From ca367b0fb687f1fcaf6737b40bc9dacbd14a9ffb Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell
Date: Mon, 26 Sep 2016 16:47:51 +0100
Subject: [PATCH] Don't ignore the fact we've hit vulnerable versions in previous checks
---
 src/main/tls.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/main/tls.c b/src/main/tls.c
index 0670986..7cc5f03 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2483,17 +2483,22 @@ int tls_global_version_check(char const *acknowledged)
 /*
 * If the CVE is acknowledged, allow it.
 */
- if (strcmp(acknowledged, defect->id) == 0) return 0;
+ if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;
 ERROR("Refusing to start with libssl version %s (in range %s)", ssl_version(), ssl_version_range(defect->low, defect->high));
 ERROR("Security advisory %s (%s)", defect->id, defect->name);
 ERROR("%s", defect->comment);
- INFO("Once you have verified libssl has been correctly patched, " "set security.allow_vulnerable_openssl = '%s'", defect->id);
+ /*
+ * Only warn about the first one...
+ */
+ if (!bad) {
+ INFO("Once you have verified libssl has been correctly patched, " "set security.allow_vulnerable_openssl = '%s'", defect->id);
- bad = true;
+ bad = true;
+ }
 }
 }
-- 
2.1.4
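Review bot: The guarded `return 0` on the acknowledged branch still leaves the loop the moment the acknowledged CVE matches, so any later entry in the defect table that also covers the running libssl is never examined; the new `!bad &&` only closes the case where the unacknowledged defect comes first. Letting the loop finish removes the gap: `if (strcmp(acknowledged, defect->id) == 0) continue;` in place of the guarded return, with the outcome taken from the return after the loop, assuming that return reports `bad` — the loop header and the final return are outside the hunk. If `acknowledged` can be NULL when `security.allow_vulnerable_openssl` is unset, the `strcmp` is undefined behaviour and needs a check before the loop, unless the caller already guarantees a non-NULL string.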