On Tue, Dec 23, 2014 at 11:35:04AM +0000, Nair, Suraj wrote:
On 2.2.6, I got another error, something similar to this: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) And I was told that rolling back to an older version should solve the problem.
No, it will workaround the "problem" by introducing other security holes. And potentially leave you with the first security problem as well. You need to make sure your openssl is patched for heartbleed. On ubuntu, it's likely that you are patched, but the version number wasn't updated. So look at the openssl release notes / changelog to make sure that it has the heartbleed patch. When you've confirmed that is the patched version, edit raddb/radiusd.conf and set "allow_vulnerable_openssl = yes" in the security section. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>