freeradius 3.0.13 refusing to start with Heartbleed-unaffected OpenSSL version

Herwin Weststrate herwin at quarantainenet.nl
Fri Apr 21 09:02:54 CEST 2017


On 21-04-17 08:50, Konstantin Knaab-Hinrichs via Freeradius-Users wrote:
> root@$HOSTNAME:/etc/raddb# apt-get update && apt-cache madison libssl-dev
> libssl-dev | 1.0.1t-1+deb8u6 | http://security.debian.org/
> jessie/updates/main amd64 Packages
> libssl-dev | 1.0.1t-1+deb8u5 | http://ftp.de.debian.org/debian/ jessie/main
> amd64 Packages
>    openssl | 1.0.1t-1+deb8u5 | http://ftp.de.debian.org/debian/ jessie/main
> Sources
>    openssl | 1.0.1k-3+deb8u3 | http://security.debian.org/
> jessie/updates/main Sources
>    openssl | 1.0.1t-1+deb8u6 | http://security.debian.org/
> jessie/updates/main Sources
> root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl1
> libssl1.0.0:amd64                               install
> root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl-dev
> root@$HOSTNAME:/etc/raddb# openssl version
> OpenSSL 1.0.2k  26 Jan 2017

There is a difference here: apt shows 1.0.1t-1+deb8u6 as the most recent
version (which is the most recent version on my Jessie install too, so
that's fine), but `openssl version` shows a different version (1.0.2
instead of 1.0.1). Did you install openssl from source as well? I
wouldn't be surprised if `which openssl` showed something other than
/usr/bin/openssl, which is where the packages are installed.

> According to apt-cache madison and Google there isn't an unblocked
> libssl-dev available to install. Why doesn't it work when
> allow_vulnerable_openssl = 'CVE-2016-6304' is set in radiusd.conf - as
> the debug mode of raddb says? Do I have to ./configure with another
> option saying that I don't want the blocked range - because I checked
> OpenSSL already?

If you're actually using the Debian packages for OpenSSL, there is not
much added value in letting freeradius check for vulnerabilities. Mostly,
Debian's OpenSSL is patched faster than you'd upgrade your RADIUS
server, and because fixes are backported the version check doesn't make
much sense either. You could pass --disable-openssl-version-check to the
build to disable openssl version checks, or build the Debian packages
(http://wiki.freeradius.org/building/Debian-and-Ubuntu), which include
this switch by default.

-- 
Herwin Weststrate
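The mismatch diagnosed above (apt reports 1.0.1t-1+deb8u6 while the openssl binary on PATH reports 1.0.2k) is easy to check for in a script. The following is an added example, not code from the thread or from the FreeRADIUS project: it strips the Debian revision from the installed libssl package version, extracts the version token from `openssl version` output, and reports whether the two agree. The sample values are constructed from the shape of the output quoted in the thread; `live_check` queries the running system and is only meaningful on Debian/Ubuntu (the package name `libssl1.0.0` is the Jessie-era name, an assumption for this example).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect a self-built
# OpenSSL shadowing the distribution package by comparing the version the
# openssl binary reports with the upstream part of the Debian package version.

# Strip the Debian revision: "1.0.1t-1+deb8u6" -> "1.0.1t"
debian_upstream_version() {
    printf '%s\n' "$1" | sed 's/-.*$//'
}

# Take the version token from `openssl version` output:
# "OpenSSL 1.0.2k  26 Jan 2017" -> "1.0.2k"
openssl_reported_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Returns 0 when the package and the binary agree, 1 on a mismatch.
# $1 = Debian package version string, $2 = `openssl version` output line.
compare_openssl_sources() {
    pkg=$(debian_upstream_version "$1")
    bin=$(openssl_reported_version "$2")
    if [ "$pkg" = "$bin" ]; then
        echo "ok: openssl binary ($bin) matches Debian package ($pkg)"
        return 0
    fi
    echo "mismatch: openssl binary reports $bin but Debian package is $pkg" >&2
    echo "hint: check 'command -v openssl' and 'dpkg -S \$(command -v openssl)'" >&2
    return 1
}

# Query the running system (Debian/Ubuntu only); returns 2 when the tools
# or the package are not present, so the script still runs elsewhere.
live_check() {
    pkgver=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) || return 2
    binver=$(openssl version 2>/dev/null) || return 2
    compare_openssl_sources "$pkgver" "$binver"
}

# Constructed sample values modelled on the output quoted in the thread.
SAMPLE_PKG="1.0.1t-1+deb8u6"
SAMPLE_BIN="OpenSSL 1.0.2k  26 Jan 2017"

# Offline demonstration; pass --live to check the local system instead.
if [ "${1:-}" = "--live" ]; then
    live_check || :
else
    compare_openssl_sources "$SAMPLE_PKG" "$SAMPLE_BIN" || :
fi
```

With the constructed values the script reports a mismatch, which is the situation the reply describes; with `--live` on a Jessie box where only the packaged OpenSSL is installed it should report `ok`.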

