We're going to release 3.0.26 and 3.2.0 in the near future. After months of work, they're finally ready for release. The delays were due to two issues. One was the release of OpenSSL3. It behaves differently than previous versions of OpenSSL, and it took a while to track down exactly what was going on. Thanks to Alex Clouter for patches. The second delay was due to Windows 11 inter-operability. We've been working closely with the Windows team to ensure that their software works with ours, and vice-versa. The use of TLS 1.3 complicates things, as TLS 1.3 is substantially different from earlier versions of TLS. Thanks again to Alex Clouter for testing and patches. We will be releasing 3.2.0 as the "new feature" branch of the v3 series. 3.2 will be 100% configuration compatible with 3.0, but will have new features which are not available in the main 3.0 release. We will be continuing to maintain 3.0 for the forseeable future. However, it will be "feature frozen". The only patches going into 3.0 will be bug fixes. This helps to ensure stability and low cost of maintenance. Matthew Newton is the v3 release manager, and can comment more if needed. Alan DeKok.
On 29/03/2022 16:15, Alan DeKok wrote:
We will be releasing 3.2.0 as the "new feature" branch of the v3 series. 3.2 will be 100% configuration compatible with 3.0, but will have new features which are not available in the main 3.0 release.
We will be continuing to maintain 3.0 for the forseeable future. However, it will be "feature frozen". The only patches going into 3.0 will be bug fixes. This helps to ensure stability and low cost of maintenance.
Unfortunately as Alan said due to OpenSSL 3 we've put more into 3.0.x than planned since 3.0.25 when we announced it would be bug fixes/security only. We felt it was necessary to ensure 3.0.x would continue to work with OpenSSL 3 and TLS 1.3 going forwards, otherwise it would become EOL a lot faster than planned.
Matthew Newton is the v3 release manager, and can comment more if needed.
We have built packages of the current development versions. They are available in the devel repositories here: version 3.0.x: http://packages.networkradius.com/freeradius-devel-3.0/ version 3.2.x: http://packages.networkradius.com/freeradius-devel-3.2/ (Follow the set-up instructions at https://packages.networkradius.com/ as usual, but use the above URLs. Note that the 3.2 packages currently have 3.0+git versions as there hasn't been a 3.2 release yet.) Please test! There are a lot more diverse systems/configurations out there than we are able to test here. These packages are drop-in replacements for current 3.0.x packages (but goes without saying, make backups beforehand, as always). All being well we will release 3.2.0 within the next couple of weeks, and 3.0.26 shortly after. -- Matthew
On Mar 31, 2022, at 7:20 AM, Matthew Newton <mcn@freeradius.org> wrote:
Unfortunately as Alan said due to OpenSSL 3 we've put more into 3.0.x than planned since 3.0.25 when we announced it would be bug fixes/security only.
We felt it was necessary to ensure 3.0.x would continue to work with OpenSSL 3 and TLS 1.3 going forwards, otherwise it would become EOL a lot faster than planned.
OpenSSL3 was *unnecessarily* different from OpenSSL1. And it was difficult to add support for OpenSSL3 without breaking OpenSSL1. TLS 1.3 was similar. And adding OpenSSL3 to that was not fun. That being said, TLS 1.0 and TLS 1.1 have been officially deprecated by the relevant standards bodies. Most operating systems are in the process of removing them or disabling them. OpenSSL is doing something similar. For the short term, TSL 1.2 is really the only option for most deployments. As OS vendors add support for TLS 1.3, that will become more widely used, and preferred.
All being well we will release 3.2.0 within the next couple of weeks, and 3.0.26 shortly after.
And both are frozen until then, for anything other than doc / bug / security fixes. Alan DeKok.
Thank you very much for the release! Question: is the docker "latest" tag going to remain on 3.0.x or will it switch over to 3.2.x ? Thank you, Dave On Thu, Mar 31, 2022 at 9:04 AM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 31, 2022, at 7:20 AM, Matthew Newton <mcn@freeradius.org> wrote:
Unfortunately as Alan said due to OpenSSL 3 we've put more into 3.0.x than planned since 3.0.25 when we announced it would be bug fixes/security only.
