FreeRADIUS 3.2.8 Wed 20 Aug 2025 12:00:00 UTC urgency=low
	Configuration changes
	* Replace dictionary.infinera with the correct one.
	* Update dictionary.alteon

	Feature improvements
	* Add support for automated fuzzing.  This doesn't affect
	  normal operations, but it does allow for testing of the
	  RADIUS decoder.
	* Allow tagged attributes to use ":V" as a tag in some cases.
	  The tag is then read from the value which is being assigned
	  to the attribute.  This functionality is allowed in 'update'
	  sections, including 'update' in module configurations.
	  See mods-available/ldap for an example.
	* Add kafka module.  See mods-available/kafka.
	* Allow &control:Packet-SRC-IP-Address to be used when
	  proxying needs a given source address.
	* Change lower limit for reject_delay to 0.5s.  Apparently
	  some NASes will panic and go crazy with a 1s reject_delay.
	* Rate limit complaints when limiting new connections.
	* Update raddb/certs/Makefile to support DER output.
	* Elapsed statistics for packets do not include proxy timers,
	  which helps clarify where any issues are.  The total time
	  is still available by adding "our" time to the "proxy" time.
	* Added kafka module.  See mods-available/kafka.
	* json module can now print dates as integers.
	  See mods-available/json
	* The debug output now points to the online documentation in
	  many cases, when there are syntax errors in the configuration.
	* Add support for 389ds password hashes.  Patch from Gerald Vogt.
	* reject_delay does not _add_ a delay, but instead ensures that
	  the reject is delayed for _at least_ that time.  This change
	  means that reject_delay can be set in more situations, including
	  for proxies.
	* Add delay_proxy_rejects.  By default, proxied rejects are not
	  delayed.  Setting this flag means that reject_delay is applied
	  to proxied rejects, too.
	* The proxy_rate_limit module can now be listed in the
	  "authorize" section.
	* Update dpsk module to be faster, and be easier to configure
	  with databases.  See mods-available/dpsk

	Bug fixes
	* Move assertion in thread / queue code, which only affects
	  debug builds.  Fixes #5512.
	* Update CRL checks to avoid crash in some cases.  Fixes #5515
	* More tweaks to the TEAP code.
	* Allow building when OpenSSL is missing PSK.  Fixes #5520
	* Move assertion so that it isn't triggered when the incoming
	  queue is full, and the server is blocked.  Fixes #5512
	* Fix crash when multiple certs are used along with
	  CRL distribution points.  Fixes #5515
	* Fix typo in rlm_cache which could cause crashes. Fixes #5522
	* Be more forgiving about '%' in strings.  Fixes #5525.
	* Move assertion in threading code.
	* Fixes to interaction with python interpreter
	* Don't crash when setting client hostname in RADIUS/TLS.
	  Fixes #5552
	* Ignore ".dpkg*" and ".rpm*" files when loading configuration
	  directories.  Package managers can leave these around.
	* Complain more loudly if all of the "authorize" etc. sections
	  have been removed, but the server is still configured to
	  process Access-Request packets.
	* Use OCIStmtPrepare2 to prepare Oracle queries. Fixes #5540
	* Allow dynamic clients with TCP listeners.

FreeRADIUS 3.2.7 Fri 31 Jan 2025 12:00:00 UTC urgency=low
	Configuration changes
	* The dpsk module now supports dynamic expansion of the
	  "filename" parameter.
	* radiusd.conf now contains an "unlang" section, which
	  controls new behavior for the "return" statement.
	* New configuration parameters for TEAP which makes it
	  much easier to configure.  See the "teap" section of
	  the "eap" module.
	* Change idle timeout for incoming radsec connections, to
	  better match behavior of radsecproxy.
	* python2 and rlm_couchbase are no longer available in the
	  alpine docker image.
	* utmp files are becoming obsolete due to 32-bit time. unix/radwtmp
	  have been commented out in the default config and "radlast" is
	  no longer installed if "last" is not present on the system.

