[PATCH 1/1] Just warn if linked libssl is more recent

Matthew Newton mcn4 at leicester.ac.uk
Tue Jun 17 13:02:07 CEST 2014 

Hi,

On Tue, Jun 17, 2014 at 11:39:25AM +0100, Arran Cudbard-Bell wrote:
> 
> On 17 Jun 2014, at 11:01, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:
> > I don't think applications should be enforcing this, full
> > stop. I don't expect you'll agree with me, but never mind.
> 
> No, I don't agree. Developer time is a finite resource. I don't
> want our time wasted helping people debug issues caused by
> libssl compatibility issues.

In a perfect world, I'm with Phil on this one. But as things stand
at present, it's a grey area. Checks cause problems, such as
distros having to remember to recompile FR when new libraries come
out - this would be a right pain if all software did this for all
libraries, and mostly defeat a large point of shared libraries.

The check for heartbeat openssl bug is a case in point; different
distros have crazy policies on library version numbers, which
means the check is rather annoying unless you build yourself. This
then causes other support issues ("my package won't install, I
followed all the right build instructions, what's wrong?").

So it's support problems caused by incompatible libraries, or by
things that stop the server running.

I think I'd go the middle ground - a very large fat warning at the
bottom of the start up debug output and in the main log file, but
still run. Something along the lines of

**********************************************************************
* WARNING! Some library versions may not be compatible with this     *
*          version of FreeRADIUS. If you have problems or crashes,   *
*          please recompile against the current versions or contact  *
*          your distribution for support.                            *
*                                                                    *
*          OpenSSL is version 1.0.4, compiled against 1.0.2          *
*                                                                    *
**********************************************************************

The crash handler should probably print out the same warning.

Then the questions on the mailing lists should appear more when
there are real problems, rather than the drip of "my FR won't
start, helpz!" with the blunt cookie-cut answers that inevitably
arise.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Devel mailing list