From didier.raboud at liip.ch  Tue Nov 18 11:19:04 2025
From: didier.raboud at liip.ch (Didier Raboud)
Date: Tue, 18 Nov 2025 12:19:04 +0100
Subject: [Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation
 fault with 3-chain certificate
Message-ID: <176346474419.42364.17994615969384303719.reportbug@turnagra>

Package: freeradius
Version: 3.2.7+dfsg-1+deb13u1
Severity: serious

Dear Maintainer,

Our setup is working fine, with a Sectigo DV certificate chain in
/etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
Radsec setup (so private_key_file and certificate_file are set in
3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).

Today, I had to update that certificate (which is close to expiring), moving
from this chain:

* certificate
* Sectigo ECC Domain Validation Secure Server CA
* USERTrust ECC Certification Authority

to this chain:

* certificate
* Sectigo Public Server Authentication CA DV E36
* Sectigo Public Server Authentication Root E46
* USERTrust ECC Certification Authority

? and it now segfaults whenever we try to access the radius-to-radsec proxy.

In other words, the fullchain.pem which before contained 2 certificates (the
certificate and 1 intermediary), now contains 3 certificates (the certificate,
and 2 intermediaries), and with this the server segfaults.

I have not yet managed to extract a stacktrace or a core dump, I would be all
ears to get this solved.

Best,
OdyX

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.41+deb13-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeradius depends on:
ii  freeradius-common  3.2.7+dfsg-1+deb13u1
ii  freeradius-config  3.2.7+dfsg-1+deb13u1
ii  libc6              2.41-12
ii  libcrypt1          1:4.4.38-1
ii  libct4             1.3.17+ds-2+deb13u1
ii  libfreeradius3     3.2.7+dfsg-1+deb13u1
ii  libgdbm6t64        1.24-2
ii  libjson-c5         0.18+ds-1
ii  libpam0g           1.7.0-5
ii  libperl5.40        5.40.1-6
ii  libreadline8t64    8.2-6
ii  libsqlite3-0       3.46.1-7
ii  libssl3t64         3.5.4-1~deb13u1
ii  libsystemd0        257.9-1~deb13u1
ii  libtalloc2         2:2.4.3+samba4.22.6+dfsg-0+deb13u1
ii  libwbclient0       2:4.22.6+dfsg-0+deb13u1
ii  perl               5.40.1-6

Versions of packages freeradius recommends:
ii  freeradius-utils  3.2.7+dfsg-1+deb13u1

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        3.2.7+dfsg-1+deb13u1
pn  freeradius-mysql       <none>
pn  freeradius-postgresql  <none>
pn  freeradius-python3     <none>
pn  snmp                   <none>

From berni at debian.org  Tue Nov 18 16:12:57 2025
From: berni at debian.org (Bernhard Schmidt)
Date: Tue, 18 Nov 2025 17:12:57 +0100
Subject: [Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation
 fault with 3-chain certificate
In-Reply-To: <176346474419.42364.17994615969384303719.reportbug@turnagra>
References: <176346474419.42364.17994615969384303719.reportbug@turnagra>
 <176346474419.42364.17994615969384303719.reportbug@turnagra>
Message-ID: <ac9668d3-1290-448f-96eb-2c0edf83739d@debian.org>

Dear Didier,

 > Our setup is working fine, with a Sectigo DV certificate chain in
> /etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
> Radsec setup (so private_key_file and certificate_file are set in
> 3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
> verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).
> 
> Today, I had to update that certificate (which is close to expiring), moving
> from this chain:
> 
> * certificate
> * Sectigo ECC Domain Validation Secure Server CA
> * USERTrust ECC Certification Authority
> 
> to this chain:
> 
> * certificate
> * Sectigo Public Server Authentication CA DV E36
> * Sectigo Public Server Authentication Root E46
> * USERTrust ECC Certification Authority
> 
> ? and it now segfaults whenever we try to access the radius-to-radsec proxy.
> 
> In other words, the fullchain.pem which before contained 2 certificates (the
> certificate and 1 intermediary), now contains 3 certificates (the certificate,
> and 2 intermediaries), and with this the server segfaults.
> 
> I have not yet managed to extract a stacktrace or a core dump, I would be all
> ears to get this solved.

This sounds a bit like this problem

https://github.com/FreeRADIUS/freeradius-server/issues/5515
https://github.com/FreeRADIUS/freeradius-server/commit/286415adce9bc9e8cf974810f5be941dc2131056

which is resolved in 3.2.8.

Do you have a chance to check with this patch applied?

