freeradius and heartbleed tests in Debian
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Apr 23 03:21:12 CEST 2014
On 22 Apr 2014, at 20:28, Alan DeKok <aland at deployingradius.com> wrote:
> Rui Ribeiro wrote:
>> Just to let you know the Debian 7 update version of ssl is
>> 1.0.1e-2+deb7u7, and as such FreeRadius refuses to boot unless you put
>> allow_vulnerable_openssl in radiusd.conf.
>
> We know. This is intentional.
>
> There is NO WAY for FreeRADIUS to determine that OpenSSL has been
> patched. There is NO WAY for FreeRADIUS to protect against some of the
> heartbleed attacks. Therefore, the only safe approach is to warn the
> administrator.
>
> The Debian people should issue a package of FreeRADIUS, patched to
> have "allow_vulnerable_openssl = yes" set by default.
No. They should release a version with allow_vulnerable_openssl set to
the highest level of acknowledged exploit. Matthew McNewton already
contributed the patches to do this.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
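The check an administrator actually wants here, written as an added example that is not part of this thread or of the FreeRADIUS project: the upstream OpenSSL version string alone cannot tell you whether Debian's backported fix is present (1.0.1e is "vulnerable" by upstream numbering, but 1.0.1e-2+deb7u7 carries the Heartbleed fix), so the decision has to be made from the distribution changelog, and only then should allow_vulnerable_openssl be set, and set to the specific CVE rather than to a blanket "yes". Assumptions: the version-string ranges follow the upstream advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected); the changelog path and package name are those of Debian 7 (libssl1.0.0); the CVE-keyed value form `allow_vulnerable_openssl = 'CVE-2014-0160'` in the `security` section is taken from my memory of the 3.0.x radiusd.conf comments, so verify it against your own radiusd.conf; the changelog text below is constructed sample input, not the real Debian changelog.

```shell
#!/bin/sh
# Decide what to put in radiusd.conf's security { } section for
# allow_vulnerable_openssl, based on (a) the upstream OpenSSL version and
# (b) whether the distro changelog records a fix for CVE-2014-0160.
# Added example; not FreeRADIUS project code.

# $1: output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Prints "yes" if the *upstream* version number is in the affected range
# (1.0.1 .. 1.0.1f, 1.0.2-beta1); this ignores distro backports on purpose.
openssl_upstream_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo yes ;;
        *) echo no ;;
    esac
}

# $1: contents of the Debian changelog for the libssl package, obtained on
# Debian 7 with: zcat /usr/share/doc/libssl1.0.0/changelog.Debian.gz
# Prints "yes" if any entry mentions CVE-2014-0160.
changelog_mentions_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160' && echo yes || echo no
}

# $1: `openssl version` output, $2: changelog text.
# Prints the radiusd.conf line to use, or "UPGRADE-FIRST" when neither the
# version string nor the changelog shows the fix (do not override the check).
decide_setting() {
    if [ "$(openssl_upstream_vulnerable "$1")" = no ]; then
        echo "allow_vulnerable_openssl = no"
    elif [ "$(changelog_mentions_fix "$2")" = yes ]; then
        echo "allow_vulnerable_openssl = 'CVE-2014-0160'"
    else
        echo "UPGRADE-FIRST"
    fi
}

# Constructed sample inputs (not real data) so the script runs offline.
SAMPLE_VERSION='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_CHANGELOG_PATCHED='openssl (1.0.1e-2+deb7u7) wheezy-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add fix for CVE-2014-0160 (TLS heartbeat read overrun)

 -- Debian Security Team  Mon, 07 Apr 2014 00:00:00 +0000'
SAMPLE_CHANGELOG_OLD='openssl (1.0.1e-2) unstable; urgency=low

  * New upstream version.

 -- Debian OpenSSL Team  Tue, 12 Feb 2013 00:00:00 +0000'

# Stand-alone run: show the decision for both constructed changelogs.
echo "patched box: $(decide_setting "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG_PATCHED")"
echo "old box:     $(decide_setting "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG_OLD")"
```

On a real host, feed `decide_setting` the output of `openssl version` and the decompressed changelog; the point of keying the value to the CVE is that a later OpenSSL advisory will again stop the daemon instead of being silently waved through by a blanket "yes".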