[Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation fault with 3-chain certificate

Didier Raboud didier.raboud at liip.ch
Tue Nov 18 11:19:04 GMT 2025 

Package: freeradius
Version: 3.2.7+dfsg-1+deb13u1
Severity: serious

Dear Maintainer,

Our setup is working fine, with a Sectigo DV certificate chain in
/etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
Radsec setup (so private_key_file and certificate_file are set in
3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).

Today, I had to update that certificate (which is close to expiring), moving
from this chain:

* certificate
* Sectigo ECC Domain Validation Secure Server CA
* USERTrust ECC Certification Authority

to this chain:

* certificate
* Sectigo Public Server Authentication CA DV E36
* Sectigo Public Server Authentication Root E46
* USERTrust ECC Certification Authority

… and it now segfaults whenever we try to access the radius-to-radsec proxy.

In other words, the fullchain.pem which before contained 2 certificates (the
certificate and 1 intermediary), now contains 3 certificates (the certificate,
and 2 intermediaries), and with this the server segfaults.

I have not yet managed to extract a stacktrace or a core dump, I would be all
ears to get this solved.

Best,
OdyX

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.41+deb13-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeradius depends on:
ii  freeradius-common  3.2.7+dfsg-1+deb13u1
ii  freeradius-config  3.2.7+dfsg-1+deb13u1
ii  libc6              2.41-12
ii  libcrypt1          1:4.4.38-1
ii  libct4             1.3.17+ds-2+deb13u1
ii  libfreeradius3     3.2.7+dfsg-1+deb13u1
ii  libgdbm6t64        1.24-2
ii  libjson-c5         0.18+ds-1
ii  libpam0g           1.7.0-5
ii  libperl5.40        5.40.1-6
ii  libreadline8t64    8.2-6
ii  libsqlite3-0       3.46.1-7
ii  libssl3t64         3.5.4-1~deb13u1
ii  libsystemd0        257.9-1~deb13u1
ii  libtalloc2         2:2.4.3+samba4.22.6+dfsg-0+deb13u1
ii  libwbclient0       2:4.22.6+dfsg-0+deb13u1
ii  perl               5.40.1-6

Versions of packages freeradius recommends:
ii  freeradius-utils  3.2.7+dfsg-1+deb13u1

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
ii  freeradius-ldap        3.2.7+dfsg-1+deb13u1
pn  freeradius-mysql       <none>
pn  freeradius-postgresql  <none>
pn  freeradius-python3     <none>
pn  snmp                   <none>

More information about the Pkg-freeradius-maintainers mailing list