LDAP (rlm_ldap) Version 3.0.9
I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS. I also installed version 1.0.2d of openssl so I'm not subject to heartbleed. When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install. I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not. So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS. Is there a repo that will provide me with a 3.0.9 version of the ldap module? If not, can I compile and point to my lib directory for openssl 1.0.2d instead? Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists. Don't know where to look for the source(s).
On Jul 20, 2015, at 4:26 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS. I also installed version 1.0.2d of openssl so I'm not subject to heartbleed. When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install.
Which is why you don't install manual packages on top of existing ones. CentOS *should* have a fixed version of OpenSSL.
I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not. So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS. Is there a repo that will provide me with a 3.0.9 version of the ldap module? If not, can I compile and point to my lib directory for openssl 1.0.2d instead? Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists. Don't know where to look for the source(s).
Install the OpenSSL from CentOS. It should have the fix. See the release notes for details. Alan DeKok.
Alan - When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS. But when I fired up freeradius it was still finding/reporting a heartbleed variant. That's what lead me to install the updated version of OpenSSL manually. I did find on the Git repository a script that will add the SSL lib path. This seems like it should work? I never did check the version of OpenSSL shipped with CentOS but as you mention it *should* be a non-heartbleed variant. #!/bin/sh # # The purpose of this script is to forcibly load the *correct* version # of OpenSSL for FreeRADIUS, when you have more than one version of OpenSSL # installed on your system. # # You'll have to edit the directories to the correct location # for your local system. # # $Id: e791dffc2687bdb94bfb0516fff8f4f5b4ec3670 $ # LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/ssl/lib:/usr/local/radius/lib LD_PRELOAD=/usr/local/ssl/lib/libcrypto.so export LD_LIBRARY_PATH LD_PRELOAD exec /usr/local/radius/sbin/radiusd $@ On Monday, July 20, 2015 10:28 AM, Alan DeKok <aland@deployingradius.com> wrote: On Jul 20, 2015, at 4:26 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS. I also installed version 1.0.2d of openssl so I'm not subject to heartbleed. When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install.
Which is why you don't install manual packages on top of existing ones. CentOS *should* have a fixed version of OpenSSL.
I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not. So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS. Is there a repo that will provide me with a 3.0.9 version of the ldap module? If not, can I compile and point to my lib directory for openssl 1.0.2d instead? Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists. Don't know where to look for the source(s).
Install the OpenSSL from CentOS. It should have the fix. See the release notes for details. Alan DeKok.
On Jul 20, 2015, at 7:30 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS. But when I fired up freeradius it was still finding/reporting a heartbleed variant.
The point is that FreeRADIUS can't know if the OpenSSL version is vulnerable or not. CentOS / RedHat have probably patched it, but it's up to *you* to check that. And then set in radiusd.conf "allow_vulnerable_openssl = yes". Alan DeKok.
Ahhh, understood. Thanks. On Monday, July 20, 2015 1:45 PM, Alan DeKok <aland@deployingradius.com> wrote: On Jul 20, 2015, at 7:30 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS. But when I fired up freeradius it was still finding/reporting a heartbleed variant.
The point is that FreeRADIUS can't know if the OpenSSL version is vulnerable or not. CentOS / RedHat have probably patched it, but it's up to *you* to check that. And then set in radiusd.conf "allow_vulnerable_openssl = yes". Alan DeKok.
please don’t send email On Jul 21, 2015, at 01:30, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Alan -
When I installed the ldap module the first time, I was using the version of OpenSSL that shipped with CentOS. But when I fired up freeradius it was still finding/reporting a heartbleed variant. That's what lead me to install the updated version of OpenSSL manually. I did find on the Git repository a script that will add the SSL lib path. This seems like it should work? I never did check the version of OpenSSL shipped with CentOS but as you mention it *should* be a non-heartbleed variant.
#!/bin/sh # # The purpose of this script is to forcibly load the *correct* version # of OpenSSL for FreeRADIUS, when you have more than one version of OpenSSL # installed on your system. # # You'll have to edit the directories to the correct location # for your local system. # # $Id: e791dffc2687bdb94bfb0516fff8f4f5b4ec3670 $ #
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/ssl/lib:/usr/local/radius/lib LD_PRELOAD=/usr/local/ssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD exec /usr/local/radius/sbin/radiusd $@
On Monday, July 20, 2015 10:28 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 20, 2015, at 4:26 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS. I also installed version 1.0.2d of openssl so I'm not subject to heartbleed. When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install.
Which is why you don't install manual packages on top of existing ones. CentOS *should* have a fixed version of OpenSSL.
I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not. So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS. Is there a repo that will provide me with a 3.0.9 version of the ldap module? If not, can I compile and point to my lib directory for openssl 1.0.2d instead? Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists. Don't know where to look for the source(s).
