
Thread: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

  1. #1
    Join Date
    Jun 2008
    Location
    Delta Quadrant
    Posts
    1,442

    OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    All,

    I have a need to run FreeRadius 3.0.12 on OpenSUSE 13.2.
    FreeRadius refuses to run due to outdated openssl.

    "Refusing to start with libssl version OpenSSL 1.0.1k-fips 8 Jan 2015 0x100010bf (1.0.1k release)
    (in range 1.0.1 release - 1.0.1t rele)
    Security advisory CVE-2016-6304 (OCSP status request extension)
    For more information see https://www.openssl.org/news/secadv/20160922.txt
    Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'"

    I am unable to find an rpm for openssl 1.0.1u for OpenSUSE which seems to be the latest. In fact, it appears all SUSE variants,
    even commercial releases, do not fulfill the requirements for FreeRadius, nor are there any rpms for updating it.

    Is there a way to build one for 13.2 via OBS or something? I have no experience with that. I can compile openssl from
    scratch but I don't want to end up with a broken system going forward.

    Or if someone knows of a distro shipping the latest updated openssl that will work with FreeRadius I am all ears.

    Thanks.

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,108
    Blog Entries
    2

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    This vulnerability was patched and back-ported, see the following advisory
    https://www.suse.com/security/cve/CVE-2016-6304.html

    Therefore, provided you are fully updated and have the latest and currently released version of openssl, you can override the warning and error...

    1. First, update your system to make sure your system is fully updated, which would include openssl
    Code:
    zypper up
    2. Now, you can edit your freeradius config file located at
    Code:
    /etc/raddb/radiusd.conf
    In the above file, go down to the "Security" section and find the last line in the section which should currently read
    Code:
    set security.allow_vulnerable_openssl = no
    Edit that line to read as follows
    Code:
    set security.allow_vulnerable_openssl = 'CVE-2016-6304'
    Save.
    Now you can start your freeradius server without issue.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3
    Join Date
    Jun 2008
    Location
    Delta Quadrant
    Posts
    1,442

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    Ah! I missed that.

    Thanks!

  4. #4
    Join Date
    Jun 2008
    Location
    Delta Quadrant
    Posts
    1,442

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    Unfortunately this fails with allow_vulnerable_openssl = 'CVE-2016-6304'.
    Returns the exact same message as before.

  5. #5
    Join Date
    Jun 2008
    Location
    Delta Quadrant
    Posts
    1,442

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    Question. Why are there two locations for radiusd.conf?

    /etc/raddb and /usr/local/etc/raddb?

    Is this a result of me compiling 3.0.12? I don't build a lot of my own apps so this
    could be something that I messed up.

    Just need some clarification so I can fix it if that is the case.

  6. #6
    Join Date
    Jun 2008
    Location
    Delta Quadrant
    Posts
    1,442

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    I can confirm it is now reading its config from /usr/local/etc instead of /etc.
    It is all working but it is different than it was.

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,108
    Blog Entries
    2

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    Your and my versions of freeradius-server 3.0.12 might have been packaged differently.

    Mine was installed by first going to https://software.opensuse.org and then finding home:mnhauke in the list of unstable builds.

    Also, something to be aware of... The freeradius-server documentation lists a number of different files which can be referenced for its config file.

    TSU

  8. #8
    Join Date
    Jun 2008
    Location
    Delta Quadrant
    Posts
    1,442

    Re: OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

    I downloaded from freeradius.org and compiled from source.
    Yes the config files from the compiled version versus what ships with opensuse contain references to different directories.
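
Added example, not part of any post in this thread: the override only takes effect in the radiusd.conf that the running binary actually reads, so this script reports the allow_vulnerable_openssl value in each of the two raddb directories mentioned above. The function names are hypothetical, `<openssl package>` is a placeholder for the installed package name, and the script assumes the setting appears on an `allow_vulnerable_openssl = <value>` line.

```shell
#!/bin/sh
# Added example (not from the thread): find which radiusd.conf carries the
# OpenSSL override. The two directories are the ones named in the thread.

# Print the last uncommented allow_vulnerable_openssl value in file $1
# (empty output if the file is missing or the item is not set).
override_value() {
    sed -e 's/#.*$//' "$1" 2>/dev/null \
        | sed -n 's/.*allow_vulnerable_openssl[[:space:]]*=[[:space:]]*//p' \
        | sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//" \
        | tail -n 1
}

# For CVE id $1, report what radiusd.conf in each remaining argument
# (a raddb directory) says.
audit_raddb() {
    cve=$1; shift
    for dir in "$@"; do
        conf="$dir/radiusd.conf"
        if [ ! -f "$conf" ]; then
            echo "$conf: missing"
            continue
        fi
        val=$(override_value "$conf")
        case "$val" in
            "$cve") echo "$conf: override set for $cve" ;;
            "")     echo "$conf: allow_vulnerable_openssl not set" ;;
            *)      echo "$conf: allow_vulnerable_openssl = $val" ;;
        esac
    done
}

# True if the changelog text on stdin mentions CVE id $1, for checking that
# the distribution's back-ported fix is installed before overriding, e.g.
#   rpm -q --changelog <openssl package> | cve_in_changelog CVE-2016-6304
cve_in_changelog() {
    grep -q -- "$1"
}

audit_raddb CVE-2016-6304 /etc/raddb /usr/local/etc/raddb
```

Running `radiusd -X` also prints each configuration file as it is included, which confirms which of the directories the binary is reading.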
