freeradius and openssl exception

Nicolas Baradakis nbk at
Wed Jul 26 15:55:55 CEST 2006

Stephen Gran wrote:

> I'm sorry in advance if this is something that has already been discussed
> to death.

Indeed, it was discussed many times.

The OpenSSL advertising clause was also discussed a few months ago on
the openssl-users mailing list, and it seems unlikely they'll ever
change their licence.

> I have been googling around, and I do see some discussion about an openssl
> exception that took place in 2005, but I don't see any resolution, nor
> do I see any actual exception in COPYING.  Is this something, first
> of all, that people are either interested in or amenable to?  If so,
> has any progress been made?

In short: nothing has been done yet, but there's no strong objection
to the exception.

Speaking personally, I'd prefer a GnuTLS solution but I won't go against
everybody else.

> I ask all this because I recently took over comaintenance of the
> package for Debian, and there are several modules that we can't ship
> precompiled right now, as I understand it (eap being the most common,
> but for some reason postgres is also currently disabled - that needs
> seperate investigation).

The problem with the module rlm_sql_postgresql is the Debian package
libpq4 depends on libssl. A user installing freeradius-postgresql also
installs libssl through apt-get mechanism.

$ apt-cache show libpq4 | grep Depends
Depends: libc6 (>= 2.3.6-6), libcomerr2 (>= 1.33-3), libkrb53 (>= 1.4.2), libssl0.9.8 (>= 0.9.8b-1)

> If no progress has been made, I would be willing to do some of the
> leg work sending around a sort of form email to contributors asking
> for an exception, or whatever you all thought was the best way of
> handling this.

The PostgreSQL project has a pending patch for GnuTLS support, but I
don't know the status of this patch. (there is a problem with psqlODBC)

When PostgreSQL completes their GnuTLS patch, it could be added
as a dpatch in the postgresql source package, so the PostgreSQL
client library doesn't depend on libssl anymore, and the
freeradius-postgresql package can enter the Debian archive.

Nicolas Baradakis

More information about the Freeradius-Devel mailing list