Your message dated Tue, 07 Mar 2023 22:23:51 +0000
with message-id <[email protected]>
and subject line Bug#919234: fixed in freeradius 3.2.1+dfsg-2
has caused the Debian Bug report #919234,
regarding ttls fails with tls 1.3, enabled by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
919234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: freeradius
severity: important
version: 3.0.17+dfsg-1
justification: regression that totally breaks connectivity
tags: upstream
I've cc'd Kurt because he requested openssl 1.3 test results a while
back.
While writing automated tests for moonshot-gss-eap, I discovered that
by default freeradius will not constrain the version of TLS in use
(probably good), but that its ttls implementation fails with TLS 1.3.
Things work fine if I explicitly set the max TLS version to 1.2.
Based on the errors I suspect that the issue had to deal with the
handling of the ttls TLS session ticket used by TTLS for fast
reauthentication.
My suspicion (and recollection from the spec) is that ttls knows more
about session internals than it should.
As a quick fix, I think the ttls code should limit the maximum TLS
version to 1.2 until the code can be fixed to work with 1.3.
Please do not limit all freeradius uses of TLS to 1.2: in particular I'd
really like to be able to use tls 1.3 with radsec.
Also, I strongly recommend making this change in code not in config
files. People tend not to update their configs once they get one
working.
To reproduce, grab the moonshot-gss-eap sources.
Comment out the TLS_MAX_VERSION on line 366 of
debian/tests/freeradius/eap and then rerun autopkgtest on the resulting
source package.
--- End Message ---
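Added example (not part of the bug report and not FreeRADIUS code): a small audit that reads an eap module file and reports whether the TLS settings used by ttls carry the TLS 1.2 ceiling the report describes as the workaround. It assumes the FreeRADIUS 3.0 option name tls_max_version and the stock tls-config/ttls layout; the sample file and the function names are constructed for illustration.

```python
# Added example: audit a FreeRADIUS 3.0-style eap module file for the TLS cap
# used as a workaround. SAMPLE_EAP is constructed, not taken from the bug report.
SAMPLE_EAP = """
eap {
    default_eap_type = ttls
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        tls_min_version = "1.2"
        # tls_max_version = "1.2"
    }
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
    }
}
"""

def parse_blocks(text):
    """Parse 'name [instance] {' ... '}' nesting and 'key = value' into dicts.
    Simplification: '#' always starts a comment, one statement per line."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            child = stack[-1].setdefault(" ".join(line[:-1].split()), {})
            stack.append(child)
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip("\"'")
    return root

def ttls_tls_cap(text):
    """Classify the TLS version ceiling that applies to the ttls method."""
    eap = parse_blocks(text).get("eap", {})
    ttls = eap.get("ttls")
    if not isinstance(ttls, dict):
        return "no-ttls"
    # Assumption: ttls points at a tls-config instance, "tls-common" by default.
    cfg = eap.get("tls-config " + ttls.get("tls", "tls-common"), {})
    cap = cfg.get("tls_max_version")
    if cap is None:
        return "uncapped"  # no ceiling set, so TLS 1.3 may be negotiated
    major, minor = (int(n) for n in cap.split("."))
    return "capped" if (major, minor) <= (1, 2) else "allows-1.3"

if __name__ == "__main__":
    print(ttls_tls_cap(SAMPLE_EAP))
```

In the stock layout the RadSec listener has its own tls block in a separate file, so a ceiling placed in the eap module's tls-config does not apply to it.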
--- Begin Message ---
Source: freeradius
Source-Version: 3.2.1+dfsg-2
Done: Bernhard Schmidt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
freeradius, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated freeradius package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 07 Mar 2023 22:51:06 +0100
Source: freeradius
Architecture: source
Version: 3.2.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeRADIUS Packaging Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 919234
Changes:
 freeradius (3.2.1+dfsg-2) unstable; urgency=medium
 .
   * Cherry-pick upstream fix for EAP-TTLS-MSCHAPv2 with TLSv1.3
     (Closes: #919234)
--- End Message ---