From: Mark Tinka
Reply-To: mark.tinka@seacom.mu
Organization: SEACOM
To: freebsd-questions@freebsd.org
Cc: Dave B
Subject: Re: freeradius won't start due to heartbleed
Date: Tue, 10 Jun 2014 20:44:34 +0200
Message-Id: <201406102044.38276.mark.tinka@seacom.mu>
In-Reply-To: <53973182.19458.7050D1E@g8kbvdave.gmail.com>

On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:
> 'scuse my ignorance.
>
> But though I understand how that proves the point, surely
> the correct fix now would be to replace the openssl
> libs' to a version without the vulnerability, and reset
> that configuration option to "no"
>
> AFIK, FBSD 10.0 was released before the HeartBleed bug
> was found, so unless you know you've updated it to a
> fixed version, there could be trouble ahead.
>
> Just curious...
>
> Dave B. (I run '9.2 release' at home, that never had
> the trouble, AFIK.)

OpenSSL versions 1.0.1 through to 1.0.1f are affected by
Heartbleed, as you already know.

An interim fix for the base OpenSSL implementation in
FreeBSD-10 (which was 1.0.1e) was pushed out, without
changing the version number. So FreeRADIUS assumes anything
prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
of whether a fix is actually implemented or not. Hence the
need for this switch in the FreeRADIUS configuration.

So provided you know this, and provided your base FreeBSD
installation is patched, it's a safe option to use.

If you use the OpenSSL release in the ports, or when
FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
need that FreeRADIUS option anymore.

Hope this helps.

Cheers,

Mark.
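The version-only gate Mark describes, as an added Python example (not FreeRADIUS's own code): it packs `openssl version` strings into the OPENSSL_VERSION_NUMBER layout, applies a 1.0.1 to 1.0.1f range test, and shows why a 1.0.1e build with the fix backported still trips it. The version strings are constructed, and the `patched_in_place` flag is an assumed operator input standing in for "I know my base system is patched".

```python
import re
import ssl

# OpenSSL packs its version as 0xMNNFFPPS (major, minor, fix, patch letter,
# status).  1.0.1 is 0x1000100f, 1.0.1e is 0x1000105f, 1.0.1g is 0x1000107f.
HEARTBLEED_FIRST = 0x1000100f  # 1.0.1: first affected release
HEARTBLEED_FIXED = 0x1000107f  # 1.0.1g: first release carrying the fix

def encode_version(major, minor, fix, patch_letter=""):
    """Pack a dotted version plus patch letter the way OPENSSL_VERSION_NUMBER does."""
    patch = (ord(patch_letter) - ord("a") + 1) if patch_letter else 0
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xF

def parse_version_string(text):
    """Turn 'OpenSSL 1.0.1e-freebsd 11 Feb 2013' (openssl version output) into the packed number."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix, letter = m.groups()
    return encode_version(int(major), int(minor), int(fix), letter)

def version_gate_rejects(version_number):
    """Version-only test as in the mail: everything in [1.0.1, 1.0.1g) is treated as affected."""
    return HEARTBLEED_FIRST <= version_number < HEARTBLEED_FIXED

def assess(version_text, patched_in_place):
    """Combine the gate with what the operator knows about backported fixes.
    patched_in_place (assumed input) is True when the vendor shipped the fix
    without bumping the version, the FreeBSD-10 base case from the mail."""
    if not version_gate_rejects(parse_version_string(version_text)):
        return "pass"            # 1.0.1g+ or outside the 1.0.1 train; no override needed
    if patched_in_place:
        return "false_positive"  # gate trips on the number alone; override is safe
    return "vulnerable"          # gate is right; update OpenSSL rather than override

def running_library_rejected():
    """Apply the same gate to the OpenSSL this interpreter is linked against."""
    return version_gate_rejects(ssl.OPENSSL_VERSION_NUMBER)

if __name__ == "__main__":
    # Constructed version strings in the `openssl version` format.
    for text, patched in [("OpenSSL 1.0.1e-freebsd 11 Feb 2013", True),
                          ("OpenSSL 1.0.1e 11 Feb 2013", False),
                          ("OpenSSL 1.0.1h 5 Jun 2014", False),
                          ("OpenSSL 0.9.8y 5 Feb 2013", False)]:
        print("%-36s -> %s" % (text, assess(text, patched)))
```

The "false_positive" verdict is exactly the situation the override exists for; "vulnerable" means the gate is doing its job and the library, not the configuration, should change.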