From owner-freebsd-questions@freebsd.org  Wed Jun  7 09:15:58 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 536CDBFF652
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Wed,  7 Jun 2017 09:15:58 +0000 (UTC)
 (envelope-from Olivier.Nicole@cs.ait.ac.th)
Received: from mailman.ysv.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 366E3687AF
 for <freebsd-questions@freebsd.org>; Wed,  7 Jun 2017 09:15:58 +0000 (UTC)
 (envelope-from Olivier.Nicole@cs.ait.ac.th)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 32B48BFF651; Wed,  7 Jun 2017 09:15:58 +0000 (UTC)
Delivered-To: questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3066FBFF650
 for <questions@mailman.ysv.freebsd.org>; Wed,  7 Jun 2017 09:15:58 +0000 (UTC)
 (envelope-from Olivier.Nicole@cs.ait.ac.th)
Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CB69B687AE
 for <questions@freebsd.org>; Wed,  7 Jun 2017 09:15:57 +0000 (UTC)
 (envelope-from Olivier.Nicole@cs.ait.ac.th)
Received: from mail.cs.ait.ac.th (localhost [127.0.0.1])
 by mail.cs.ait.ac.th (Postfix) with ESMTP id F2627D7882;
 Wed,  7 Jun 2017 16:15:54 +0700 (ICT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.ait.ac.th; h=
 content-type:content-type:mime-version:message-id:date:date
 :in-reply-to:subject:subject:from:from:received:received
 :received; s=selector1; t=1496826954; x=1498641355; bh=CmG0w0HaZ
 dBUOttXF4V10p9WkJ9jiOufJU2QJP5rllg=; b=AK8YV2osM6Qtj/kDZgyQaHv6P
 mU0aFlwcyxHQD23iY6v3oLrwlOGLUV+pp/cnunJNbeuqKDBZUk4zrf1Sqouhdjp0
 n5v1cFQdzwiZiBfYImzURcQAznqAEDT3dQrcv3FfPuGDyrR8TKqzbRbYC2NQcGll
 QsWHPpXx79Ykwkx+v8=
X-Virus-Scanned: amavisd-new at cs.ait.ac.th
Received: from mail.cs.ait.ac.th ([127.0.0.1])
 by mail.cs.ait.ac.th (mail.cs.ait.ac.th [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id 7cySdMe2se6b; Wed,  7 Jun 2017 16:15:54 +0700 (ICT)
Received: from banyan.cs.ait.ac.th (banyan.cs.ait.ac.th [192.41.170.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mail.cs.ait.ac.th (Postfix) with ESMTPS id 72B21D7881;
 Wed,  7 Jun 2017 16:15:54 +0700 (ICT)
Received: (from on@localhost)
 by banyan.cs.ait.ac.th (8.15.2/8.15.2/Submit) id v579FswT001501;
 Wed, 7 Jun 2017 16:15:54 +0700 (ICT)
 (envelope-from on@banyan.cs.ait.ac.th)
From: Olivier <Olivier.Nicole@cs.ait.ac.th>
To: frank <frank@undermydesk.org>
Cc: questions@freebsd.org
Subject: Re: FreeRadius3 on FreeBSD 10.3
In-Reply-To: <f73d24e3-9397-b8f5-f71a-03dda84091be@undermydesk.org> (message
 from frank on Wed, 7 Jun 2017 10:46:11 +0200)
Date: Wed, 07 Jun 2017 16:15:54 +0700
Message-ID: <wu71sqww439.fsf@banyan.cs.ait.ac.th>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 09:15:58 -0000

frank <frank@undermydesk.org> writes:

> Hi,
>
> On 6/7/17 9:52 AM, Olivier wrote:
> [...]
>> Anybody has succeeded to run FreeRadius3 on FreeBSD 10.3-RELEASE?
>> 
>> It is complaining that the version of OpenSSL contains bug, but OpenSSl
>> comes with FreeBSD system and i am prety sure I have applied all
>> security patches (last patch regarding OpenSSL is p17, SA published in
>> february this year).
>> 
>> FreeBSD ldap.cs.ait.ac.th 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #5 r314483: Thu Mar  2 13:04:10 ICT 2017     root@ldap.cs.ait.ac.th:/usr/obj/usr/src/sys/GENERIC  i386
>> 
>> freeradius3-3.0.14 compiled from the ports
>> 
>> The error message is:
>> 
>> Error: Refusing to start with libssl version OpenSSL 1.0.1s-freebsd  1 Mar 2016 0x1000113f (1.0.1s release) (in range 1.0.1 release - 1.0.1t rele)
>> Error: Security advisory CVE-2016-6304 (OCSP status request extension)
>> 
>> This error was corrected in FreeBSD-SA-16:26.openssl
>> 
>> Obviously FreeRadius is only comparing the version number of OpenSSL and
>> does not do a good job at checking the fact that the error has been
>> corrected or not.
>> 
>> So how do you run FreeRadius3 on FreeBSD 10.3-RELEASE?
>
> add/enable in radiusd.conf:
>
> allow_vulnerable_openssl = yes

Thank you.

Olivier

> HTH,
> frank\

--