When starting RADIUS, if you encounter an error message about an OpenSSL CVE-2014-0160 vulnerability, follow the procedure below to resolve the issue:
Error message:
Refusing to start with libssl version OpenSSL 1.0.1 14 Mar 2012 0x01000100f (1.0.1-15) (in range 1.0.1-0 - 1.0.1f-15)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'
Procedure:
1. Check the current OpenSSL version
openssl version -a
Output:
OpenSSL 1.0.1 14 Mar 2012
built on: Fri Sep 23 12:21:49 UTC 2016
platform: debian-i386
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
2. Remove the old OpenSSL installation
apt-get purge openssl
apt-get autoremove && apt-get autoclean
3. Download and compile the new OpenSSL
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
or fetch the tarball from the archive of old 1.0.1 releases:
https://ftp.openssl.org/source/old/1.0.1/
tar xzvf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config    (or ./Configure, which requires an explicit target name)
make
make install
cp /usr/local/ssl/bin/openssl /usr/bin/