Warning about OpenSSL 1.0.2

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Oct 10 18:54:14 CEST 2015

> On 10 Oct 2015, at 08:57, Alan DeKok <aland at deployingradius.com> wrote:
>  OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS.  None of this is documented by OpenSSL.  The result is that instead of successful authentication, you get:
> 	(6) eap_ttls: ERROR: Invalid ACK received: 256
> 	(6) eap_ttls: ERROR: [eaptls verify] = invalid
> 	(6) eap_ttls: ERROR: [eaptls process] = invalid
>  The only solution is to apply the patch in commit b7b5493c61.  It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.
>  This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.

Have to draw a line on 2.2.x this uncertainty undermines people making the case to move to v3.0.x.  1.0.2 is not included by default in any stable releases of FreeBSD, Ubuntu/Debian, Redhat/Centos, OSX.

We experienced it because homebrew has moved to OpenSSL 1.0.2.

In related news, FTP server seems to be broken.

shinyhead:freeradius-server-fork arr2036$ brew install freeradius-server
==> Downloading ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.bz2

curl: (78) RETR response: 550
Trying a mirror...


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20151010/1e3805f1/attachment-0001.sig>

More information about the Freeradius-Users mailing list