freeradius and heartbleed tests in Debian
Hi, Just to let you know the Debian 7 update version of ssl is 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put allow_vulnerable_openssl in radiusd.conf. Regards, Rui Ribeiro
Rui Ribeiro wrote:
Just to let you know the Debian 7 update version of ssl is 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put allow_vulnerable_openssl in radiusd.conf.
We know. This is intentional. There is NO WAY for FreeRADIUS to determine that OpenSSL has been patched. There is NO WAY for FreeRADIUS to protect against some of the heartbleed attacks. Therefore, the only safe approach is to warn the administrator. The Debian people should issue a package of FreeRADIUS, patched to have "allow_vulnerable_openssl = yes" set by default. Alan DeKok.
On 22 Apr 2014, at 20:28, Alan DeKok <aland@deployingradius.com> wrote:
Rui Ribeiro wrote:
Just to let you know the Debian 7 update version of ssl is 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put allow_vulnerable_openssl in radiusd.conf.
We know. This is intentional.
There is NO WAY for FreeRADIUS to determine that OpenSSL has been patched. There is NO WAY for FreeRADIUS to protect against some of the heartbleed attacks. Therefore, the only safe approach is to warn the administrator.
The Debian people should issue a package of FreeRADIUS, patched to have "allow_vulnerable_openssl = yes" set by default.
No. They should release a version with allow_vulnerable_openssl set to the highest level of acknowledge exploit. Matthew McNewton already contributed the patches to do this. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, Apr 23, 2014 at 02:21:12AM +0100, Arran Cudbard-Bell wrote:
No. They should release a version with allow_vulnerable_openssl set to the highest level of acknowledge exploit. Matthew McNewton already contributed the patches to do this.
/me dances the ceilidh. -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 23 Apr 2014, at 11:16, Matthew Newton <mcn4@LEICESTER.AC.UK> wrote:
On Wed, Apr 23, 2014 at 02:21:12AM +0100, Arran Cudbard-Bell wrote:
No. They should release a version with allow_vulnerable_openssl set to the highest level of acknowledge exploit. Matthew McNewton already contributed the patches to do this.
/me dances the ceilidh.
*Matthew Newton. Damn github username *grumble* Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Rui Ribeiro