22 Apr
2014
22 Apr
'14
3:28 p.m.
Rui Ribeiro wrote:
Just to let you know the Debian 7 update version of ssl is 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put allow_vulnerable_openssl in radiusd.conf.
We know. This is intentional. There is NO WAY for FreeRADIUS to determine that OpenSSL has been patched. There is NO WAY for FreeRADIUS to protect against some of the heartbleed attacks. Therefore, the only safe approach is to warn the administrator. The Debian people should issue a package of FreeRADIUS, patched to have "allow_vulnerable_openssl = yes" set by default. Alan DeKok.