On 22 Apr 2014, at 20:28, Alan DeKok <aland@deployingradius.com> wrote:
Rui Ribeiro wrote:
Just to let you know the Debian 7 update version of ssl is 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put allow_vulnerable_openssl in radiusd.conf.
We know. This is intentional.
There is NO WAY for FreeRADIUS to determine that OpenSSL has been patched. There is NO WAY for FreeRADIUS to protect against some of the heartbleed attacks. Therefore, the only safe approach is to warn the administrator.
The Debian people should issue a package of FreeRADIUS, patched to have "allow_vulnerable_openssl = yes" set by default.
No. They should release a version with allow_vulnerable_openssl set to the highest level of acknowledge exploit. Matthew McNewton already contributed the patches to do this. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2