	Feature improvements
	* Print MD5 hash of the configuration files in debug mode.
	  This helps people track configuration changes.
	* Add support for IPv6 to "abinary" type.  The fields
	  are the same as for "ip", but use "ipv6", and IPv6
	  formatted addresses.
	* Update radclient to make it clear that Message-Authenticator
	  is added to all Access-Request packets, even if the
	  input file does not contain it.
	* Add support for Subject AltName URI.  Closes #5450.
	* Add python_path_mode option to python3 module.
	* Relax checks on OpenSSL minor versions for OpenSSL 3.x.
	* Add API for deleting dynamic home servers.
	* set SO_KEEPALIVE on outbound sockets, so firewalls are
	  less likly to close TCP connections.
	* Allow querying of statistics when home_server has
	  src_ipaddr set.  See FreeRADIUS-Stats-Server-Src-IP-Address.
	  Fixes #5483
	* Update dictionary "man" page.  Fixes #4346.
	* Change jlibtool to use --show-config, to avoid conflicts with
	  clang --config.  Fixes #5442.
	* RADIUS/TLS clients now support a "tls' subsection.  For
	  connections from this client, this section is used in preference
	  to the "listen" TLS settings.  This allows a server to easily
	  present different identities to different clients.
	* RADIUS/TLS has been updated for TLS-PSK and TLS 1.3.  Tested with
	  radsecproxy.

	Bug fixes
	* For EAP-TLS, send TLS start without a length field.
	  Some clients refuse to do EAP-TLS when this field exists.
	* Avoid blocking TLS sockets on corner cases during session
	  setup.
	* Update home server stats
	* Correct error message about untrusted certs.  Fixes #5466.
	* Use PyEval_RestoreThread to swap to main thread.
	  Fixes #5111
	* Don't run Python detach function on config check
	* Fix a number of issues with TLS connections and
	  "check_client_connections = yes".
	* Be more careful about managing the incoming queue when databases
	  block the server.  The server will still be unable to make
	  progress, but it should crash less.  Whether or not this is a
	  good thing is unknown.
	* Better handler single-character expansions.  Fixes #2216.
	* Correct calculation of EAP length in pre-proxy.  Fixes #5486.
	* Don't segfault when using detail listeners. Fixes #5485
	* Add check for Couchbase v2, rlm_couchbase won't build on v3.

FreeRADIUS 3.2.6 Sat 24 Aug 2024 12:00:00 UTC urgency=low
	Configuration changes
	* require_message_authenticator=auto and limit_proxy_state=auto
	  are not applied for wildcard clients.  This likely will
	  leave your network in an insecure state.  Upgrade all clients!

	Feature improvements
	* Allow for "auth+acct" dynamic home servers.
	* Allow for setting "Home-Server-Pool", etc. for proxying
	  accounting packets, just like authentication packets.
	* Fix spelling in starent SN[1]-Subscriber-Acct-Mode attribute
	  value. Patch from John Thacker.
	* Update dictionary.iea. Patch from John Thacker.
	* Add warning for secrets that are too short.
	* More debugging for SSL ciphers. Patch from Nick Porter.
	* Update 3GPP dictionary. Patch from Nick Porter.
	* Fix ZTE dictionary.
	* Make radsecret more portable and avoid extra dependencies.
	* Add timestamp for Client-Lost so we don't think it's 1970. Patch
	  from Alexander Clouter. #5353

	Bug fixes
	* Dynamic clients now inherit require_message_authenticator
	  and limit_proxy_state from dynamic client {...} definition.
	* Fix radsecret build rules to better support parallel builds.
	* Checkpoint systems should be reconfigured for the BlastRADIUS
	  attack: https://support.checkpoint.com/results/sk/sk182516
	  The Checkpoint systems drop packets containing Message-Authenticator,
	  which violates the RFCs and is completely ridiculous.
	* Fix duplicate CoA packet issue. #5397
	* Several fixes in the event code
	* Don't leak memory in rlm_sql_sqlite. #5392
	* Don't stop processing RadSec data too early.

FreeRADIUS 3.2.5 Tue 09 Jul 2024 12:00:00 UTC urgency=high
	Configuration changes
	* BlastRADIUS mitigations have been added to the "security"
	  section.  See "require_message_authenticator" and also
	  "limit_proxy_state".
	* BlastRADIUS mitigations have been added to radclient.
	  See "man radclient", and the "-b" option.

	Feature improvements
	* TOTP now supports TOTP-Time-Offset for tokens with times that
	  are out of sync.  See mods-available/totp
	* radclient now supports forcing the Request Authenticator and ID
	  for Access-Request packets.
	* Update dictionary.3gpp.
	* Update advice on shared secrets, including suggesting a secure
	  method for generating useful secrets.

