From: "Dr. Peter Voigt"
To: freebsd-ports@freebsd.org
Date: Sat, 17 May 2014 02:59:02 +0200
Subject: Re: freeradius2 2.2.5 refuses to start when built against patched base openssl 1.0.1e
Message-ID: <20140517025902.785070ef@tiger2008.drpetervoigt.private>
In-Reply-To: <30586_1400285428_s4H0AQ3o012297_20140517020907.6b14584b@tiger2008.drpetervoigt.private>
Organization: Universität Osnabrück

On Sat, 17 May 2014 02:09:07 +0200, "Dr. Peter Voigt" wrote:

> I have just noticed that my freeradius2 2.2.5 server refuses to start
> with the following message:
>
> radiusd: Refusing to start with libssl version OpenSSL 1.0.1e-freebsd
> 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160
> (Heartbleed)
> radiusd: For more information see http://heartbleed.com
>
> My freeradius2 package is built against the openssl version of the
> base system:
>
> # openssl version
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
>
> The base openssl version did not change after applying the various
> security patches, where "FreeBSD Security Advisory
> FreeBSD-SA-14:06.openssl" in particular solved the heartbleed issue:
>
> # uname -r
> 10.0-RELEASE-p3
>
> So how can I tell freeradius2 that it is built against a heartbleed
> safe, e.g. patched, openssl version in spite of the low version
> number?
>
> Regards,
> Peter

Well, I just found the solution after studying the freeradius changelog:

FreeRADIUS 2.2.5 Monday 28 Apr 2014 15:20:00 EDT, urgency=medium
...
* Forbid running with vulnerable versions of OpenSSL. See
  "allow_vulnerable_openssl" in the "security" subsection of
  "radiusd.conf"
...

My radius server is now starting again.

Sorry for the noise but I used portmaster to upgrade from version 2.2.4 and this usually deletes the sources including the changelog. And my radiusd.conf remained untouched with no hint of the newly available switch.

Regards,
Peter
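The override the changelog points to is only safe here because FreeBSD back-ported the SA-14:06 fix without changing the version string that FreeRADIUS 2.2.5 inspects, so a version-based refusal produces a false positive on a patched host. As an added example that is not from the thread or the FreeRADIUS project, the POSIX sh helpers below turn that reasoning into a check that runs before the switch is flipped; the function names, the assumption that 10.0-RELEASE-p3 is the first patched level (taken from the thread's own report, not an official mapping) and the assumption that `security { }` is a top-level block in radiusd.conf are all mine.

```shell
#!/bin/sh
# Added example; not code from the thread or from the FreeRADIUS project.
# FreeRADIUS 2.2.5 judges "vulnerable" from the libssl version string alone,
# so a FreeBSD base OpenSSL still reporting 1.0.1e after
# FreeBSD-SA-14:06.openssl is refused although it is patched. These helpers
# make enabling allow_vulnerable_openssl an explicit, checkable decision.
# Assumption (from the thread's report, not an official mapping):
# 10.0-RELEASE-p3 or later carries the SA-14:06 fix.
PATCHED_RELEASE="10.0-RELEASE"
PATCHED_MIN_P=3

# 0 if the banner is in the range FreeRADIUS 2.2.5 refuses (1.0.1 .. 1.0.1f).
openssl_in_refused_range() {
    case "$1" in
        "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1-"*|"OpenSSL 1.0.1"[a-f]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the -pN patch level of a "uname -r" string (0 when there is none).
freebsd_patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *) printf '0\n' ;;
    esac
}

# 0 only when the override is both needed (refused banner) and justified
# (host runs the assumed patched release at or above the patch level).
override_justified() {
    openssl_in_refused_range "$2" || return 1
    case "$1" in "$PATCHED_RELEASE"*) ;; *) return 1 ;; esac
    [ "$(freebsd_patch_level "$1")" -ge "$PATCHED_MIN_P" ]
}

# Set allow_vulnerable_openssl in the top-level security { } block of
# radiusd.conf (replace an existing line, else insert one); print the value.
set_allow_vulnerable_openssl() {
    conf="$1"; value="$2"
    if grep -q '^[[:space:]]*allow_vulnerable_openssl[[:space:]]*=' "$conf"
    then mode=replace; else mode=insert; fi
    awk -v v="$value" -v mode="$mode" '
        mode == "replace" && /^[[:space:]]*allow_vulnerable_openssl[[:space:]]*=/ {
            print "\tallow_vulnerable_openssl = " v; next }
        mode == "insert" && /^security[[:space:]]*[{]/ {
            print; print "\tallow_vulnerable_openssl = " v; next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    awk '/^[[:space:]]*allow_vulnerable_openssl[[:space:]]*=/ { print $3 }' "$conf"
}
```

On the host itself, `override_justified "$(uname -r)" "$(openssl version)"` gates the call to `set_allow_vulnerable_openssl` on the port's radiusd.conf (path assumed, typically /usr/local/etc/raddb/radiusd.conf), so the switch is only set where the base OpenSSL is actually patched.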