FreeRADIUS SSL version check
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jan 13 09:38:35 CET 2015
> On 8 Jan 2015, at 02:00, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jan 7, 2015, at 1:54 PM, Michael Richardson <mcr at sandelman.ca> wrote:
>> Could static linking libssl in be made easier?
>
> Systems ship with static libraries?
>
>> I haven't tried recently, but often it's really hard with autoconf.
>
> Which is why v3 no longer uses libtool, libltdl. In a modern system, they make life *worse*.
>
>> Sure, this means updating freeradius when/if openssl has another security
>> issue, but it also isolates freeradius from system updates.
>
> That’s why it’s configurable.
>
>> Being able to build on one machine and deploy to another machine such that
>> one doesn't have to install a compiler is a big win to me.
>
> Then be sure that both systems have the same version of OpenSSL.
>
> Or, do:
>
> $ ./configure --disable-openssl-version-check

That only disables the check for vulnerable versions of libssl, not the
consistency checks.

The patch counter of the libssl version can be incremented without
triggering the error. This is the same as the checks OpenSSH does IIRC.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
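
The build-time versus run-time consistency rule described in the reply above, as an added C example that is not part of the original message and is not FreeRADIUS code. It assumes the pre-3.0 OpenSSL version layout 0xMNNFFPPS; the function name, the rejection of a lower patch counter and the requirement that the status nibble match are assumptions made for illustration.

```c
#include <stdio.h>

/*
 * Pre-3.0 OpenSSL packs its version number as 0xMNNFFPPS:
 * major (4 bits), minor (8), fix (8), patch (8), status (4).
 */
#define VER_MAJOR_MINOR_FIX(v) ((v) & 0xfffff000UL)
#define VER_PATCH(v)           (((v) >> 4) & 0xffUL)
#define VER_STATUS(v)          ((v) & 0xfUL)

/*
 * Hypothetical helper, not the project's own code. Returns 1 when the
 * library found at run time is acceptable for a binary compiled against
 * `built`. Assumed policy: major, minor, fix and status must be
 * identical; the run-time patch counter may be equal or higher.
 * In a real program `built` would be OPENSSL_VERSION_NUMBER and `linked`
 * the value the loaded library reports about itself.
 */
int ssl_versions_consistent(unsigned long built, unsigned long linked)
{
	if (VER_STATUS(built) != VER_STATUS(linked)) return 0;
	if (VER_MAJOR_MINOR_FIX(built) != VER_MAJOR_MINOR_FIX(linked)) return 0;
	return VER_PATCH(linked) >= VER_PATCH(built);
}

int main(void)
{
	/* Constructed sample pairs: { compiled against, found at run time } */
	static const struct {
		unsigned long built, linked;
		const char *what;
	} cases[] = {
		{ 0x1000109fUL, 0x1000109fUL, "1.0.1i -> 1.0.1i (identical)" },
		{ 0x1000109fUL, 0x100010afUL, "1.0.1i -> 1.0.1j (patch incremented)" },
		{ 0x100010afUL, 0x1000109fUL, "1.0.1j -> 1.0.1i (patch went backwards)" },
		{ 0x1000109fUL, 0x1000200fUL, "1.0.1i -> 1.0.2  (fix level changed)" },
		{ 0x1000109fUL, 0x10001090UL, "1.0.1i release -> 1.0.1i dev build" },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("%-42s %s\n", cases[i].what,
		       ssl_versions_consistent(cases[i].built, cases[i].linked)
		       ? "ok" : "mismatch");
	}
	return 0;
}
```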