Control: affects 976991 src:freeradius

On 08.01.25 at 13:04, ATIC Sistemas Rede wrote:

Hi,

We've tested with freeradius 3.2.6 in a preproduction environment.
We've installed these packages from bookworm-backports target release (*).
In debug mode (freeradius -X) we could see several warnings like this (**).
Authentication EAP-TTLS-PAP seems to work fine.
We could make an effort and test in production next week.
The memory issue manifests after several weeks; we need a guarantee of proper functionality during this time.
The warning seems serious. Could you give us any advice about this?


(**)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I never noticed it myself (not using rlm_ldap), but it seems like an old issue (maybe the warning is new). You can find bugs from 2020 against openldap asking for building against openssl specifically due to FreeRADIUS warnings.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976991
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000821

However, I'm not aware of any bug report due to this, and https://wiki.freeradius.org/modules/Rlm_ldap#errors-with-ldap-over-tls-connections is about building LDAP with Mozilla NSS, not with GnuTLS.

I guess switching openldap to openssl is too late before Trixie, especially since it may as well affect other openldap reverse dependencies that use GnuTLS.

I guess you will have to try it.

Bernhard
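
Added example, not part of the original thread: one way to confirm on a test host whether a running process really has both TLS stacks loaded, by reading its `/proc/<pid>/maps`. The function names and the sample maps lines are constructed for illustration, and the library file names assume a Debian amd64 layout.

```shell
#!/bin/sh
# Report which TLS library families are mapped into a process, given a file
# in /proc/<pid>/maps format. Prints "gnutls" and/or "openssl", one per line.
tls_families() {
    awk '
        { path = $NF }                                  # last field is the mapped file, if any
        path ~ /\/libgnutls\.so/ { seen["gnutls"] = 1 }
        path ~ /\/libssl\.so/    { seen["openssl"] = 1 }
        END { for (f in seen) print f }
    ' "$1" | sort
}

# Succeeds (exit 0) only when both GnuTLS and OpenSSL are mapped,
# which is the situation the FreeRADIUS startup warning describes.
mixed_tls() {
    fams=$(tls_families "$1" | tr '\n' ' ')
    [ "$fams" = "gnutls openssl " ]
}

# Constructed sample input (addresses, inodes and versions are made up).
write_sample_maps() {
    cat > "$1" <<'EOF'
55d0c0a00000-55d0c0a4f000 r-xp 00000000 fd:01 1001 /usr/sbin/freeradius
7f10a0000000-7f10a0021000 rw-p 00000000 00:00 0
7f10a1200000-7f10a1260000 r-xp 00000000 fd:01 1002 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f10a1400000-7f10a1460000 r-xp 00000000 fd:01 1003 /usr/lib/x86_64-linux-gnu/libldap-2.5.so.0
7f10a1600000-7f10a1750000 r-xp 00000000 fd:01 1004 /usr/lib/x86_64-linux-gnu/libgnutls.so.30
7ffd3a1e0000-7ffd3a201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Demo on the constructed sample. On a live host, pass the real file instead,
# e.g. mixed_tls "/proc/<pid of freeradius>/maps" (run as root).
sample=$(mktemp)
write_sample_maps "$sample"
if mixed_tls "$sample"; then
    echo "both GnuTLS and OpenSSL are mapped into this process"
else
    echo "only one TLS family mapped: $(tls_families "$sample")"
fi
rm -f "$sample"
```

This only shows that both libraries are loaded in one address space; it says nothing about whether the conflict will actually be triggered under load.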
