From: Olivier
To: frank
Cc: questions@freebsd.org
Subject: Re: FreeRadius3 on FreeBSD 10.3
In-Reply-To: (message from frank on Wed, 7 Jun 2017 10:46:11 +0200)
Date: Wed, 07 Jun 2017 16:15:54 +0700

frank writes:

> Hi,
>
> On 6/7/17 9:52 AM, Olivier wrote:
> [...]
>> Has anybody succeeded in running FreeRadius3 on FreeBSD 10.3-RELEASE?
>>
>> It is complaining that the version of OpenSSL contains a bug, but OpenSSL
>> comes with the FreeBSD system and I am pretty sure I have applied all
>> security patches (last patch regarding OpenSSL is p17, SA published in
>> February this year).
>>
>> FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar 2 13:04:10 ICT 2017 root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC i386
>>
>> freeradius3-3.0.14 compiled from the ports
>>
>> The error message is:
>>
>> Error: Refusing to start with libssl version OpenSSL 1.0.1s-freebsd 1 Mar 2016 0x1000113f (1.0.1s release) (in range 1.0.1 release - 1.0.1t rele)
>> Error: Security advisory CVE-2016-6304 (OCSP status request extension)
>>
>> This error was corrected in FreeBSD-SA-16:26.openssl
>>
>> Obviously FreeRadius is only comparing the version number of OpenSSL and
>> does not do a good job at checking the fact that the error has been
>> corrected or not.
>>
>> So how do you run FreeRadius3 on FreeBSD 10.3-RELEASE?
>
> add/enable in radiusd.conf:
>
> allow_vulnerable_openssl = yes

Thank you.

Olivier

> HTH,
> frank
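
The number 0x1000113f in the error quoted above can be decoded field by field. The following is an added example, not FreeRADIUS code and not part of the original message: it decodes that number and applies a range check over the two bounds named in the error, which shows why a check on the number alone still flags a libssl that kept its version after a backported fix. The function names (`decode`, `patch_letter`, `in_flagged_range`) are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter (1 = 'a'), S status (0xf = release). */
struct ssl_ver { unsigned major, minor, fix, patch, status; };

static struct ssl_ver decode(uint32_t v)
{
    struct ssl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* Patch letter: 0 -> none ('\0'), 1 -> 'a', ..., 19 -> 's'. */
static char patch_letter(uint32_t v)
{
    unsigned p = decode(v).patch;
    return (p >= 1 && p <= 26) ? (char)('a' + p - 1) : '\0';
}

/* Hypothetical range check (an assumption, not the project's code): flags any
 * version number inside [low, high]. It sees only the number, so a vendor
 * backport that leaves the number unchanged is still flagged. */
static int in_flagged_range(uint32_t v, uint32_t low, uint32_t high)
{
    return v >= low && v <= high;
}

#define VER_1_0_1    0x1000100fUL /* 1.0.1 release: low end of the range in the error */
#define VER_1_0_1T   0x1000114fUL /* 1.0.1t release: high end of the range */
#define VER_REPORTED 0x1000113fUL /* value printed in the error message */

int main(void)
{
    struct ssl_ver r = decode(VER_REPORTED);
    printf("%u.%u.%u%c status=0x%x flagged=%d\n",
           r.major, r.minor, r.fix, patch_letter(VER_REPORTED), r.status,
           in_flagged_range(VER_REPORTED, VER_1_0_1, VER_1_0_1T));
    return 0;
}
```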