cancel
Showing results for 
Search instead for 
Did you mean: 

RADIUS Startup: Resolving OpenSSL Vulnerability Errors

Moderator

RADIUS Startup: Resolving OpenSSL Vulnerability Errors

When starting RADIUS, if you encounter an error message about an OpenSSL CVE-2014-0160 vulnerability, follow the procedure below to resolve the issue:

 

Error message:

Refusing to start with libssl version OpenSSL 1.0.1 14 Mar 2012 0x01000100f (1.0.1-15) (in range 1.0.1-0 - 1.0.1f-15)

Security advisory CVE-2014-0160 (Heartbleed)

For more information see http://heartbleed.com

Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'

 

Procedure: 

1.  Check current Openssl version

openssl version -a

 

Output:

OpenSSL 1.0.1 14 Mar 2012

built on: Fri Sep 23 12:21:49 UTC 2016

platform: debian-i386

options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx) 

compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

OPENSSLDIR: "/usr/lib/ssl"

 

2. Remove old openssl installation

 

apt-get purge openssl

apt-get autoremove && apt-get autoclean

 

3. Download and compile new openssl

 

wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz

 

or

 

https://ftp.openssl.org/source/old/1.0.1/

 

tar xzvf openssl-1.0.1g.tar.gz

cd  opemssl-1.0.1g

 

./Configure  or  ./config

make

make install

 

cp /usr/local/ssl/bin/openssl /usr/bin/