FreeRADIUS SSL version check

Alan DeKok aland at deployingradius.com
Thu Jan 8 14:41:44 CET 2015


On Jan 7, 2015, at 8:16 PM, Michael Richardson <mcr at sandelman.ca> wrote:
> It's hard if you also have other things which want *different* versions of
> OpenSSL... really, if they shared libraries are not compatible, the .so files
> should have their version number bumped, but I know that this is hard for
> some distros.

  OpenSSL has a wonderful habit of making header files for (e.g.) 1.0.1 incompatible with the binaries for 1.0.2.  As a result, upgrades can cause your application to crash.

  FreeRADIUS runs into this more than most applications.  Most applications just use the SSL_read() and SSL_write() APIs to deal with TCP connections.  So they don’t need to get into the internals of SSL behaviour.  FreeRADIUS has to extract SSL from EAP, and in turn RADIUS.  So it has to do unusual (but allegedly legal) things with OpenSSL.

  The OpenSSL APIs lie to you.  They say you can do something, which is true.  What they *don’t* say is that they change in random incompatible ways at a moments notice.

  I gave up on APR years ago for similar reasons.

  Alan DeKok.



More information about the Freeradius-Devel mailing list