Date: Tue, 10 Jun 2014 20:44:34 +0200
From: Mark Tinka <mark.tinka@seacom.mu>
To: freebsd-questions@freebsd.org
Cc: Dave B <g8kbvdave@googlemail.com>
Subject: Re: freeradius won't start due to heartbleed
Message-ID: <201406102044.38276.mark.tinka@seacom.mu>
In-Reply-To: <53973182.19458.7050D1E@g8kbvdave.gmail.com>
References: <201406091423310190.00939C60@smtp.24cl.home> <201406091607450478.00F30B2B@smtp.24cl.home> <53973182.19458.7050D1E@g8kbvdave.gmail.com>

On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:

> 'scuse my ignorance.
>
> But though I understand how that proves the point, surely
> the correct fix now would be to replace the openssl
> libs' to a version without the vulnerability, and reset
> that configuration option to "no"
>
> AFAIK, FBSD 10.0 was released before the HeartBleed bug
> was found, so unless you know you've updated it to a
> fixed version, there could be trouble ahead.
>
> Just curious...
>
> Dave B. (I run '9.2 release' at home, that never had
> the trouble, AFAIK.)

OpenSSL versions 1.0.1 through to 1.0.1f are affected by
Heartbleed, as you already know.

An interim fix for the base OpenSSL implementation in
FreeBSD-10 (which was 1.0.1e) was pushed out, without
changing the version number. So FreeRADIUS assumes anything
prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
of whether a fix is actually implemented or not. Hence the
need for this switch in the FreeRADIUS configuration.

So provided you know this, and provided your base FreeBSD
installation is patched, it's a safe option to use.

If you use the OpenSSL release in the ports, or when
FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
need that FreeRADIUS option anymore.

Hope this helps.

Cheers,

Mark.
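
The version-only startup check described in the message above, sketched as an added example (not part of the original e-mail and not FreeRADIUS's own code). It shows why a base-system 1.0.1e with the fix backported is still refused until the operator overrides the check; the function names and the operator_override parameter are hypothetical, and the version strings are constructed samples.

```c
#include <stdio.h>

/* OpenSSL 1.0.x packs its version number as 0xMNNFFPPS:
 * major, minor, fix, patch letter (a=1, b=2, ...), status (0xf = release). */
static unsigned long pack_version(const char *s)
{
    unsigned major = 0, minor = 0, fix = 0, patch = 0;
    char letter = 0;
    int n = sscanf(s, "%u.%u.%u%c", &major, &minor, &fix, &letter);
    if (n < 3)
        return 0;                                /* unparseable string */
    if (n == 4 && letter >= 'a' && letter <= 'z')
        patch = (unsigned)(letter - 'a' + 1);
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | ((unsigned long)patch << 4) | 0xfUL;
}

/* 1.0.1 through 1.0.1f: the range the message says is treated as vulnerable. */
static int in_flagged_range(unsigned long v)
{
    return v >= 0x10001000UL && v <= 0x1000106fUL;
}

enum verdict { START_OK, REFUSE, START_OVERRIDDEN };

/* Hypothetical startup decision. The version number cannot reveal a
 * backported fix, so a patched 1.0.1e looks the same as an unpatched one. */
static enum verdict startup_check(const char *version, int operator_override)
{
    unsigned long v = pack_version(version);
    if (v == 0)
        return REFUSE;                           /* fail closed */
    if (!in_flagged_range(v))
        return START_OK;
    return operator_override ? START_OVERRIDDEN : REFUSE;
}

int main(void)
{
    /* Constructed sample versions, not taken from any real host. */
    const char *samples[] = { "0.9.8y", "1.0.1", "1.0.1e", "1.0.1f", "1.0.1g" };
    static const char *names[] = { "start", "refuse", "start (override)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s 0x%08lx  default: %-7s  override: %s\n", samples[i],
               pack_version(samples[i]),
               names[startup_check(samples[i], 0)],
               names[startup_check(samples[i], 1)]);
    return 0;
}
```

The override only makes sense once the patch level of the base system has been confirmed by other means, since the version number alone cannot show it.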