freeradius won't start due to heartbleed
g8kbvdave at googlemail.com
Tue Jun 10 19:15:45 UTC 2014
On 10 Jun 2014 19:44, "Mark Tinka" <mark.tinka at seacom.mu> wrote:
> On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:
> > 'scuse my ignorance.
> > But though I understand how that proves the point, surely
> > the correct fix now would be to replace the openssl
> > libs' to a version without the vulnerability, and reset
> > that configuration option to "no"
> > AFIK, FBSD 10.0 was released before the HeartBleed bug
> > was found, so unles you know you've updated it to a
> > fixed version, there could be trouble ahead.
> > Just curious...
> > Dave B. (I run '9.2 release' at home, that never had
> > the trouble, AFIK.)
> OpenSSL versions 1.0.1 through to 1.0.1f are affected by
> Heartbleed, as you already know.
> An interim fix for the base OpenSSL implementation in
> FreeBSD-10 (which was 1.0.1e) was pushed out, without
> changing the version number. So FreeRADIUS assumes anything
> prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
> of whether a fix is actually implemented or not. Hence the
> need for this switch in the FreeRADIUS configuration.
> So provided you know this, and provided your base FreeSBD
> installation is patched, it's a safe option to use.
> If you use the OpenSSL release in the ports, or when
> FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
> need that FreeRADIUS option anymore.
> Hope this helps.
I do now remember hearing something about a non version'd patch, though
even if successful, it only adds to the confusion :)
Other than that, you confirmed my suspicions.
More information about the freebsd-questions