From owner-freebsd-questions@FreeBSD.ORG Tue Jun 10 19:15:44 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E5205FE7 for ; Tue, 10 Jun 2014 19:15:44 +0000 (UTC) Received: from mail-qa0-x22d.google.com (mail-qa0-x22d.google.com [IPv6:2607:f8b0:400d:c00::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A3B7A2922 for ; Tue, 10 Jun 2014 19:15:44 +0000 (UTC) Received: by mail-qa0-f45.google.com with SMTP id hw13so9532743qab.4 for ; Tue, 10 Jun 2014 12:15:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=EKzCkHNvKNj6NBhAFiq86AbuQSchnk4NNKilimObfFI=; b=LQI3/aZkbzdeCAJS7MsH88iemwifrkrIqQt8HlcDaVnj/zjbKtOCAfOR+gmMjDSHYR DB+0OCpaL4ScKek1RwOcbPX/0fz0VwKvRepc77c23ZSZNmpYX+c899ngup1IJKhakmZA BhZ6H9j5TqFb4Jqi9SiwHl/nxFuS3qrpaYGsWyAOyUSPREg8Af77H0zlj783ADd5E4jh Ma1elBlv0ycaL41yNgvceDhlZyz7YmjkgpOnOeW6Y/zvxXqLSKF7nAym2TOU1Hq3zwgR SdVmgfmuFzjV/RREFY2Ucyktr1zbafK8SkKSgVRvbCV4fUwPuYx71iHjigqZSaO8JgK+ X11g== MIME-Version: 1.0 X-Received: by 10.224.165.70 with SMTP id h6mr45403813qay.78.1402427743748; Tue, 10 Jun 2014 12:15:43 -0700 (PDT) Received: by 10.96.171.73 with HTTP; Tue, 10 Jun 2014 12:15:43 -0700 (PDT) Received: by 10.96.171.73 with HTTP; Tue, 10 Jun 2014 12:15:43 -0700 (PDT) In-Reply-To: <201406102044.38276.mark.tinka@seacom.mu> References: <201406091423310190.00939C60@smtp.24cl.home> <201406091607450478.00F30B2B@smtp.24cl.home> <53973182.19458.7050D1E@g8kbvdave.gmail.com> <201406102044.38276.mark.tinka@seacom.mu> Date: Tue, 10 Jun 2014 20:15:43 +0100 Message-ID: Subject: Re: freeradius won't start due to heartbleed From: Dave Baxter To: mark.tinka@seacom.mu, FreeBSD Questions Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.18 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jun 2014 19:15:45 -0000 On 10 Jun 2014 19:44, "Mark Tinka" wrote: > > On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote: > > > 'scuse my ignorance. > > > > But though I understand how that proves the point, surely > > the correct fix now would be to replace the openssl > > libs' to a version without the vulnerability, and reset > > that configuration option to "no" > > > > AFIK, FBSD 10.0 was released before the HeartBleed bug > > was found, so unles you know you've updated it to a > > fixed version, there could be trouble ahead. > > > > Just curious... > > > > Dave B. (I run '9.2 release' at home, that never had > > the trouble, AFIK.) > > OpenSSL versions 1.0.1 through to 1.0.1f are affected by > Heartbleed, as you already know. > > An interim fix for the base OpenSSL implementation in > FreeBSD-10 (which was 1.0.1e) was pushed out, without > changing the version number. So FreeRADIUS assumes anything > prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless > of whether a fix is actually implemented or not. Hence the > need for this switch in the FreeRADIUS configuration. > > So provided you know this, and provided your base FreeSBD > installation is patched, it's a safe option to use. > > If you use the OpenSSL release in the ports, or when > FreeBSD's base OpenSSL version is 1.0.1g or later, you won't > need that FreeRADIUS option anymore. > > Hope this helps. > > Cheers, > > Mark. Cheers Mark. I do now remember hearing something about a non version'd patch, though even if successful, it only adds to the confusion :) Other than that, you confirmed my suspicions. Best Regards. Dave B.