Releasing 3.0.17?

Arran Cudbard-Bell a.cudbardb at
Thu Mar 29 20:12:02 CEST 2018

> On Mar 29, 2018, at 3:24 PM, Alan DeKok <aland at> wrote:
>  There are a few issues found && fixed since 3.0.16.  Unless there are major objections, I think we can release 3.0.17 next week.
>  The next step after that would be to add support for multiple kinds of certificates at the same time.  e.g. RSA and ECC.

As discussed offline, there are some side effects which make this difficult to do whilst maintaining backwards compatibility.

The big one is that using the 1.0.2 API to do certificate chaining seems to effectively disable auto chaining, as certs are no longer taken from the top level ca_file.

The change to how chaining works between OpenSSL < 1.0.2 and >= 1.0.2 is so major I'm tempted to suggest that we have a hard dependency on 1.0.2 in the FreeRADIUS v4.0.x branch to avoid confusion.

With FreeRADIUS 4 and < 1.0.2
- When auto_chain = yes (current default) is set, missing certs used to specify the complete certificate chain are taken from those specified in ca_file.
- Certs specified in certificate_file must be in exactly the right order
- Server certificate chain not pre-compiled
- Toggle to omit root CA is non-functional
- ca_file in the chain {} section is non-functional, which means chains can't be built with DER certs (only one cert allowed per file).
- Key agility is non-functional

With FreeRADIUS 4 and >= 1.0.2
- Certificates never pass between the stores used for client validation and building the server certificate chain.
- OpenSSL will automatically re-order certificates for you within the chain you're building.
- OpenSSL verifies that you have a complete chain from RootCA to server cert.
- Chain is pre-compiled.  Without this the chain is compiled for every new SSL session.
- Toggle to omit root CA is functional (and defaults to true).
- ca_file in chain sections works, meaning you can build chains with DER certs too, and keep your CAs and intermediaries as separate files on disk.
- Key agility works as expected.
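
The chain-building behaviour listed above for OpenSSL >= 1.0.2, as an added illustration that is not part of the original post and is not FreeRADIUS or OpenSSL code: a simplified Python model that matches certificates by name only, showing re-ordering, the complete-chain check, the omit-root toggle, and why an intermediate present only in the client-validation store no longer completes the server chain. The `Cert` type, `build_chain()` and all sample names are hypothetical.

```python
# Simplified model of server-chain building (added example; no OpenSSL calls).
# Certificates are matched by subject/issuer name only; a real builder also
# verifies signatures, validity periods and extensions.
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class IncompleteChain(Exception):
    pass


def build_chain(leaf, chain_store, omit_root=True):
    """Return [leaf, intermediates..., root] built only from chain_store.

    Input order in chain_store does not matter. Raises IncompleteChain when
    no path from the leaf to a self-signed root exists in chain_store.
    """
    by_subject = {c.subject: c for c in chain_store}
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while not current.self_signed:
        parent = by_subject.get(current.issuer)
        if parent is None or parent.subject in seen:
            raise IncompleteChain(f"no issuer for {current.subject!r}")
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain[:-1] if omit_root and len(chain) > 1 else chain


# Constructed sample hierarchy: Root CA -> Issuing CA -> server certificate.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA")
SERVER = Cert("radius.example.org", "Example Issuing CA")

# Store used to validate client certificates (hypothetical contents). It is
# never passed to build_chain(), mirroring the separation described above.
CLIENT_VERIFY_STORE = [ROOT, INTERMEDIATE]

if __name__ == "__main__":
    print([c.subject for c in build_chain(SERVER, [ROOT, INTERMEDIATE])])
    try:
        build_chain(SERVER, [ROOT])  # intermediate only in the other store
    except IncompleteChain as exc:
        print("chain build failed:", exc)
```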