	Bug fixes
	* Allow proxying by pool / home server name to work with auth+acct servers
	* Fix OpenSSL API usage which sometimes caused crash in MS-CHAP
	  Previously it would either always crash immediately, or never crash.
	* Fix packet statistics.  Stop double counting some packets,
	  and track packet statistics even if a socket is closed.
	* Reverted patch in TTLS which broke compatibility with some systems.
	* Don't crash in debug mode when multiple intermediate certs are used
	  Patch from Alexander Chernikov.

FreeRADIUS 3.2.4 Wed 29 May 2024 12:00:00 EDT urgency=low
	Configuration changes
	* Better handle backslashes in strings in the configuration files.
	  If the configuration items contain backslashes, then behavior may change.
	  However, the previous behavior didn't work as expected, and therefore is not
	  likely to be used.
	* reject_delay no longer applies to proxied packets.  All servers should now
	  set "reject_delay = 1" for security and scalability.
	* %{randstr:...} now returns the requested amount of data, instead of
	  one too many bytes.

	Feature improvements
	* Preliminary support for TEAP.
	* Update EAP module pre_proxy checks to make them less restrictive.
	  This prevents the "middle box" effect from affecting future traffic.
	* Many fixes and updates for Docker images
	* Add dpsk module.  See mods-available/dpsk
	* Print out what cause the TLS operations to be made, such as the EAP
	  method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket.
	* Add auto_escape to sample SQL module config
	* Add 'if not exists' to mysql create table queries. ref #5032 (#5137)
	* Update dictionary.aruba; add dictionary.tplink, dictionary.alphion
	* Allow for 'encrypt=1' attributes to be longer than 128 characters.
	* Added "radsecret" program which generates strong secrets.  See the
	  top of the "clients.conf" file for more information.
	* radclient now prints packets as hex when using -xxx.
	* Added "-t timeout" to radsniff.  It will stop processing packets
	  after <timeout> seconds.
	* Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF.
	* The detail module now has a "dates_as_integer" configuration item.
	  See mods-available/detail for more information.
	* Add lookback/lookforward steps and more configuration to totp. See
	  mods-available/totp.
	* Add "time_since" xlat to calculate elapsed time in seconds, milliseconds
	  and microseconds.
	* Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from
	  Alexander Clouter. PR #5320.
	* Add "proxy_dedup_window".  See radiusd.conf.
	* Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf.
	* Add "dedup_key" for misbehaving supplicants.  See mods-available/eap

	Bug fixes
	* Fix corner case with empty defaults in rlm_files.  Fixes #5035
	* When we have multiple attributes of the same name, always use the
	  canonical attribute
	* Make FreeRADIUS-Server-EMA* attributes work again for home server
	  exponential moving average statistics.
	* Don't send the global server stats when asked for client stats. They
	  use the same attributes, so the result is confusing.
	* Fix multiple typos in MongoDB query.conf (#5130)
	* Add define for illumos.  Fixes #5135
	* Add client configuration for TLS PSK.
	* Permit originate CoA after proxying to an internal virtual server
	* Use virtual server "default" when passed "-i" and "-p" on the command line.
	* Fix locking issues with rlm_python3.
	* The detail file reader will catch bad times in the file, and will not
	  update Acct-Delay-Time with extreme values.
	* Fix issue where Message-Authenticator was calculated incorrectly for
	  CoA / Disconnect ACK and NAK packets.
	* Update Python thread and error handling.  Fixes #5208.
	* Fix handling of Session-State when proxying.  Fixes #5288.
	* Run relevant post-proxy Fail-* section on CoA / Disconnect timeout.
	* Add "limit" section to AWS health check configurtion.  Fixes 35300.
	* Use MAX in sqlite queries instead of GREATEST.
	* Fix typo in Mongo queries.  Fixes #5301.
	* Fix occasional crash with bad home servers.  Fixes #5308.
	* Minor bug fixes to the SQL freetds modules.
	* Fix blocking issue with RADIUS/TLS connection checks.
	* Fix run-time crash on configuration typos of %{substr ...} instead
	  of %{substr:...}  Fixes #5321.
	* Fix crash with TLS Status-Server requests. Fixes #5326.

FreeRADIUS 3.2.3 Fri 26 May 2023 12:00:00 EDT urgency=low
	Configuration changes
	* The rlm_ldap and rlm_sql modules now have a "max_retries" configuration
	  item in the pool section.  This sets a limit on how many times an operation
	  will be retried if it fails indicating a connection issue.
	* Added "check_crl" configuration to rlm_ldap.  This only works with OpenSSL.
	  Many Linux distributions use other TLS libraries, which won't work.
	* Note that rlm_ldap does not support "-=" operators.  The documentation
	  disagreed with the code, so we fixed the documentation.
	* If checkrad is called from SQL Simultaneous-Use checks it will now be
	  passed NAS-Port-Id (as stored in the database), rather than NAS-Port.

