[Pkg-freeradius-maintainers] Bug#1012330: freeradius: After upgrade to 3.2.0+dfsg-1 some (older?) client stop connect

Kamil Jonca kjonca at poczta.onet.pl
Sat Jun 4 11:59:19 BST 2022 

Package: freeradius
Version: 3.2.0+dfsg-1
Severity: important
X-Debbugs-Cc: kjonca at poczta.onet.pl


When upgraded to new  version I found that some clients cannot connect.
In logs I have:

Sat Jun  4 12:44:50 2022 : Debug: (2) eap1: Expiring EAP session with state 0xab52c2e6aa35db5e
Sat Jun  4 12:44:50 2022 : Debug: (2) eap1: Finished EAP session with state 0xab52c2e6aa35db5e
Sat Jun  4 12:44:50 2022 : Debug: (2) eap1: Previous EAP request found for state 0xab52c2e6aa35db5e, released from the list
Sat Jun  4 12:44:50 2022 : Debug: (2) eap1: Peer sent packet with method EAP PEAP (25)
Sat Jun  4 12:44:50 2022 : Debug: (2) eap1: Calling submodule eap_peap to process data
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Continuing ...
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Peer sent flags --L
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Peer says that the final record size will be 195 bytes
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Got all data (195 bytes)
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) EAP Verification says length included
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] - before SSL initialization (0)
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] - Server before SSL initialization (0)
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) Handshake state [PINIT] - Server before SSL initialization (0)
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
Sat Jun  4 12:44:50 2022 : Debug: (2) eap_peap: (TLS) send TLS 1.0 Alert, fatal internal_error
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Alert write:fatal:internal error
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Server : Error in error
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) Failed reading from OpenSSL: ../ssl/t1_lib.c[3331]:error:0A000076:SSL routines::no suitable signature algorithm
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) System call (I/O) error (-1)
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap_peap: (TLS) EAP Receive handshake failed during operation
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap_peap: [eaptls process] = fail
Sat Jun  4 12:44:50 2022 : ERROR: (2) eap1: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

I played with
            cipher_list = 
            tls_min_version= ..
            tls_max_version = ...

in /etc/freeradius/3.0/mods-enabled/eap
file but without success...
before upgrade there were 

            cipher_list = "DEFAULT:TLSv1.0"
            tls_min_version= 1.0


downgrading to 3.0.25 resolves the issue.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-2-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeradius depends on:
ii  freeradius-common  3.0.25+dfsg-1.1
ii  freeradius-config  3.0.25+dfsg-1.1
ii  libc6              2.33-7
ii  libcrypt1          1:4.4.27-1.1
ii  libct4             1.3.6-1.1
ii  libfreeradius3     3.2.0+dfsg-1
ii  libgdbm6           1.23-1
ii  libjson-c5         0.16-1
ii  libpam0g           1.4.0-13
ii  libperl5.34        5.34.0-4
ii  libreadline8       8.1.2-1.2
ii  libsqlite3-0       3.38.5-1
ii  libssl3            3.0.3-5
ii  libsystemd0        251.1-1
ii  libtalloc2         2.3.3-4
ii  libwbclient0       2:4.16.1+dfsg-4
ii  lsb-base           11.2

Versions of packages freeradius recommends:
ii  freeradius-utils  3.2.0+dfsg-1

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        3.2.0+dfsg-1
pn  freeradius-mysql       <none>
ii  freeradius-postgresql  3.2.0+dfsg-1
pn  freeradius-python3     <none>
pn  snmp                   <none>

-- Configuration Files:
/etc/default/freeradius changed [not included]
/etc/logrotate.d/freeradius changed [not included]

-- no debconf information

More information about the Pkg-freeradius-maintainers mailing list