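FreeRADIUS is compiled against a particular OpenSSL version, and the resulting radiusd binary can fail in unexpected ways at run time.
1) Refusing to start with libssl version OpenSSL 1.0.1h 5 Jun 2014 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160 (Heartbleed)
OpenSSL has already been upgraded, yet radiusd still reports a vulnerable OpenSSL version.
2) libssl version mismatch. built: 1000114f linked: 1000103f
A FreeRADIUS binary compiled against OpenSSL 1.0.1t will not run on OpenSSL 1.0.1h, because the SSL versions do not match. You might say that recompiling fixes it; unfortunately, some systems are stripped down and cannot compile anything!
Below is the part of version.c from the freeradius-2.2.10 source that checks the OpenSSL version, with a small modification.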
/* ssl_built is defined earlier in version.c: the OpenSSL version the binary was built against. */
int ssl_check_version()
{
    long ssl_linked;

    ssl_linked = SSLeay();
    /* return 0;   (better still: return here and hide all of the error messages!) */

    /*
     * Status mismatch always triggers error.
     */
    if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
    mismatch:
        radlog(L_ERR, "adjust by minifw@whuashan,libssl version mismatch. built: %lx linked: %lx",
               (unsigned long) ssl_built, (unsigned long) ssl_linked);
        return 0; /* the original source has return -1 here, meaning failure */
    }

    /*
     * Use the OpenSSH approach and relax fix checks after version
     * 1.0.0 and only allow moving backwards within a patch
     * series.
     */
    if (ssl_built & 0xf0000000) {
        if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
            (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
    /*
     * Before 1.0.0 we require the same major minor and fix version
     * and ignore the patch number.
     */
    } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;

    return 0;
}

int ssl_check_vulnerable()
{
    long ssl_linked;

    ssl_linked = SSLeay();
    /* return 0;   (better still: return here and hide all of the error messages!) */

    /* Check for bad versions */
    /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
    if ((ssl_linked >= 0x010001000) && (ssl_linked < 0x010001070)) {
        radlog(L_ERR, "Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
               "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
        radlog(L_ERR, "For more information see http://heartbleed.com, minifw@wuhuashan");
        return 0; /* the original source has return -1 here, meaning failure */
    }

    return 0;
}
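The two checks above compare packed OpenSSL version numbers (layout 0xMNNFFPPS for 1.0.x), so it helps to decode them before deciding whether a refusal is a false alarm. The following is an added example, not part of the original post or of FreeRADIUS: the function names are hypothetical, the comparisons use the upstream -1 on mismatch, and the built/linked values are the ones from message 2.

```c
#include <stdio.h>
#include <string.h>

/* Decode an OpenSSL 1.0.x version number (0xMNNFFPPS) into text, e.g. 1.0.1c. */
static const char *ssl_decode(unsigned long v, char *buf, size_t len)
{
	unsigned patch = (unsigned)((v >> 4) & 0xff);   /* 0 = none, 1 = 'a', ... */
	char letter[2] = { 0, 0 };

	if (patch >= 1 && patch <= 26) letter[0] = (char)('a' + patch - 1);
	snprintf(buf, len, "%lu.%lu.%lu%s%s", (v >> 28) & 0xf, (v >> 20) & 0xff,
		 (v >> 12) & 0xff, letter, (v & 0xf) == 0xf ? "" : " (non-release)");
	return buf;
}

/* Same comparison as ssl_check_version(): 0 = compatible, -1 = mismatch. */
static int version_compatible(unsigned long built, unsigned long linked)
{
	if ((linked & 0xf) != (built & 0xf)) return -1;  /* status nibble differs */
	if (built & 0xf0000000UL) {
		/* 1.0.0+: same major.minor.fix, and the linked patch must not be older */
		if ((built & 0xfffff000UL) != (linked & 0xfffff000UL) ||
		    (built & 0x00000ff0UL) > (linked & 0x00000ff0UL)) return -1;
	} else if ((built & 0xfffff000UL) != (linked & 0xfffff000UL)) return -1;
	return 0;
}

/* Same range as ssl_check_vulnerable(): 1.0.1 up to and including 1.0.1f. */
static int in_heartbleed_range(unsigned long linked)
{
	return linked >= 0x10001000UL && linked < 0x10001070UL;
}

int main(void)
{
	char b[32], l[32];
	unsigned long built = 0x1000114fUL, linked = 0x1000103fUL; /* message 2 */

	printf("built %s, linked %s: %s, Heartbleed range: %s\n",
	       ssl_decode(built, b, sizeof(b)), ssl_decode(linked, l, sizeof(l)),
	       version_compatible(built, linked) ? "mismatch" : "ok",
	       in_heartbleed_range(linked) ? "yes" : "no");
	return 0;
}
```

For the values in message 2, the built number decodes to 1.0.1t and the linked number to 1.0.1c, which is older than the build and inside the range the Heartbleed check rejects.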
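The address below is a build of freeradius-2.2.10 that has already been compiled and run. It was developed on CentOS 6 (2.6.32), and the tgz also runs successfully on the 64-bit system of the Sangfor AF 5.8 series.
Link: http://pan.baidu.com/s/1geMFlz9 Password: 5wst. The download is the x86_64 glibc build; it supports any OpenSSL version and is already configured, so you only need to set up a few *.sql files to initialize MySQL.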