freeradius won't start due to heartbleed

Mark Tinka mark.tinka at
Tue Jun 10 18:44:48 UTC 2014

On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:

> 'scuse my ignorance.
> But though I understand how that proves the point, surely
> the correct fix now would be to replace the openssl
> libs' to a version without the vulnerability, and reset
> that configuration option to "no"
> AFIK, FBSD 10.0 was released before the HeartBleed bug
> was found, so unles you know you've updated it to a
> fixed version, there could be trouble ahead.
> Just curious...
> Dave B.    (I run '9.2 release' at home, that never had
> the trouble, AFIK.)

OpenSSL versions 1.0.1 through to 1.0.1f are affected by 
Heartbleed, as you already know.

An interim fix for the base OpenSSL implementation in 
FreeBSD-10 (which was 1.0.1e) was pushed out, without 
changing the version number. So FreeRADIUS assumes anything 
prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless 
of whether a fix is actually implemented or not. Hence the 
need for this switch in the FreeRADIUS configuration.

So provided you know this, and provided your base FreeSBD 
installation is patched, it's a safe option to use.

If you use the OpenSSL release in the ports, or when 
FreeBSD's base OpenSSL version is 1.0.1g or later, you won't 
need that FreeRADIUS option anymore.

Hope this helps.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the freebsd-questions mailing list