Can't get rid of OpenSSL-message

Philipp Trenz mail at philipptrenz.de
Fri Sep 23 11:59:41 CEST 2016


Hi there,

I newly compiled 3.0.12 for the upcoming release, but I can't get rid of 
the OpenSSL issue messages. OpenSSL is already patched, and 
allow_vulnerable_openssl = 'CVE-2016-6304' and allow_vulnerable_openssl 
= 'CVE-2014-0160' have been added at the end of security {}. I'm running 
FreeRADIUS on CentOS 7.
Is this a bug or am I missing something?


Thanks for your help!

radiusd -X last output:
Debugger not attached
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 
0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set 
security.allow_vulnerable_openssl = 'CVE-2014-0160'
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 
0x1000105f (1.0.1e release) (in range 1.0.1 release - 1.0.1t rele)
Security advisory CVE-2016-6304 (OCSP status request extension)
For more information see 
https://www.openssl.org/news/secadv/20160922.txt
Once you have verified libssl has been correctly patched, set 
security.allow_vulnerable_openssl = 'CVE-2016-6304'
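
Added example, not part of the original post and not FreeRADIUS code: it decodes the packed libssl version number shown in the output above (0x1000105f) and tests it against the two advisory ranges those log lines print. The function names and the ADVISORIES table are constructed for illustration.

```python
# Added example: decode OpenSSL's packed version number (0xMNNFFPPS) and test
# it against the advisory ranges printed in the radiusd -X output above.
# Function names and the ADVISORIES table are constructed for illustration.

STATUS = {0x0: "dev", 0xF: "release"}  # 0x1-0xe are beta builds


def decode(num):
    """Split 0xMNNFFPPS into (major, minor, fix, patch, status)."""
    return ((num >> 28) & 0xF, (num >> 20) & 0xFF, (num >> 12) & 0xFF,
            (num >> 4) & 0xFF, num & 0xF)


def encode(major, minor, fix, patch_letter="", status=0xF):
    """Build the packed number; patch letter 'a' is 1, 'b' is 2, and so on."""
    patch = ord(patch_letter) - ord("a") + 1 if patch_letter else 0
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status


def pretty(num):
    """Render the packed number the way the log does, e.g. '1.0.1e release'."""
    major, minor, fix, patch, status = decode(num)
    letter = chr(ord("a") + patch - 1) if patch else ""
    label = STATUS.get(status, "beta %d" % status)
    return "%d.%d.%d%s %s" % (major, minor, fix, letter, label)


# Ranges copied from the log lines above: (advisory, low, high), inclusive.
ADVISORIES = [
    ("CVE-2014-0160", encode(1, 0, 1, status=0x0), encode(1, 0, 1, "f")),
    ("CVE-2016-6304", encode(1, 0, 1), encode(1, 0, 1, "t")),
]


def flagged(num):
    """Advisories whose version range contains num."""
    return [cve for cve, low, high in ADVISORIES if low <= num <= high]


if __name__ == "__main__":
    reported = 0x1000105F  # value from the radiusd -X output
    print(pretty(reported), "->", flagged(reported))
    # A distribution backport fixes the code but leaves this number unchanged,
    # so a range check on the number alone cannot see the patch.
```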

