OPNsense Forum » Archive » 17.7 Legacy Series
Topic: [SOLVED] Freeradius service not starting. (Read 7734 times)

bobbythomas
« on: August 02, 2017, 09:17:27 pm »
Hi All,
I have just upgraded the firewall to 17.7 and then installed the Freeradius plugin. But I am unable to bring up the Freeradius service. I tried it through the GUI as well as through the CLI; it doesn't start. Any help is highly appreciated.
Thank you,
Regards,
Bobby Thomas
« Last Edit: August 04, 2017, 07:18:10 am by franco »

bobbythomas
« Reply #1 on: August 02, 2017, 09:42:34 pm »
/var/logs/radius.log shows the below message.
Thu Aug 3 01:02:35 2017 : Info: Debugger not attached
Thu Aug 3 01:02:35 2017 : Error: Refusing to start with libssl version LibreSSL 2.4.5 0x1000107f (1.0.1g release) (in range 1.0.1 release - 1.0.1t rele)
Thu Aug 3 01:02:35 2017 : Error: Security advisory CVE-2016-6304 (OCSP status request extension)
Thu Aug 3 01:02:35 2017 : Error: For more information see https://www.openssl.org/news/secadv/20160922.txt
Thu Aug 3 01:02:35 2017 : Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'
Looks like a vulnerability in LibreSSL is the root cause. Any fix available?
Thank you,
Regards,
Bobby Thomas

mimugmail
« Reply #2 on: August 02, 2017, 10:09:17 pm »
Can you switch to OpenSSL just for testing?
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/

bobbythomas
« Reply #3 on: August 02, 2017, 10:10:01 pm »
Switched back to OpenSSL and it's now working.
Thank you,
Regards,
Bobby Thomas.

bobbythomas
« Reply #4 on: August 02, 2017, 10:11:15 pm »
Quote from: mimugmail on August 02, 2017, 10:09:17 pm
Can you switch to OpenSSL just for testing?
Yes, it's now working after switching back to OpenSSL. Looks like there is some issue with LibreSSL.
Thank you,
Regards,
Bobby Thomas

franco (Administrator)
« Reply #5 on: August 03, 2017, 07:19:57 am »
This is a false-positive in FreeRADIUS:
https://en.wikipedia.org/wiki/LibreSSL#22_September_2016
It sees LibreSSL, but doesn't know they don't change their mocked OpenSSL version number.
As both libraries are safe, we could add this to the default config with a comment that LibreSSL has a false positive and thus isn't vulnerable?
security.allow_vulnerable_openssl = 'CVE-2016-6304'
The problem is that this might not be the only one it complains about...
Cheers,
Franco
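
The false positive described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: it decodes the version number from the log line and compares a number-only range check with one that first looks at the library name. The function names are hypothetical, and the upper bound is the encoding of the "1.0.1t" release named in the log.

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.0 OpenSSL version layout: 0xMNNFFPPS
 * M major, NN minor, FF fix, PP patch letter (1 = 'a'), S status (0xf = release). */
struct ssl_ver { unsigned major, minor, fix, patch, status; };

static struct ssl_ver decode_version(unsigned long v)
{
    struct ssl_ver d;
    d.major  = (v >> 28) & 0xf;
    d.minor  = (v >> 20) & 0xff;
    d.fix    = (v >> 12) & 0xff;
    d.patch  = (v >> 4)  & 0xff;
    d.status = v & 0xf;
    return d;
}

/* Range named in the log line: 1.0.1 release to 1.0.1t release. */
#define RANGE_LOW  0x1000100fUL
#define RANGE_HIGH 0x1000114fUL   /* patch 0x14 = 20 = 't' */

/* Number-only check: true when the advertised number is inside the range. */
static int in_flagged_range(unsigned long v)
{
    return v >= RANGE_LOW && v <= RANGE_HIGH;
}

/* Identity-aware check (hypothetical): an OpenSSL advisory range is applied
 * only when the version text does not name a fork that reuses OpenSSL numbers.
 * A fork then needs its own check keyed on its own version. */
static int should_refuse(unsigned long v, const char *text)
{
    if (strstr(text, "LibreSSL") != NULL)
        return 0;
    return in_flagged_range(v);
}

int main(void)
{
    unsigned long v = 0x1000107fUL;       /* value from the log line */
    const char *text = "LibreSSL 2.4.5";  /* library text from the log line */
    struct ssl_ver d = decode_version(v);

    printf("%u.%u.%u%c status=0x%x\n", d.major, d.minor, d.fix,
           d.patch ? (char)('a' + d.patch - 1) : ' ', d.status);
    printf("number-only check flags it: %d\n", in_flagged_range(v));
    printf("identity-aware check refuses: %d\n", should_refuse(v, text));
    return 0;
}
```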

franco (Administrator)
« Reply #6 on: August 04, 2017, 07:18:02 am »
So we are bumping LibreSSL from 2.4.5 to 2.5.5 with 17.7.1, which has a different method of "advertising" itself which seems to fix this in a local test.
I can't provide a simple test package because LibreSSL has a major version bump so it's not just the FreeRADIUS package that would have to be updated but quite a few.
But feeling lucky so marking this solved.
Cheers,
Franco

bobbythomas
« Reply #7 on: August 04, 2017, 08:43:40 pm »
Thanks for the update Franco. Waiting for 17.7.1.
Regards,
Bobby Thomas