[Pkg-freeradius-maintainers] Bug#1120927: freeradius: Segmentation fault with 3-chain certificate
Didier Raboud
didier.raboud at liip.ch
Tue Nov 18 17:02:52 GMT 2025
Version: 3.2.8+dfsg-1
Control: tags -1 +patch +upstream
Control: forwarded -1 https://github.com/FreeRADIUS/freeradius-server/issues/5515
Hello there Bernhard,
Fantastic! I spent the afternoon trying to reproduce a minimal case in
Docker (and had succeeded just when I saw your email).
It turns out… I have built this patch in a trixie chroot and deployed
it to our production server, and the segfault is gone!
So I'm marking this as fixed in the version in testing/unstable.
Should we get to prepare a stable update? It'd be really nice to get
this fixed for everyone using stable, happy to help!
Best,
OdyX
On Tue, 18 Nov 2025 17:12:57 +0100 Bernhard Schmidt <berni at debian.org> wrote:
> > Our setup is working fine, with a Sectigo DV certificate chain in
> > /etc/freeradius/ssl/fullchain.pem & /etc/freeradius/ssl/privkey.pem, with a
> > Radsec setup (so private_key_file and certificate_file are set in
> > 3.0/sites-available/tls, as well as in 3.0/mods-available/eap), we routinely
> > verify this via a distant rad_eap test (doing Radius-over-Radsec-over-Radius).
> >
> > Today, I had to update that certificate (which is close to expiring), moving
> > from this chain:
> >
> > * certificate
> > * Sectigo ECC Domain Validation Secure Server CA
> > * USERTrust ECC Certification Authority
> >
> > to this chain:
> >
> > * certificate
> > * Sectigo Public Server Authentication CA DV E36
> > * Sectigo Public Server Authentication Root E46
> > * USERTrust ECC Certification Authority
> >
> > … and it now segfaults whenever we try to access the radius-to-radsec proxy.
> >
> > In other words, the fullchain.pem which before contained 2 certificates (the
> > certificate and 1 intermediary), now contains 3 certificates (the certificate,
> > and 2 intermediaries), and with this the server segfaults.
> >
> > I have not yet managed to extract a stacktrace or a core dump, I would be all
> > ears to get this solved.
>
> This sounds a bit like this problem
>
> https://github.com/FreeRADIUS/freeradius-server/issues/5515
> https://github.com/FreeRADIUS/freeradius-server/commit/286415adce9bc9e8cf974810f5be941dc2131056
>
> which is resolved in 3.2.8.
>
> Do you have a chance to check with this patch applied?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius_1120927.debdiff
Type: application/octet-stream
Size: 3082 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeradius-maintainers/attachments/20251118/f6efab0d/attachment.obj>