	Feature improvements
	* Add "max_retries" for connection pools. Fixes #4908. Patch from Nick Porter.
	* Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
	  dictionary.wispr; add dictionary.eleven.
	* You can now list "eap" in the "pre-proxy" section.  If the packet
	  contains a malformed EAP message, then the request will be rejected.
	  The home server will either reject (or discard) this packet anyways,
	  so this change can only help with large proxy scenarios.
	* Show warnings if libldap is not using OpenSSL.
	* Support RADIUS/1.1.  See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/
	  Disabled by default, can be enabled by passing `--with-radiusv11` to the
	  configure script. For now, this is for testing interoperability.
	* Add extra sanity checks for malformed EAP attributes.
	* More TLS debugging output
	* Clear old module instance data before HUP reload. Avoids burst memory use
	  when e.g. using large data files with rlm_files. Patch from Nick Porter.
	* `rlm_cache_redis` is now included in the freeradius-redis packages.
	* Separate out python2/python3 in Debian Packages. Previously python 2 or 3
	  was built depending on the system default which led to confusion. We now build
	  both freeradius-python2 and freeradius-python3 packages where possible.

	Bug fixes
	* Don't leak MD contexts with OpenSSL 3.0.
	* Increase internal buffer size for TLS connections, which
	  can help with high-load proxies.
	* Send Status-Server checks for TLS connections
	* Give descriptive error if "update CoA" is used with "fake" packets,
	  as it won't work. i.e. inner-tunnel and virtual home servers.
	* Many small ASAN / LSAN fixes from Jorge Pereira.
	* Close inbound RADIUS/TLS socket on TLS errors.  When a home server
	  sees a TLS error, it will now close the socket, so proxies do not
	  have an open (but dead) TLS connection.
	* Fix mutex locking issues on inbound RADIUS/TLS connections.
	  This change avoids random issues with "bad record mac".
	* Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950
	* Correctly report the LDAP group a user was found in. Fixes #3084.
	  Patch from Nick Porter.
	* Force correct packet type when running Post-Auth-Type. Helps with #4980
	* Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996
	* Fix TCP socket statistics. Closes #4990
	* Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use
	  checks. Helps with #5010

FreeRADIUS 3.2.2 Thu 16 Feb 2023 12:00:00 EDT urgency=low
	Configuration changes
	* The linelog module now has a "header" configuration item,
	  which places a header in any new file it creates.
	* The ldap module now supports setting "cipher_list".  See
	  mods-available/ldap.
	* Add "connect_timeout" for outgoing TLS sockets.  Helps with #3501.
	* Add config section for xlats in rlm_rest and an option to
	  control REST body data encoding. Patches by Nick Porter.
	* Allow Operator-Name and Called-Station-Id in attr_filter when
	  proxying.  Helps with less work in Eduroam configurations.
	* Ensure that the AcctUpdateTime field in SQL is always updated.
	  This is so that we can track when the last packet arrived.
	* Update the default configuration to reply to NAS when accounting
	  proxying fails, but we still write to the detail file.

	Feature improvements
	* The "configure" process now gives a much clearer report
	  when it's finished.  Patches by Matthew Newton.
	* Fallback to "uname -n" on missing "hostname".  Fixes #4771
	* Export thread details in radmin "stats threads".  Fixes #4770
	* Improve queries for processing radacct into periodic usage data.
	  Fix from Nick Porter.
	* Update dictionary.juniper
	* Add dictionary.calix
	* Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets"
	* Update documentation for robust-proxy-accounting, and be more
	  aggressive about sending packets.
	* Add per-module README.md files in the source.
	* Add default Visual Studio configuration for developers.
	* Postgres can now automatically use alternate queries for errors
	  other than duplicate keys.
	* %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query
	  This helps the server track the identity of the client which is
	  connecting.
	* Include thread stats in Status-Server attributes.  Fixes #4870.
	* Mark rlm_unbound stable and add to packages. Patches by Nick Porter.
	* Remove broken/unsupported Dockerfiles for centos8 and
	  debian9.
	* Ensure Docker containers have stable uid/gid. Patches
	  from Terry Burton.

