I am just beginning with FreeRadius. I have installed FreeRadius 2.2.9, but when I try to debug with radiusd -X I get this error:

Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed)

For more information see http://heartbleed.com

But when I run openssl version, the result is

OpenSSL 1.0.2h 3 May 2016

I have no idea why this happens. Can anyone help?

I'm using CentOS release 6.8 (Final).

Thanks.

user3422401
1 Answer

It seems likely that you have installed freeradius without using the CentOS package manager. The version you have installed is not aware of the backporting activity of many Linux distros and is incorrectly using the reported version number in an attempt to determine the vulnerability state of the system. A CentOS 6.8 system is not vulnerable to CVE-2014-0160. If you want to check then look at the output of

 rpm -q --changelog openssl | less

I have freeradius 2.2.6 installed from the CentOS repos on an up-to-date CentOS 6.8 and it works fine. You should remove your freeradius and then install using yum.

If you really need to use a later version of freeradius on CentOS 6.8 then you can set

allow_vulnerable_openssl = yes

in the security section of your radiusd.conf.

user9517
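The answer's point is that a check driven by the reported OpenSSL version string cannot see a distribution's backported fix, while the package changelog can. The following script is an added illustration, not code from the post or from FreeRADIUS: heartbleed_range mirrors the kind of version-range test the error message describes (an assumption about the heuristic, not FreeRADIUS's actual code), changelog_fixed stands in for the rpm changelog inspection, and all inputs are constructed samples.

```shell
#!/bin/sh
# Added example: why a version-string check yields a false positive on a
# distro that backports security fixes, and how a changelog check differs.

# Does an "openssl version" string fall in the Heartbleed range 1.0.1 - 1.0.1f?
# (Assumed heuristic, modelled on the error text; not FreeRADIUS's own code.)
heartbleed_range() {
    # $1 example: "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e"
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # inside the range named in the advisory
        *) return 1 ;;
    esac
}

# Does the package changelog record a fix for CVE-2014-0160?
# (Stands in for: rpm -q --changelog openssl | grep CVE-2014-0160)
changelog_fixed() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Combine both signals into one verdict:
#   "patched (backport)"  version in range, but changelog shows the fix
#   "vulnerable"          version in range, no fix recorded
#   "not in range"        version outside the affected range
verdict() {
    if heartbleed_range "$1"; then
        if changelog_fixed "$2"; then echo "patched (backport)"; else echo "vulnerable"; fi
    else
        echo "not in range"
    fi
}

# Constructed sample inputs (not real rpm output).
VER_RPM="OpenSSL 1.0.1e-fips 11 Feb 2013"
VER_SRC="OpenSSL 1.0.2h 3 May 2016"
CHANGELOG_RPM='* constructed changelog entry: fix CVE-2014-0160 (Heartbleed)'

verdict "$VER_RPM" "$CHANGELOG_RPM"   # patched (backport)
verdict "$VER_SRC" ""                 # not in range
```

On the CentOS 6.8 system in the question, the distro's OpenSSL reports 1.0.1e-fips (inside the range) while its changelog carries the backported fix, which is exactly the case the version-only check misjudges.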