1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
## Verifying
SHA256 checksums can be found in [[sha256.txt]].
PGP signatures can be found below.
## Releases
* [1.6.6](radsecproxy-1.6.6.tar.xz)
([PGP sig](radsecproxy-1.6.6.tar.xz.asc)) from January 19th, 2015
This is the latest release. It fixes
[RADSECPROXY-59](https://project.nordu.net/browse/RADSECPROXY-59)
(use rewriteIn correctly), and
[RADSECPROXY-58](https://project.nordu.net/browse/RADSECPROXY-58)
(handle CHAP when there is no CHAP-Challenge), as well as a number
of security fixes (two use-after-free, one null-pointer dereference,
and three heap overflows). </dd>
* [1.6.5](radsecproxy-1.6.5.tar.gz)
([PGP sig](radsecproxy-1.6.5.tar.gz.asc)) from September 6th, 2013
Fixes a crash bug introduced in 1.6.4. Fixes
[RADSECPROXY-53](https://project.nordu.net/browse/RADSECPROXY-53),
bugfix on 1.6.4.
* 1.6.4 ([PGP sig](radsecproxy-1.6.4.tar.gz.asc)) from September 5th,
2013
Fixes a bug with not keeping Proxy-State attributes in all replies
[RADSECPROXY-52](https://project.nordu.net/browse/RADSECPROXY-52).
* [1.6.3](radsecproxy-1.6.3.tar.gz)
([PGP sig](radsecproxy-1.6.3.tar.gz.asc)) from September 5th, 2013
Fixes bugs vital for dynamic discovery, see ChangeLog for details.
* [1.6.2](radsecproxy-1.6.2.tar.gz)
([PGP sig](radsecproxy-1.6.2.tar.gz.asc)) from October 25th, 2012
Fixes bug regarding certificate authentication for DTLS
[RADSECPROXY-43](https://project.nordu.net/browse/RADSECPROXY-43),
CVE-2012-4566).
* [1.6.1](radsecproxy-1.6.1.tar.gz)
([PGP sig](radsecproxy-1.6.1.tar.gz.asc)) from September 14th, 2012
Fixes a bug regarding certificate authentication
[RADSECPROXY-43](https://project.nordu.net/browse/RADSECPROXY-43),
CVE-2012-4523)
* [1.6](radsecproxy-1.6.tar.gz)
([PGP sig](radsecproxy-1.6.tar.gz.asc)) from April 28th, 2012
Improved support for F-Ticks logging and new option for pidfile.
**Incompatible change**: The default shared secret for TLS and DTLS
connections change from "mysecret" to "radsec" as per
draft-ietf-radext-radsec-12 section 2.3 (4). Please make sure to
specify a secret in both client and server blocks to avoid
unwanted surprises.
The default place to look for a configuration file has changed from
/etc to /usr/local/etc, let radsecproxy know where your
configuration file can be found by using the `-c' command line
option, or configure radsecproxy on with --sysconfdir=/etc when
building to restore old behaviour.
For other changes, see Changelog inside the archive.
* [1.5](radsecproxy-1.5.tar.gz)
([PGP sig](radsecproxy-1.5.tar.gz.asc)) from October 8th, 2011
Introduces support for F-Ticks logging. For other changes, see
Changelog inside the archive.
## Older releases
* [1.4.3](radsecproxy-1.4.3.tar.gz)
([PGP sig](radsecproxy-1.4.3.tar.gz.asc)) from July 22nd, 2011
Fixed a debug printout issue.
* [1.4.2](radsecproxy-1.4.2.tar.gz)
([PGP sig](radsecproxy-1.4.2.tar.gz.asc)) from November 23rd, 2010
Mostly a security update due to a certain vulnerability in how
caching was handled in OpenSSL prior to 0.9.8p and 1.0.0b. If your
OpenSSL is older than those, you should use this one or newer.
* 1.4.1 from November 18th, 2010
This release contained some debug code that caused crashes, and is
hence removed.
* [1.4](radsecproxy-1.4.tar.gz) from June 12th, 2010
The major changes are support for LoopPrevention per server, added
AddVendorAttribute rewrite configuration, new log level DBG_NOTICE,
fixed UDP fragmentation issue, fixed build issues on Solaris and
fixed bug regarding long passwords.
