Certificate problem between 3.0.11 and 3.1.x

Alan DeKok aland at deployingradius.com
Fri Mar 18 01:53:55 CET 2016


  Top posting quickly...

  If you could help narrow down the commit range, that would help enormously.  Even 4 attempts at a binary search of the commit range would take it from a year to  a few weeks. That would likely give us sufficient information to find and fix it. 

  Or, if you have a test client VM, that would help too. 

  EAP interoperability problems are a major problem, and are VERY high priority for us. Many, many people are affected, so the fixes are critical. 


> On Mar 17, 2016, at 7:03 PM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
> 
> Hmm, this thread got me interested - we were running 3.1.0 # 390f216 (around april 2015 I think) up until recently and it was fine with PEAP-EAP-MSCHAPv2/TLS, not that we used it much, but I did test it. 
> Now with our last git pull (64aa7f9) it doesn't work, same message about EAP not finishing. It also behaves the same with PEAP-EAP-TLS. Hopefully that helps a bit, but I understand it's quite a wide time-span.
> 
> eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> eap: !! EAP session 0x17ac0b0 did not finish!                                 !!
> eap: !! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
> eap: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> 
> 
> Thanks
> Andy
> 
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
> Sent: 16 March 2016 18:38
> To: FreeRadius users mailing list
> Subject: Re: Certificate problem between 3.0.11 and 3.1.x
> 
> 
>> On 16 Mar 2016, at 16:44, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>> On Mar 16, 2016, at 10:23 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
>>> Well, I wasn't able to get any useful debugging information out of Windows so we have reluctantly taken the decision to revert from bleeding-edge 3.1.x to stable 3.0.11 and work around the problem we were having by avoiding it. We'll revisit this when 3.2.x is released.
>> 
>> If you have time... it would help to know when 3.1 stopped working.  You could grab a copy of 3.1 from early 2015, and see if it works.  If so, do a binary search on the commits until you get one which works, and one shortly after that which doesn't.
>> 
>> That would at least help us narrow down what changed.  And would likely allow us to fix the problem.
> 
> Using current v3.1.x HEAD and running with -Xxx or a debug condition with debug level 3 set would also help.
> 
> We could compare the unencrypted tunnel data to what we see with wpa_supplicant and see what's different.
> 
> -Arran
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org> FreeRADIUS development team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list