From owner-freebsd-questions@FreeBSD.ORG Tue Jun 10 19:13:54 2014
From: "Mike."
Date: Tue, 10 Jun 2014 15:13:45 -0400
Message-ID: <201406101513450811.0139394E@smtp.24cl.home>
In-Reply-To: <53973182.19458.7050D1E@g8kbvdave.gmail.com>
References: <201406091423310190.00939C60@smtp.24cl.home> <201406092132.28013.mark.tinka@seacom.mu> <201406091607450478.00F30B2B@smtp.24cl.home> <53973182.19458.7050D1E@g8kbvdave.gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: freeradius won't start due to heartbleed

On 6/10/2014 at 5:25 PM Dave B wrote:

|> On 6/9/2014 at 9:32 PM Mark Tinka wrote:
|>
|> |On Monday, June 09, 2014 08:23:31 PM Mike. wrote:
|> |
|> |> I'm sure I'm missing something obvious (again), but I've
|> |> been staring at this too long, and the solution eludes
|> |> me.
|> |>
|> |> Why does openssl still have the old version number? What
|> |> do I do next, so that radiusd will start up?
|> |
|> |Go to "radiusd.conf", look for the "# SECURITY
|> |CONFIGURATION" section and set:
|> |
|> | allow_vulnerable_openssl = yes
|> |
|> =============
|>
|>
|> Thanks, that did the trick.
|
|
|'scuse my ignorance.
|
|But though I understand how that proves the point, surely the correct fix
|now
|would be to replace the openssl libs to a version without the
|vulnerability, and
|reset that configuration option to "no"
|
[snip]
=============

My FreeBSD install was fully patched with all the openssl patches to date.
However, those patches do not change the openssl version number.

Since freeradius works off the openssl version number, and not whether I
installed the patches, the "allow_vulnerable_openssl" configuration
parameter allows me to instruct freeradius to "trust me" about openssl
being OK to use.

I view it as a short-term workaround.
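The point Mike makes above (a check that looks only at the OpenSSL version string cannot tell a backport-patched library from an unpatched one) as an added POSIX sh example; this is not code from the thread or from FreeRADIUS. The patch level at which the fix shipped is passed in as an assumed parameter, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeRADIUS. It mimics
# a version-string-only test (the kind of check that kept radiusd from
# starting) and contrasts it with the FreeBSD userland patch level, which is
# where a backported fix actually shows up. The fix patch level is an
# assumption passed in by the caller; take it from the security advisory.

# OpenSSL releases that shipped the Heartbleed bug: 1.0.1 through 1.0.1f.
# $1: bare version token such as "1.0.1e". Returns 0 if it is in that range.
version_in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Version token from "openssl version" output, with any vendor suffix
# such as "-freebsd" dropped: "OpenSSL 1.0.1e-freebsd 3 Feb 2014" -> 1.0.1e
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ sub(/-.*/, "", $2); print $2 }'
}

# Patch level from "freebsd-version -u" output: "10.0-RELEASE-p5" -> 5,
# a release with no -pN suffix -> 0.
freebsd_patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *) printf '0\n' ;;
    esac
}

# Verdict for one host.
# $1: "openssl version" output   $2: "freebsd-version -u" output
# $3: patch level at which the base system shipped the OpenSSL fix (assumed)
# Prints not-affected, patched-backport, or vulnerable.
openssl_status() {
    tok=$(openssl_version_token "$1")
    if ! version_in_heartbleed_range "$tok"; then
        echo not-affected        # the version-only check is satisfied
    elif [ "$(freebsd_patch_level "$2")" -ge "$3" ]; then
        echo patched-backport    # the version-only check would still refuse
    else
        echo vulnerable
    fi
}

# Constructed sample inputs, not captured from a real host.
openssl_status 'OpenSSL 1.0.1e-freebsd 3 Feb 2014' '10.0-RELEASE-p5' 1
```

A "patched-backport" verdict is the case the thread describes: the library is fixed, but any tool keyed on the version string alone will still refuse it.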