[Pkg-freeradius-maintainers] Bug#1043282: freeradius: TLS-Client-Cert-Common-Name contains incorrect value
Åke Holmlund
holm at informatik.umu.se
Tue Aug 8 13:59:03 BST 2023
Package: freeradius
Version: 3.2.1+dfsg-4
Severity: important
Dear Maintainer,
We have a setup with TLS authentication where we use the CN of the client certificate to check in LDAP if that CN has access to our VPN service. This was working fine in bullseye but breaks in bookworm. The reason is that TLS-Client-Cert-Common-Name no longer contains the CN from the client certificate but the CN from the CA certificate.
This is a known bug in freeradius 3.2.1 (see https://github.com/FreeRADIUS/freeradius-server/issues/4785) and is fixed in 3.2.2. I REALLY hope this can be fixed ASAP in bookworm because we have had to skip the LDAP check to get our VPN working again and that is not a good thing.
-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages freeradius depends on:
ii freeradius-common 3.2.1+dfsg-4
ii freeradius-config 3.2.1+dfsg-4
ii libc6 2.36-9+deb12u1
ii libcrypt1 1:4.4.33-2
ii libct4 1.3.17+ds-2
ii libfreeradius3 3.2.1+dfsg-4
ii libgdbm6 1.23-3
ii libjson-c5 0.16-2
ii libpam0g 1.5.2-6
ii libperl5.36 5.36.0-7
ii libreadline8 8.2-1.3
ii libsqlite3-0 3.40.1-2
ii libssl3 3.0.9-1
ii libsystemd0 252.12-1~deb12u1
ii libtalloc2 2.4.0-f2
ii libwbclient0 2:4.17.9+dfsg-0+deb12u3
ii lsb-base 11.6
ii sysvinit-utils [lsb-base] 3.06-4
Versions of packages freeradius recommends:
ii freeradius-utils 3.2.1+dfsg-4
Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
ii freeradius-ldap 3.2.1+dfsg-4
pn freeradius-mysql <none>
pn freeradius-postgresql <none>
pn freeradius-python3 <none>
ii snmp 5.9.3+dfsg-2
-- debconf information excluded