[RADIATOR] Serious Open SSL bug

Heikki Vatiainen hvn at open.com.au
Tue Apr 8 03:02:21 CDT 2014


On 04/08/2014 01:20 AM, Johnson, Neil M wrote:

> Just received notice from our security folks about this bug which may
> lead to leaking of the private key used to sign SSL certs and encrypt
> traffic.

Hello Neil,

thanks for the reminder. This looks like something that will keep people
busy for a while.

> More info can be found here: http://heartbleed.com/
> 
> Are you guys aware of this and have plans to update the PERL SSL module
> for RADIATOR ?

We became aware of this when it was revealed yesterday. The precompiled
Windows ppms available from OSC's web site use OpenSSL 0.9.8.
Fortunately the problematic TLS extension is not included in 0.9.8.

Radiator itself does not come with OpenSSL. It uses the OpenSSL that the
system Perl uses. When the system OpenSSL receives the patch, Radiator
needs to be restarted so that it will use the patched OpenSSL libraries.

In general, the current Windows and other Perl versions, such as 5.14
and 5.16, available from ActiveState, Strawberry Perl, Ubuntu and such,
have recent enough Net-SSLeay to support everything Radiator requires.
Previously patches were needed to get EAP-FAST working, but this is not
the case anymore.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
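
An added illustration of the restart point in the message above (not part of the original post, and not Radiator or OSC code): a Python sketch, assuming a Linux host with /proc, that lists processes still mapping an OpenSSL shared library that has since been replaced on disk. The sample maps text and the function names are constructed for this example.

```python
import glob
import os
import re

# Constructed sample of /proc/<pid>/maps for a process started before the upgrade.
SAMPLE_MAPS = """\
00400000-0057c000 r-xp 00000000 08:01 131090 /usr/bin/perl
7f3a1c000000-7f3a1c058000 r-xp 00000000 08:01 262411 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c258000-7f3a1c25b000 r--p 00058000 08:01 262411 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1b800000-7f3a1b9b2000 r-xp 00000000 08:01 262410 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1bb000 r-xp 00000000 08:01 262300 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1e000000-7f3a1e021000 rw-p 00000000 00:00 0
"""

# File name starts with libssl or libcrypto and contains ".so".
LIB_RE = re.compile(r"/(libssl|libcrypto)[^/]*\.so[^/]*$")
DELETED = " (deleted)"


def stale_openssl_libs(maps_text):
    """Return sorted OpenSSL library paths that are mapped but unlinked on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no path column
        path = fields[5].rstrip()
        # The kernel appends " (deleted)" when the mapped file was unlinked,
        # which is what a package upgrade does to the old library file.
        if path.endswith(DELETED) and LIB_RE.search(path[:-len(DELETED)]):
            stale.add(path[:-len(DELETED)])
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every readable process."""
    results = {}
    for maps_path in glob.glob(os.path.join(proc_root, "[0-9]*", "maps")):
        try:
            with open(maps_path) as fh:
                libs = stale_openssl_libs(fh.read())
        except OSError:
            continue  # process exited, or no permission to read its maps
        if libs:
            results[int(maps_path.split(os.sep)[-2])] = libs
    return results


if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Run as root to see every process; any pid it prints was started before the library was replaced and still needs a restart.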

