On 21-04-17 08:50, Konstantin Knaab-Hinrichs via Freeradius-Users wrote:
root@$HOSTNAME:/etc/raddb# apt-get update && apt-cache madison libssl-dev libssl-dev | 1.0.1t-1+deb8u6 | http://security.debian.org/ jessie/updates/main amd64 Packages libssl-dev | 1.0.1t-1+deb8u5 | http://ftp.de.debian.org/debian/ jessie/main amd64 Packages openssl | 1.0.1t-1+deb8u5 | http://ftp.de.debian.org/debian/ jessie/main Sources openssl | 1.0.1k-3+deb8u3 | http://security.debian.org/ jessie/updates/main Sources openssl | 1.0.1t-1+deb8u6 | http://security.debian.org/ jessie/updates/main Sources root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl1 libssl1.0.0:amd64 install root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl-dev root@$HOSTNAME:/etc/raddb# openssl version OpenSSL 1.0.2k 26 Jan 2017
There is a difference here, apt shows 1.0.1t-1+deb8u6 as most recent version (which is the most recent version on my Jessie install too, so that's fine), but `openssl version` shows a different version (1.0.2 instead of 1.0.1). Did you install openssl from source as well? I wouldn't be surprised if `which openssl` showed something other than /usr/bin/openssl which is where the packages are installed.
According to apt-cache madison and Google there isn't an unblocked libssl-dev available to install. Why doesn't it work when allow_vulnerable_openssl = 'CVE-2016-6304' is set in radiusd.conf - as the debug mode of raddb says? Do I have to ./configure with another option saying that I don't want the blocked range - because I checked OpenSSL already?
If you're actually using the Debian-packages for OpenSSL, there is not much added value by letting freeradius check for vulnerabilities. Mostly OpenSSL of Debian is patched faster than you'd upgrade your RADIUS server, and because fixes are backported the version check doesn't make much sense either. You could pass --disable-openssl-version-check to the build to disable openssl version checks, or build the Debian packages (http://wiki.freeradius.org/building/Debian-and-Ubuntu) which include this switch by default. -- Herwin Weststrate