Date: Tue, 10 Jun 2014 20:15:43 +0100
From: Dave Baxter <g8kbvdave@googlemail.com>
To: mark.tinka@seacom.mu, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: freeradius won't start due to heartbleed
Message-ID: <CABDW77L6-xp6Y86fQAACQ9S0hEnQ5AurXLY+aKGMN1Oq1NE3SQ@mail.gmail.com>
In-Reply-To: <201406102044.38276.mark.tinka@seacom.mu>
References: <201406091423310190.00939C60@smtp.24cl.home> <201406091607450478.00F30B2B@smtp.24cl.home> <53973182.19458.7050D1E@g8kbvdave.gmail.com> <201406102044.38276.mark.tinka@seacom.mu>
On 10 Jun 2014 19:44, "Mark Tinka" <mark.tinka@seacom.mu> wrote:
>
> On Tuesday, June 10, 2014 06:25:38 PM Dave B wrote:
>
> > 'scuse my ignorance.
> >
> > But though I understand how that proves the point, surely
> > the correct fix now would be to replace the openssl
> > libs with a version without the vulnerability, and reset
> > that configuration option to "no".
> >
> > AFAIK, FBSD 10.0 was released before the HeartBleed bug
> > was found, so unless you know you've updated it to a
> > fixed version, there could be trouble ahead.
> >
> > Just curious...
> >
> > Dave B. (I run '9.2 release' at home, which never had
> > the trouble, AFAIK.)
>
> OpenSSL versions 1.0.1 through to 1.0.1f are affected by
> Heartbleed, as you already know.
>
> An interim fix for the base OpenSSL implementation in
> FreeBSD-10 (which was 1.0.1e) was pushed out, without
> changing the version number. So FreeRADIUS assumes anything
> prior to 1.0.1g in the 1.0.1 train is vulnerable, regardless
> of whether a fix is actually implemented or not. Hence the
> need for this switch in the FreeRADIUS configuration.
>
> So provided you know this, and provided your base FreeBSD
> installation is patched, it's a safe option to use.
>
> If you use the OpenSSL release in the ports, or when
> FreeBSD's base OpenSSL version is 1.0.1g or later, you won't
> need that FreeRADIUS option anymore.
>
> Hope this helps.
>
> Cheers,
>
> Mark.

Cheers, Mark.

I do now remember hearing something about a non-versioned patch, though even if successful, it only adds to the confusion :)

Other than that, you confirmed my suspicions.

Best Regards.

Dave B.
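Mark's point about version-string checks, as an added Python example that is not FreeRADIUS's own code: it parses an `openssl version` banner, applies the "1.0.1 through 1.0.1f is affected" rule, and models the override switch as an `allow_vulnerable` flag. The banners and the flag name are constructed for the example; an unversioned backport such as FreeBSD-10's patched 1.0.1e is still flagged, because the banner is all such a check can see.

```python
import re
from typing import Optional, Tuple

# Leading "OpenSSL M.m.p[letter]" of an `openssl version` banner (constructed pattern);
# vendor suffixes such as "-freebsd" and the build date are ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample banners in the style `openssl version` prints.
SAMPLE_BANNERS = {
    "freebsd10_base_patched": "OpenSSL 1.0.1e-freebsd 11 Feb 2013",  # fixed, same string
    "ports": "OpenSSL 1.0.1h 5 Jun 2014",
    "old_train": "OpenSSL 1.0.0l 6 Jan 2014",
}


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) from a banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_by_version(banner: str) -> bool:
    """Version-only verdict: every 1.0.1 release before 1.0.1g counts as affected.
    0.9.8/1.0.0 never had the bug; 1.0.2 shipped after the fix; patches that do
    not bump the letter (the interim FreeBSD fix) cannot be told apart here."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"  # "" (plain 1.0.1) and a..f are affected; g and later are fixed


def startup_decision(banner: str, allow_vulnerable: bool) -> Tuple[bool, str]:
    """Whether a daemon using this check would start, and why.
    allow_vulnerable stands in for the FreeRADIUS override from the thread:
    only set it when the base system is known to carry the fix."""
    if not heartbleed_by_version(banner):
        return True, "openssl version string outside the affected range"
    if allow_vulnerable:
        return True, "affected version string; starting because the override is set"
    return False, "refusing to start: affected version string and no override"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, startup_decision(banner, allow_vulnerable=False))
```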