Warning about OpenSSL 1.0.2

Alan DeKok aland at deployingradius.com
Sat Oct 10 19:31:55 CEST 2015


  If OpenSSL 1.0.2 isn't in old systems, we can leave 2.2.10 alone. 

 For the ftp site, old releases are in the "old" directory. :)

> On Oct 10, 2015, at 12:54 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
>> On 10 Oct 2015, at 08:57, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>> OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS.  None of this is documented by OpenSSL.  The result is that instead of successful authentication, you get:
>> 
>>    (6) eap_ttls: ERROR: Invalid ACK received: 256
>>    (6) eap_ttls: ERROR: [eaptls verify] = invalid
>>    (6) eap_ttls: ERROR: [eaptls process] = invalid
>> 
>> The only solution is to apply the patch in commit b7b5493c61.  It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.
>> 
>> This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.
> 
> Have to draw a line on 2.2.x; this uncertainty undermines people making the case to move to v3.0.x.  1.0.2 is not included by default in any stable releases of FreeBSD, Ubuntu/Debian, Redhat/Centos, OSX.
> 
> We experienced it because homebrew has moved to OpenSSL 1.0.2.
> 
> In related news, FTP server seems to be broken.
> 
> shinyhead:freeradius-server-fork arr2036$ brew install freeradius-server
> ==> Downloading ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.9.tar.bz2
> 
> curl: (78) RETR response: 550
> Trying a mirror...
> 
> -Arran
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
