Toke Høiland-Jørgensen toke@toke.dk wrote Mon, 05 Sep 2016 22:32:03 +0200:
Linus Nordberg linus@nordu.net writes:
Hi,
Thanks to Faidon, we've got an issue [1] tracking the work of getting radsecproxy to work with OpenSSL 1.1.
[1] https://project.nordu.net/browse/RADSECPROXY-66%3E The questions now are 1) does the proposed patch work for you and 2) how little backwards compatibility can we get away with?
If you're a radsecproxy user, what version(s) of OpenSSL do you really need support for?
I'm maintaining a radsecproxy package for OpenWRT/LEDE which runs openssl 1.0.2h. Keeping compatibility with that would be nice :)
The least painful way of supporting 1.0.2 that I've found is to stop using libcrypto (from OpenSSL) for MD5 and HMAC(MD5).
The openssl11 branch [1] now uses libnettle instead. Please give it a try with 1.0.2 and let me know if things still work well for you. Don't forget to try to authenticate some users and please test both succesful and failing authentication attempts. There's a chance for actual breakage here.
[1] https://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/openssl11
Thanks, Linus