After Upgrade to 21.7 - freeradius fail to start

Started by Ralf_s, July 29, 2021, 04:48:45 PM

Hi,

the freeradius wouldn't start with the error message:

Error: /usr/local/etc/raddb/mods-enabled/pap[13]: Failed to link to module 'rlm_pap': Cannot open "/usr/local/lib/freeradius-3*/rlm_pap.so"

Could you please help?

best regards,

Ralf

I think the latest FreeRADIUS does not like LibreSSL anymore.. switching to OpenSSL should fix this.


Cheers,
Franco

switching to OpenSSL - reboot - freeradius is working again. TOP!!!

many thanks,

Ralf

Hi Ralf,

Glad to hear :)

I'll be watching for changes there. It's a bit unusual because previously it has always played nice with LibreSSL except for some compile errors.


Cheers,
Franco

Hi Franco,

just to confirm that this is not a one-off: I am seeing the same error as Ralf (I also saw it with 21.7 as documented here: https://forum.opnsense.org/index.php?PHPSESSID=mqo6ikmrudta2di05im45v616g&topic=23556.msg112148#msg112148).

I can also confirm that switching from LibreSSL to OpenSSL is a working workaround ;). So it looks as if the LibreSSL-build of the freeradius3 package is broken.

Cheers
Christian

Hi,

as there are lots of problems using LibreSSL in the past months (OpenVPN, CertManager/PHP, FreeRADIUS), do you recommend changing to OpenSSL in general?

Thanks.

August 31, 2021, 10:25:43 AM #6 Last Edit: August 31, 2021, 10:27:20 AM by franco
It's never been much different to be honest. We recommend upstream projects to support LibreSSL proper, but if they don't this is always going to happen.

In the grand scheme of things LibreSSL popularity slowly declined over the past couple of years and we don't have it in the business edition to avoid such unfortunate (but avoidable) issues by using OpenSSL.

The slow adaptation of CMS and TLS 1.3 probably play a role here coupled with the release cycle and ABI breakage that only fits the OpenBSD release cycle.

Don't get me wrong. I'm a huge fan of the LibreSSL effort and we have been helping with FreeBSD ports integration and patching since 2015. This is just my personal observation of the topic.


Cheers,
Franco

The nginx plugin also has some small issues when it runs on LibreSSL.

Handshakes: Curves are missing (defined variables are not filled with values)
General: TLS 1.3 support

So I guess that even if such major software struggles with LibreSSL, then the support in smaller projects is even worse.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

For example, $ssl_curves is, as far as I know, only supported by OpenSSL, while $ssl_ciphers is supported by both of them. Those variables are used to build the browser fingerprint together with the UA.