Hi All,
I have just upgraded the firewall to 17.7 and then installed the FreeRADIUS plugin. But I am unable to bring up the FreeRADIUS service. I tried it through the GUI as well as through the CLI, but it doesn't start. Any help is highly appreciated.
Thank you,
Regards,
Bobby Thomas
/var/logs/radius.log shows the message below.
Thu Aug 3 01:02:35 2017 : Info: Debugger not attached
Thu Aug 3 01:02:35 2017 : Error: Refusing to start with libssl version LibreSSL 2.4.5 0x1000107f (1.0.1g release) (in range 1.0.1 release - 1.0.1t rele)
Thu Aug 3 01:02:35 2017 : Error: Security advisory CVE-2016-6304 (OCSP status request extension)
Thu Aug 3 01:02:35 2017 : Error: For more information see https://www.openssl.org/news/secadv/20160922.txt
Thu Aug 3 01:02:35 2017 : Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'
Looks like a vulnerability in LibreSSL is the root cause. Any fix available?
Thank you,
Regards,
Bobby Thomas
Can you switch to OpenSSL just for testing?
Switched back to OpenSSL and it's now working.
Thank you,
Regards,
Bobby Thomas.
Quote from: mimugmail on August 02, 2017, 10:09:17 PM
Can you switch to OpenSSL just for testing?
Yes, it's now working after switching back to OpenSSL. Looks like there is some issue with LibreSSL.
Thank you,
Regards,
Bobby Thomas
This is a false-positive in FreeRADIUS:
https://en.wikipedia.org/wiki/LibreSSL#22_September_2016
It sees LibreSSL, but doesn't know they don't change their mocked OpenSSL version number. ;)
As both libraries are safe, we could add this to the default config with a comment that LibreSSL has a false positive and thus isn't vulnerable?
security.allow_vulnerable_openssl = 'CVE-2016-6304'
The problem is that this might not be the only one it complains about...
Cheers,
Franco
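To make the false positive concrete, here is an added example (not FreeRADIUS's or OPNsense's own code) that decodes an OpenSSL-style OPENSSL_VERSION_NUMBER and reproduces the kind of range check the log line shows: the value 0x1000107f that LibreSSL 2.4.5 reports decodes to 1.0.1g, which sits inside the 1.0.1 .. 1.0.1t window for CVE-2016-6304, so the check fires regardless of the real library. The range boundaries are taken from the log line; the Advisory table and the `allowed` parameter mirroring security.allow_vulnerable_openssl are assumptions for illustration.

```python
# Added illustration of the version check behind the "Refusing to start" log line.
# The MNNFFPPS bit layout is the pre-3.0 OpenSSL OPENSSL_VERSION_NUMBER format.
from dataclasses import dataclass


def decode_version(num: int) -> str:
    """Render 0x1000107f as '1.0.1g release' (OpenSSL 1.x MNNFFPPS layout)."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF          # 1 -> 'a', 7 -> 'g', 20 -> 't'
    status = num & 0xF                 # 0xF = release, 0 = dev, else beta N
    letter = chr(ord("a") + patch - 1) if patch else ""
    state = "release" if status == 0xF else ("dev" if status == 0 else f"beta{status}")
    return f"{major}.{minor}.{fix}{letter} {state}"


@dataclass(frozen=True)
class Advisory:
    cve: str
    low: int   # first affected OPENSSL_VERSION_NUMBER, inclusive
    high: int  # last affected OPENSSL_VERSION_NUMBER, inclusive


# Assumed table with the single range quoted in the log: 1.0.1 release .. 1.0.1t release.
ADVISORIES = [Advisory("CVE-2016-6304", 0x1000100F, 0x1000114F)]


def check_libssl(version_number: int, allowed: frozenset = frozenset()) -> list:
    """Return the CVEs that would block startup; an empty list means OK to start.

    `allowed` plays the role of security.allow_vulnerable_openssl: a CVE listed
    there is skipped even when the reported version falls inside its range.
    Note the check only sees the *reported* number, which is why a library
    that never changes its mocked version string is flagged forever.
    """
    blocking = []
    for adv in ADVISORIES:
        if adv.low <= version_number <= adv.high and adv.cve not in allowed:
            blocking.append(adv.cve)
    return blocking


if __name__ == "__main__":
    reported = 0x1000107F  # what LibreSSL 2.4.5 advertises, per the log above
    print(decode_version(reported), "->", check_libssl(reported) or "ok")
    print("with override ->", check_libssl(reported, frozenset({"CVE-2016-6304"})) or "ok")
```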
So we are bumping LibreSSL from 2.4.5 to 2.5.5 with 17.7.1, which has a different method of "advertising" itself that seems to fix this in a local test.
I can't provide a simple test package because LibreSSL has a major version bump so it's not just the FreeRADIUS package that would have to be updated but quite a few.
But feeling lucky so marking this solved. :)
Cheers,
Franco
Thanks for the update Franco. Waiting for 17.7.1.
Regards,
Bobby Thomas