OpenSUSE 13.2, FreeRadius 3.0.12 and openssl

All,

I have a need to run FreeRadius 3.0.12 on OpenSUSE 13.2.
FreeRadius refuses to run due to outdated openssl.

"Refusing to start with libssl version OpenSSL 1.0.1k-fips 8 Jan 2015 0x100010bf (1.0.1k release)
(in range 1.0.1 release - 1.0.1t release)
Security advisory CVE-2016-6304 (OCSP status request extension)
For more information see https://www.openssl.org/news/secadv/20160922.txt
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'"

I am unable to find an rpm for openssl 1.0.1u for OpenSUSE, which seems to be the latest. In fact, it appears all SUSE variants,
even commercial releases, do not fulfil the requirements for FreeRadius, nor are there any rpms for updating it.

Is there a way to build one for 13.2 via OBS or something? I have no experience with that. I can compile openssl from
scratch but I don’t want to end up with a broken system going forward.

Or if someone knows of a distro shipping the latest updated openssl that will work with FreeRadius I am all ears.

Thanks.

This vulnerability was patched and back-ported, see the following advisory
https://www.suse.com/security/cve/CVE-2016-6304.html

Therefore, provided you are fully updated and have the latest and currently released version of openssl, you can override the warning and error…

  1. First, update your system to make sure your system is fully updated, which would include openssl
zypper up
  2. Now, you can edit your freeradius config file located at
/etc/raddb/radiusd.conf

In the above file, go down to the “Security” section and find the last line in the section which should currently read

set security.allow_vulnerable_openssl = no

Edit that line to read as follows

set security.allow_vulnerable_openssl = 'CVE-2016-6304'

Save.
Now you can start your freeradius server without issue.

TSU
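The check-then-override procedure in the answer above, as an added shell example (not code from this thread or from the FreeRADIUS project): it verifies that the distro's openssl package changelog records the backported fix for the CVE named in the error before touching radiusd.conf, and then rewrites the key inside the `security { }` block. It assumes SUSE's backport names the CVE in the changelog that `rpm -q --changelog openssl` prints, and that the FreeRADIUS 3.0.x key is written `allow_vulnerable_openssl = no` inside `security { ... }` (the "set" in the error message is an instruction, not part of the config syntax). The changelog excerpt and config fragment are constructed for the example so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from FreeRADIUS.
# Gate the allow_vulnerable_openssl override on evidence that the distro
# actually backported the fix, then edit only the security { } block.
# Assumptions: the SUSE changelog mentions the CVE id; the FreeRADIUS 3.0.x
# key is "allow_vulnerable_openssl = no" inside "security { ... }".

CVE="CVE-2016-6304"

# Constructed stand-in for `rpm -q --changelog openssl` output.
SAMPLE_CHANGELOG='* Thu Sep 22 2016 maintainer@example.com
- OpenSSL Security Advisory [22nd Sep 2016]
  * CVE-2016-6304: OCSP Status Request extension unbounded memory growth
'

# Constructed fragment of a radiusd.conf security block.
SAMPLE_CONF='security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
	allow_vulnerable_openssl = no
}
'

# Exit 0 if the changelog text ($2) mentions the CVE ($1). On a real host:
#   cve_in_changelog "$CVE" "$(rpm -q --changelog openssl)"
cve_in_changelog() {
	printf '%s\n' "$2" | grep -q -- "$1"
}

# Print the current allow_vulnerable_openssl value from the security block.
current_override() {
	sed -n '/^security {/,/^}/ s/^[[:space:]]*allow_vulnerable_openssl[[:space:]]*=[[:space:]]*//p' "$1"
}

# Rewrite the value, only inside the security block, to allow exactly this
# CVE. A temp file is used instead of sed -i so GNU and BSD sed behave alike.
set_override() {
	conf="$1" cve="$2"
	sed "/^security {/,/^}/ s/^\([[:space:]]*\)allow_vulnerable_openssl[[:space:]]*=.*/\1allow_vulnerable_openssl = '$cve'/" "$conf" > "$conf.tmp" \
		&& mv "$conf.tmp" "$conf"
}

# Apply the override only when the changelog proves the backport.
# Returns 0 when applied, 1 when refused (config left untouched).
override_if_patched() {
	conf="$1" cve="$2" changelog="$3"
	if cve_in_changelog "$cve" "$changelog"; then
		set_override "$conf" "$cve"
	else
		echo "refusing: $cve not found in openssl changelog, leaving $conf unchanged" >&2
		return 1
	fi
}

# Demo on the constructed config.
demo_conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$demo_conf"
echo "before: allow_vulnerable_openssl = $(current_override "$demo_conf")"
if override_if_patched "$demo_conf" "$CVE" "$SAMPLE_CHANGELOG"; then
	echo "after:  allow_vulnerable_openssl = $(current_override "$demo_conf")"
fi
rm -f "$demo_conf"
```

On a real host, point `override_if_patched` at the radiusd.conf the daemon actually reads (a source build defaults to `/usr/local/etc/raddb/radiusd.conf`, the openSUSE package to `/etc/raddb/radiusd.conf`), and confirm the edit with a config check against that directory, e.g. `radiusd -C -d /usr/local/etc/raddb`, before restarting the service.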

Ah! I missed that.

Thanks!

Unfortunately this fails with allow_vulnerable_openssl = 'CVE-2016-6304'.
Returns the exact same message as before.

Question. Why are there two locations for radiusd.conf?

/etc/raddb and /usr/local/etc/raddb?

Is this a result of me compiling 3.0.12? I don’t build a lot of my own apps so this
could be something that I messed up.

Just need some clarification so I can fix it if that is the case.

I can confirm it is now reading its config from /usr/local/etc instead of /etc.
It is all working but it is different than it was.

Your and my versions of freeradius-server 3.0.12 might have been packaged differently.

Mine was installed by first going to https://software.opensuse.org and then finding home:mnhauke in the list of unstable builds.

Also, something to be aware of… The freeradius-server documentation lists a number of different files which can be referenced for its config file.

TSU

I downloaded from freeradius.org and compiled from source.
Yes the config files from the compiled version versus what ships with opensuse contain references to different directories.