New Features Development Question

Alan DeKok aland at
Tue Jul 7 13:32:24 CEST 2020

On Jul 7, 2020, at 6:04 AM, Oleg Pekar <oleg.pekar.2017 at> wrote:
> That's perfectly clear. What is the current schedule for releasing v4?

  It will be released when it's ready.  Sadly, paying work gets in the way of fixing v4.

> Are you also planning to release some beta-version on a feature
> complete milestone before the official release? If I take v4 today as
> a base for my PoC - what is the current stability level of v4?

  v4 is stable, mostly.  We run a suite of tests on it for every build.  We ensure that the tests pass.  But as with software undergoing large changes, there may be issues from time to time.

> I meant a generic ability to work with an external CA server that
> provides Certificate Trusted List services instead of working with the
> local certificate storage. These services include revocation
> configuration (OCSP/CRL) per CA certificate. I don't have any specific
> API in mind, just need to think about such functionality.

  OpenSSL already supports OCSP.  That's supported in v3, too.

>> The better method though, is sending back all the encoded session-state attributes in the ticket, then there's no need for the central database.  That's not done currently unfortunately because of limitations in the OpenSSL API.
> What are those limitations?

  I don't recall.  Maybe Arran can offer opinions.

> Few more questions:
> * Is RadSec over TLS working in v4? My colleague has it working in v3,
> but not in v4. TCP on the other hand is working fine in v4.

  Radsec isn't in v4 yet, mostly due to time.

> * Is it possible to have dynamic authorization messages and responses
> go over the same RadSec tunnel used for authentication and accounting?
> In v3? In v4?

  No.  There is no IETF standard for this, and no RADIUS server supports it.

  We're looking at adding it in v4 for a large WiFi project which is underway.  But even that may take 8 months.

> * Does v4 have backward compatibility for configuration? If we start
> with v3 - what will be the effort to move to v4 (not including any
> code changes we can do)?

  It's not 100% compatible with v3.  That's why it's a major version change.

  But, most things are pretty similar.  The unlang syntax is 99% the same (some new things are added).  The module configurations are 99% the same.  The server comes with an "upgrade" guide which details the differences.  See doc/antora/modules/installation/pages/upgrade.adoc

  It should take less than a day to move a complex v3 configuration to v4.  It's mostly just renaming and testing.

  Alan DeKok.

More information about the Freeradius-Devel mailing list