote:
thanks, git version don't segfault, but tls radsec don't work for me. Incoming tls connection is accepted. Problem is outgoing connection. It looks like FR don't try to connect to home server:
I've pushed a fix to the v3.0.x branch. Please try that. It works for my tests. Alan DeKok.
Hello Alan, On Wed, 28 May 2014, Alan DeKok wrote:
Polish wrote:
thanks, git version don't segfault, but tls radsec don't work for me. Incoming tls connection is accepted. Problem is outgoing connection. It looks like FR don't try to connect to home server:
I've pushed a fix to the v3.0.x branch. Please try that. It works for my tests.
Alan DeKok.
works well. Thank you Pavel Polacek
Hello Alan, tls tunnel is down after day (FR started 29.5. at 9:55am). No connection to home server. I make core dump of FR in this state. Could you need more info? Fri May 30 12:25:58 2014 : Auth: (27258) Login OK: [test@neco.cas.cz] (from client ermon port 0 cli 70-6F-6C-69-73-68) Fri May 30 12:26:02 2014 : Info: ... shutting down socket proxy (195.113.136.14, 51014) -> home_server (195.113.187.22, 2083) Fri May 30 12:26:02 2014 : Info: ... shutting down socket auth from client (195.113.187.22, 37509) -> (*, 2083, virtual-server=default) Fri May 30 12:26:04 2014 : Info: ... adding new socket auth from client (195.113.187.22, 40779) -> (*, 2083, virtual-server=default) Fri May 30 12:26:10 2014 : Info: ... shutting down socket auth from client (195.113.187.22, 40779) -> (*, 2083, virtual-server=default) Fri May 30 12:26:10 2014 : Info: ... adding new socket auth from client (195.113.187.22, 52936) -> (*, 2083, virtual-server=default) Fri May 30 12:26:40 2014 : Info: ... shutting down socket auth from client (195.113.187.22, 52936) -> (*, 2083, virtual-server=default) Fri May 30 12:26:44 2014 : Info: ... adding new socket auth from client (195.113.187.22, 36510) -> (*, 2083, virtual-server=default) Fri May 30 12:26:45 2014 : Info: Home server tls has too many open connections (16) Fri May 30 12:26:45 2014 : Error: Failed to insert request into the proxy list Fri May 30 12:27:14 2014 : Info: ... shutting down socket auth from client (195.113.187.22, 36510) -> (*, 2083, virtual-server=default) Fri May 30 12:27:19 2014 : Info: ... adding new socket auth from client (195.113.187.22, 49017) -> (*, 2083, virtual-server=default) #netstat -tn Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 195.113.136.14:2083 195.113.187.22:59852 ESTABLISHED tcp 0 0 195.113.136.14:22 195.113.136.29:50072 ESTABLISHED tcp 0 0 195.113.136.14:2083 195.113.187.22:53846 TIME_WAIT Pavel Polacek On Thu, 29 May 2014, Polish wrote:
Hello Alan,
On Wed, 28 May 2014, Alan DeKok wrote:
Polish wrote:
thanks, git version don't segfault, but tls radsec don't work for me. Incoming tls connection is accepted. Problem is outgoing connection. It looks like FR don't try to connect to home server:
I've pushed a fix to the v3.0.x branch. Please try that. It works for my tests.
Alan DeKok.
works well.
Thank you Pavel Polacek
And another segfault, which actually has been fixed in master with commit 87fa8ec09d5be6dbcbf7574080f38beaab71cdaa. Could that one be included in the next RC? On 24-05-14 14:08, Arran Cudbard-Bell wrote:
A preview release of 3.0.4 is available here: https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_4_rc0.ta...
Were creating a release candidate for 3.0.4 as some of the modifications we needed to make to get attribute indexes and tags to work consistently, were spread throughout the code base, and we want to ensure that those changes have not had side effects.
In particular, those of you using CUI, may need to update your policies for them to work correctly, as the type of Chargeable-User-Identity is now an octets, meaning that any expansions which use it, will now print hexits instead of ascii.
The changelog so far is:
FreeRADIUS 3.0.4 Mon 12 May 2014 15:30:00 EDT urgency=medium Feature improvements * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as the counterpart to "set module status" * Better indentation in debugging mode * Added dictionary ericsson.packet.ccore.networks
Bug fixes * make case-insensitive regular expressions work again. * Added tests for the above * A few more talloc parenting issues * Fix delayed proxy reply handling. Closes #637 * Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646 * Don't double-quote strings in debugging messages * Fix foreach / break. Fixes #639 * Chargeable-User-Identifier should be "octets" * Fix typo in mainconfig. Fixes #634 * More rlm_perl fixes. Fixes #635 * Free OpenSSL memory on clean exit. * Fix <attr>[0] !* ANY - Was removing all instances of <attr> * Fix case where multiple attributes were returned from LHS of mapping, as with rlm_ldap. Fixes #652 * Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may of resulted in a read of uninitialised memory. * Don't SEGV if all connections to a database server go away. Fixes #651. * Fix issue where <attr> -= <value> was not removing tagged instances of <attr> equal to <value> (only untagged). * Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
Please test with your local configuration. If no issues are reported this will become the official 3.0.4 release.
If you do find issues, please open tickets @bugs.freeradius.org.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Herwin Weststrate Software Developer Quarantainenet BV T: 053-7503070 www.quarantainenet.nl
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Herwin Weststrate -
Polish