Hi Sam and Alan,

>    Christian> Reproducible in local autopkgtest
>
> Let me make sure I'm understanding.
> You are saying that prior to openssl 3, the test works, but with
> openssl3, the test fails?

Yes that is correct

> What is the ssl version in the successful tests?
> For example from the failing test we have:
> OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

Good: 1.1.1l-1ubuntu1
Bad:  3.0.0-1ubuntu1

But to be complete, since not all components have let go of libssl1.1 we
always have both ssl versions installed. Just freeradius is linking to
one or the other.

Good:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version         Architecture Description
+++-================-===============-============-============================================================
ii  freeradius       3.0.21+dfsg-3   amd64        high-performance and highly configurable RADIUS server
ii  libssl1.1:amd64  1.1.1l-1ubuntu1 amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl3:amd64    3.0.0-1ubuntu1  amd64        Secure Sockets Layer toolkit - shared libraries
ii  moonshot-gss-eap 1.0.1-6ubuntu2  amd64        Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0d3a268000)

Bad:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version             Architecture Description
+++-================-===================-============-============================================================
ii  freeradius       3.0.21+dfsg-3build1 amd64        high-performance and highly configurable RADIUS server
ii  libssl1.1:amd64  1.1.1l-1ubuntu1     amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl3:amd64    3.0.0-1ubuntu1      amd64        Secure Sockets Layer toolkit - shared libraries
ii  moonshot-gss-eap 1.0.1-6ubuntu2      amd64        Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
        libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f965de31000)


> What's the txver from that message in the successful test?
> Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version
> in use for some annoying standardization reasons.

Interestingly that is the same in both:
Good: OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
Bad:  OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)

But that is probably defined by moonshot who in Ubuntu [1] had a no
change rebuild against the new openssl.

[1]: https://launchpad.net/ubuntu/+source/moonshot-gss-eap/1.0.1-6ubuntu2

> It looks like things are failing on the server side.
> The autopkgtest produces the freeradius log (which is admittedly huge)
> as a test artifact.
> Could I get a pointer to a failing freeradius log?

Yeah I have those in my autopkgtest VMs like:
  /tmp/autopkgtest.axJ2k1/gss-client-artifacts/freeradius.log
I'll attach them to the bug in the next update after I copied them.

> I'm also going to bring this bug to the attention of Moonshot upstream.

Thank you

From here Alan's answer:

> My $0.02 is to try the head of v3.0.x. I don't recall if we put in fixes
> specifically for OpenSSL 3, but perhaps.
> We've also *significantly* updated the TLS debugging output. It's a lot
> clearer, and gives a lot more information.

I assume you mean freeradius?
This is already 3.0.21+dfsg-3(build1)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955009

Title:
  Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