We felt it was necessary to ensure 3.0.x would continue to work with OpenSSL 3 and TLS 1.3 going forwards, otherwise it would become EOL a lot faster than planned.
OpenSSL3 was *unnecessarily* different from OpenSSL1. And it was difficult to add support for OpenSSL3 without breaking OpenSSL1.
TLS 1.3 was similar. And adding OpenSSL3 to that was not fun.
That being said, TLS 1.0 and TLS 1.1 have been officially deprecated by the relevant standards bodies. Most operating systems are in the process of removing them or disabling them. OpenSSL is doing something similar.
For the short term, TSL 1.2 is really the only option for most deployments. As OS vendors add support for TLS 1.3, that will become more widely used, and preferred.
All being well we will release 3.2.0 within the next couple of weeks, and 3.0.26 shortly after.
And both are frozen until then, for anything other than doc / bug / security fixes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On 3/31/22 13:20, Matthew Newton wrote:
We have built packages of the current development versions. They are available in the devel repositories here:
version 3.0.x:
http://packages.networkradius.com/freeradius-devel-3.0/
version 3.2.x:
http://packages.networkradius.com/freeradius-devel-3.2/
(Follow the set-up instructions at https://packages.networkradius.com/ as usual, but use the above URLs. Note that the 3.2 packages currently have 3.0+git versions as there hasn't been a 3.2 release yet.)
Please test! There are a lot more diverse systems/configurations out there than we are able to test here. These packages are drop-in replacements for current 3.0.x packages (but goes without saying, make backups beforehand, as always).
All being well we will release 3.2.0 within the next couple of weeks, and 3.0.26 shortly after.
Is there a release date for version 3.0.26 ? Thanks, Arnaud
FYI, in terms of OpenSSL3 compatibility, I have not run into this w/ FreeRadius, but on my personal laptop, I ran into an incompatibility with AWS VPN software when I upgraded Ubuntu to 22.04, which switched to OpenSSL3. I was going to be stuck with a broken AWS VPN until AWS came out with a new release that specifically addressed the issue. I found a pretty simple workaround. I grabbed the openssl1.1 DEB from Ubuntu 20.04 and manually installed it on 22.04. It co-exists with OpenSSL3 with no problem (that I have found yet), and allows AWS VPN to work on 22.04. Perhaps a similar workaround would work with FreeRadius on an OpenSSL3 system? Not that it's required anymore, as you now have official patches that support OpenSSL3, but I thought it was worth mentioning. -Mark On Fri, Jun 10, 2022 at 3:40 AM Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
Hi,
On 3/31/22 13:20, Matthew Newton wrote:
We have built packages of the current development versions. They are available in the devel repositories here:
version 3.0.x:
http://packages.networkradius.com/freeradius-devel-3.0/
version 3.2.x:
http://packages.networkradius.com/freeradius-devel-3.2/
(Follow the set-up instructions at https://packages.networkradius.com/ as usual, but use the above URLs. Note that the 3.2 packages currently have 3.0+git versions as there hasn't been a 3.2 release yet.)
Please test! There are a lot more diverse systems/configurations out there than we are able to test here. These packages are drop-in replacements for current 3.0.x packages (but goes without saying, make backups beforehand, as always).
All being well we will release 3.2.0 within the next couple of weeks, and 3.0.26 shortly after.
Is there a release date for version 3.0.26 ?
Thanks,
Arnaud - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10/06/2022 21:37, Mark J. Bobak wrote:
Perhaps a similar workaround would work with FreeRadius on an OpenSSL3 system?
Not that it's required anymore, as you now have official patches that support OpenSSL3, but I thought it was worth mentioning.
Yes, 3.0.26 will have openssl 3 support. I wouldn't personally go mixing openssl versions on a system, you're asking for a headache. So far I don't need any fingers to count the number of people who replied to my last message about "please test this" :( -- Matthew
participants (5)
-
Alan DeKok -
Arnaud LAURIOU -
Dave Macias -
Mark J. Bobak -
Matthew Newton