Building from Source

Herwin Weststrate herwin at quarantainenet.nl
Mon Oct 12 11:29:05 CEST 2015


On 10-10-15 18:44, Alan Buxey wrote:
>> It will also fail to start because of openssl versioning :
> Put : allow_vulnerable_openssl = yes under Security in
> /etc/freeradius/radius.conf
> 
> No.  Read the debug output and see what CVE code is worried about and
> put only that in the allow_vulnerable..... string otherwise you're
> leaving yourself open to all kinds of future things if your openssl
> doesn't get patched.  That change certainly isn't going to be
> standard in the distro.  Blame openssl and the distros for their
> naming convention :/

To be honest, these are the kinds of bugs where I trust my distro to
have a fixed version before I've had the chance of compiling a new
FreeRADIUS, just to discover that it won't start because it thinks the
OpenSSL version is vulnerable.

The OpenSSL version check might be useful for installations where you
have a manual installation of OpenSSL, but as long as you're using
OpenSSL from a supported distro (like Debian or Ubuntu), I don't think
the checks in FreeRADIUS have any added value.

-- 
Herwin Weststrate


More information about the Freeradius-Users mailing list