2

While running the RADIUS server in debugging mode with the command `radiusd -X`, I got a problem like this.

the error is shown as below:

Refusing to start with libssl version OpenSSL 1.0.1f 6 Jan 2014 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed) For more information see http://heartbleed.com

the installed openssl version is shown below:

OpenSSL 1.0.1g 7 Apr 2014

Even though I installed/updated OpenSSL 1.0.1g, I got an error about Heartbleed. I am stuck on this problem; could anyone help me out of this?

prashad

2 Answers

0

It hasn't picked up your installed version. You'll need to re-run configure and recompile (if building from source). Verify all other versions have been removed, or pass --with-openssl-include-dir --with-openssl-lib-dir to configure to specify explicit paths.

The Debian packages for 3.0.4 already have patches which check for the correct Debian packaged version, and alter the config files to ignore the check.

Arran Cudbard-Bell
-1

Try this

    cd /usr/local/etc/raddb
    vi radiusd.conf

Somewhere around line 480, in the security subsection, you will find a line like this:

    allow_vulnerable_openssl = no

Change it to:

    allow_vulnerable_openssl = yes
  • Hello @Abhay, the file **radiusd.conf** in the path **/usr/local/etc/raddb** is shown as a *binary file*. How would I change/modify no to yes on the 480th line? – prashad Oct 08 '14 at 20:07
  • You mean radiusd.conf is a binary file? Run "file usr/local/etc/raddb/radiusd.conf" and tell me the output. – Abhay Chennagiri Oct 09 '14 at 10:23
  • It's not a binary file – Arran Cudbard-Bell Oct 09 '14 at 19:41
  • Once you have *verified* that the version of OpenSSL you're using has been patched, you should set ``security`` ``allow_vulnerable_openssl`` to ``CVE-2014-0160`` as per the debug output. You should *NOT* set it to yes. – Arran Cudbard-Bell Oct 09 '14 at 19:44
  • @Arran: allow_vulnerable_openssl = yes worked for me and it is mentioned in the official freeradius website here http://freeradius.org/security.html – Abhay Chennagiri Oct 10 '14 at 03:55
  • @AbhayChennagiri it may work, but it means you won't be notified of future vulnerabilities. I've fixed the webpage to add further clarification. – Arran Cudbard-Bell Oct 10 '14 at 11:17
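The two points of this thread, that the libssl radiusd actually loads decides the check (not the `openssl` binary on PATH) and that `allow_vulnerable_openssl = yes` silences every future advisory while a CVE id acknowledges only one, as an added Python checker. This is example code, not from the thread or the FreeRADIUS project; the radiusd output, version string and `security { }` fragments below are constructed samples.

```python
import re

# Constructed sample inputs: the radiusd -X refusal line, the box's "openssl version"
# output, and two trimmed security { } blocks from a radiusd.conf.
RADIUSD_OUTPUT = ("Refusing to start with libssl version OpenSSL 1.0.1f 6 Jan 2014 "
                  "(in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed)")
CLI_VERSION = "OpenSSL 1.0.1g 7 Apr 2014"
CONF_BLANKET = "security {\n\tmax_attributes = 200\n\t# bypass everything\n\tallow_vulnerable_openssl = yes\n}\n"
CONF_TARGETED = "security {\n\tallow_vulnerable_openssl = CVE-2014-0160\n}\n"
HEARTBLEED_CVE = "CVE-2014-0160"

def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from the first 'OpenSSL 1.0.1f ...' in text."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"no OpenSSL version string in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def is_heartbleed_range(text):
    """True when the version lies in 1.0.1 .. 1.0.1f, the range named in the radiusd error.
    An empty letter sorts before 'a', so plain 1.0.1 counts as vulnerable; 1.0.1g does not."""
    major, minor, patch, letter = parse_openssl_version(text)
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"

def runtime_libssl_version(radiusd_output):
    """Pull the libssl version radiusd really loaded out of its refusal message; this,
    not `openssl version` on the shell, is what the startup check compares."""
    m = re.search(r"Refusing to start with libssl version (OpenSSL [^(]+)", radiusd_output)
    return m.group(1).strip() if m else None

def allow_vulnerable_setting(conf_text):
    """Value of allow_vulnerable_openssl inside security { }, with '#' comments stripped.
    Assumes the security block has no nested braces (true for the samples above)."""
    code = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    block = re.search(r"security\s*\{(.*?)\}", code, re.S)
    if not block:
        return None
    m = re.search(r"allow_vulnerable_openssl\s*=\s*(\S+)", block.group(1))
    return m.group(1) if m else None

def assess(conf_text, radiusd_output):
    """Classify the config: 'no' keeps the check, a CVE id acknowledges that one advisory,
    'yes' is a blanket bypass that also hides the next vulnerable libssl."""
    linked = runtime_libssl_version(radiusd_output)
    vulnerable = linked is not None and is_heartbleed_range(linked)
    setting = allow_vulnerable_setting(conf_text) or "no"
    if setting.lower() == "yes":
        return "WEAK: blanket bypass; future OpenSSL advisories will no longer stop radiusd"
    if setting.upper() == HEARTBLEED_CVE:
        return "ACKNOWLEDGED: Heartbleed only; confirm libssl is patched" if vulnerable else "OK: setting no longer needed"
    return "REFUSE: fix the linked libssl (recompile / --with-openssl-lib-dir), not the config" if vulnerable else "OK"
```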