Warnings about OpenSSL 1.0.1f and 1.0.1g
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Sat Dec 12 16:37:15 CET 2015
> On 11 Dec 2015, at 09:17, Alan DeKok <aland at deployingradius.com> wrote:
>
> Anyone using these versions of OpenSSL should either upgrade them, or set "disable_tlsv1_2" in the EAP TLS module configuration.
>
> To make a long story short, these versions of OpenSSL calculate the WiFi encryption keys incorrectly for TLS 1.2. I've pushed a fix to v3.0 which disables TLS 1.2 when the server is built against those versions of OpenSSL.
>
> The solution is to upgrade to a version of OpenSSL which works, upgrade FreeRADIUS, or to use "disable_tlsv1_2" on existing systems.

There's a stripped-down version of the CentOS OpenSSL 1.0.1 spec files in v3.1.x and I've modified the FreeRADIUS spec files to build against them if '--with freeradius-openssl' is passed to rpmbuild.

Should work OK for CentOS/RHEL7, not tested on 6. The OpenSSL problems aren't getting any better, and OS vendors lag behind the latest version massively.

-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2