projects / freeradius.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3d6b628)
Don't ignore the fact we've hit vulnerable versions in previous checks
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 26 Sep 2016 15:47:51 +0000 (16:47 +0100)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 26 Sep 2016 15:47:51 +0000 (16:47 +0100)
src/main/tls.c patch | blob | history

diff --git a/src/main/tls.c b/src/main/tls.c
index 0670986..7cc5f03 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2483,17 +2483,22 @@ int tls_global_version_check(char const *acknowledged)
                        /*
                         *      If the CVE is acknowledged, allow it.
                         */
-                       if (strcmp(acknowledged, defect->id) == 0) return 0;
+                       if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;
 
                        ERROR("Refusing to start with libssl version %s (in range %s)",
                              ssl_version(), ssl_version_range(defect->low, defect->high));
                        ERROR("Security advisory %s (%s)", defect->id, defect->name);
                        ERROR("%s", defect->comment);
 
-                       INFO("Once you have verified libssl has been correctly patched, "
-                            "set security.allow_vulnerable_openssl = '%s'", defect->id);
+                       /*
+                        *      Only warn about the first one...
+                        */
+                       if (!bad) {
+                               INFO("Once you have verified libssl has been correctly patched, "
+                                    "set security.allow_vulnerable_openssl = '%s'", defect->id);
 
-                       bad = true;
+                               bad = true;
+                       }
                }
        }
 
Unnamed repository; edit this file 'description' to name the repository.