Backporting TLS fixes to Fedora and RHEL
Alan DeKok
aland at deployingradius.com
Fri Oct 15 17:49:58 CEST 2021
On Oct 15, 2021, at 11:16 AM, Antonio Torres <antorres at redhat.com> wrote:
> I'm the maintainer for FreeRADIUS in RHEL and Fedora. We have found an
> issue when using FreeRADIUS 3.0.21 and OpenSSL 3.0. Running eapol_test
> with the attached config (EAP-TTLS-TLS) fails with the following
> errors (logs attached):
>
> (9) eap_ttls: ERROR: Invalid ACK received: 256
That's due to magic changes in the internals of OpenSSL 3.0.0.
> (9) eap_ttls: ERROR: [eaptls verify] = invalid
> (9) eap_ttls: ERROR: [eaptls process] = invalid
> (9) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
>
> Tried updating to 3.0.23 and the issue seems to be fixed. However due
> to the updates policy we can't do a full upgrade, so we have to
> backport fixes to 3.0.21. I am having issues finding the commit(s)
> that fix this issue, so any help would be appreciated.
I'll echo Matthew here.
> I'm not sure this is related, but we are hitting an error with the
> same error message as this one but using MSCHAPv2. Here's the report:
> https://bugzilla.redhat.com/show_bug.cgi?id=2014525
> This is still valid in the latest FreeRADIUS release (3.0.25).
We're happy to do bug fixes for our software. We're rather less happy to do work for free, to debug issues created by corporate policies. Policies which we have no control over.
To be clear: RedHat makes rather a lot more money off of FreeRADIUS than I do. RedHat has shared precisely *zero* of that revenue with me. Ever. RedHat has in fact competed with me for business, and is actively trying to get customers away from me.
At the same time, we get RedHat customers asking us to help them. They're usually running versions which are years out of date, due to "no upgrade" policies like the above. When told "just upgrade to a version WE support", the answer is "No, I'm paying RedHat for support!" Except RH isn't supporting them, and isn't fixing the bugs.
All in all, we fix bugs, and we're happy to work with people. But make no mistake, the corporate approach is to leech off of my work, and then turn around and bill their customers for it. That's allowed by the GPL, but it doesn't make me inclined to fix issues created by the internal policies of a billion-dollar corporation.
Alan DeKok.