Warning about OpenSSL 1.0.2

Alan DeKok aland at deployingradius.com
Sat Oct 10 14:57:21 CEST 2015


  OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS.  None of this is documented by OpenSSL.  The result is that instead of successful authentication, you get:

	(6) eap_ttls: ERROR: Invalid ACK received: 256
	(6) eap_ttls: ERROR: [eaptls verify] = invalid
	(6) eap_ttls: ERROR: [eaptls process] = invalid

  The only solution is to apply the patch in commit b7b5493c61.  It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.

  This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.

  Sadly, this isn't the first time that OpenSSL broke FreeRADIUS, or other applications.

  Alan DeKok.



