# See also raddb/sites-available/status
#
status_server = yes
+
+ #
+ # allow_vulnerable_openssl: Allow the server to start with
+ # versions of OpenSSL known to have critical vulnerabilities.
+ #
+ # This check is based on the version number reported by libssl
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+ allow_vulnerable_openssl = no
}
# PROXY CONFIGURATION
#endif
int reject_delay;
bool status_server;
+ bool allow_vulnerable_openssl;
+
int max_request_time;
int cleanup_delay;
int max_requests;
/* version.c */
int rad_check_lib_magic(uint64_t magic);
-int ssl_check_version(void);
+int ssl_check_consistency(void);
char const *ssl_version(void);
void version(void);
int cbtls_verify(int ok, X509_STORE_CTX *ctx);
/* TLS */
-int tls_global_init(void);
+int tls_global_init(bool allow_vulnerable);
tls_session_t *tls_new_session(fr_tls_server_conf_t *conf, REQUEST *request,
int client_cert);
tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd);
{ "max_attributes", PW_TYPE_INTEGER, 0, &fr_max_attributes, STRINGIFY(0) },
{ "reject_delay", PW_TYPE_INTEGER, 0, &mainconfig.reject_delay, STRINGIFY(0) },
{ "status_server", PW_TYPE_BOOLEAN, 0, &mainconfig.status_server, "no"},
+ { "allow_vulnerable_openssl", PW_TYPE_BOOLEAN, 0, &mainconfig.allow_vulnerable_openssl, "no"},
{ NULL, -1, 0, NULL, NULL }
};
* better to die here than segfault later.
*/
#ifdef HAVE_OPENSSL_CRYPTO_H
- if (ssl_check_version() < 0) {
- exit(EXIT_FAILURE);
- }
-
- /*
- * Initialising OpenSSL once, here, is safer than having individual
- * modules do it.
- */
- if (tls_global_init() < 0) {
+ if (ssl_check_consistency() < 0) {
exit(EXIT_FAILURE);
}
#endif
exit(EXIT_FAILURE);
}
+ /*
+ * Initialising OpenSSL once, here, is safer than having individual
+ * modules do it.
+ */
+#ifdef HAVE_OPENSSL_CRYPTO_H
+ if (tls_global_init(mainconfig.allow_vulnerable_openssl) < 0) {
+ exit(EXIT_FAILURE);
+ }
+#endif
+
/* Set the panic action (if required) */
if (mainconfig.panic_action &&
#ifndef NDEBUG
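Review bot: The libssl initialisation has moved from before the configuration is read (the removed call in the hunk above) to this point after it, because the call now needs `mainconfig.allow_vulnerable_openssl`. Any code that runs between those two points and touches libssl — for example configuration parsing that loads certificates or uses EVP digests, if such code exists — would now execute before `OpenSSL_add_all_algorithms()`; that code is not visible here, so this ordering should be confirmed rather than assumed safe. The relocated comment still says only "once, here, is safer"; extend it to record the new constraint, e.g. `* Must run after the main configuration has been read, since the vulnerability check is controlled by mainconfig.allow_vulnerable_openssl.` The enclosing main() starts and ends outside this hunk.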
*
* This should be called exactly once from main.
*/
-int tls_global_init(void)
+int tls_global_init(bool allow_vulnerable)
{
long v;
OpenSSL_add_all_algorithms(); /* required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */
#endif
- /* Check for bad versions */
- v = SSLeay();
+ if (!allow_vulnerable) {
+ /* Check for bad versions */
+ v = SSLeay();
- /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
- if ((v >= 0x010001000) && (v < 0x010001070)) {
- ERROR("Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
- "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
- ERROR("For more information see http://heartbleed.com");
+ /* 1.0.1 - 1.0.1f CVE-2014-0160 http://heartbleed.com */
+ if ((v >= 0x010001000) && (v < 0x010001070)) {
+ ERROR("Refusing to start with libssl version %s (in range 1.0.1 - 1.0.1f). "
+ "Security advisory CVE-2014-0160 (Heartbleed)", ssl_version());
+ ERROR("For more information see http://heartbleed.com");
- return -1;
+ return -1;
+ }
}
return 0;
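Review bot: When allow_vulnerable is true the guard `if (!allow_vulnerable) {` skips the Heartbleed range check silently, so a server started with the override on a libssl in the 1.0.1 - 1.0.1f range leaves no trace in the startup log that the check was bypassed, and an operator who set it to get past a distribution-patched build will not notice if the library is later replaced by an unpatched one. Add an else branch that records the bypass, using the file's WARN macro if it is available or the ERROR macro the hunk already uses: `} else {` `WARN("Skipping libssl vulnerability check (allow_vulnerable_openssl = yes); running with libssl version %s", ssl_version());` `}`. Leaving `v` unset on that path is harmless, since it is only read inside the guarded block. tls_global_init's body begins before the first changed line of this hunk.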
*
* @return 0 if ok, else -1
*/
-int ssl_check_version(void)
+int ssl_check_consistency(void)
{
long ssl_linked;
return buffer;
}
# else
-int ssl_check_version(void) {
+int ssl_check_consistency(void) {
return 0;
}
modconfdir = ${raddb}/mods-config
+security {
+ allow_vulnerable_openssl = yes
+}
+
modules {
$INCLUDE ${raddb}/mods-enabled/always