Bernhard


From owner at bugs.debian.org  Tue Nov 18 17:05:02 2025
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 18 Nov 2025 17:05:02 +0000
Subject: [Pkg-freeradius-maintainers] Processed (with 1 error): Re:
 Bug#1120927: freeradius: Segmentation fault with 3-chain certificate
References: <CAAe0PDyLuey3btKXChjP_9Gz=GubN2Zj=tudZsk-5HkQwuMCNA@mail.gmail.com>
 <176346474419.42364.17994615969384303719.reportbug@turnagra>
Message-ID: <handler.s.B1120927.17634853873677449.transcript@bugs.debian.org>

Processing control commands:

> tags -1 +patch +upstream
Bug #1120927 [freeradius] freeradius: Segmentation fault with 3-chain certificate
Added tag(s) patch.
Bug #1120927 [freeradius] freeradius: Segmentation fault with 3-chain certificate
Added tag(s) upstream.
> forwarded -1
Unknown command or malformed arguments to command.


-- 
1120927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems


From didier.raboud at liip.ch  Tue Nov 18 17:02:52 2025
From: didier.raboud at liip.ch (Didier Raboud)
Date: Tue, 18 Nov 2025 18:02:52 +0100
Subject: [Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation
 fault with 3-chain certificate
References: <176346474419.42364.17994615969384303719.reportbug@turnagra>
Message-ID: <CAAe0PDyLuey3btKXChjP_9Gz=GubN2Zj=tudZsk-5HkQwuMCNA@mail.gmail.com>

Version:  3.2.8+dfsg-1
Control: tags -1 +patch +upstream
Control: forwarded -1
https://github.com/FreeRADIUS/freeradius-server/issues/5515

Hello there Bernhard,

Fantastic! I spent the afternoon trying to reproduce a minimal case in
Docker (and had succeeded just when I saw your email).

It turns out? I have built this patch in a trixie chroot and deployed
it to our production server, and the segfault is gone!

So I'm marking this as fixed in the version in testing/unstable.

Should we get to prepare a stable update? It'd be really nice to get
this fixed for everyone using stable, happy to help!

Best,
OdyX

On Tue, 18 Nov 2025 17:12:57 +0100 Bernhard Schmidt <berni at debian.org> wrote:
>  > Our setup is working fine, with a Sectigo DV certificate chain in
> > /etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
> > Radsec setup (so private_key_file and certificate_file are set in
> > 3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
> > verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).
> >
> > Today, I had to update that certificate (which is close to expiring), moving
> > from this chain:
> >
> > * certificate
> > * Sectigo ECC Domain Validation Secure Server CA
> > * USERTrust ECC Certification Authority
> >
> > to this chain:
> >
> > * certificate
> > * Sectigo Public Server Authentication CA DV E36
> > * Sectigo Public Server Authentication Root E46
> > * USERTrust ECC Certification Authority
> >
> > ? and it now segfaults whenever we try to access the radius-to-radsec proxy.
> >
> > In other words, the fullchain.pem which before contained 2 certificates (the
> > certificate and 1 intermediary), now contains 3 certificates (the certificate,
> > and 2 intermediaries), and with this the server segfaults.
> >
> > I have not yet managed to extract a stacktrace or a core dump, I would be all
> > ears to get this solved.
>
> This sounds a bit like this problem
>
> https://github.com/FreeRADIUS/freeradius-server/issues/5515
> https://github.com/FreeRADIUS/freeradius-server/commit/286415adce9bc9e8cf974810f5be941dc2131056
>
> which is resolved in 3.2.8.
>
> Do you have a chance to check with this patch applied?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius_1120927.debdiff
Type: application/octet-stream
Size: 3082 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/f6efab0d/attachment.obj>

From owner at bugs.debian.org  Tue Nov 18 17:05:04 2025
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 18 Nov 2025 17:05:04 +0000
Subject: [Pkg-freeradius-maintainers] Bug#1120927: marked as done
 (freeradius: Segmentation fault with 3-chain certificate)
References: <CAAe0PDyLuey3btKXChjP_9Gz=GubN2Zj=tudZsk-5HkQwuMCNA@mail.gmail.com>
 <176346474419.42364.17994615969384303719.reportbug@turnagra>
Message-ID: <handler.1120927.D1120927.17634853873677455.ackdone@bugs.debian.org>

Your message dated Tue, 18 Nov 2025 18:02:52 +0100
with message-id <CAAe0PDyLuey3btKXChjP_9Gz=GubN2Zj=tudZsk-5HkQwuMCNA at mail.gmail.com>
and subject line Re: Bug#1120927: freeradius: Segmentation fault with 3-chain certificate
has caused the Debian Bug report #1120927,
regarding freeradius: Segmentation fault with 3-chain certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
1120927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Didier Raboud <didier.raboud at liip.ch>
Subject: freeradius: Segmentation fault with 3-chain certificate
Date: Tue, 18 Nov 2025 12:19:04 +0100
Size: 5604
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/a5c0b03a/attachment-0002.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Didier Raboud <didier.raboud at liip.ch>
Subject: Re: Bug#1120927: freeradius: Segmentation fault with 3-chain certificate
Date: Tue, 18 Nov 2025 18:02:52 +0100
Size: 10842
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/a5c0b03a/attachment-0003.eml>

