Bug#1043282: freeradius: TLS-Client-Cert-Common-Name contains incorrect value

Tue, 08 Aug 2023 06:09:41 -0700 

Package: freeradius
Version: 3.2.1+dfsg-4
Severity: important

Dear Maintainer,

We have a setup with TLS authentication where we use the CN of the client 
certificate ti check in LDAP if that CN has access to our VPN service. This was 
working fine in bullseye but breaks in bookworm. The reason is that 
TLS-Client-Cert-Common-Name no longer contains the CN from the client 
certificate but the CN from the CA certificate.

This is a known bug in freeradius 3.2.1 (see 
https://github.com/FreeRADIUS/freeradius-server/issues/4785) and is fixed in 
3.2.2. I REALLY hope this can be fixed ASAP in bookworm because we have had to 
skip the LDAP check to get our VPN working again and that is not a good thing.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set 
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeradius depends on:
ii  freeradius-common          3.2.1+dfsg-4
ii  freeradius-config          3.2.1+dfsg-4
ii  libc6                      2.36-9+deb12u1
ii  libcrypt1                  1:4.4.33-2
ii  libct4                     1.3.17+ds-2
ii  libfreeradius3             3.2.1+dfsg-4
ii  libgdbm6                   1.23-3
ii  libjson-c5                 0.16-2
ii  libpam0g                   1.5.2-6
ii  libperl5.36                5.36.0-7
ii  libreadline8               8.2-1.3
ii  libsqlite3-0               3.40.1-2
ii  libssl3                    3.0.9-1
ii  libsystemd0                252.12-1~deb12u1
ii  libtalloc2                 2.4.0-f2
ii  libwbclient0               2:4.17.9+dfsg-0+deb12u3
ii  lsb-base                   11.6
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages freeradius recommends:
ii  freeradius-utils  3.2.1+dfsg-4

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        3.2.1+dfsg-4
pn  freeradius-mysql       <none>
pn  freeradius-postgresql  <none>
pn  freeradius-python3     <none>
ii  snmp                   5.9.3+dfsg-2

-- debconf information excluded

Reply via email to