diff options
Diffstat (limited to 'doc/ChangeLog')
| -rw-r--r-- | doc/ChangeLog | 189 |
1 files changed, 189 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog new file mode 100644 index 0000000..6b7006e --- /dev/null +++ b/doc/ChangeLog @@ -0,0 +1,189 @@ +FreeRADIUS 3.2.3 Fri 26 May 2023 12:00:00 EDT urgency=low + Configuration changes + * The rlm_ldap and rlm_sql modules now have a "max_retries" configuration + item in the pool section. This sets a limit on how many times an operation + will be retried if it fails indicating a connection issue. + * Added "check_crl" configuration to rlm_ldap. This only works with OpenSSL. + Many Linux distributions use other TLS libraries, which won't work. + * Note that rlm_ldap does not support "-=" operators. The documentation + disagreed with the code, so we fixed the documentation. + * If checkrad is called from SQL Simultaneous-Use checks it will now be + passed NAS-Port-Id (as stored in the database), rather than NAS-Port. + + Feature improvements + * Add "max_retries" for connection pools. Fixes #4908. Patch from Nick Porter. + * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and + dictionary.wispr; add dictionary.eleven. + * You can now list "eap" in the "pre-proxy" section. If the packet + contains a malformed EAP message, then the request will be rejected. + The home server will either reject (or discard) this packet anyways, + so this change can only help with large proxy scenarios. + * Show warnings if libldap is not using OpenSSL. + * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ + Disabled by default, can be enabled by passing `--with-radiusv11` to the + configure script. For now, this is for testing interoperability. + * Add extra sanity checks for malformed EAP attributes. + * More TLS debugging output + * Clear old module instance data before HUP reload. Avoids burst memory use + when e.g. using large data files with rlm_files. Patch from Nick Porter. + * `rlm_cache_redis` is now included in the freeradius-redis packages. + * Separate out python2/python3 in Debian Packages. Previously python 2 or 3 + was built depending on the system default which led to confusion. We now build + both freeradius-python2 and freeradius-python3 packages where possible. + + Bug fixes + * Don't leak MD contexts with OpenSSL 3.0. + * Increase internal buffer size for TLS connections, which + can help with high-load proxies. + * Send Status-Server checks for TLS connections + * Give descriptive error if "update CoA" is used with "fake" packets, + as it won't work. i.e. inner-tunnel and virtual home servers. + * Many small ASAN / LSAN fixes from Jorge Pereira. + * Close inbound RADIUS/TLS socket on TLS errors. When a home server + sees a TLS error, it will now close the socket, so proxies do not + have an open (but dead) TLS connection. + * Fix mutex locking issues on inbound RADIUS/TLS connections. + This change avoids random issues with "bad record mac". + * Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950 + * Correctly report the LDAP group a user was found in. Fixes #3084. + Patch from Nick Porter. + * Force correct packet type when running Post-Auth-Type. Helps with #4980 + * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996 + * Fix TCP socket statistics. Closes #4990 + * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use + checks. Helps with #5010 + +FreeRADIUS 3.2.2 Thu 16 Feb 2023 12:00:00 EDT urgency=low + Configuration changes + * The linelog module now has a "header" configuration item, + which places a header in any new file it creates. + * The ldap module now supports setting "cipher_list". See + mods-available/ldap. + * Add "connect_timeout" for outgoing TLS sockets. Helps with #3501. + * Add config section for xlats in rlm_rest and an option to + control REST body data encoding. Patches by Nick Porter. + * Allow Operator-Name and Called-Station-Id in attr_filter when + proxying. Helps with less work in Eduroam configurations. + * Ensure that the AcctUpdateTime field in SQL is always updated. + This is so that we can track when the last packet arrived. + * Update the default configuration to reply to NAS when accounting + proxying fails, but we still write to the detail file. + + Feature improvements + * The "configure" process now gives a much clearer report + when it's finished. Patches by Matthew Newton. + * Fallback to "uname -n" on missing "hostname". Fixes #4771 + * Export thread details in radmin "stats threads". Fixes #4770 + * Improve queries for processing radacct into periodic usage data. + Fix from Nick Porter. + * Update dictionary.juniper + * Add dictionary.calix + * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets" + * Update documentation for robust-proxy-accounting, and be more + aggressive about sending packets. + * Add per-module README.md files in the source. + * Add default Visual Studio configuration for developers. + * Postgres can now automatically use alternate