Nick Lowe wrote:
I agree entirely with what Phil says. Is this not a layering violation? As much as you think you might be helping in this belt-and-braces way, I don't think it should be the concern of FreeRADIUS to care about this - and how far do you take it?
The goal is to have FreeRADIUS be secure. i.e. there is no installation which defaults to insecure. The way we do this is to either disable features, or disable vulnerabilities.
I am also curious who might actually tangibly benefit. Isn't the reality that a version of FreeRADIUS that contains these checks will only ever get packaged by the distributions with a non-vulnerable version of OpenSSL going forward anyway in a new major release that they make?
Most of the time, yes. But not everyone uses packages. Security is about *always* being secure. You don't say "well, this won't happen often, so we can ignore it". Alan DeKok.