Session resumption problem
I was searching back in the archives, and in September there was a user who reported a problem with session resumption. I'm seeing the exact same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never saw any follow up? Is there a fix known for this? I am using a locally compiled version of FreeRadius 2.1.7. It's linked against the system OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is certainly an option if there is a chance it will help. Here's a snippet from the original thread. I think it was about Sept. 1st 2009. I get similar errors. Sometimes the client (an Ubuntu 9.04 Jaunty laptop) connects, but sometimes I get this resumption error. My other clients (XP, iPhone, etc.) don't seem to ever exhibit the problem.
[peap] Success [peap] FAIL: Forcibly stopping session resumption as it is not allowed. [eap] Freeing handler
Arg. FreeRADIUS tells OpenSSL to *not* allow session resumption, and it still negotiates session resumption. Which OS are you using? Which version of OpenSSL? -- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
David Mitchell wrote:
I was searching back in the archives, and in September there was a user who reported a problem with session resumption. I'm seeing the exact same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never saw any follow up? Is there a fix known for this? I am using a locally compiled version of FreeRadius 2.1.7. It's linked against the system OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is certainly an option if there is a chance it will help.
There isn't a lot we can do. It's not clear *why* OpenSSL resumes sessions when session resumption is disabled. Alan DeKok.
Alan DeKok wrote:
David Mitchell wrote:
I was searching back in the archives, and in September there was a user who reported a problem with session resumption. I'm seeing the exact same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never saw any follow up? Is there a fix known for this? I am using a locally compiled version of FreeRadius 2.1.7. It's linked against the system OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is certainly an option if there is a chance it will help.
There isn't a lot we can do. It's not clear *why* OpenSSL resumes sessions when session resumption is disabled.
OK. I can't easily replicate it. At least, I don't know exactly what circumstances cause it. The clients doesn't always cause this error to pop up. Only sometimes. I was hoping their was a known fix. It sounds like I'll have to dig into it deeper if it turns out to be a big issue. Thanks, -David Mitchell
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
Alan DeKok wrote:
David Mitchell wrote:
I was searching back in the archives, and in September there was a user who reported a problem with session resumption. I'm seeing the exact same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never saw any follow up? Is there a fix known for this? I am using a locally compiled version of FreeRadius 2.1.7. It's linked against the system OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is certainly an option if there is a chance it will help.
There isn't a lot we can do. It's not clear *why* OpenSSL resumes sessions when session resumption is disabled.
I did manage to find an easy workaround for this. Simply enabling the cache in eap.conf allows these connections to succeed. I think there may still be a bug somewhere, or maybe more than one. At a minimum it seems a bit foolish for wpa_supplicant to keep trying to do a fast reconnect after getting an Access-Reject. Whatever the root problem is, there is an easy workaround. I wanted to follow up primarily in case others find this thread in the future it will have a workaround. I'm guessing the only real downside to enabling the EAP cache is memory usage, which I'm not too worried about. -David Mitchell
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
David Mitchell <mitchell@ucar.edu> wrote:
Alan DeKok wrote:
David Mitchell wrote:
I was searching back in the archives, and in September there was a user who reported a problem with session resumption. I'm seeing the exact same symptoms I believe, also on Debian 5.0 with OpenSSL 0.9.8g. I never saw any follow up? Is there a fix known for this? I am using a locally compiled version of FreeRadius 2.1.7. It's linked against the system OpenSSL libraries though. Building a local 0.9.8k or even 1.0.0 is certainly an option if there is a chance it will help.
There isn't a lot we can do. It's not clear *why* OpenSSL resumes sessions when session resumption is disabled.
I did manage to find an easy workaround for this. Simply enabling the cache in eap.conf allows these connections to succeed. I think there may still be a bug somewhere, or maybe more than one. At a minimum it seems a bit foolish for wpa_supplicant to keep trying to do a fast reconnect after getting an Access-Reject.
Whatever the root problem is, there is an easy workaround. I wanted to follow up primarily in case others find this thread in the future it will have a workaround. I'm guessing the only real downside to enabling the EAP cache is memory usage, which I'm not too worried about.
Make sure you 'git cherry-pick' the patches related to: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=15 https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=21 ...if you are using a vanilla 2.1.7. Cheers -- Alexander Clouter .sigmonster says: I'm not laughing with you, I'm laughing at you.
Alexander Clouter wrote:
Make sure you 'git cherry-pick' the patches related to:
https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=15 https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=21
...if you are using a vanilla 2.1.7.
Thanks for the heads up. I'm currently in a testing phase, so I'll probably just grab the current git version and run that. Given the rate things move for me, 2.1.8 will be out by the time I'm ready for production. -David
Cheers
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
participants (3)
-
Alan DeKok -
Alexander Clouter -
David Mitchell