queries for errors + other than duplicate keys. + * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query + This helps the server track the identity of the client which is + connecting. + * Include thread stats in Status-Server attributes. Fixes #4870. + * Mark rlm_unbound stable and add to packages. Patches by Nick Porter. + * Remove broken/unsupported Dockerfiles for centos8 and + debian9. + * Ensure Docker containers have stable uid/gid. Patches + from Terry Burton. + + Bug fixes + * Preliminary support for non-blocking TLS sockets. Helps with #3501. + * Fix support for partial certificate chains after adding reload + support. Fixes #4753 + * Fix handling of debug_condition. + * Clean up home server states, and re-sync with the dictionaries. + * Correct certificate order when creating TLS-* attributes. + Fixes #4785 + * Update use of isalpha() etc. so broken configurations have less + impact on the server. + * Outgoing TLS sockets now set SNI correctly from the "hostname" + configuration item. + * Support Apple Homebrew on the M1. Fixes #4754 + * Better error messages when %{listen:TLS-...} is used. + * Getting statistics via Status-Server can now be done within a + virtual server. Fixes #4868 + * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878. + * Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton. + +FreeRADIUS 3.2.1 Mon 03 Oct 2022 12:00:00 EDT urgency=low + Feature improvements + * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries. + * Add simultaneous-use queries for MS SQL. + * Add radmin command for "stats pool <module-name>" + Which prints out statistics about the connection pools + * Client statistics now shows "conflicts", to count conflicting + packets. + * New optional "lightweight accounting-on/off" strategy. When + refreshing queries.conf you should also add the new nasreload table + and corresponding GRANTs to your DB schema. + * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with + Eduroam. Suggested by Stefan Winter. + * Allow auth+acct for TCP sockets, too. + * Add rlm_cache_redis. See raddb/mods-available/cache for details + * Allow radmin to look up home servers by name, too. + * Ensure that dynamic clients don't create loops on duplicates. + Reported by Sam Yee. + * Removed rlm_sqlhpwippool. There was no documentation, no configuration, + and the module was ~15 years old with no one using it. + * Marked rlm_python3 as stable. + * Add sigalgs_list. See raddb/mods-available/eap. Patch from + Boris Lytochkin. + * For rlm_linelog, when opening files in /dev, look at "permissions" to see + whether to open them r/w. + * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md + and raddb/home_servers/README.md + * Allow setting of application_name for PostgreSQL. See mods-available/sql. + + Bug fixes + * Correct test for open sessions in radacct for MS SQL. + * The linelog module now opens /dev/stdout in "write-only" mode + if the permissions are set to "u+w" (0002). + * Various fixes to rlm_unbound from Nick Porter. + * PEAP now correctly runs Post-Auth-Type Accept + * Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-* + Fixes #4698. See sites-available/tls, and fix_cert_order. + * Minor updates and fixes to CI, Dockerfiles and packaging. + * Fix rlm_python3 build with python >= 3.10. Fixes #4441 + +FreeRADIUS 3.2.0 Thu 21 Apr 2022 12:00:00 EDT urgency=low + Configuration changes + * "correct_escapes" has been removed, and is always set to "true" + internally. Configuration changes may be required if you are + using configurations from before 3.0.5. Other than this + difference, 3.2.x is compatible with 3.0.x, and configurations + from 3.0.x can be simply copied into a system running 3.2.x. + + Feature improvements + * All features from 3.0.x are included in the 3.2.x releases. In addition: + * Support PEAP and TTLS with TLS 1.3. This has been + tested with wpa_supplicant and Windows 11. + * Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which + day of the month the counter should be reset. + * Partial backport of rlm_json from v4, providing the json_encode xlat. + See mods-available/json for documentation. + * Support for haproxy "PROXY" protocol. + See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/ + * Support for sending CoA-Request and Disconnect-Request packets + in "reverse" down RadSec tunnels. Experimental for now, and + undocumented. + * It is now possible to run a virtual server when saving / loading + TLS cache attributes. See sites-available/tls-cache for + more information. + * Removed the "cram" module. It was undocumented, and used old + and insecure authentication methods. + * Remove the "otp" module. The "otpd" program it needs is no longer available, + and the module has not been usable since at least 2015. + * All features from 3.0.x are included in the 3.2.x releases. + * 3.2.0 requires OpenSSL 1.0.2 or greater. + + Bug fixes + * All bug fixes from 3.0.x are included in the 3.2.x releases. |