Warning about OpenSSL 1.0.2

Michael Ströder michael at stroeder.com
Sat Oct 10 20:40:56 CEST 2015


Arran Cudbard-Bell wrote:
> 
>> On 10 Oct 2015, at 08:57, Alan DeKok <aland at deployingradius.com> wrote:
>>
>>  OpenSSL 1.0.2 changes the way it interacts with FreeRADIUS.  None of this is documented by OpenSSL.  The result is that instead of successful authentication, you get:
>>
>> 	(6) eap_ttls: ERROR: Invalid ACK received: 256
>> 	(6) eap_ttls: ERROR: [eaptls verify] = invalid
>> 	(6) eap_ttls: ERROR: [eaptls process] = invalid
>>
>>  The only solution is to apply the patch in commit b7b5493c61.  It doesn't fix the underlying OpenSSL problem, but it makes FreeRADIUS ignore the broken API calls.
>>
>>  This problem is serious enough that we may have to issue 3.0.11, and possibly 2.2.10, also.
> 
> Have to draw a line on 2.2.x; this uncertainty undermines people making the case to move to v3.0.x.  1.0.2 is not included by default in any stable releases of FreeBSD, Ubuntu/Debian, Red Hat/CentOS, OS X.
> 
> We experienced it because homebrew has moved to OpenSSL 1.0.2.

Which exact version of OpenSSL 1.0.2?

I'm asking because I'm running FreeRADIUS 3.0.10 (formerly 3.0.9) on openSUSE
Tumbleweed (x86_64 and armv6l) with package openssl-1.0.2d-1.1 using
EAP-TTLS/PAP without issue.

Maybe you're hitting the HMAC ABI incompatibility?
It was fixed in 1.0.2c:
https://www.openssl.org/news/changelog.html#x2

Ciao, Michael.

