Configuration changes
- Replace dictionary.infinera with the correct one.
- Update dictionary.alteon
Feature improvements
- Add support for automated fuzzing. This doesn't affect normal operations, but it does allow for testing of the RADIUS decoder.
- Allow tagged attributes to use :V as a tag in some cases. The tag is then read from the value which is being assigned to the attribute. This functionality is allowed in 'update' sections, including 'update' in module configurations. See mods-available/ldap for an example.
- Add kafka module. See mods-available/kafka.
- Allow &control:Packet-SRC-IP-Address to be used when proxying needs a given source address.
- Change lower limit for reject_delay to 0.5s. Apparently some NASes will panic and go crazy with a 1s reject_delay.
- Rate limit complaints when limiting new connections.
- Update raddb/certs/Makefile to support DER output.
- Elapsed statistics for packets do not include proxy timers, which helps clarify where any issues are. The total time is still available by adding "our" time to the "proxy" time.
- json module can now print dates as integers. See mods-available/json
- The debug output now points to the online documentation in many cases, when there are syntax errors in the configuration.
- Add support for 389ds password hashes. Patch from Gerald Vogt.
- reject_delay does not add a delay, but instead ensures that the reject is delayed for at least that time. This change means that reject_delay can be set in more situations, including for proxies.
- Add delay_proxy_rejects. By default, proxied rejects are not delayed. Setting this flag means that reject_delay is applied to proxied rejects, too.
- The proxy_rate_limit module can now be listed in the "authorize" section.
- Update dpsk module to be faster, and be easier to configure with databases. See mods-available/dpsk
Bug fixes
- Move assertion in thread / queue code, which only affects debug builds. Fixes #5512.
- Update CRL checks to avoid crash in some cases. Fixes #5515
- More tweaks to the TEAP code.
- Allow building when OpenSSL is missing PSK. Fixes #5520
- Move assertion so that it isn't triggered when the incoming queue is full, and the server is blocked. Fixes #5512
- Fix crash when multiple certs are used along with CRL distribution points. Fixes #5515
- Fix typo in rlm_cache which could cause crashes. Fixes #5522
- Be more forgiving about '%' in strings. Fixes #5525.
- Move assertion in threading code.
- Fixes to interaction with python interpreter
- Don't crash when setting client hostname in RADIUS/TLS. Fixes #5552
- Ignore .dpkg* and .rpm* files when loading configuration directories. Package managers can leave these around.
- Complain more loudly if all of the "authorize" etc. sections have been removed, but the server is still configured to process Access-Request packets.
- Use OCIStmtPrepare2 to prepare Oracle queries. Fixes #5540
- Allow dynamic clients with TCP listeners.