Diffstat
-rw-r--r-- | doc/ChangeLog | 288 |
1 files changed, 288 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog new file mode 100644 index 0000000..0392c28 --- /dev/null +++ b/doc/ChangeLog 
@@ -0,0 +1,288 @@ +FreeRADIUS 3.2.5 Tue 09 Jul 2024 12:00:00 UTC urgency=high + Configuration changes + * BlastRADIUS mitigations have been added to the "security" + section. See "require_message_authenticator" and also + "limit_proxy_state". + * BlastRADIUS mitigations have been added to radclient. + See "man radclient", and the "-b" option. + + Feature improvements + * TOTP now supports TOTP-Time-Offset for tokens with times that + are out of sync. See mods-available/totp + * radclient now supports forcing the Request Authenticator and ID + for Access-Request packets. + * Update dictionary.3gpp. + * Update advice on shared secrets, including suggesting a secure + method for generating useful secrets. + + Bug fixes + * Allow proxying by pool / home server name to work with auth+acct servers + * Fix OpenSSL API usage which sometimes caused crash in MS-CHAP + Previously it would either always crash immediately, or never crash. + * Fix packet statistics. Stop double counting some packets, + and track packet statistics even if a socket is closed. + * Reverted patch in TTLS which broke compatibility with some systems. + * Don't crash in debug mode when multiple intermediate certs are used + Patch from Alexander Chernikov. + +FreeRADIUS 3.2.4 Wed 29 May 2024 12:00:00 EDT urgency=low + Configuration changes + * Better handle backslashes in strings in the configuration files. + If the configuration items contain backslashes, then behavior may change. + However, the previous behavior didn't work as expected, and therefore is not + likely to be used. + * reject_delay no longer applies to proxied packets. All servers should now + set "reject_delay = 1" for security and scalability. + * %{randstr:...} now returns the requested amount of data, instead of + one too many bytes. + + Feature improvements + * Preliminary support for TEAP. + * Update EAP module pre_proxy checks to make them less restrictive. + This prevents the "middle box" effect from affecting future traffic. 
+ * Many fixes and updates for Docker images + * Add dpsk module. See mods-available/dpsk + * Print out what cause the TLS operations to be made, such as the EAP + method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket. + * Add auto_escape to sample SQL module config + * Add 'if not exists' to mysql create table queries. ref #5032 (#5137) + * Update dictionary.aruba; add dictionary.tplink, dictionary.alphion + * Allow for 'encrypt=1' attributes to be longer than 128 characters. + * Added "radsecret" program which generates strong secrets. See the + top of the "clients.conf" file for more information. + * radclient now prints packets as hex when using -xxx. + * Added "-t timeout" to radsniff. It will stop processing packets + after <timeout> seconds. + * Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF. + * The detail module now has a "dates_as_integer" configuration item. + See mods-available/detail for more information. + * Add lookback/lookforward steps and more configuration to totp. See + mods-available/totp. + * Add "time_since" xlat to calculate elapsed time in seconds, milliseconds + and microseconds. + * Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from + Alexander Clouter. PR #5320. + * Add "proxy_dedup_window". See radiusd.conf. + * Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf. + * Add "dedup_key" for misbehaving supplicants. See mods-available/eap + + Bug fixes + * Fix corner case with empty defaults in rlm_files. Fixes #5035 + * When we have multiple attributes of the same name, always use the + canonical attribute + * Make FreeRADIUS-Server-EMA* attributes work again for home server + exponential moving average statistics. + * Don't send the global server stats when asked for client stats. They + use the same attributes, so the result is confusing. + * Fix multiple typos in MongoDB query.conf (#5130) + * Add define for illumos. Fixes #5135 + * Add client configuration for TLS PSK. 
+ * Permit originate CoA after proxying to an internal virtual server + * Use virtual server "default" when passed "-i" and "-p" on the command line. + * Fix locking issues with rlm_python3. + * The detail file reader will catch bad times in the file, and will not + update Acct-Delay-Time with extreme values. + * Fix issue where Message-Authenticator was calculated incorrectly for + CoA / Disconnect ACK and NAK packets. + * Update Python thread and error handling. Fixes #5208. + * Fix handling of Session-State when proxying. Fixes #5288. + * Run relevant post-proxy Fail-* section on CoA / Disconnect timeout. + * Add "limit" section to AWS health check configurtion. Fixes 35300. + * Use MAX in sqlite queries instead of GREATEST. + * Fix typo in Mongo queries. Fixes #5301. + * Fix occasional crash with bad home servers. Fixes #5308. + * Minor bug fixes to the SQL freetds modules. + * Fix blocking issue with RADIUS/TLS connection checks. + * Fix run-time crash on configuration typos of %{substr ...} instead + of %{substr:...} Fixes #5321. + * Fix crash with TLS Status-Server requests. Fixes #5326. + +FreeRADIUS 3.2.3 Fri 26 May 2023 12:00:00 EDT urgency=low + Configuration changes + * The rlm_ldap and rlm_sql modules now have a "max_retries" configuration + item in the pool section. This sets a limit on how many times an operation + will be retried if it fails indicating a connection issue. + * Added "check_crl" configuration to rlm_ldap. This only works with OpenSSL. + Many Linux distributions use other TLS libraries, which won't work. + * Note that rlm_ldap does not support "-=" operators. The documentation + disagreed with the code, so we fixed the documentation. + * If checkrad is called from SQL Simultaneous-Use checks it will now be + passed NAS-Port-Id (as stored in the database), rather than NAS-Port. + + Feature improvements + * Add "max_retries" for connection pools. Fixes #4908. Patch from Nick Porter. 
+ * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and + dictionary.wispr; add dictionary.eleven. + * You can now list "eap" in the "pre-proxy" section. If the packet + contains a malformed EAP message, then the request will be rejected. + The home server will either reject (or discard) this packet anyways, + so this change can only help with large proxy scenarios. + * Show warnings if libldap is not using OpenSSL. + * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ + Disabled by default, can be enabled by passing `--with-radiusv11` to the + configure script. For now, this is for testing interoperability. + * Add extra sanity checks for malformed EAP attributes. + * More TLS debugging output + * Clear old module instance data before HUP reload. Avoids burst memory use + when e.g. using large data files with rlm_files. Patch from Nick Porter. + * `rlm_cache_redis` is now included in the freeradius-redis packages. + * Separate out python2/python3 in Debian Packages. Previously python 2 or 3 + was built depending on the system default which led to confusion. We now build + both freeradius-python2 and freeradius-python3 packages where possible. + + Bug fixes + * Don't leak MD contexts with OpenSSL 3.0. + * Increase internal buffer size for TLS connections, which + can help with high-load proxies. + * Send Status-Server checks for TLS connections + * Give descriptive error if "update CoA" is used with "fake" packets, + as it won't work. i.e. inner-tunnel and virtual home servers. + * Many small ASAN / LSAN fixes from Jorge Pereira. + * Close inbound RADIUS/TLS socket on TLS errors. When a home server + sees a TLS error, it will now close the socket, so proxies do not + have an open (but dead) TLS connection. + * Fix mutex locking issues on inbound RADIUS/TLS connections. + This change avoids random issues with "bad record mac". + * Improve REST encoding loop. Patch from Herwin Weststrate. 
Closes #4950 + * Correctly report the LDAP group a user was found in. Fixes #3084. + Patch from Nick Porter. + * Force correct packet type when running Post-Auth-Type. Helps with #4980 + * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996 + * Fix TCP socket statistics. Closes #4990 + * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use + checks. Helps with #5010 + +FreeRADIUS 3.2.2 Thu 16 Feb 2023 12:00:00 EDT urgency=low + Configuration changes + * The linelog module now has a "header" configuration item, + which places a header in any new file it creates. + * The ldap module now supports setting "cipher_list". See + mods-available/ldap. + * Add "connect_timeout" for outgoing TLS sockets. Helps with #3501. + * Add config section for xlats in rlm_rest and an option to + control REST body data encoding. Patches by Nick Porter. + * Allow Operator-Name and Called-Station-Id in attr_filter when + proxying. Helps with less work in Eduroam configurations. + * Ensure that the AcctUpdateTime field in SQL is always updated. + This is so that we can track when the last packet arrived. + * Update the default configuration to reply to NAS when accounting + proxying fails, but we still write to the detail file. + + Feature improvements + * The "configure" process now gives a much clearer report + when it's finished. Patches by Matthew Newton. + * Fallback to "uname -n" on missing "hostname". Fixes #4771 + * Export thread details in radmin "stats threads". Fixes #4770 + * Improve queries for processing radacct into periodic usage data. + Fix from Nick Porter. + * Update dictionary.juniper + * Add dictionary.calix + * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets" + * Update documentation for robust-proxy-accounting, and be more + aggressive about sending packets. + * Add per-module README.md files in the source. + * Add default Visual Studio configuration for developers. 
+ * Postgres can now automatically use alternate queries for errors + other than duplicate keys. + * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query + This helps the server track the identity of the client which is + connecting. + * Include thread stats in Status-Server attributes. Fixes #4870. + * Mark rlm_unbound stable and add to packages. Patches by Nick Porter. + * Remove broken/unsupported Dockerfiles for centos8 and + debian9. + * Ensure Docker containers have stable uid/gid. Patches + from Terry Burton. + + Bug fixes + * Preliminary support for non-blocking TLS sockets. Helps with #3501. + * Fix support for partial certificate chains after adding reload + support. Fixes #4753 + * Fix handling of debug_condition. + * Clean up home server states, and re-sync with the dictionaries. + * Correct certificate order when creating TLS-* attributes. + Fixes #4785 + * Update use of isalpha() etc. so broken configurations have less + impact on the server. + * Outgoing TLS sockets now set SNI correctly from the "hostname" + configuration item. + * Support Apple Homebrew on the M1. Fixes #4754 + * Better error messages when %{listen:TLS-...} is used. + * Getting statistics via Status-Server can now be done within a + virtual server. Fixes #4868 + * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878. + * Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton. + +FreeRADIUS 3.2.1 Mon 03 Oct 2022 12:00:00 EDT urgency=low + Feature improvements + * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries. + * Add simultaneous-use queries for MS SQL. + * Add radmin command for "stats pool <module-name>" + Which prints out statistics about the connection pools + * Client statistics now shows "conflicts", to count conflicting + packets. + * New optional "lightweight accounting-on/off" strategy. When + refreshing queries.conf you should also add the new nasreload table + and corresponding GRANTs to your DB schema. 
+ * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with + Eduroam. Suggested by Stefan Winter. + * Allow auth+acct for TCP sockets, too. + * Add rlm_cache_redis. See raddb/mods-available/cache for details + * Allow radmin to look up home servers by name, too. + * Ensure that dynamic clients don't create loops on duplicates. + Reported by Sam Yee. + * Removed rlm_sqlhpwippool. There was no documentation, no configuration, + and the module was ~15 years old with no one using it. + * Marked rlm_python3 as stable. + * Add sigalgs_list. See raddb/mods-available/eap. Patch from + Boris Lytochkin. + * For rlm_linelog, when opening files in /dev, look at "permissions" to see + whether to open them r/w. + * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md + and raddb/home_servers/README.md + * Allow setting of application_name for PostgreSQL. See mods-available/sql. + + Bug fixes + * Correct test for open sessions in radacct for MS SQL. + * The linelog module now opens /dev/stdout in "write-only" mode + if the permissions are set to "u+w" (0002). + * Various fixes to rlm_unbound from Nick Porter. + * PEAP now correctly runs Post-Auth-Type Accept + * Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-* + Fixes #4698. See sites-available/tls, and fix_cert_order. + * Minor updates and fixes to CI, Dockerfiles and packaging. + * Fix rlm_python3 build with python >= 3.10. Fixes #4441 + +FreeRADIUS 3.2.0 Thu 21 Apr 2022 12:00:00 EDT urgency=low + Configuration changes + * "correct_escapes" has been removed, and is always set to "true" + internally. Configuration changes may be required if you are + using configurations from before 3.0.5. Other than this + difference, 3.2.x is compatible with 3.0.x, and configurations + from 3.0.x can be simply copied into a system running 3.2.x. + + Feature improvements + * All features from 3.0.x are included in the 3.2.x releases. 
In addition: + * Support PEAP and TTLS with TLS 1.3. This has been + tested with wpa_supplicant and Windows 11. + * Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which + day of the month the counter should be reset. + * Partial backport of rlm_json from v4, providing the json_encode xlat. + See mods-available/json for documentation. + * Support for haproxy "PROXY" protocol. + See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/ + * Support for sending CoA-Request and Disconnect-Request packets + in "reverse" down RadSec tunnels. Experimental for now, and + undocumented. + * It is now possible to run a virtual server when saving / loading + TLS cache attributes. See sites-available/tls-cache for + more information. + * Removed the "cram" module. It was undocumented, and used old + and insecure authentication methods. + * Remove the "otp" module. The "otpd" program it needs is no longer available, + and the module has not been usable since at least 2015. + * All features from 3.0.x are included in the 3.2.x releases. + * 3.2.0 requires OpenSSL 1.0.2 or greater. + + Bug fixes + * All bug fixes from 3.0.x are included in the 3.2.x releases. |
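Review bot: the 3.2.5 entry, the only one in this file marked urgency=high, names the new "require_message_authenticator" and "limit_proxy_state" items in the "security" section but does not state their default values or whether an existing configuration changes behaviour on upgrade; an operator deciding whether to apply this release reads the ChangeLog before the security section, so add one sentence giving the defaults and what they mean for proxied traffic, and point to the advisory the mitigations correspond to. Smaller points in the same hunk: "Fixes 35300" is missing the "#" used everywhere else (compare "Fixes #5301"), "AWS health check configurtion" should read "configuration", "Print out what cause the TLS operations to be made" should read "what caused", the 3.2.5 timestamp uses UTC while every other entry uses EDT, and the bullet "All features from 3.0.x are included in the 3.2.x releases." appears twice in the 3.2.0 "Feature improvements" list, so one copy should be dropped.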