Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1636811
Summary: | FreeRadius needs to be 3.0.17 or newer to allow wpa_supplicant from F29 to connect due to TLS 1.3 problems (tls_max_version = "1.2" also needs to be set) | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Trever Adams <trever> | ||||
Component: | freeradius | Assignee: | Lubomir Rintel <lkundrak> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | urgent | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 29 | CC: | andreas.bierfert, ascheel, bgalvani, blueowl, dcaratti, dcbw, john.j5live, lemenkov, lkundrak, nikolai.kondrashov | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | freeradius-3.0.17-2.fc28 freeradius-3.0.17-2.fc29 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | |||||||
: | 1667841 (view as bug list) | Environment: | |||||
Last Closed: | 2019-01-15 01:53:05 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1667841 | ||||||
Attachments: |
|
Description
Trever Adams
2018-10-07 20:56:17 UTC
It is possible this is a library mismatch. I don't think 1.1.0 and 1.1.1 of OpenSSL are completely ABI compatible. I don't remember where I may have seen this. If I am wrong, ok. Either way, things are broken with WPA2 Enterprise TTLS or PEAP. This is a wpa_supplicant F29 vs. anything else problem. FreeRadius in the last version in F28 still worked. # rpm -q wpa_supplicant --requires | grep ssl libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) # ldd /usr/sbin/wpa_supplicant | grep ssl libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fcf269d3000) # rpm -qf /lib64/libssl.so.1.1 openssl-libs-1.1.1-3.fc29.x86_64 # ldd /usr/sbin/wpa_supplicant | grep ssl libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f24ee359000) # ldd /usr/sbin/radiusd | grep ssl libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fa5cb58f000) # rpm -q freeradius --requires | grep ssl libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) openssl >= 1:1.1.1 Why are both ssl versions required by freeradius? This is fixed by FreeRadius 3.0.17 with tls_max_version = "1.2" in the eap module configuration. I have compiled this with a slightly modified freeradius.spec and the update source tar.bz2. I know the right fix to support TLS v1.3 will be a bit off, but this is a good start and gets people running again. Created attachment 1492299 [details]
3 Changes versus 3.0.15 latest release in Fedora to get it to compile
Can confirm this. Upgrading to 3.0.17-1 from rawhide and adding tls_max_version="1.2" fixes the issue for me. Feel free to test the update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277 freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1bc4a63a4f freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bcf7fd8277 freeradius-3.0.17-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. freeradius-3.0.17-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |