Comment 4 for bug 1955009

Christian Ehrhardt  (paelzer) wrote :

Hi Sam and Alan,

> Christian> Reproducible in local autopkgtest
>
> Let me make sure I'm understanding.
> You are saying that prior to openssl 3, the test works, but with
> openssl3, the test fails?

Yes, that is correct.

> What is the ssl version in the successful tests?
> For example from the failing test we have:
> OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

Good: 1.1.1l-1ubuntu1
Bad: 3.0.0-1ubuntu1

But to be complete: since not all components have let go of libssl1.1, we always have both ssl versions installed. Just freeradius is linking to one or the other.

Good:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================-===============-============-============================================================
ii freeradius 3.0.21+dfsg-3 amd64 high-performance and highly configurable RADIUS server
ii libssl1.1:amd64 1.1.1l-1ubuntu1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl3:amd64 3.0.0-1ubuntu1 amd64 Secure Sockets Layer toolkit - shared libraries
ii moonshot-gss-eap 1.0.1-6ubuntu2 amd64 Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
 libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0d3a268000)

Bad:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================-===================-============-============================================================
ii freeradius 3.0.21+dfsg-3build1 amd64 high-performance and highly configurable RADIUS server
ii libssl1.1:amd64 1.1.1l-1ubuntu1 amd64 Secure Sockets Layer toolkit - shared libraries
ii libssl3:amd64 3.0.0-1ubuntu1 amd64 Secure Sockets Layer toolkit - shared libraries
ii moonshot-gss-eap 1.0.1-6ubuntu2 amd64 Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
 libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f965de31000)

> What's the txver from that message in the successful test?
> Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version
> in use for some annoying standardization reasons.

Interestingly, that is the same in both:
Good: OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
Bad: OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)

But that is probably defined by moonshot, which in Ubuntu [1] had a no-change rebuild against the new openssl.

[1]: https://launchpad.net/ubuntu/+source/moonshot-gss-eap/1.0.1-6ubuntu2

> It looks like things are failing on the server side.
> The autopkgtest produces the freeradius log (which is admittedly huge)
> as a test artifact.
> Could I get a pointer to a failing freeradius log?

Yeah, I have those in my autopkgtest VMs, like:
  /tmp/autopkgtest.axJ2k1/gss-client-artifacts/freeradius.log
I'll attach them to the bug in the next update after I have copied them.

> I'm also going to bring this bug to the attention of Moonshot upstream.

Thank you

From here Alan's answer:

> My $0.02 is to try the head of v3.0.x. I don't recall if we put in fixes specifically for
> OpenSSL 3, but perhaps.
> We've also *significantly* updated the TLS debugging output. It's a lot clearer, and gives a
> lot more information.

I assume you mean freeradius?
This is already 3.0.21+dfsg-3(build1)