[Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation fault with 3-chain certificate
Bernhard Schmidt
berni at debian.org
Tue Nov 18 16:12:57 GMT 2025
Dear Didier,
> Our setup is working fine, with a Sectigo DV certificate chain in
> /etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
> Radsec setup (so private_key_file and certificate_file are set in
> 3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
> verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).
>
> Today, I had to update that certificate (which is close to expiring), moving
> from this chain:
>
> * certificate
> * Sectigo ECC Domain Validation Secure Server CA
> * USERTrust ECC Certification Authority
>
> to this chain:
>
> * certificate
> * Sectigo Public Server Authentication CA DV E36
> * Sectigo Public Server Authentication Root E46
> * USERTrust ECC Certification Authority
>
> … and it now segfaults whenever we try to access the radius-to-radsec proxy.
>
> In other words, the fullchain.pem which before contained 2 certificates (the
> certificate and 1 intermediary), now contains 3 certificates (the certificate,
> and 2 intermediaries), and with this the server segfaults.
>
> I have not yet managed to extract a stacktrace or a core dump, I would be all
> ears to get this solved.
This sounds a bit like this problem
https://github.com/FreeRADIUS/freeradius-server/issues/5515
https://github.com/FreeRADIUS/freeradius-server/commit/286415adce9bc9e8cf974810f5be941dc2131056
which is resolved in 3.2.8.
Do you have a chance to check with this patch applied?
Bernhard
More information about the Pkg-freeradius-maintainers
mailing list