	Bug fixes
	* Preliminary support for non-blocking TLS sockets. Helps with #3501.
	* Fix support for partial certificate chains after adding reload
	  support.  Fixes #4753
	* Fix handling of debug_condition.
	* Clean up home server states, and re-sync with the dictionaries.
	* Correct certificate order when creating TLS-* attributes.
	  Fixes #4785
	* Update use of isalpha() etc. so broken configurations have less
	  impact on the server.
	* Outgoing TLS sockets now set SNI correctly from the "hostname"
	  configuration item.
	* Support Apple Homebrew on the M1.  Fixes #4754
	* Better error messages when %{listen:TLS-...} is used.
	* Getting statistics via Status-Server can now be done within a
	  virtual server.  Fixes #4868
	* Make TTLS+MS-CHAP work with TLS 1.3.  Fixes #4878.
	* Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton.

FreeRADIUS 3.2.1 Mon 03 Oct 2022 12:00:00 EDT urgency=low
	Feature improvements
	* Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries.
	* Add simultaneous-use queries for MS SQL.
	* Add radmin command for "stats pool <module-name>"
	  Which prints out statistics about the connection pools
	* Client statistics now shows "conflicts", to count conflicting
	  packets.
	* New optional "lightweight accounting-on/off" strategy.  When
	  refreshing queries.conf you should also add the new nasreload table
	  and corresponding GRANTs to your DB schema.
	* Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with
	  Eduroam.  Suggested by Stefan Winter.
	* Allow auth+acct for TCP sockets, too.
	* Add rlm_cache_redis. See raddb/mods-available/cache for details
	* Allow radmin to look up home servers by name, too.
	* Ensure that dynamic clients don't create loops on duplicates.
	  Reported by Sam Yee.
	* Removed rlm_sqlhpwippool.  There was no documentation, no configuration,
	  and the module was ~15 years old with no one using it.
	* Marked rlm_python3 as stable.
	* Add sigalgs_list.  See raddb/mods-available/eap.  Patch from
	  Boris Lytochkin.
	* For rlm_linelog, when opening files in /dev, look at "permissions" to see
	  whether to open them r/w.
	* More flexibility for dynamic home servers.  See doc/configuration/dynamic_home_servers.md
	  and raddb/home_servers/README.md
	* Allow setting of application_name for PostgreSQL.  See mods-available/sql.

	Bug fixes
	* Correct test for open sessions in radacct for MS SQL.
	* The linelog module now opens /dev/stdout in "write-only" mode
	  if the permissions are set to "u+w" (0002).
	* Various fixes to rlm_unbound from Nick Porter.
	* PEAP now correctly runs Post-Auth-Type Accept
	* Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-*
	  Fixes #4698.  See sites-available/tls, and fix_cert_order.
	* Minor updates and fixes to CI, Dockerfiles and packaging.
	* Fix rlm_python3 build with python >= 3.10. Fixes #4441

FreeRADIUS 3.2.0 Thu 21 Apr 2022 12:00:00 EDT urgency=low
	Configuration changes
	* "correct_escapes" has been removed, and is always set to "true"
	  internally. Configuration changes may be required if you are
	  using configurations from before 3.0.5.  Other than this
	  difference, 3.2.x is compatible with 3.0.x, and configurations
	  from 3.0.x can be simply copied into a system running 3.2.x.

	Feature improvements
	* All features from 3.0.x are included in the 3.2.x releases. In addition:
	* Support PEAP and TTLS with TLS 1.3.  This has been
	  tested with wpa_supplicant and Windows 11.
	* Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which
	  day of the month the counter should be reset.
	* Partial backport of rlm_json from v4, providing the json_encode xlat.
	  See mods-available/json for documentation.
	* Support for haproxy "PROXY" protocol.
	  See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/
	* Support for sending CoA-Request and Disconnect-Request packets
	  in "reverse" down RadSec tunnels.  Experimental for now, and
	  undocumented.
	* It is now possible to run a virtual server when saving / loading
	  TLS cache attributes.  See sites-available/tls-cache for
	  more information.
	* Removed the "cram" module.  It was undocumented, and used old
	  and insecure authentication methods.
	* Remove the "otp" module.  The "otpd" program it needs is no longer available,
	  and the module has not been usable since at least 2015.
	* All features from 3.0.x are included in the 3.2.x releases.
	* 3.2.0 requires OpenSSL 1.0.2 or greater.

	Bug fixes
	* All bug fixes from 3.0.x are included in the 3.2.x releases.
