please don’t send email On Jul 21, 2015, at 01:30, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Alan -
When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS. But when I fired up freeradius it was still finding/reporting a heartbleed variant. That's what lead me to install the updated version of OpenSSL manually. I did find on the Git repository a script that will add the SSL lib path. This seems like it should work? I never did check the version of OpenSSL shipped with CentOS but as you mention it *should* be a non-heartbleed variant.
#!/bin/sh # # The purpose of this script is to forcibly load the *correct* version # of OpenSSL for FreeRADIUS, when you have more than one version of OpenSSL # installed on your system. # # You'll have to edit the directories to the correct location # for your local system. # # $Id: e791dffc2687bdb94bfb0516fff8f4f5b4ec3670 $ #
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/ssl/lib:/usr/local/radius/lib LD_PRELOAD=/usr/local/ssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD exec /usr/local/radius/sbin/radiusd $@
On Monday, July 20, 2015 10:28 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 20, 2015, at 4:26 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS. I also installed version 1.0.2d of openssl so I'm not subject to heartbleed. When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install.
Which is why you don't install manual packages on top of existing ones. CentOS *should* have a fixed version of OpenSSL.
I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not. So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS. Is there a repo that will provide me with a 3.0.9 version of the ldap module? If not, can I compile and point to my lib directory for openssl 1.0.2d instead? Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists. Don't know where to look for the source(s).
Install the OpenSSL from CentOS. It should have the fix. See the release notes for details.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html