freeradius won't start due to heartbleed
Mark Tinka
mark.tinka at seacom.mu
Tue Jun 10 18:44:48 UTC 2014
On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:
> 'scuse my ignorance.
>
> But though I understand how that proves the point, surely
> the correct fix now would be to replace the openssl
> libs with a version without the vulnerability, and reset
> that configuration option to "no"
>
> AFAIK, FBSD 10.0 was released before the HeartBleed bug
> was found, so unless you know you've updated it to a
> fixed version, there could be trouble ahead.
>
> Just curious...
>
> Dave B. (I run '9.2 release' at home, that never had
> the trouble, AFAIK.)

OpenSSL versions 1.0.1 through to 1.0.1f are affected by
Heartbleed, as you already know.

An interim fix for the base OpenSSL implementation in
FreeBSD-10 (which was 1.0.1e) was pushed out, without
changing the version number. So FreeRADIUS assumes anything
prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
of whether a fix is actually implemented or not. Hence the
need for this switch in the FreeRADIUS configuration.

So provided you know this, and provided your base FreeBSD
installation is patched, it's a safe option to use.

If you use the OpenSSL release in the ports, or when
FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
need that FreeRADIUS option anymore.

Hope this helps.

Cheers,

Mark.
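
Added example, not part of the original message and not FreeRADIUS's own code: a Python check that looks only at the version string, using the 1.0.1 through 1.0.1f range given above, to show why a base-system 1.0.1e with a backported fix is still flagged. The function names, the `vendor_fix_confirmed` input and the sample banners are constructed for illustration.

```python
import re

# Matches the numeric version plus optional patch letter, e.g. "1.0.1e".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def flagged_by_version(banner):
    """True when the version string alone falls in 1.0.1 through 1.0.1f."""
    major, minor, fix, letter = parse_openssl_version(banner)
    # "" (plain 1.0.1) sorts before "a", so it is inside the range too.
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"

def assess(banner, vendor_fix_confirmed=False):
    """Combine the version check with what the operator knows about patching.

    vendor_fix_confirmed is a hypothetical input: set it only after verifying
    that the OS vendor's backported fix is installed.
    """
    if not flagged_by_version(banner):
        return "not flagged"
    if vendor_fix_confirmed:
        return "flagged by version only; override is justified"
    return "flagged; patch or upgrade before overriding"

# Constructed sample banners (not taken from the thread).
SAMPLES = [
    ("OpenSSL 1.0.1e-freebsd 11 Feb 2013", True),   # base system, fix backported
    ("OpenSSL 1.0.1e-freebsd 11 Feb 2013", False),  # same string, unpatched
    ("OpenSSL 1.0.1g 7 Apr 2014", False),
    ("OpenSSL 0.9.8y 5 Feb 2013", False),
]

if __name__ == "__main__":
    for banner, confirmed in SAMPLES:
        print("%-40s %s" % (banner, assess(banner, confirmed)))
```

The first two samples carry the same banner and differ only in what the operator has verified, which is the reason a version-only check cannot tell them apart.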