eap module change between 2.1.11 & 2.1.12 ?

Phil Mayers p.mayers at imperial.ac.uk
Tue Oct 25 13:33:22 CEST 2011

On 25/10/11 10:54, Fred wrote:
> rlm_eap: SSL error error:140DB111:SSL
> routines:SSL_CTX_set_session_id_context:ssl session id context too
> long

Ugh. OpenSSL really is a horrible, horrible piece of software.

Are you sure there is absolutely no other change than going from 2.1.11 
to 2.1.12 - there's nothing in the EAP & SSL routines that should cause 
this - or rather, it should break under 2.1.11 just the same.

If you downgrade, using the exact same config as you have now, does it work?

The problem seems to be that OpenSSL has this tedious thing where, if 
you are caching sessions, you have to set a "name" for a given SSL 
context. Then if the programmer stores a session to e.g. SQL and tries 
to re-import it, if the "name" doesn't match, it errors out.

This name field is short, and FreeRADIUS is probably trying to put too 
much data into it.

You have two options - name your other EAP module shorter:

eap pt-eap {

Or, try this:

eap partner-eap {
   tls {
     cache {
       name = A

I'll roll a patch up for the underlying issue. It's odd that no-one else 
is seeing it though.

More information about the Freeradius-Users mailing list