[PATCH 1/1] Just warn if linked libssl is more recent
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jun 17 11:10:31 CEST 2014
On 17 Jun 2014, at 08:43, Christian Hesse <list at eworm.de> wrote:
> Arran Cudbard-Bell <a.cudbardb at freeradius.org> on Tue, 2014/06/17 08:31:
>>
>> On 17 Jun 2014, at 07:12, Christian Hesse <list at eworm.de> wrote:
>>
>>> From: Christian Hesse <mail at eworm.de>
>>>
>>> Even if dynamic linking is just fine, radiusd fails after every openssl
>>> update. (Distribution toolkits do not detect this, so distribution
>>> packages break on a regular basis.)
>>> This changes behavior so that it still fails on library downgrade, but
>>> just warns if openssl library has been upgraded.
>>
>> The point of adding the check was because even minor versions of libssl
>> had changes which broke ABI compatibility.
>>
>> I'm not sure how your suggestion helps? If there's any change in libssl
>> version it could cause ABI incompatibility, it doesn't matter if it's
>> an upgrade or downgrade.
>
> I had thought this is to fetch cases where libssl version changes and
> introduces any (possibly old) security vulnerabilities.
>
> In theory ABI should stay compatible with minor updates. And major updates
> should break if dynamic linking breaks.
> Or did that happen when system toolchain (gcc and friends) was updated?
>
> Still the question is whether freeradius should break on ABI incompatibility
> change (which should still give a warning with my patch) or break on *every*
> openssl update, regardless of whether or not ABI changed.
>
> Searching for "freeradius libssl version mismatch" gives a lot of matches, so
> looks like this is a real issue.

Some of those aren't for FreeRADIUS.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732940

OpenSSH has also adopted this approach, with a very similar message to us.
Obviously they got annoyed too.

I've changed the behaviour to match theirs.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
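
The policy debated in this thread (fail on a libssl downgrade, only warn on an upgrade), as an added example that is not FreeRADIUS or OpenSSH code. The function names, the sample version numbers, and the extra rule that a different major.minor series is always fatal are assumptions of this example.

```c
#include <stdio.h>

/* OpenSSL releases before 3.0 encode the version as 0xMNNFFPPS:
 * major, minor, fix, patch letter, status (0xf = release). */
#define V_MAJOR(v) (((v) >> 28) & 0xfUL)
#define V_MINOR(v) (((v) >> 20) & 0xffUL)
#define V_FIX(v)   (((v) >> 12) & 0xffUL)
#define V_PATCH(v) (((v) >> 4) & 0xffUL)

enum ssl_verdict { SSL_OK, SSL_WARN_NEWER, SSL_FAIL_OLDER, SSL_FAIL_SERIES };

/* Render e.g. 0x1000107f as "1.0.1g" for log messages. */
static void ssl_version_str(unsigned long v, char *buf, size_t len)
{
    unsigned long p = V_PATCH(v);
    int n = snprintf(buf, len, "%lu.%lu.%lu", V_MAJOR(v), V_MINOR(v), V_FIX(v));
    if (n > 0 && (size_t)n + 1 < len && p >= 1 && p <= 26) {
        buf[n] = (char)('a' + p - 1);   /* patch 7 -> 'g' */
        buf[n + 1] = '\0';
    }
}

/* built: version of the headers compiled against; linked: version loaded at
 * run time. In a real daemon these would be OPENSSL_VERSION_NUMBER and
 * SSLeay() (OpenSSL_version_num() from 1.1.0 on). */
static enum ssl_verdict ssl_version_check(unsigned long built, unsigned long linked)
{
    char b[16], l[16];
    if (built == linked) return SSL_OK;
    ssl_version_str(built, b, sizeof b);
    ssl_version_str(linked, l, sizeof l);
    /* Assumption beyond the thread: a different major.minor series is fatal. */
    if ((built >> 20) != (linked >> 20)) {
        fprintf(stderr, "libssl series mismatch: built %s, linked %s\n", b, l);
        return SSL_FAIL_SERIES;
    }
    if (linked < built) {               /* downgrade: refuse to start */
        fprintf(stderr, "libssl downgraded: built %s, linked %s\n", b, l);
        return SSL_FAIL_OLDER;
    }
    fprintf(stderr, "warning: libssl upgraded: built %s, linked %s\n", b, l);
    return SSL_WARN_NEWER;              /* upgrade: warn and continue */
}

int main(void)
{
    /* Constructed sample: built against 1.0.1g, running with 1.0.1h. */
    enum ssl_verdict v = ssl_version_check(0x1000107fUL, 0x1000108fUL);
    return (v == SSL_OK || v == SSL_WARN_NEWER) ? 0 : 1;
}
```

The warn-on-upgrade branch is exactly where the ABI concern raised earlier in the thread applies, so the warning should be logged prominently enough to correlate with later TLS failures.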