Reg Openssl issue unable to start radius version 3.0.8

J@g@dee5h djfueese at gmail.com
Wed Jul 1 06:46:27 CEST 2015


Hello,

I am unable to start FreeRADIUS due to an OpenSSL vulnerability issue.
Please find the debug log.

-----------
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set
security.allow_vulnerable_openssl = 'CVE-2014-0160'
------------


I have confirmed that I have applied the patch for this bug.

-----------
[root@radius raddb]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@radius raddb]# rpm -q --changelog openssl | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
[root@radius raddb]#
--------------


Is it safe to enable allow_vulnerable_openssl = yes in the radiusd.conf
file? Otherwise I will update OpenSSL to version 1.0.1g.


Please suggest.
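
Added example (not part of the original post and not FreeRADIUS source code): the refusal message above reports the library version as the number 0x1000105f and compares it against a range, which is why a distribution package that still identifies itself as 1.0.1e trips the check even when its changelog lists the CVE-2014-0160 fix. The sketch below decodes that number using OpenSSL's 0xMNNFFPPS version layout; the hex range bounds are derived here from the "1.0.1 dev - 1.0.1f release" text in the log, and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs its version number as 0xMNNFFPPS:
 * major, minor, fix, patch letter (1 = 'a'), status (0 dev, 0xf release). */
struct ssl_ver { unsigned major, minor, fix, patch, status; };

struct ssl_ver decode_version(unsigned long v)
{
    struct ssl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* Assumption: bounds derived from the log text "1.0.1 dev - 1.0.1f release". */
#define HEARTBLEED_LOW  0x10001000UL   /* 1.0.1 dev      */
#define HEARTBLEED_HIGH 0x1000106fUL   /* 1.0.1f release */

/* Returns 1 when the version number alone falls inside the flagged range.
 * A backported fix does not change this number, so it cannot be seen here. */
int in_heartbleed_range(unsigned long v)
{
    return v >= HEARTBLEED_LOW && v <= HEARTBLEED_HIGH;
}

/* Formats the number the way the log prints it, e.g. "1.0.1e release". */
const char *version_string(unsigned long v, char *buf, size_t len)
{
    struct ssl_ver r = decode_version(v);
    char letter[2] = { r.patch ? (char)('a' + r.patch - 1) : '\0', '\0' };
    const char *st = r.status == 0 ? "dev" : r.status == 0xf ? "release" : "beta";
    snprintf(buf, len, "%u.%u.%u%s %s", r.major, r.minor, r.fix, letter, st);
    return buf;
}

int main(void)
{
    /* 0x1000105f is the value in the post's log; 0x1000107f is 1.0.1g release. */
    unsigned long samples[] = { 0x1000105fUL, 0x1000107fUL };
    char buf[32];
    for (size_t i = 0; i < 2; i++)
        printf("0x%08lx  %-16s in range: %s\n", samples[i],
               version_string(samples[i], buf, sizeof buf),
               in_heartbleed_range(samples[i]) ? "yes" : "no");
    return 0;
}
```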

