Freeradius server 3.2.3 released

Configuration changes

• The rlm_ldap and rlm_sql modules now have a max_retries configuration item in the pool section. This sets a limit on how many times an operation will be retried if it fails indicating a connection issue.
• Added check_crl configuration to rlm_ldap. This only works with OpenSSL. Many Linux distributions use other TLS libraries, which won’t work.
• Note that rlm_ldap does not support -= operators. The documentation disagreed with the code, so we fixed the documentation.
• If checkrad is called from SQL Simultaneous-Use checks it will now be passed NAS-Port-Id (as stored in the database), rather than NAS-Port.

Feature improvements

• Add max_retries for connection pools. Fixes #4908. Patch from Nick Porter.
• Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and dictionary.wispr; add dictionary.eleven.
• You can now list eap in the pre-proxy section. If the packet contains a malformed EAP message, then the request will be rejected. The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios.
• Show warnings if libldap is not using OpenSSL.
• Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing --with-radiusv11 to the configure script. For now, this is for testing interoperability.
• Add extra sanity checks for malformed EAP attributes.
• More TLS debugging output
• Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with rlm_files. Patch from Nick Porter.
• rlm_cache_redis is now included in the freeradius-redis packages.
• Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was built depending on the system default which led to confusion. We now build both freeradius-python2 and freeradius-python3 packages where possible.

Bug fixes

• Don’t leak MD contexts with OpenSSL 3.0.
• Increase internal buffer size for TLS connections, which can help with high-load proxies.
• Send Status-Server checks for TLS connections
• Give descriptive error if “update CoA” is used with “fake” packets, as it won’t work. i.e. inner-tunnel and virtual home servers.
• Many small ASAN / LSAN fixes from Jorge Pereira.
• Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection.
• Fix mutex locking issues on inbound RADIUS/TLS connections. This change avoids random issues with “bad record mac”.
• Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950
• Correctly report the LDAP group a user was found in. Fixes #3084. Patch from Nick Porter.
• Force correct packet type when running Post-Auth-Type. Helps with #4980
• Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996
• Fix TCP socket statistics. Closes #4990
• Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps with #5010