From owner at bugs.debian.org  Tue Nov 18 17:27:02 2025
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 18 Nov 2025 17:27:02 +0000
Subject: [Pkg-freeradius-maintainers] Processed: bug 1120927 is forwarded to
 https://github.com/FreeRADIUS/freeradius-server/issues/5515
References: <1763486341-1300-bts-didier.raboud@liip.ch>
Message-ID: <handler.s.C.17634866903690772.transcript@bugs.debian.org>

Processing commands for control at bugs.debian.org:

> forwarded 1120927 https://github.com/FreeRADIUS/freeradius-server/issues/5515
Bug #1120927 {Done: Didier Raboud <didier.raboud at liip.ch>} [freeradius] freeradius: Segmentation fault with 3-chain certificate
Set Bug forwarded-to-address to 'https://github.com/FreeRADIUS/freeradius-server/issues/5515'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1120927: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems


From gitlab at salsa.debian.org  Tue Nov 18 20:57:32 2025
From: gitlab at salsa.debian.org (Bernhard Schmidt (@berni))
Date: Tue, 18 Nov 2025 20:57:32 +0000
Subject: [Pkg-freeradius-maintainers] [Git][debian/freeradius] Pushed new
 branch debian/trixie
Message-ID: <691cddbca70c0_57b52447bc11126fd@godard.mail>



Bernhard Schmidt pushed new branch debian/trixie at Debian / freeradius

-- 
View it on GitLab: https://salsa.debian.org/debian/freeradius/-/tree/debian/trixie
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/994a6a91/attachment.htm>

From gitlab at salsa.debian.org  Tue Nov 18 20:57:35 2025
From: gitlab at salsa.debian.org (Bernhard Schmidt (@berni))
Date: Tue, 18 Nov 2025 20:57:35 +0000
Subject: [Pkg-freeradius-maintainers] [Git][debian/freeradius] Pushed new
 tag debian/3.2.7+dfsg-1+deb13u1
Message-ID: <691cddbf457c9_57b45e54581112892@godard.mail>



Bernhard Schmidt pushed new tag debian/3.2.7+dfsg-1+deb13u1 at Debian / freeradius

-- 
View it on GitLab: https://salsa.debian.org/debian/freeradius/-/tree/debian/3.2.7+dfsg-1+deb13u1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/8679d283/attachment.htm>

From berni at debian.org  Tue Nov 18 21:20:53 2025
From: berni at debian.org (Bernhard Schmidt)
Date: Tue, 18 Nov 2025 22:20:53 +0100
Subject: [Pkg-freeradius-maintainers] Bug#1120965: trixie-pu: package
 freeradius/3.2.7+dfsg-1+deb13u2
Message-ID: <176350085350.2330706.9551574289749796184.reportbug@fliwatuet.svr02.mucip.net>

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: freeradius at packages.debian.org
Control: affects -1 + src:freeradius
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
FreeRADIUS 3.2.7 in Trixie contains a bug that causes it to segfault
when a certificate chain with two intermediate certificates are loaded, see

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120927
https://github.com/FreeRADIUS/freeradius-server/issues/5515

It can be fixed by backporting a single commit from 3.2.8, therefor
unstable is already fixed.

The issue was found, the patch prepared and verified by OdyX

[ Impact ]
Segmentation fault when a new certificate chain is loaded

[ Tests ]
Fix verified by Didier 'OdyX' Radoud
FreeRADIUS has some non-trivial autopkgtest, however that does not test
EAP/TLS-related codepaths

[ Risks ]
Verified fix, direct backport of a commit released with a later upstream
version

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- Backporting fix
- Change salsa-ci to run in trixie

[ Other info ]
As CAs tend to change their intermediate structure and may introduce
intermediates with certificate refreshs (as it has happened here for the
original reporter) I consider this somewhat urgent. Therefor I would
like to push this to proposed as soon as possible.
-------------- next part --------------
diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog
--- freeradius-3.2.7+dfsg/debian/changelog	2025-10-01 19:36:38.000000000 +0200
+++ freeradius-3.2.7+dfsg/debian/changelog	2025-11-18 21:51:33.000000000 +0100
@@ -1,3 +1,11 @@
+freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium
+
+  [ Didier Raboud ]
+  * Backport patch to fix segfaults on TLS connections with more than one
+    intermediate certificate (Closes: #1120927)
+
+ -- Bernhard Schmidt <berni at debian.org>  Tue, 18 Nov 2025 21:51:33 +0100
+
 freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium
 
