freeradius and heartbleed tests in Debian

Alan DeKok aland at deployingradius.com
Tue Apr 22 21:28:11 CEST 2014


Rui Ribeiro wrote:
> Just to let you know the Debian 7 update version of ssl is
> 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put
> allow_vulnerable_openssl in radiusd.conf.

  We know.  This is intentional.

  There is NO WAY for FreeRADIUS to determine that OpenSSL has been
patched.  There is NO WAY for FreeRADIUS to protect against some of the
heartbleed attacks.  Therefore, the only safe approach is to warn the
administrator.

  The Debian people should issue a package of FreeRADIUS, patched to
have "allow_vulnerable_openssl = yes" set by default.

  Alan DeKok.
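The reason FreeRADIUS cannot tell a patched Debian OpenSSL from an unpatched one is that Debian backports the fix without changing the upstream version: the library still reports 1.0.1e, and only the Debian package revision (the "2+deb7u7" part of "1.0.1e-2+deb7u7") moves. The POSIX sh script below is an added example, not code from this thread or from the FreeRADIUS project; it splits a Debian version string into the upstream part FreeRADIUS sees and the Debian revision the administrator must check, then compares the installed revision against a minimum fixed revision. The version strings used in the demo are constructed, the script assumes the plain "UPSTREAM-N+debXuM" form (no epoch, numeric base revision), and the minimum fixed revision is a placeholder to be taken from Debian's security advisory before relying on the result.

```sh
#!/bin/sh
# Added example (not from the FreeRADIUS mailing list): check the Debian
# package revision of OpenSSL instead of the upstream version string.
# Assumes version strings of the form "1.0.1e-2+deb7u7" (no epoch prefix,
# numeric base revision); anything else is outside what this handles.

# Upstream version, e.g. "1.0.1e" from "1.0.1e-2+deb7u7". This is all the
# running FreeRADIUS can see, and it is identical before and after the fix.
upstream_of() { printf '%s\n' "${1%%-*}"; }

# Debian revision, e.g. "2+deb7u7"; "0" when the string carries no revision.
debrev_of() {
    case "$1" in
        *-*) printf '%s\n' "${1#*-}" ;;
        *)   printf '0\n' ;;
    esac
}

# Base Debian revision, e.g. "2" from "2+deb7u7".
base_of() { rev=$(debrev_of "$1"); printf '%s\n' "${rev%%+*}"; }

# Stable-update number, e.g. "7" from "2+deb7u7"; "0" when there is none.
stable_update_of() {
    rev=$(debrev_of "$1")
    case "$rev" in
        *+deb*u*) printf '%s\n' "${rev##*u}" ;;
        *)        printf '0\n' ;;
    esac
}

# has_fix INSTALLED MINIMUM_FIXED
#   0 : installed revision is at or past the fixed revision
#   1 : installed revision is older
#   2 : different upstream versions, not comparable by this rule
has_fix() {
    if [ "$(upstream_of "$1")" != "$(upstream_of "$2")" ]; then
        return 2
    fi
    ib=$(base_of "$1"); fb=$(base_of "$2")
    if [ "$ib" -ne "$fb" ]; then
        if [ "$ib" -gt "$fb" ]; then return 0; else return 1; fi
    fi
    if [ "$(stable_update_of "$1")" -ge "$(stable_update_of "$2")" ]; then
        return 0
    fi
    return 1
}

# Usage: sh check_openssl.sh INSTALLED_VERSION MINIMUM_FIXED_VERSION
# e.g.   sh check_openssl.sh "$(dpkg-query -W -f='${Version}' libssl1.0.0)" \
#            1.0.1e-2+deb7uN    # placeholder: take N from the Debian advisory
if [ $# -eq 2 ]; then
    printf 'upstream version seen by FreeRADIUS: %s (unchanged by the backport)\n' \
        "$(upstream_of "$1")"
    if has_fix "$1" "$2"; then
        echo "Debian revision $1 is at or past $2: the backported fix is present"
    else
        echo "Debian revision $1 is older than $2 (or not comparable): update libssl first"
    fi
fi
```

The point of the split is visible in the output: two installed versions that differ only in the deb7uN suffix print the same upstream version, which is the only thing the FreeRADIUS start-up check has to go on. Whether to set allow_vulnerable_openssl = yes is then a decision made from the package revision, not from what the library reports about itself.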