On 10-10-15 18:44, Alan Buxey wrote:
It will also fail to start because of openssl versioning : Put : allow_vulnerable_openssl = yes under Security in /etc/freeradius/radius.conf
No. Read the debug output and see what CVE code is worried about and put only that in the allow_vulnerable..... string otherwise your leaving yourself open to all kinds of future things if your openssl doesn't get patched. That change certainly isn't going to be standard in the distro. Blame openssl and the distros for their naming convention :/
To be honest, these are the kinds of bugs where I trust my distro to have a fixed version before I've had the chance of compiling a new FreeRADIUS, just to discover that it won't start because it thinks the OpenSSL version is vulnerable. The OpenSSL version check might be useful for installations where you have a manual installation of OpenSSL, but as long as you're using OpenSSL from a supported distro (like Debian or Ubuntu), I don't think the checks in FreeRADIUS have any added value. -- Herwin Weststrate