[SOLVED] Freeradius service not starting.

Started by bobbythomas, August 02, 2017, 09:17:27 PM

August 02, 2017, 09:17:27 PM Last Edit: August 04, 2017, 07:18:10 AM by franco
Hi All,

I have just upgraded the firewall to 17.7 and then installed the Freeradius plugin. But I am unable to bring up the Freeradius service. I tried it through the GUI as well as through the CLI, but it doesn't start. Any help is highly appreciated.

Thank you,
Regards,
Bobby Thomas

/var/logs/radius.log shows the below message.

Thu Aug  3 01:02:35 2017 : Info: Debugger not attached
Thu Aug  3 01:02:35 2017 : Error: Refusing to start with libssl version LibreSSL 2.4.5 0x1000107f (1.0.1g release) (in range 1.0.1 release - 1.0.1t rele)
Thu Aug  3 01:02:35 2017 : Error: Security advisory CVE-2016-6304 (OCSP status request extension)
Thu Aug  3 01:02:35 2017 : Error: For more information see https://www.openssl.org/news/secadv/20160922.txt
Thu Aug  3 01:02:35 2017 : Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2016-6304'

Looks like a vulnerability in LibreSSL is the root cause. Any fix available?

Thank you,
Regards,
Bobby Thomas


Switched back to OpenSSL and it's now working.

Thank you,
Regards,
Bobby Thomas.

Quote from: mimugmail on August 02, 2017, 10:09:17 PM
Can you switch to OpenSSL just for testing?

Yes, it's now working after switching back to OpenSSL. Looks like there is some issue with LibreSSL.

Thank you,
Regards,
Bobby Thomas

This is a false-positive in FreeRADIUS:

https://en.wikipedia.org/wiki/LibreSSL#22_September_2016

It sees LibreSSL, but doesn't know they don't change their mocked OpenSSL version number. ;)

As both libraries are safe, we could add this to the default config with a comment that LibreSSL has a false positive and thus isn't vulnerable?

security.allow_vulnerable_openssl = 'CVE-2016-6304'

The problem is that this might not be the only one it complains about...


Cheers,
Franco
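
The version number in the log above can be decoded by hand. The following is an added example (not FreeRADIUS code and not written by anyone in this thread) that unpacks 0x1000107f using OpenSSL's 0xMNNFFPPS layout and shows why a range test on the number alone flags LibreSSL 2.4.5. The `classify` function and its verdict names are hypothetical, and the OpenSSL version strings in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS:
 * major, minor, fix, patch (1 = 'a', 2 = 'b', ...), status (0xf = release). */
struct ssl_version { unsigned major, minor, fix, patch, status; };

struct ssl_version decode_version(unsigned long v)
{
    struct ssl_version r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* Patch level to letter: 7 -> 'g', 20 -> 't'; 0 means no letter. */
char patch_letter(unsigned patch)
{
    return patch ? (char)('a' + patch - 1) : '-';
}

/* Range quoted in the log: 1.0.1 release through 1.0.1t release. */
#define RANGE_LOW  0x1000100fUL
#define RANGE_HIGH 0x1000114fUL

enum verdict { NOT_IN_RANGE, IN_RANGE, NUMBER_NOT_MEANINGFUL };

/* Hypothetical check (an assumption, not the project's logic): the number
 * decides for OpenSSL, but for LibreSSL it is the unchanged compatibility
 * value described in the post above, so the range test is inconclusive. */
enum verdict classify(unsigned long number, const char *version_text)
{
    if (strncmp(version_text, "LibreSSL", 8) == 0)
        return NUMBER_NOT_MEANINGFUL;
    return (number >= RANGE_LOW && number <= RANGE_HIGH) ? IN_RANGE : NOT_IN_RANGE;
}

int main(void)
{
    struct ssl_version v = decode_version(0x1000107fUL);
    printf("decoded: %u.%u.%u%c status 0x%x\n",
           v.major, v.minor, v.fix, patch_letter(v.patch), v.status);
    /* "LibreSSL 2.4.5" is from the log; the OpenSSL strings are constructed. */
    printf("LibreSSL 2.4.5 -> %d\n", classify(0x1000107fUL, "LibreSSL 2.4.5"));
    printf("OpenSSL 1.0.1g -> %d\n", classify(0x1000107fUL, "OpenSSL 1.0.1g"));
    printf("OpenSSL 1.0.1u -> %d\n", classify(0x1000115fUL, "OpenSSL 1.0.1u"));
    return 0;
}
```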

So we are bumping LibreSSL from 2.4.5 to 2.5.5 with 17.7.1, which has a different method of "advertising" itself which seems to fix this in a local test.

I can't provide a simple test package because LibreSSL has a major version bump so it's not just the FreeRADIUS package that would have to be updated but quite a few.

But feeling lucky so marking this solved. :)


Cheers,
Franco

Thanks for the update Franco. Waiting for 17.7.1.

Regards,
Bobby Thomas