freeradius and heartbleed tests in Debian

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Apr 23 03:21:12 CEST 2014


On 22 Apr 2014, at 20:28, Alan DeKok <aland at deployingradius.com> wrote:

> Rui Ribeiro wrote:
>> Just to let you know the Debian 7 update version of ssl is
>> 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put
>> allow_vulnerable_openssl in radiusd.conf.
> 
>  We know.  This is intentional.
> 
>  There is NO WAY for FreeRADIUS to determine that OpenSSL has been
> patched.  There is NO WAY for FreeRADIUS to protect against some of the
> heartbleed attacks.  Therefore, the only safe approach is to warn the
> administrator.
> 
>  The Debian people should issue a package of FreeRADIUS, patched to
> have "allow_vulnerable_openssl = yes" set by default.

No. They should release a version with allow_vulnerable_openssl set to
the highest level of acknowledged exploit. Matthew McNewton already
contributed the patches to do this.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
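For reference, the radiusd.conf fragment the reply is talking about, as an added illustration that is not part of the thread or of the Debian package. In FreeRADIUS 3.0.x the option lives in the security { } section and accepts either a blanket "yes" or the identifier of the most recent OpenSSL defect the server knows about (the value the startup error message tells you to set); the surrounding layout and comments are mine:

```conf
security {
	#  Default: refuse to start if the linked OpenSSL falls in a
	#  version range with a known defect.
	#allow_vulnerable_openssl = no

	#  Blanket override: silences the check for every defect,
	#  present and future.  Not recommended.
	#allow_vulnerable_openssl = yes

	#  Preferred: acknowledge only the specific advisory (here the
	#  Heartbleed CVE) once you have verified the distribution
	#  package carries the backported fix.  A later defect added to
	#  the server's list will make startup fail again.
	allow_vulnerable_openssl = 'CVE-2014-0160'
}
```

The difference matters because FreeRADIUS only sees the OpenSSL version string, not the vendor patch level, so the CVE form records exactly which advisory the administrator has checked rather than disabling the check outright.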
