Building from Source
Herwin Weststrate
herwin at quarantainenet.nl
Mon Oct 12 11:29:05 CEST 2015
On 10-10-15 18:44, Alan Buxey wrote:
>> It will also fail to start because of openssl versioning :
> Put : allow_vulnerable_openssl = yes under Security in
> /etc/freeradius/radius.conf
>
> No. Read the debug output and see what CVE code is worried about and
> put only that in the allow_vulnerable..... string otherwise you're
> leaving yourself open to all kinds of future things if your openssl
> doesn't get patched. That change certainly isn't going to be
> standard in the distro. Blame openssl and the distros for their
> naming convention :/

To be honest, these are the kinds of bugs where I trust my distro to
have a fixed version before I've had the chance of compiling a new
FreeRADIUS, just to discover that it won't start because it thinks the
OpenSSL version is vulnerable.

The OpenSSL version check might be useful for installations where you
have a manual installation of OpenSSL, but as long as you're using
OpenSSL from a supported distro (like Debian or Ubuntu), I don't think
the checks in FreeRADIUS have any added value.
--
Herwin Weststrate