Skip to content

3.2.3

Latest
Latest
Compare
Choose a tag to compare
@mcnewton mcnewton released this 26 May 15:03
· 33076 commits to master since this release
release_3_2_3
db3d192
This commit was signed with the committer’s verified signature.
mcnewton Matthew Newton
GPG key ID: D9B933C12AED74F0
Learn about vigilant mode.

Configuration changes

  • The rlm_ldap and rlm_sql modules now have a max_retries configuration item in the pool section. This sets a limit on how many times an operation will be retried if it fails indicating a connection issue.
  • Added check_crl configuration to rlm_ldap. This only works with OpenSSL. Many Linux distributions use other TLS libraries, which won't work.
  • Note that rlm_ldap does not support -= operators. The documentation disagreed with the code, so we fixed the documentation.
  • If checkrad is called from SQL Simultaneous-Use checks it will now be passed NAS-Port-Id (as stored in the database), rather than NAS-Port.

Feature improvements

  • Add max_retries for connection pools. Fixes #4908. Patch from Nick Porter.
  • Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and dictionary.wispr; add dictionary.eleven.
  • You can now list eap in the pre-proxy section. If the packet contains a malformed EAP message, then the request will be rejected. The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios.
  • Show warnings if libldap is not using OpenSSL.
  • Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing --with-radiusv11 to the configure script. For now, this is for testing interoperability.
  • Add extra sanity checks for malformed EAP attributes.
  • More TLS debugging output
  • Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with rlm_files. Patch from Nick Porter.
  • rlm_cache_redis is now included in the freeradius-redis packages.
  • Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was built depending on the system default which led to confusion. We now build both freeradius-python2 and freeradius-python3 packages where possible.

Bug fixes

  • Don't leak MD contexts with OpenSSL 3.0.
  • Increase internal buffer size for TLS connections, which can help with high-load proxies.
  • Send Status-Server checks for TLS connections
  • Give descriptive error if "update CoA" is used with "fake" packets, as it won't work. i.e. inner-tunnel and virtual home servers.
  • Many small ASAN / LSAN fixes from Jorge Pereira.
  • Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection.
  • Fix mutex locking issues on inbound RADIUS/TLS connections. This change avoids random issues with "bad record mac".
  • Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950
  • Correctly report the LDAP group a user was found in. Fixes #3084. Patch from Nick Porter.
  • Force correct packet type when running Post-Auth-Type. Helps with #4980
  • Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996
  • Fix TCP socket statistics. Closes #4990
  • Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps with #5010
Assets 6