Install the OpenSSL from CentOS. It should have the fix. See the release notes for details.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looks like CentOS still supplies a heartbleed variant, no? Am I missing a repository? []# yum search openssl Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.cc.columbia.edu * extras: mirror.es.its.nyu.edu * updates: centos.mirror.constant.com <------------------------------------------------ Am I missing a repository? ===================================================================================== N/S matched: openssl ====================================================================================== apr-util-openssl.x86_64 : APR utility library OpenSSL crytpo support openssl-devel.i686 : Files for development of applications which will use OpenSSL openssl-devel.x86_64 : Files for development of applications which will use OpenSSL openssl-perl.x86_64 : Perl scripts provided with OpenSSL openssl-static.i686 : Libraries for static linking of applications which will use OpenSSL openssl-static.x86_64 : Libraries for static linking of applications which will use OpenSSL perl-Crypt-OpenSSL-Bignum.x86_64 : Perl interface to OpenSSL for Bignum perl-Crypt-OpenSSL-RSA.x86_64 : Perl interface to OpenSSL for RSA perl-Crypt-OpenSSL-Random.x86_64 : Perl interface to OpenSSL for Random pyOpenSSL.x86_64 : Python wrapper module around the OpenSSL library pyOpenSSL-doc.noarch : Documentation for pyOpenSSL xmlsec1-openssl.i686 : OpenSSL crypto plugin for XML Security Library xmlsec1-openssl.x86_64 : OpenSSL crypto plugin for XML Security Library xmlsec1-openssl-devel.i686 : OpenSSL crypto plugin for XML Security Library xmlsec1-openssl-devel.x86_64 : OpenSSL crypto plugin for XML Security Library m2crypto.x86_64 : Support for using OpenSSL in python scripts nss_compat_ossl.i686 : Source-level compatibility library for OpenSSL to NSS porting nss_compat_ossl.x86_64 : Source-level compatibility library for OpenSSL to NSS porting openssl.x86_64 : Utilities from the general purpose cryptography library with TLS implementation openssl-libs.i686 : A general purpose cryptography library with TLS implementation openssl-libs.x86_64 : A general purpose cryptography library with TLS implementation openssl098e.i686 : A compatibility version of a general cryptography and TLS library openssl098e.x86_64 : A compatibility version of a general cryptography and TLS library perl-Crypt-SSLeay.x86_64 : Crypt::SSLeay - OpenSSL glue that provides LWP https support perl-Net-SSLeay.x86_64 : Perl extension for using OpenSSL qca-ossl.i686 : OpenSSL plugin for the Qt Cryptographic Architecture v2 qca-ossl.x86_64 : OpenSSL plugin for the Qt Cryptographic Architecture v2 Name and summary matches only, use "search all" for everything. [root@rochfreeradius Downloads]# yum info openssl-devel.i686 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.cc.columbia.edu * extras: mirror.es.its.nyu.edu * updates: centos.mirror.constant.com Available Packages Name : openssl-devel Arch : i686 Epoch : 1 Version : 1.0.1e <-------------------------------------------------------------------------------------------- Release : 42.el7.9 Size : 1.2 M Repo : updates/7/x86_64 Summary : Files for development of applications which will use OpenSSL URL : http://www.openssl.org/ License : OpenSSL Description : OpenSSL is a toolkit for supporting cryptography. The openssl-devel : package contains include files needed to develop applications which : support various cryptographic algorithms and protocols. [root@rochfreeradius Downloads]# yum info openssl-devel.x86_64 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.cc.columbia.edu * extras: mirror.es.its.nyu.edu * updates: mirrors.centos.webair.com Installed Packages Name : openssl-devel Arch : x86_64 Epoch : 1 Version : 1.0.1e <------------------------------------------------------------------------------------------- Release : 42.el7.9 Size : 2.2 M Repo : installed
From repo : updates Summary : Files for development of applications which will use OpenSSL URL : http://www.openssl.org/ License : OpenSSL Description : OpenSSL is a toolkit for supporting cryptography. The openssl-devel : package contains include files needed to develop applications which : support various cryptographic algorithms and protocols.
On Monday, July 20, 2015 10:28 AM, Alan DeKok <aland@deployingradius.com> wrote: On Jul 20, 2015, at 4:26 PM, Scott Pickles via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm running a CentOS 7 environment and I just did a fresh install of v3.0.9 of FreeRADIUS. I also installed version 1.0.2d of openssl so I'm not subject to heartbleed. When I installed the ldap module, yum downloaded version 3.0.4 and also installed a heartbleed vulnerable version of openssl and broke my install.
Which is why you don't install manual packages on top of existing ones. CentOS *should* have a fixed version of OpenSSL.
I know how to patch radiusd.conf for the heartbleed vulnerability but I'd rather not. So I removed the ldap module, re-installed openssl 1.0.2d and recompiled FreeRADIUS. Is there a repo that will provide me with a 3.0.9 version of the ldap module? If not, can I compile and point to my lib directory for openssl 1.0.2d instead? Yum downloads an RPM and I don't know of a way to simply extract that, so I am looking for a way to compile from source for either version 3.0.4 or 3.0.9 if it exists. Don't know where to look for the source(s).
Install the OpenSSL from CentOS. It should have the fix. See the release notes for details. Alan DeKok.
Hi,
Looks like CentOS still supplies a heartbleed variant, no? Am I missing a repository?
no. they backport fixes. you need to check/read their releasenotes and then edit the radiusd.conf as required.... this is the annoying thing that happens when you can only check an issue by a revision number of the library and they keep it the same... alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Scott Pickles -
Song Zou