Warning about OpenSSL 1.0.2
aland at deployingradius.com
Sat Oct 10 14:57:21 CEST 2015
OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS. None of this is documented by OpenSSL. The result is that instead of successful authentication, you get:
(6) eap_ttls: ERROR: Invalid ACK received: 256
(6) eap_ttls: ERROR: [eaptls verify] = invalid
(6) eap_ttls: ERROR: [eaptls process] = invalid
The only solution is to apply the patch in commit b7b5493c61. It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.
This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.
Sadly, this isn't the first time that OpenSSL broke FreeRADIUS, or other applications.
More information about the Freeradius-Users