With this patch https://github.com/FreeRADIUS/freeradius-server/commit/a1f5fd2213c0104d0e124d804ab8c210c9fedb18:
From a1f5fd2213c0104d0e124d804ab8c210c9fedb18 Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" <al...@freeradius.org> Date: Thu, 30 Dec 2021 15:31:55 -0500 Subject: [PATCH] OpenSSL3 sends invalid content types all of the time... --- src/main/cb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/cb.c b/src/main/cb.c index 372b8fa8228..0796914b41f 100644 --- a/src/main/cb.c +++ b/src/main/cb.c 
@@ -132,11 +132,11 @@ void cbtls_msg(int write_p, int msg_version, int content_type, tls_session_t *state = (tls_session_t *)arg; /* - * OpenSSL 1.0.2 calls this function with 'pseudo' - * content types. Which breaks our tracking of - * the SSL Session state. + * OpenSSL calls this function with 'pseudo' content + * types. Which breaks our tracking of the SSL Session + * state. */ - if ((msg_version == 0) && (content_type > UINT8_MAX)) { + if ((msg_version == 0) || (content_type >= UINT8_MAX)) { DEBUG4("(TLS) Ignoring cbtls_msg call with pseudo content type %i, version %i", content_type, msg_version); return;

The test passes, and it does log "Ignoring cbtls_msg call ..." multiple times:

...
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Authenticate
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Continuing EAP-TLS
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Peer sent flags ---
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: [eaptls verify] = ok
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Done initial handshake
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: (other): before SSL initialization
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: <<< recv TLS 1.3 [length 00b7]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 003d]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 0345]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 014d]
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 0004]
...

I thought this would also be needed https://github.com/FreeRADIUS/freeradius-server/commit/cbbbd30f84a5b2a7d435ce0da765796ee3987e21, but the test passes without it.

The point is that current 3.0.x branch has a few more openssl-3-related commits. We can cherry-pick the one needed for this test, or all of them, or do that and wait for a 3.0.26 release and then remove the patches.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955009

Title:
  Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
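Review bot: in the `+ if ((msg_version == 0) || (content_type >= UINT8_MAX))` line of the cbtls_msg hunk, the comparison also moved from `>` to `>=`, and neither the commit message nor the rewritten comment says why; the new condition now also skips content_type 255, which fits in one byte and is not a 'pseudo' type in the sense the comment describes, while the `&&` to `||` change separately makes every msg_version == 0 callback ignored regardless of its content type. The calls shown in the log (content type 256, version 769 or 771) are caught by the `content_type` half alone and would equally be caught by `> UINT8_MAX`, so suggest keeping `>` unless 255 is meant to be dropped, and spelling out in the comment which pseudo types (256 as seen in the log) and which version-0 calls the check is intended to filter, since the comment lost its "OpenSSL 1.0.2" qualifier without gaining an explanation.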