20 Jul
2015
20 Jul
'15
2:36 p.m.
Ahhh, understood. Thanks. On Monday, July 20, 2015 1:45 PM, Alan DeKok <aland@deployingradius.com> wrote: On Jul 20, 2015, at 7:30 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS. But when I fired up freeradius it was still finding/reporting a heartbleed variant.
The point is that FreeRADIUS can't know if the OpenSSL version is vulnerable or not. CentOS / RedHat have probably patched it, but it's up to *you* to check that. And then set in radiusd.conf "allow_vulnerable_openssl = yes". Alan DeKok.