On 17 Jun 2014, at 08:43, Christian Hesse <list@eworm.de> wrote:
Arran Cudbard-Bell <a.cudbardb@freeradius.org> on Tue, 2014/06/17 08:31:
On 17 Jun 2014, at 07:12, Christian Hesse <list@eworm.de> wrote:
From: Christian Hesse <mail@eworm.de>
Even if dynamic linking is just fine, radiusd fails after ever openssl update. (Distribution toolkits do not detect this, so distribution packages break on a regular basis.) This changes behavior so that it still fails on library downgrade, but just warns if openssl library has been upgraded.
The point of adding the check, was because even minor versions of libssl had changes which broke ABI compatibility.
I'm not sure how your suggestion helps? If there's any change in libssl version it could cause ABI incompatibility, it doesn't matter if it's an upgrade or downgrade.
I had thought this is to fetch cases where libssl version changes and introduces any (possibly old) security vulnerabilities.
In theory ABI should stay compatible with minor updates. And major updates should break if dynamic linking breaks. Or did that happen when system toolchain (gcc and friends) was updated?
Still the question is whether freeradius should break on ABI incompatibility change (which should still give a warning with my patch) or break on *every* openssl update, regardless of whether or not ABI changed.
Searching for "freeradius libssl version mismatch" gives a lot of matches, so looks like this is a real issue.
Some of those aren't for FreeRADIUS. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732940 OpenSSH has also adopted this approach, with a very similar message to us. Obviously they got annoyed too. I've changed the behaviour to match theirs. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2