Warning about OpenSSL 1.0.2
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Sat Oct 10 18:54:14 CEST 2015
> On 10 Oct 2015, at 08:57, Alan DeKok <aland at deployingradius.com> wrote:
>
> OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS. None of this is documented by OpenSSL. The result is that instead of successful authentication, you get:
>
> (6) eap_ttls: ERROR: Invalid ACK received: 256
> (6) eap_ttls: ERROR: [eaptls verify] = invalid
> (6) eap_ttls: ERROR: [eaptls process] = invalid
>
> The only solution is to apply the patch in commit b7b5493c61. It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.
>
> This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.
Have to draw a line on 2.2.x; this uncertainty undermines people making the case to move to v3.0.x. 1.0.2 is not included by default in any stable releases of FreeBSD, Ubuntu/Debian, Red Hat/CentOS, OS X.
We experienced it because homebrew has moved to OpenSSL 1.0.2.
In related news, the FTP server seems to be broken.
shinyhead:freeradius-server-fork arr2036$ brew install freeradius-server
==> Downloading ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.bz2
curl: (78) RETR response: 550
Trying a mirror...
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2