Reg Openssl issue unable to start radius version 3.0.8
J@g@dee5h
djfueese at gmail.com
Wed Jul 1 06:46:27 CEST 2015
Hello,
I am unable to start FreeRADIUS due to an OpenSSL vulnerability issue.
Please find the debug log.
-----------
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set
security.allow_vulnerable_openssl = 'CVE-2014-0160'
------------
I have confirmed that I have applied the patch for this bug.
-----------
[root@radius raddb]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@radius raddb]# rpm -q --changelog openssl | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
[root@radius raddb]#
--------------
Is it safe to enable allow_vulnerable_openssl = yes in the radiusd.conf
file? Otherwise I will update OpenSSL to version 1.0.1g.
Please suggest.
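
Added example, not part of the original post and not FreeRADIUS source code: it decodes the version number from the log (0x1000105f) using the pre-3.0 OpenSSL layout 0xMNNFFPPS and tests it against the range the log prints, which shows why a package with a backported fix is still refused while upstream 1.0.1g is not. The function names and the would_refuse() decision model are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Range printed in the log: 1.0.1 dev (0x10001000) to 1.0.1f release (0x1000106f). */
#define HB_LOW  0x10001000UL
#define HB_HIGH 0x1000106fUL

/* Decode the pre-3.0 OpenSSL layout 0xMNNFFPPS into text such as "1.0.1e release". */
const char *ossl_decode(uint32_t v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff, status = v & 0xf;
    char letter[2] = { 0, 0 };
    char st[16];

    if (patch >= 1 && patch <= 26) letter[0] = (char)('a' + patch - 1);
    if (status == 0x0) snprintf(st, sizeof(st), "dev");
    else if (status == 0xf) snprintf(st, sizeof(st), "release");
    else snprintf(st, sizeof(st), "beta %u", status);
    snprintf(buf, len, "%u.%u.%u%s %s", major, minor, fix, letter, st);
    return buf;
}

/* Only the number is compared; a distro backport leaves it unchanged. */
int in_heartbleed_range(uint32_t v)
{
    return v >= HB_LOW && v <= HB_HIGH;
}

/* Hypothetical model of the start-up decision: refuse unless the
 * administrator has acknowledged this CVE by name, as the log instructs. */
int would_refuse(uint32_t v, const char *acknowledged)
{
    if (!in_heartbleed_range(v)) return 0;
    return !(acknowledged && strcmp(acknowledged, "CVE-2014-0160") == 0);
}

int main(void)
{
    char buf[32];
    uint32_t patched_rpm = 0x1000105fUL; /* value from the log */
    uint32_t upstream_g  = 0x1000107fUL; /* 1.0.1g release */

    printf("%s refuse=%d\n", ossl_decode(patched_rpm, buf, sizeof(buf)), would_refuse(patched_rpm, NULL));
    printf("%s refuse=%d\n", ossl_decode(upstream_g, buf, sizeof(buf)), would_refuse(upstream_g, NULL));
    return 0;
}
```

The version number alone cannot show whether the vendor backported the fix, so the package changelog check shown in the post is the evidence to verify before acknowledging the CVE.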