Hi,
Thanks to Faidon, we've got an issue [1] tracking the work of getting
radsecproxy to work with OpenSSL 1.1.
[1] https://project.nordu.net/browse/RADSECPROXY-66
The questions now are 1) does the proposed patch work for you and 2) how
little backwards compatibility can we get away with?
If you're a radsecproxy user, what version(s) of OpenSSL do you really
need support for?
If you know how to build radsecproxy from source, please test the
'openssl11' branch [2] with OpenSSL 1.1.0 and let us know if it works
for you.
[2] git clone -b openssl11 https://git.nordu.net/radsecproxy.git
Thanks,
Linus
Hi,
radsecproxy-1.6.8 is now a thing. From the ChangeLog file:
--8<---------------cut here---------------start------------->8---
2016-09-21 1.6.8
Bug fixes:
- Stop waiting on writable when reading a TCP socket.
- Stomp less on the memory of other threads (RADSECPROXY-64).
--8<---------------cut here---------------end--------------->8---
You can pick it up at https://software.nordu.net/radsecproxy/download/
as usual.
Hi All,
There is a race condition in both the tcp and tls code (in functions tcplistener and tlslistener) when accepting new connections.
If new connections arrive in very short succession, and the second (or any further) accept() call returns before the previously created thread has actually started off, these threads operate on the wrong socket.
(The pointer handed to the thread points to the local variable s in [tcp|tls]listener(), which gets its new value before the thread could copy its value.)
Proposed change: copy the variable to the heap and use this as the argument to the new thread; also, the new thread is responsible for the memory if the spawn is successful.
Additional side-fix:
tcpreadtimeout() does a select() on a write-fd with the intention to wait for readable bytes.
This was fixed in 1.6.3 for tls code, but not tcp.
Patch is attached.
Best regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 30, direct +41 44 268 15 39
fabian.mauchle(a)switch.ch, www.switch.ch
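The race described in the message above and the heap-copy fix it proposes, as an added example that is not part of the original post or the attached patch. The names conn_thread, run_listener and gate are constructed for illustration, the descriptors 100..103 stand in for accept() results, and the gate mutex forces the "thread starts late" case so the outcome is deterministic.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

#define NCONN 4

static pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
static int arg_on_heap;   /* set by run_listener() before any thread starts */

/* Stand-in for the per-connection thread: returns the descriptor it read. */
static void *conn_thread(void *arg) {
    pthread_mutex_lock(&gate);     /* models a thread that is scheduled late */
    pthread_mutex_unlock(&gate);
    int fd = *(int *)arg;
    if (arg_on_heap)
        free(arg);                 /* the thread owns the copy once spawned */
    return (void *)(intptr_t)fd;
}

/* Accept NCONN constructed connections and return how many threads ended up
 * with the descriptor that was accepted for them. */
int run_listener(int heap_copy) {
    pthread_t th[NCONN];
    int started[NCONN] = {0};
    int s, ok = 0;

    arg_on_heap = heap_copy;
    pthread_mutex_lock(&gate);
    for (int i = 0; i < NCONN; i++) {
        s = 100 + i;               /* stand-in for s = accept(...) */
        int *arg = &s;             /* racy: every thread shares the local s */
        if (heap_copy) {
            arg = malloc(sizeof *arg);
            if (!arg) continue;
            *arg = s;              /* private copy for this thread */
        }
        if (pthread_create(&th[i], NULL, conn_thread, arg) == 0)
            started[i] = 1;
        else if (heap_copy)
            free(arg);             /* spawn failed: listener still owns it */
    }
    pthread_mutex_unlock(&gate);   /* only now do the threads read their arg */
    for (int i = 0; i < NCONN; i++) {
        void *ret;
        if (started[i] && pthread_join(th[i], &ret) == 0)
            ok += ((int)(intptr_t)ret == 100 + i);
    }
    return ok;
}
```

With the shared local, every late-starting thread reads the last accepted descriptor, so only one of the four handles its own connection; with the heap copy all four do.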
Hi All,
The git repository (tag radsecproxy-1.6.7) does not compile on RedHat, because the docbook2x_man tool detection fails.
The tool is called during compile, regardless of whether it was not found or provided manually to configure.
Also, docbook2man on RedHat is not happy with the radsecproxy.conf.5.xml (see patch).
docbook2man version info:
usr/bin/db2x_docbook2man (part of docbook2X 0.8.8)
$Revision: 1.12 $ $Date: 2006/04/14 17:29:04 $
Patch is attached.
Please verify if this works on other platforms.
Best regards,
Fabian