root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl libssl-dev:amd64 install libssl-doc install libssl1.0.0:amd64 install root@$HOSTNAME:/etc/raddb# apt-get purge libssl-dev [snip] Entfernen von libssl-dev:amd64 (1.0.1t-1+deb8u6) ... dpkg: Warnung: Während Entfernens von libssl-dev:amd64 ist Verzeichnis »/usr/include/openssl« nicht leer, wird daher nicht gelöscht // directory not empty root@$HOSTNAME:/etc/raddb# apt-get autoremove && apt-get autoclean [snip] Die folgenden Pakete werden ENTFERNT: // autoremoved packages libssl-doc zlib1g-dev [snip] root@$HOSTNAME:/etc/raddb# apt-get update && apt-cache madison libssl-dev libssl-dev | 1.0.1t-1+deb8u6 | http://security.debian.org/ jessie/updates/main amd64 Packages libssl-dev | 1.0.1t-1+deb8u5 | http://ftp.de.debian.org/debian/ jessie/main amd64 Packages openssl | 1.0.1t-1+deb8u5 | http://ftp.de.debian.org/debian/ jessie/main Sources openssl | 1.0.1k-3+deb8u3 | http://security.debian.org/ jessie/updates/main Sources openssl | 1.0.1t-1+deb8u6 | http://security.debian.org/ jessie/updates/main Sources root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl1 libssl1.0.0:amd64 install root@$HOSTNAME:/etc/raddb# dpkg --get-selections | grep libssl-dev root@$HOSTNAME:/etc/raddb# openssl version OpenSSL 1.0.2k 26 Jan 2017 -> The only libssl I have installed should be libssl1.0.0 which should not be in the mentioned 1.0.1 - 1.0.1t rule. OpenSSL 1.0.2k shouldn't be in a blocked range too. root@$HOSTNAME:/home/$USER/freeradius3/freeradius-server-3.0.13# ./configure --with-raddbdir=/etc/raddb root@$HOSTNAME:/home/$USER/freeradius3/freeradius-server-3.0.13# make [snip] scripts/boiler.mk:635: recipe for target 'build/objs/src/modules/rlm_eap/libeap/eap_tls.lo' failed make: *** [build/objs/src/modules/rlm_eap/libeap/eap_tls.lo] Error 1 According to apt-cache madison and Google there isn't an unblocked libssl-dev available to install. Why doesn't it work when allow_vulnerable_openssl = 'CVE-2016-6304' is set in radiusd.conf - as the debug mode of raddb says? Do I have to ./configure with another option saying that I don't want the blocked range - because I checked OpenSSL already? Yours, Konstantin 2017-04-20 16:05 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Apr 20, 2017, at 9:56 AM, Konstantin Knaab-Hinrichs via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
having trouble getting radiusd to work because of openssl:
CLI debugging:
root@$HOSTNAME:/etc/raddb# openssl version OpenSSL *1.0.2k* 26 Jan 2017 ... Debugger not attached Refusing to start with libssl version OpenSSL 1.0.1t 3 May 2016
0x1000114f
(1.0.1t release) (in range 1.0.1 release - 1.0.1t rule)
You have multiple versions of OpenSSL installed on your system. Don't do that.
FreeRADIUS doesn't magically detect OpenSSL 1.0.1t when you actually have 1.0.2k installed. It detects 1.0.1t because 1.0.1t *is* installed, and *is* being used by FreeRADIUS.
Do I have to recompile FreeRADIUS after a new installation of OpenSSL?
Yes. Because of historic issues with OpenSSL breaking their APIs in minor releases.
OpenSSL is fixing their APIs. We will likely relax this check for OpenSSL 1.1.0 and later.
Alan DeKok.