FR 3.0.21 on Debian Buster delivering strange cert+chain?

Alan DeKok aland at
Wed Jul 15 17:13:39 CEST 2020

On Jul 15, 2020, at 6:33 AM, Martin Pauly <pauly at> wrote:
> I'm getting an obscure effect with FR 3.0.21 on a fresh Debian Buster installation
> (I compiled myself from the download package).

  I suggest using the packages from our web site:,

> Despite an identical config (as compared to the predecessor with FR 3.017 on Debian Jessie),
> some clients will not match the server cert to the chain provided.

  FreeRADIUS uses OpenSSL to implement all certificate handling.  By switching versions of OpenSSL, you change the behaviour of certificate handling.

> Seemingly, these are all Apple supplicants and also eapol_test, see attached output
> Any idea what's going wrong?
> I've just seen there is FR 3.0.21 on buster-backports, are there any related changes
> in there?

  See the "auto_chain" configuration as previously suggested.  OpenSSL does some "inventive" things  :(

  Alan DeKok.

More information about the Freeradius-Users mailing list