OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: bobbythomas on August 02, 2017, 09:17:27 pm
-
Hi All,
I have just upgraded the firewall to 17.7 and then installed the Freeradius plugin. But I am unable to bring up the Freeradius service. I tried it through the GUI as well as through the CLI, it doesn't start. Any help is highly appreciated.
Thank you,
Regards,
Bobby Thomas
-
/var/logs/radius.log shows the below message.
Thu Aug 3 01:02:35 2017 : Info: Debugger not attached
Thu Aug 3 01:02:35 2017 : Error: Refusing to start with libssl version LibreSSL 2.4.5 0x1000107f (1.0.1g release) (in range 1.0.1 release - 1.0.1t rele)
Thu Aug 3 01:02:35 2017 : Error: Security advisory CVE-2016-6304 (OCSP status request extension)
Thu Aug 3 01:02:35 2017 : Error: For more information see https://www.openssl.org/news/secadv/20160922.txt
Thu Aug 3 01:02:35 2017 : Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'
Looks like a vulnerability in LibreSSL is the root cause. Any fix available?
Thank you,
Regards,
Bobby Thomas
-
Can you switch to OpenSSL just for testing?
-
Switched back to Openssl and it's now working.
Thank you,
Regards,
Bobby Thomas.
-
Can you switch to OpenSSL just for testing?
Yes, it's now working after switching back to OpenSSL. Looks like there is some issue with LibreSSL.
Thank you,
Regards,
Bobby Thomas
-
This is a false-positive in FreeRADIUS:
https://en.wikipedia.org/wiki/LibreSSL#22_September_2016
It sees LibreSSL, but doesn't know they don't change their mocked OpenSSL version number. ;)
As both libraries are safe, we could add this to the default config with a comment that LibreSSL has a false positive and thus isn't vulnerable?
security.allow_vulnerable_openssl = 'CVE-2016-6304'
The problem is that this might not be the only one it complains about...
Cheers,
Franco
-
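The false positive Franco describes comes down to a numeric range check: FreeRADIUS compares the OpenSSL-style version number libssl reports against the versions affected by CVE-2016-6304, and LibreSSL 2.4.5 reports the fixed compatibility number 0x1000107f (1.0.1g) from the log above. The following is an added example, not code from the thread, FreeRADIUS or LibreSSL; it re-implements that kind of check in Python (range bounds taken from the linked OpenSSL advisory, function names and sample inputs are my own) to show why the number alone flags LibreSSL and how the allow setting changes the outcome.

```python
# Added example: re-implements the style of libssl version-range check that
# FreeRADIUS runs at startup for CVE-2016-6304. Not FreeRADIUS's own code.

# Affected ranges from the OpenSSL advisory linked in the log (20160922):
# 1.0.1 .. 1.0.1t, 1.0.2 .. 1.0.2h and 1.1.0. Bounds use OpenSSL's
# 0xMNNFFPPS layout (major, minor, fix, patch, status) with the status
# nibble cleared, so betas and releases of the same patch level match alike.
CVE_2016_6304_RANGES = (
    (0x10001000, 0x10001140),   # 1.0.1 .. 1.0.1t
    (0x10002000, 0x10002080),   # 1.0.2 .. 1.0.2h
    (0x10100000, 0x10100000),   # 1.1.0
)


def format_version(num: int) -> str:
    """Render an OpenSSL version number such as 0x1000107f as '1.0.1g'."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"


def cve_2016_6304_affected(num: int) -> bool:
    """True if a libssl reporting this number falls in an affected range."""
    core = num & ~0xF                      # drop the status nibble
    return any(lo <= core <= hi for lo, hi in CVE_2016_6304_RANGES)


def check_libssl(version_text: str, version_num: int, allowed=()) -> tuple:
    """Mimic the startup decision as (ok, message).

    allowed -- CVE ids the operator accepted via
               security.allow_vulnerable_openssl.
    """
    if not cve_2016_6304_affected(version_num):
        return True, f"libssl {version_text} is outside the CVE-2016-6304 range"
    if version_text.startswith("LibreSSL"):
        # LibreSSL keeps the OpenSSL compatibility number fixed at its fork
        # point, so the number says nothing about whether this build is patched.
        note = "LibreSSL reports a fixed OpenSSL compatibility number (known false positive)"
    else:
        note = "OpenSSL build inside the affected range"
    if "CVE-2016-6304" in allowed:
        return True, f"starting anyway: {note}, allowed by config"
    return False, (f"refusing to start with libssl {version_text} "
                   f"{version_num:#010x} ({format_version(version_num)}): {note}")


if __name__ == "__main__":
    # Constructed inputs; the LibreSSL values are those from the radius.log above.
    print(check_libssl("LibreSSL 2.4.5", 0x1000107F))
    print(check_libssl("LibreSSL 2.4.5", 0x1000107F, ("CVE-2016-6304",)))
    print(check_libssl("OpenSSL 1.0.2k", 0x100020BF))
```

The third call shows that a real OpenSSL 1.0.2k (a patched release) passes the same check, which is why switching the base library made the service start.
-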
So we are bumping LibreSSL from 2.4.5 to 2.5.5 with 17.7.1, which has a different method of "advertising" itself that seems to fix this in a local test.
I can't provide a simple test package because LibreSSL has a major version bump so it's not just the FreeRADIUS package that would have to be updated but quite a few.
But feeling lucky so marking this solved. :)
Cheers,
Franco
-
Thanks for the update Franco. Waiting for 17.7.1.
Regards,
Bobby Thomas