I have no time to look into this. Can you send a patch please?

On Sun, Jan 13, 2019 at 11:33 PM Sam Hartman <hartm...@debian.org> wrote:

> package: freeradius
> severity: important
> version: 3.0.17+dfsg-1
> justification: regression that totally breaks connectivity
> tags: upstream
>
> I've cc'd Kurt because he requested openssl 1.3 test results a while
> back.
>
> While writing automated tests for moonshot-gss-eap, I discovered that
> by default freeradius will not constrain the version of TLS in use
> (probably good), but that its ttls implementation fails with TLS 1.3.
> Things work fine if I explicitly set the max TLS version to 1.2.
>
> Based on the errors I suspect that the issue has to do with the
> handling of the ttls TLS session ticket used by TTLS for fast
> reauthentication.
> My suspicion (and recollection from the spec) is that ttls knows more
> about session internals than it should.
>
> As a quick fix, I think the ttls code should limit the maximum TLS
> version to 1.2 until the code can be fixed to work with 1.3.
>
> Please do not limit all freeradius uses of TLS to 1.2: in particular I'd
> really like to be able to use tls 1.3 with radsec.
> Also, I strongly recommend making this change in code not in config
> files. People tend not to update their configs once they get one
> working.
>
> To reproduce, grab the moonshot-gss-eap sources.
> Comment out the TLS_MAX_VERSION on line 366 of
> debian/tests/freeradius/eap and then rerun autopkgtest on the resulting
> source package.
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-freeradius-maintainers

-- 
Best regards,
Michael
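For readers who need the configuration-side workaround Sam mentions (capping the EAP-TTLS TLS version at 1.2 until the server code handles TLS 1.3), the following is an added illustration written for this page; it is not taken from the bug report, from the moonshot-gss-eap autopkgtest files, or from the Debian package. It assumes a FreeRADIUS 3.0.x `mods-available/eap` layout, where `tls_min_version` and `tls_max_version` are the keywords of the shared `tls-config` block; the certificate paths are placeholders.

```conf
eap {
    default_eap_type = ttls

    # Shared TLS settings referenced by the EAP methods below.
    # Left unset (the 3.0.17 default), tls_max_version lets OpenSSL 1.1.1
    # negotiate TLS 1.3, and according to the report EAP-TTLS then fails.
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # placeholder path
        certificate_file = ${certdir}/server.pem   # placeholder path
        ca_file          = ${cadir}/ca.pem         # placeholder path

        # Workaround: cap negotiation at TLS 1.2 until the TTLS code is
        # fixed. Pin the minimum as well so the cap does not quietly
        # re-admit TLS 1.0/1.1.
        tls_min_version = "1.2"
        tls_max_version = "1.2"
    }

    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}
```

Two caveats follow from the report itself. First, this is exactly the config-file fix Sam argues against: once it is in a working `eap` file it tends to outlive the bug, so the cap should be re-examined when the package moves to a release whose TTLS works with 1.3. Second, the cap lives in the `eap` module's `tls-config` and so applies to every EAP method that references `tls-common`; the RadSec listener's TLS settings are configured separately in its `listen { tls { ... } }` block, which is why limiting only the EAP path need not prevent TLS 1.3 on RadSec.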