Issue with intermediate CAs
Alan DeKok
aland at deployingradius.com
Mon Jun 22 21:57:08 CEST 2015
We had a CVE issued today: http://www.ocert.org/advisories/ocert-2015-008.html
OpenSSL doesn't check intermediate CAs for expiry when setting the "check CRL" flag. You need to set another flag saying "I really mean check ALL of the CRLs". FreeRADIUS didn't set that flag.
The impact for 99% of people is nothing. In order to be vulnerable, you have to have all of the following in the configuration:
1) the RADIUS system has to use a public CA
2) use an intermediate CA to issue client certificates
3) enable EAP-TLS
Most people don't have EAP-TLS enabled. A small number of people might be using an intermediate CA. A vanishingly small number of people will be using a public CA for RADIUS.
Using a public CA is a *terrible* idea. We have been recommending against it for years.
The problem got a CERT advisory issued because technically it is a security bug, and the original person who reported it didn't want to contact security at freeradius.org.
We'll get 2.2.8 and 3.0.9 out soon. In the meantime, most people can ignore this issue.
Alan DeKok.
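As an added illustration (not FreeRADIUS's own code, which is C calling OpenSSL directly), the same flag distinction is visible in Python's ssl module: VERIFY_CRL_CHECK_LEAF is OpenSSL's X509_V_FLAG_CRL_CHECK, while VERIFY_CRL_CHECK_CHAIN is X509_V_FLAG_CRL_CHECK together with X509_V_FLAG_CRL_CHECK_ALL. The function names below are my own.

```python
import ssl

# Python's verify_flags map onto OpenSSL's X509 verify flags:
#   ssl.VERIFY_CRL_CHECK_LEAF  -> X509_V_FLAG_CRL_CHECK
#   ssl.VERIFY_CRL_CHECK_CHAIN -> X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL
# The advisory describes the first being set without the second.


def crl_check_scope(ctx: ssl.SSLContext) -> str:
    """Report which certificates in a presented chain get checked against a CRL."""
    flags = ctx.verify_flags
    if (flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"      # end-entity cert and every intermediate CA
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf-only"  # intermediate CAs are never checked for revocation
    return "none"


def server_context_leaf_only() -> ssl.SSLContext:
    """Weak setting: CRL checking requested, but only for the client's own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # EAP-TLS style: the client must present a cert
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def enable_full_chain_crl_check(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """The fix: also check each intermediate CA against its issuer's CRL.

    With this on, a CRL for every CA in the chain must have been loaded via
    ctx.load_verify_locations(); a missing CRL makes verification fail rather
    than silently skip the check.
    """
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def server_context_full_chain() -> ssl.SSLContext:
    """Corrected setting: every certificate in the chain is CRL-checked."""
    return enable_full_chain_crl_check(server_context_leaf_only())
```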