* [1.3.1](radsecproxy-1.3.1.tar.gz) from July 22nd, 2009
Last release of 1.3. The main change is an important fix for
multiple UDP servers with the same IP address, which solves
accounting problems experienced by many. Thanks alot to Simon
Leinen for submitting the patch for this. Default log level is 2,
while it was 3 previously. also, some log messages have changed log
levels. you should be fine using this in production, although 1.2
may be safer (as it has been through more testing) if you don't need
the new features.
* [1.2](radsecproxy-1.2.tar.gz) from October 7th, 2008
Perhaps the most stable "old" release so far. If you do not need
the new features in 1.3+, then this may be the best option. Some
issues with earlier releases are fixed and there are also a number
of new useful features like more message rewrite options and
regularly refreshing CRLs.
* [1.3-beta](radsecproxy-1.3-beta.tar.gz) from February 18th, 2009
This is only a beta release and needs more testing to be as mature as
1.2, so be careful about using this in production. But if you can,
please help test this release to speed its way towards the 1.3
release. The only new feature since the alpha release is that client
and server blocks can contain multiple host options. There have also
been some minor bug fixes, and it is now possible when compiling to
select which transports to support.
* [1.3-alpha](radsecproxy-1.3-alpha.tar.gz) from December 4th, 2008
Many new features were introduced in 1.3. The major ones are TCP and
DTLS transport, and dynamic server discovery. Other minor features
are TTL (hopcount) support for RADIUS messages and PolicyOID for
checking certificate policies.
* [1.1](radsecproxy-1.1.tar.gz) from July 24th, 2008
This release has proven to be fairly stable, but an upgrade to 1.2
is recommended. Some issues with earlier releases are fixed and
there are also a number of new useful features like failover when
not using Status-Server, limited loop prevention and CRL
checking. This is also the first version where accounting works
properly.
* [1.1-beta](radsecproxy-1.1-beta.tar.gz) from May 14th, 2008
The main new features since 1.1-alpha were attribute filtering,
accounting support and improved certificate matching.
* [1.1-alpha](radsecproxy-1.1-alpha.tar.gz) from December 24th, 2007
There are some known problems with this release, so you should be
using the most recent 1.1 release instead. The new features were in
short: pretend option for validating configuration; include option
for including additional config files; clients can be configured by
IP prefix, allowing dynamic clients; server failover support; source
address and port can be specified for requests; and finally optional
rewriting of the username attribute.
* [1.0p1](radsecproxy-1.0p1.tar.gz) from October 16th, 2007
Since 1.0 a bug was fixed where the proxy was likely to crash if any
servers were configured after the first realm block. Since the
alpha release the certificate validation was improved and some minor
bugs have been fixed.
* [1.0](radsecproxy-1.0.tar.gz) from September 21st, 2007
* [1.0-alpha-p1](radsecproxy-1.0-alpha-p1.tar.gz) from June 13th, 2007
* [1.0-alpha](radsecproxy-1.0-alpha.tar.gz) from June 5th, 2007
## Access via git
The developer tree of radsecproxy is available as a
[tar archive](https://git.nordu.net/?p=radsecproxy.git;a=snapshot;h=HEAD;sf=tgz)
or you use git. To checkout the current version of the tree, enter
the following command:
git clone https://git.nordu.net/radsecproxy.git
If you want to contribute code, you need to get in
[contact with the developers](?page=contact).
Note that there is also a
[web interface](http://git.nordu.net/?p=radsecproxy.git;a=summary) to
the repository.
## Linux packages
Various people have kindly contributed packages for various Linux
distributions.
### Debian
* Since Debian release 5 (Lenny), radsecproxy is included in the
distribution.
* 1.2 for CentOS 5 / Red Hat Enterprise Linux 5
[radsecproxy-1.2-1.i386.rpm](packages/radsecproxy-1.2-1.i386.rpm)
[radsecproxy-1.2-1.src.rpm](packages/radsecproxy-1.2-1.src.rpm)
* 1.0 for openSUSE, Fedora and Mandriva openSUSE should be available
from various mirrors, but all of these can also be downloaded from
[download.opensuse.org](http://download.opensuse.org/repositories/network:/aaa/).
The Fedora and Mandriva packages have not yet been tested (AFAIK),
please let me know whether they work for you or not.
* 1.0p1 for [OpenSDE](http://opensde.org/)
Part of the distribution, see the site
|