Hi,
I'm testing the v3.0.x branch - FreeRADIUS Version 3.1.0 (git #21acbbf) on CentOS 6.5 with system openssl and all patches:
thats the 3.1.x release which isnt the future 3.0.3 ;-) but still...
rpm -q --changelog openssl | grep CVE-2014-0160 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
I'm getting Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x01000105f (1.0.1e-15) (in range 1.0.1-0 - 1.0.1f-15)
yes - 1.0.1e could be affected.... unfortunately theres no way of actually checking if the code is safe - there was a discussion about this feature. you just need to disable the OpenSSL check (as per the docs). allow_vulnerable_openssl = yes in radiusd.conf
The other problem I ran into is that when the cui is enabled then the server fails when trying to remove an empty value:
that looks like a big bang....which with the new panic action code means that gdb can be immediately attached onto it - worth looking at using the new panic action on this and seeing what the values/issues are - in the usual docs/bugs method alan