Package: release.debian.org Control: affects -1 + src:freeradius X-Debbugs-Cc: [email protected] User: [email protected] Usertags: pu Tags: trixie X-Debbugs-Cc: [email protected] Severity: normal
freeradius in Trixie sets an openssl specific option in the wrong way. This had no effect with the openssl version in Trixie (3.5.1) but starting with the following version (3.5.2) it causes a failure freeradius and it can't accept any TLS connection. This has been corrected in freeradius upstream and is in unstable since freeradius 3.2.7+dfsg-2. This is a backport of the fix (as in -2) for Trixie. It will avoid a failure after updating openssl. Please find attached a diff against current version in stable. Sebastian
diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog --- freeradius-3.2.7+dfsg/debian/changelog 2025-02-10 22:50:22.000000000 +0100 +++ freeradius-3.2.7+dfsg/debian/changelog 2025-10-01 19:36:38.000000000 +0200 @@ -1,3 +1,10 @@ +freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium + + * Non-maintainer upload. + * Backport patch to fix compatibility with OpenSSL 3.5.2 (Closes: #1111328) + + -- Sebastian Andrzej Siewior <[email protected]> Wed, 01 Oct 2025 19:36:38 +0200 + freeradius (3.2.7+dfsg-1) unstable; urgency=medium * New upstream version 3.2.7+dfsg diff -Nru freeradius-3.2.7+dfsg/debian/patches/fips.patch freeradius-3.2.7+dfsg/debian/patches/fips.patch --- freeradius-3.2.7+dfsg/debian/patches/fips.patch 1970-01-01 01:00:00.000000000 +0100 +++ freeradius-3.2.7+dfsg/debian/patches/fips.patch 2025-08-21 14:05:00.000000000 +0200 @@ -0,0 +1,16 @@ +Author: Alan T. DeKok <[email protected]> +Description: change "fips=no" to "-fips" +Origin: upstream, https://github.com/FreeRADIUS/freeradius-server/commit/59e262f1134fef8d53d15ae963885a08c9ea8315 +Forwarded: https://github.com/FreeRADIUS/freeradius-server/issues/5631 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111328 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3644,7 +3644,7 @@ + CONF_modules_load_file(NULL, NULL, 0); + + #if OPENSSL_VERSION_NUMBER >= 0x30000000L +- EVP_set_default_properties(NULL, "fips=no"); ++ EVP_set_default_properties(NULL, "-fips"); + #endif + + /* diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series --- freeradius-3.2.7+dfsg/debian/patches/series 2025-02-10 22:50:22.000000000 +0100 +++ freeradius-3.2.7+dfsg/debian/patches/series 2025-10-01 19:31:39.000000000 +0200 @@ -5,3 +5,4 @@ debian-local/0010-version.c-disable-openssl-version-check.patch dont-install-tests.diff snakeoil-certs.diff +fips.patch
