Package: freeradius Version: 3.2.1+dfsg-4 Severity: important Dear Maintainer,
We have a setup with TLS authentication where we use the CN of the client certificate ti check in LDAP if that CN has access to our VPN service. This was working fine in bullseye but breaks in bookworm. The reason is that TLS-Client-Cert-Common-Name no longer contains the CN from the client certificate but the CN from the CA certificate. This is a known bug in freeradius 3.2.1 (see https://github.com/FreeRADIUS/freeradius-server/issues/4785) and is fixed in 3.2.2. I REALLY hope this can be fixed ASAP in bookworm because we have had to skip the LDAP check to get our VPN working again and that is not a good thing. -- System Information: Debian Release: 12.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT) Kernel taint flags: TAINT_FIRMWARE_WORKAROUND Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages freeradius depends on: ii freeradius-common 3.2.1+dfsg-4 ii freeradius-config 3.2.1+dfsg-4 ii libc6 2.36-9+deb12u1 ii libcrypt1 1:4.4.33-2 ii libct4 1.3.17+ds-2 ii libfreeradius3 3.2.1+dfsg-4 ii libgdbm6 1.23-3 ii libjson-c5 0.16-2 ii libpam0g 1.5.2-6 ii libperl5.36 5.36.0-7 ii libreadline8 8.2-1.3 ii libsqlite3-0 3.40.1-2 ii libssl3 3.0.9-1 ii libsystemd0 252.12-1~deb12u1 ii libtalloc2 2.4.0-f2 ii libwbclient0 2:4.17.9+dfsg-0+deb12u3 ii lsb-base 11.6 ii sysvinit-utils [lsb-base] 3.06-4 Versions of packages freeradius recommends: ii freeradius-utils 3.2.1+dfsg-4 Versions of packages freeradius suggests: pn freeradius-krb5 <none> ii freeradius-ldap 3.2.1+dfsg-4 pn freeradius-mysql <none> pn freeradius-postgresql <none> pn freeradius-python3 <none> ii snmp 5.9.3+dfsg-2 -- debconf information excluded