eap module change between 2.1.11 & 2.1.12 ?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Oct 25 13:33:22 CEST 2011
On 25/10/11 10:54, Fred wrote:
> rlm_eap: SSL error error:140DB111:SSL
> routines:SSL_CTX_set_session_id_context:ssl session id context too
> long
Ugh. OpenSSL really is a horrible, horrible piece of software.

Are you sure there is absolutely no other change than going from 2.1.11
to 2.1.12 - there's nothing in the EAP & SSL routines that should cause
this - or rather, it should break under 2.1.11 just the same.

If you downgrade, using the exact same config as you have now, does it work?

The problem seems to be that OpenSSL has this tedious thing where, if
you are caching sessions, you have to set a "name" for a given SSL
context. Then if the programmer stores a session to e.g. SQL and tries
to re-import it, if the "name" doesn't match, it errors out.

This name field is short, and FreeRADIUS is probably trying to put too
much data into it.
You have two options - name your other EAP module shorter:

    eap pt-eap {
        ...
    }

Or, try this:

    eap partner-eap {
        ...
        tls {
            cache {
                name = A
            }
        }
    }

I'll roll a patch up for the underlying issue. It's odd that no-one else
is seeing it though.
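
Added example, not part of the original message and not FreeRADIUS code: OpenSSL rejects a session id context longer than SSL_MAX_SID_CTX_LENGTH (32 bytes), so a server that builds the context from a configurable name can bound it deterministically before calling SSL_CTX_set_session_id_context(). The helper make_sid_ctx(), the "radius-eap:" label format and the sample names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same value as OpenSSL's SSL_MAX_SID_CTX_LENGTH; redefined so this builds without libssl. */
#define SID_CTX_MAX 32

/* 64-bit FNV-1a. Only keeps shortened labels distinct; it is not a security primitive. */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/*
 * Hypothetical helper: turn an arbitrary-length label into a session id
 * context of at most SID_CTX_MAX bytes (no NUL terminator) and return its length.
 * Labels that fit are copied verbatim. Longer ones become 15 bytes of the
 * label, '-', and 16 hex digits of a hash of the whole label. The result is
 * deterministic, so a session stored before a restart still matches afterwards.
 */
size_t make_sid_ctx(const char *label, unsigned char out[SID_CTX_MAX])
{
    char buf[SID_CTX_MAX + 1];
    size_t len = strlen(label);

    if (len <= SID_CTX_MAX) {
        memcpy(out, label, len);
        return len;
    }
    snprintf(buf, sizeof buf, "%.15s-%016llx", label,
             (unsigned long long)fnv1a64(label));
    memcpy(out, buf, SID_CTX_MAX);
    return SID_CTX_MAX;
}

int main(void)
{
    /* Constructed sample labels: one short module name, one long one. */
    const char *labels[] = { "radius-eap:pt-eap",
                             "radius-eap:partner-eap-roaming-site-a" };
    unsigned char ctx[SID_CTX_MAX];
    for (size_t i = 0; i < 2; i++) {
        size_t n = make_sid_ctx(labels[i], ctx);
        printf("%-40s -> %2zu bytes: %.*s\n", labels[i], n, (int)n, (const char *)ctx);
    }
    return 0;
}
```

The returned buffer and length are what would be passed to SSL_CTX_set_session_id_context(), which then cannot fail with "ssl session id context too long".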