Your message dated Mon, 6 Jan 2025 16:13:18 +0100
with message-id <[email protected]>
and subject line Re: Bug#1012330: freeradius: After upgrade to 3.2.0+dfsg-1
some (older?) client stop connect
has caused the Debian Bug report #1012330,
regarding freeradius: After upgrade to 3.2.0+dfsg-1 some (older?) client stop
connect
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1012330: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012330
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: freeradius
Version: 3.2.0+dfsg-1
Severity: important
X-Debbugs-Cc: [email protected]
When I upgraded to the new version, I found that some clients cannot connect.
In the logs I have:
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Expiring EAP session with state
0xab52c2e6aa35db5e
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Finished EAP session with state
0xab52c2e6aa35db5e
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Previous EAP request found for
state 0xab52c2e6aa35db5e, released from the list
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Peer sent packet with method EAP
PEAP (25)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap1: Calling submodule eap_peap to
process data
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Continuing ...
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Peer sent flags --L
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Peer says that the
final record size will be 195 bytes
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Got all data (195
bytes)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Verification says
length included
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] -
before SSL initialization (0)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] -
Server before SSL initialization (0)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] -
Server before SSL initialization (0)
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) recv TLS 1.3 Handshake,
ClientHello
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) send TLS 1.0 Alert, fatal
internal_error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Alert
write:fatal:internal error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Server : Error in error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Failed reading from
OpenSSL: ../ssl/t1_lib.c[3331]:error:0A000076:SSL routines::no suitable
signature algorithm
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) System call (I/O) error
(-1)
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) EAP Receive handshake
failed during operation
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: [eaptls process] = fail
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap1: Failed continuing EAP PEAP (25)
session. EAP sub-module failed
I played with
cipher_list =
tls_min_version= ..
tls_max_version = ...
in the /etc/freeradius/3.0/mods-enabled/eap
file, but without success...
Before the upgrade there were:
cipher_list = "DEFAULT:TLSv1.0"
tls_min_version= 1.0
Downgrading to 3.0.25 resolves the issue.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages freeradius depends on:
ii freeradius-common 3.0.25+dfsg-1.1
ii freeradius-config 3.0.25+dfsg-1.1
ii libc6 2.33-7
ii libcrypt1 1:4.4.27-1.1
ii libct4 1.3.6-1.1
ii libfreeradius3 3.2.0+dfsg-1
ii libgdbm6 1.23-1
ii libjson-c5 0.16-1
ii libpam0g 1.4.0-13
ii libperl5.34 5.34.0-4
ii libreadline8 8.1.2-1.2
ii libsqlite3-0 3.38.5-1
ii libssl3 3.0.3-5
ii libsystemd0 251.1-1
ii libtalloc2 2.3.3-4
ii libwbclient0 2:4.16.1+dfsg-4
ii lsb-base 11.2
Versions of packages freeradius recommends:
ii freeradius-utils 3.2.0+dfsg-1
Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
ii freeradius-ldap 3.2.0+dfsg-1
pn freeradius-mysql <none>
ii freeradius-postgresql 3.2.0+dfsg-1
pn freeradius-python3 <none>
pn snmp <none>
-- Configuration Files:
/etc/default/freeradius changed [not included]
/etc/logrotate.d/freeradius changed [not included]
-- no debconf information
--- End Message ---
--- Begin Message ---
Control: summary -1 TLSv1.0 clients need adjustments to the cipher_list
On 04/06/22 12:59 PM, Kamil Jonca wrote:
> Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) recv TLS 1.3 Handshake,
> ClientHello
> Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) send TLS 1.0 Alert,
> fatal internal_error
TLSv1.0 clients need special treatment with recent versions. I think it
will fail to work even with special knobs in the future.
Bernhard
--- End Message ---
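Added example (not part of the original report and not FreeRADIUS code): a small Python triage script for debug logs like the one in this report. It re-joins the e-mail-wrapped lines into whole log entries and reports, per request id, the OpenSSL error and the fatal alert the server sent. The regular expressions, the function names and the request (3) entry in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the request (2) lines are copied from the report above, still
# wrapped as in the e-mail; the request (3) entry is constructed.
SAMPLE = """\
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) recv TLS 1.3 Handshake,
ClientHello
Sat Jun 4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) send TLS 1.0 Alert, fatal
internal_error
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Failed reading from
OpenSSL: ../ssl/t1_lib.c[3331]:error:0A000076:SSL routines::no suitable
signature algorithm
Sat Jun 4 12:44:50 2022 : ERROR: (2) eap1: Failed continuing EAP PEAP (25)
session. EAP sub-module failed
Sat Jun 4 12:45:02 2022 : Debug: (3) eap_peap: (TLS) recv TLS 1.3 Handshake,
ClientHello
"""

# Start of a log entry: timestamp, level, (request id), module, message.
HEAD = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} : (\w+): \((\d+)\) (\w+): (.*)$")
ALERT = re.compile(r"send TLS ([\d.]+) Alert, fatal (\w+)")
OSSL_ERR = re.compile(r"error:([0-9A-F]{8}):SSL routines::(.+)$")

def unwrap(text):
    """Re-join wrapped continuation lines into one string per log entry."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return {request_id: details} for requests that hit an OpenSSL error."""
    sessions = defaultdict(dict)
    for rec in unwrap(text):
        level, req, _module, msg = HEAD.match(rec).groups()
        s = sessions[int(req)]
        if (a := ALERT.search(msg)):
            s["alert_record_version"], s["alert"] = a.groups()
        if (e := OSSL_ERR.search(msg)):
            s["openssl_code"], s["reason"] = e.groups()
        if level == "ERROR" and "EAP sub-module failed" in msg:
            s["eap_failed"] = True
    return {req: s for req, s in sessions.items() if "reason" in s}
```

Calling triage(SAMPLE) returns one entry, for request 2, with the OpenSSL reason string, the error code, and the alert that was sent.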