Warning about OpenSSL 1.0.2

Fajar A. Nugraha list at fajar.net
Tue Oct 13 10:47:15 CEST 2015

On Tue, Oct 13, 2015 at 3:20 PM, Nick Lowe <nick.lowe at gmail.com> wrote:
> Red Hat have an update available for their affected 6.7 release:
> https://rhn.redhat.com/errata/RHBA-2015-1829.html
> If you're running CentOS 6.7, you're likely out of luck until 6.8
> becomes available:
> https://bugs.centos.org/view.php?id=9295
> (That bug report has seemingly been ignored.)
> As this is making a lot of noise with Android 6.0 (Marshmallow),
> please consider releasing a 3.x and discretionary, under protest 2.x
> release sooner rather than later to close the loop of known possible
> issues:
> https://code.google.com/p/android/issues/detail?id=188867
> https://code.google.com/p/android-developer-preview/issues/detail?id=2136
> I agree that there aren't likely to be many sites using OpenSSL 1.0.2
> at this point in time, worth nipping in the bud though.

@Nick: aren't the links you posted a different issues from Alan's original post?

Looking at the dates, as well as Arran's comment on
https://code.google.com/p/android/issues/detail?id=188867#c63, the bug
affecting clients using TLS-1.2 (including android Marshmallow) is
fixed in 2.2.9 and 3.0.10. This should also the one addressed with
RH's errata.

The warning Allan posted was about servers that use openssl-1.0.2,
like debian testing and ubuntu wily (which should be released this
month). The fix is present in git, and will be present in the next
3.0.11 (whenever that is), but there probably won't be any 2.2.10 due
to EOL policy. In which case the "fix" that admins can use is to
- NOT use openssl-1.0.2. Not an issue if they already stick to LTS
release anyway. OR
- Build their own FR version from git, and later upgrade to 3.0.11
when that is released.

I agree with Arran here. Admins wishing to use openssl-1.0.2 on their
server should use the git version or 3.0.11+.


More information about the Freeradius-Users mailing list