summaryrefslogtreecommitdiffstats
path: root/doc/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'doc/ChangeLog')
-rw-r--r--doc/ChangeLog189
1 files changed, 189 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog
new file mode 100644
index 0000000..6b7006e
--- /dev/null
+++ b/doc/ChangeLog
@@ -0,0 +1,189 @@
+FreeRADIUS 3.2.3 Fri 26 May 2023 12:00:00 EDT urgency=low
+ Configuration changes
+ * The rlm_ldap and rlm_sql modules now have a "max_retries" configuration
+ item in the pool section. This sets a limit on how many times an operation
+ will be retried if it fails indicating a connection issue.
+ * Added "check_crl" configuration to rlm_ldap. This only works with OpenSSL.
+ Many Linux distributions use other TLS libraries, which won't work.
+ * Note that rlm_ldap does not support "-=" operators. The documentation
+ disagreed with the code, so we fixed the documentation.
+ * If checkrad is called from SQL Simultaneous-Use checks it will now be
+ passed NAS-Port-Id (as stored in the database), rather than NAS-Port.
+
+ Feature improvements
+ * Add "max_retries" for connection pools. Fixes #4908. Patch from Nick Porter.
+ * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
+ dictionary.wispr; add dictionary.eleven.
+ * You can now list "eap" in the "pre-proxy" section. If the packet
+ contains a malformed EAP message, then the request will be rejected.
+ The home server will either reject (or discard) this packet anyways,
+ so this change can only help with large proxy scenarios.
+ * Show warnings if libldap is not using OpenSSL.
+ * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/
+ Disabled by default, can be enabled by passing `--with-radiusv11` to the
+ configure script. For now, this is for testing interoperability.
+ * Add extra sanity checks for malformed EAP attributes.
+ * More TLS debugging output
+ * Clear old module instance data before HUP reload. Avoids burst memory use
+ when e.g. using large data files with rlm_files. Patch from Nick Porter.
+ * `rlm_cache_redis` is now included in the freeradius-redis packages.
+ * Separate out python2/python3 in Debian Packages. Previously python 2 or 3
+ was built depending on the system default which led to confusion. We now build
+ both freeradius-python2 and freeradius-python3 packages where possible.
+
+ Bug fixes
+ * Don't leak MD contexts with OpenSSL 3.0.
+ * Increase internal buffer size for TLS connections, which
+ can help with high-load proxies.
+ * Send Status-Server checks for TLS connections
+ * Give descriptive error if "update CoA" is used with "fake" packets,
+ as it won't work. i.e. inner-tunnel and virtual home servers.
+ * Many small ASAN / LSAN fixes from Jorge Pereira.
+ * Close inbound RADIUS/TLS socket on TLS errors. When a home server
+ sees a TLS error, it will now close the socket, so proxies do not
+ have an open (but dead) TLS connection.
+ * Fix mutex locking issues on inbound RADIUS/TLS connections.
+ This change avoids random issues with "bad record mac".
+ * Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950
+ * Correctly report the LDAP group a user was found in. Fixes #3084.
+ Patch from Nick Porter.
+ * Force correct packet type when running Post-Auth-Type. Helps with #4980
+ * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996
+ * Fix TCP socket statistics. Closes #4990
+ * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use
+ checks. Helps with #5010
+
+FreeRADIUS 3.2.2 Thu 16 Feb 2023 12:00:00 EDT urgency=low
+ Configuration changes
+ * The linelog module now has a "header" configuration item,
+ which places a header in any new file it creates.
+ * The ldap module now supports setting "cipher_list". See
+ mods-available/ldap.
+ * Add "connect_timeout" for outgoing TLS sockets. Helps with #3501.
+ * Add config section for xlats in rlm_rest and an option to
+ control REST body data encoding. Patches by Nick Porter.
+ * Allow Operator-Name and Called-Station-Id in attr_filter when
+ proxying. Helps with less work in Eduroam configurations.
+ * Ensure that the AcctUpdateTime field in SQL is always updated.
+ This is so that we can track when the last packet arrived.
+ * Update the default configuration to reply to NAS when accounting
+ proxying fails, but we still write to the detail file.
+
+ Feature improvements
+ * The "configure" process now gives a much clearer report
+ when it's finished. Patches by Matthew Newton.
+ * Fallback to "uname -n" on missing "hostname". Fixes #4771
+ * Export thread details in radmin "stats threads". Fixes #4770
+ * Improve queries for processing radacct into periodic usage data.
+ Fix from Nick Porter.
+ * Update dictionary.juniper
+ * Add dictionary.calix
+ * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets"
+ * Update documentation for robust-proxy-accounting, and be more
+ aggressive about sending packets.
+ * Add per-module README.md files in the source.
+ * Add default Visual Studio configuration for developers.
+ * Postgres can now automatically use alternate queries for errors
+ other than duplicate keys.
+ * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query
+ This helps the server track the identity of the client which is
+ connecting.
+ * Include thread stats in Status-Server attributes. Fixes #4870.
+ * Mark rlm_unbound stable and add to packages. Patches by Nick Porter.
+ * Remove broken/unsupported Dockerfiles for centos8 and
+ debian9.
+ * Ensure Docker containers have stable uid/gid. Patches
+ from Terry Burton.
+
+ Bug fixes
+ * Preliminary support for non-blocking TLS sockets. Helps with #3501.
+ * Fix support for partial certificate chains after adding reload
+ support. Fixes #4753
+ * Fix handling of debug_condition.
+ * Clean up home server states, and re-sync with the dictionaries.
+ * Correct certificate order when creating TLS-* attributes.
+ Fixes #4785
+ * Update use of isalpha() etc. so broken configurations have less
+ impact on the server.
+ * Outgoing TLS sockets now set SNI correctly from the "hostname"
+ configuration item.
+ * Support Apple Homebrew on the M1. Fixes #4754
+ * Better error messages when %{listen:TLS-...} is used.
+ * Getting statistics via Status-Server can now be done within a
+ virtual server. Fixes #4868
+ * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878.
+ * Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton.
+
+FreeRADIUS 3.2.1 Mon 03 Oct 2022 12:00:00 EDT urgency=low
+ Feature improvements
+ * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries.
+ * Add simultaneous-use queries for MS SQL.
+ * Add radmin command for "stats pool <module-name>"
+ Which prints out statistics about the connection pools
+ * Client statistics now shows "conflicts", to count conflicting
+ packets.
+ * New optional "lightweight accounting-on/off" strategy. When
+ refreshing queries.conf you should also add the new nasreload table
+ and corresponding GRANTs to your DB schema.
+ * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with
+ Eduroam. Suggested by Stefan Winter.
+ * Allow auth+acct for TCP sockets, too.
+ * Add rlm_cache_redis. See raddb/mods-available/cache for details
+ * Allow radmin to look up home servers by name, too.
+ * Ensure that dynamic clients don't create loops on duplicates.
+ Reported by Sam Yee.
+ * Removed rlm_sqlhpwippool. There was no documentation, no configuration,
+ and the module was ~15 years old with no one using it.
+ * Marked rlm_python3 as stable.
+ * Add sigalgs_list. See raddb/mods-available/eap. Patch from
+ Boris Lytochkin.
+ * For rlm_linelog, when opening files in /dev, look at "permissions" to see
+ whether to open them r/w.
+ * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md
+ and raddb/home_servers/README.md
+ * Allow setting of application_name for PostgreSQL. See mods-available/sql.
+
+ Bug fixes
+ * Correct test for open sessions in radacct for MS SQL.
+ * The linelog module now opens /dev/stdout in "write-only" mode
+ if the permissions are set to "u+w" (0002).
+ * Various fixes to rlm_unbound from Nick Porter.
+ * PEAP now correctly runs Post-Auth-Type Accept
+ * Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-*
+ Fixes #4698. See sites-available/tls, and fix_cert_order.
+ * Minor updates and fixes to CI, Dockerfiles and packaging.
+ * Fix rlm_python3 build with python >= 3.10. Fixes #4441
+
+FreeRADIUS 3.2.0 Thu 21 Apr 2022 12:00:00 EDT urgency=low
+ Configuration changes
+ * "correct_escapes" has been removed, and is always set to "true"
+ internally. Configuration changes may be required if you are
+ using configurations from before 3.0.5. Other than this
+ difference, 3.2.x is compatible with 3.0.x, and configurations
+ from 3.0.x can be simply copied into a system running 3.2.x.
+
+ Feature improvements
+ * All features from 3.0.x are included in the 3.2.x releases. In addition:
+ * Support PEAP and TTLS with TLS 1.3. This has been
+ tested with wpa_supplicant and Windows 11.
+ * Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which
+ day of the month the counter should be reset.
+ * Partial backport of rlm_json from v4, providing the json_encode xlat.
+ See mods-available/json for documentation.
+ * Support for haproxy "PROXY" protocol.
+ See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/
+ * Support for sending CoA-Request and Disconnect-Request packets
+ in "reverse" down RadSec tunnels. Experimental for now, and
+ undocumented.
+ * It is now possible to run a virtual server when saving / loading
+ TLS cache attributes. See sites-available/tls-cache for
+ more information.
+ * Removed the "cram" module. It was undocumented, and used old
+ and insecure authentication methods.
+ * Remove the "otp" module. The "otpd" program it needs is no longer available,
+ and the module has not been usable since at least 2015.
+ * All features from 3.0.x are included in the 3.2.x releases.
+ * 3.2.0 requires OpenSSL 1.0.2 or greater.
+
+ Bug fixes
+ * All bug fixes from 3.0.x are included in the 3.2.x releases.