OpenSSL Security issues
Alan DeKok
aland at freeradius.org
Tue Apr 8 22:12:50 CEST 2014
Alan Buxey wrote:
> But sites (well, admins) who are unaware may enable the cache... In
> which case there should be an interlock which means they must also turn
> off the openssl version check safety trigger too?
The issue is in the TLS protocol, not in a particular version of OpenSSL.
> As the heartbleed issue isn't as shocking as feared for freeradius is
> there any need for the current check to be so hard on you if you've got
> 1.0.1 < g installed now? (However, I'm guessing yes if you run other
> SSL/TLS services on the same box eg Web server since attacker can scan
> your memory slowly, so just protecting them from themselves)
I've been talking with Jouni Malinen offline. After mutating his
attack, he can read ~1K of data from the stack of FreeRADIUS. So it's
worse than we thought, but not as bad as the attacks on HTTPS servers.
So... the OpenSSL version checks will remain.
Alan DeKok.
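As an added illustration, not FreeRADIUS's own code, this is the shape of the numeric version check the thread refers to: OpenSSL encodes its version as 0xMNNFFPPS (major, minor, fix, patch letter, status), so a daemon can compare that number against the first fixed release, 1.0.1g, before it starts. The sample version numbers are constructed; the function names are the author's own.

```c
#include <stdio.h>
#include <string.h>

/* Decode an OPENSSL_VERSION_NUMBER value, laid out as 0xMNNFFPPS
 * (major, minor, fix, patch letter, status), into text such as "1.0.1f".
 * Returns a pointer to a static buffer, so it is not reentrant. */
const char *openssl_version_str(unsigned long v)
{
    static char buf[32];
    unsigned major  = (v >> 28) & 0xf;
    unsigned minor  = (v >> 20) & 0xff;
    unsigned fix    = (v >> 12) & 0xff;
    unsigned patch  = (v >> 4)  & 0xff;   /* 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status = v & 0xf;            /* 0xf = release, 0 = dev, 1..0xe = beta */
    int n = snprintf(buf, sizeof buf, "%u.%u.%u", major, minor, fix);

    if (patch)
        n += snprintf(buf + n, sizeof buf - n, "%c", 'a' + patch - 1);
    if (status == 0)
        snprintf(buf + n, sizeof buf - n, "-dev");
    else if (status != 0xf)
        snprintf(buf + n, sizeof buf - n, "-beta%u", status);
    return buf;
}

/* Heartbleed lives in the 1.0.1 series and was fixed in 1.0.1g (0x1000107f),
 * the boundary the thread calls "1.0.1 < g". A plain numeric comparison is
 * all a daemon needs to refuse to start against a known-bad library. */
int heartbleed_affected(unsigned long v)
{
    return v >= 0x10001000UL && v < 0x1000107fUL;
}

int main(void)
{
    /* Constructed sample values. A real check would use OPENSSL_VERSION_NUMBER
     * from <openssl/opensslv.h> at build time and SSLeay() at run time. */
    const unsigned long samples[] = { 0x1000001fUL, 0x1000100fUL,
                                      0x1000106fUL, 0x1000107fUL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", openssl_version_str(samples[i]),
               heartbleed_affected(samples[i]) ? "affected, refuse to start" : "ok");
    return 0;
}
```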