FreeRADIUS EAP-TLS Auth. Issues

Alan DeKok aland at
Tue Jan 23 15:03:20 UTC 2024

On Jan 23, 2024, at 9:54 AM, SENECAUX Ludovic <Ludovic.SENECAUX at> wrote:
> I checked again my 2 radius servers ; if I set " reject_unknown_intermediate_ca = yes" :
> - 3.0.20 (PROD) : eap-tls auth. is ok
> - 3.2.3 (DEV): eap-tls auth. is broken
> Same OS version, same OpenSSL version, same Radius config.

  That's unfortunate.

  Looking at the two versions, the TLS code is in src/main/cb.c, and src/main/tls.c

  The "cb.c" file is identical to v3.0, other than some changes to the debug output.

  The "tls.c" file shows a few more differences, but those are largely debug output changes, or new features which don't affect certificate validation.

  I'd double-check the systems.  If this the same machine and the two versions of FreeRADIUS are different, then the issue is FreeRADIUS.

  If the two systems are different (magically somehow), then maybe there's some other OpenSSL issue which is causing the difference.  i.e. it's not enough to say "same version of OpenSSL".  There's all kinds of magic going on behind the scenes that I'm not aware of, such as vendor patches to code, configuration, etc.

  Also, please check that you're running packages from  If you're running packages supplied by the OS vendor, those are very often patched and different (i.e. broken) in odd ways.

  Alan DeKok.

More information about the Freeradius-Users mailing list