On 1 Jul 2015, at 00:46, J@g@dee5h <djfueese@gmail.com> wrote:
Hello,
I am unable to start the freeradius due to openssl vulnerability issue. Please find the debug log.
----------- Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release) Security advisory CVE-2014-0160 (Heartbleed) For more information see http://heartbleed.com Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160' ------------
I have confirmed that I have applied the patch for this bug.
----------- [root@radius raddb]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 [root@radius raddb]# rpm -q --changelog openssl | grep CVE-2014-0160 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension [root@radius raddb]# --------------
Is it safe to enable the allow_vulnerable_openssl = yes in radiusd.conf
No. You should do what the message says and set allow_vulnerable_openssl = 'CVE-2014-0160' -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2