   * Non-maintainer upload.
diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series
--- freeradius-3.2.7+dfsg/debian/patches/series	2025-10-01 19:31:39.000000000 +0200
+++ freeradius-3.2.7+dfsg/debian/patches/series	2025-11-18 21:51:33.000000000 +0100
@@ -6,3 +6,4 @@
 dont-install-tests.diff
 snakeoil-certs.diff
 fips.patch
+wrap-crl_dp-checks-in-if-certs--lookup-=.patch
diff -Nru freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
--- freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch	2025-11-18 21:51:33.000000000 +0100
@@ -0,0 +1,63 @@
+From: Alan T. DeKok <aland at freeradius.org>
+Date: Wed, 12 Feb 2025 07:03:13 -0500
+X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0 05125f178649b7af17a1dc81642b91c937f4d93a
+Subject: wrap crl_dp checks in if (certs && (lookup <= 1). Fixes #5515
+
+
+---
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 2e97940..2821b93 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3077,30 +3077,33 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ 	/*
+ 	 *	Get the Certificate Distribution points
+ 	 */
+-	crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+-	if (crl_dp) {
+-		DIST_POINT *dp;
+-		const char *url_ptr;
++	if (certs && (lookup <= 1)) {
++		crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+ 
+-		for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+-			size_t len;
+-			char cdp[1024];
++		if (crl_dp) {
++			DIST_POINT *dp;
++			const char *url_ptr;
+ 
+-			dp = sk_DIST_POINT_value(crl_dp, i);
+-			if (!dp) continue;
++			for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
++				size_t len;
++				char cdp[1024];
+ 
+-			url_ptr = get_cdp_url(dp);
+-			if (!url_ptr) continue;
++				dp = sk_DIST_POINT_value(crl_dp, i);
++				if (!dp) continue;
+ 
+-			len = strlen(url_ptr);
+-			if (len >= sizeof(cdp)) continue;
++				url_ptr = get_cdp_url(dp);
++				if (!url_ptr) continue;
+ 
+-			memcpy(cdp, url_ptr, len + 1);
++				len = strlen(url_ptr);
++				if (len >= sizeof(cdp)) continue;
+ 
+-			vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+-			rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++				memcpy(cdp, url_ptr, len + 1);
++
++				vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
++				rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++			}
++			sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ 		}
+-		sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ 	}
+ 
+ 	/*
diff -Nru freeradius-3.2.7+dfsg/debian/salsa-ci.yml freeradius-3.2.7+dfsg/debian/salsa-ci.yml
--- freeradius-3.2.7+dfsg/debian/salsa-ci.yml	2025-02-10 22:50:22.000000000 +0100
+++ freeradius-3.2.7+dfsg/debian/salsa-ci.yml	2025-11-18 21:51:33.000000000 +0100
@@ -3,7 +3,7 @@
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
-  RELEASE: 'unstable'
+  RELEASE: 'trixie'
 
 # mark currently failing tests as allowed to fail
 blhc:

From berni at debian.org  Tue Nov 18 21:25:08 2025
From: berni at debian.org (Bernhard Schmidt)
Date: Tue, 18 Nov 2025 22:25:08 +0100
Subject: [Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation
 fault with 3-chain certificate
In-Reply-To: <CAAe0PDyLuey3btKXChjP_9Gz=GubN2Zj=tudZsk-5HkQwuMCNA@mail.gmail.com>
References: <176346474419.42364.17994615969384303719.reportbug@turnagra>
 <CAAe0PDyLuey3btKXChjP_9Gz=GubN2Zj=tudZsk-5HkQwuMCNA@mail.gmail.com>
 <176346474419.42364.17994615969384303719.reportbug@turnagra>
Message-ID: <aRzkNBt89DdD01ma@fliwatuet.svr02.mucip.net>

> Fantastic! I spent the afternoon trying to reproduce a minimal case in
> Docker (and had succeeded just when I saw your email).
> 
> It turns out? I have built this patch in a trixie chroot and deployed
> it to our production server, and the segfault is gone!

Thanks for testing! Do you have a chance to test 3.2.7+dfsg-1 as well? I
assume it hits the same issue, as +deb13u1 only changes a single compile
flag

> So I'm marking this as fixed in the version in testing/unstable.
> 
> Should we get to prepare a stable update? It'd be really nice to get
> this fixed for everyone using stable, happy to help!

Yeah, definitely. I just imported your patch and filed #1120965

Bernhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/56256330/attachment-0001.sig>