[openssl-users] OpenSSL and detecting whether bugs have been patched

Graham Leggett minfrin at sharp.fm
Thu Mar 5 11:28:00 UTC 2015


Hi all,

I just tried out the most recent version of freeradius (v3.0.7), and it failed to start up with the following message:

Thu Mar  5 11:12:33 2015 : Info: Debugger not attached
Thu Mar  5 11:12:33 2015 : Error: Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Thu Mar  5 11:12:33 2015 : Error: Security advisory CVE-2014-0160 (Heartbleed)
Thu Mar  5 11:12:33 2015 : Error: For more information see http://heartbleed.com
Thu Mar  5 11:12:33 2015 : Info: Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'

While the idea behind the check is sound (it would be great if people cared about this stuff), the implementation is rather crude - all freeradius has to go on to implement a check like this is to compare version numbers, and in this case the version numbers tell us it is unpatched when in reality this CentOS 7 provided openssl package actually is patched.

Would it be a good idea to add a simple API to the openssl code that defines whether specific security flaws are patched or not, allowing other software to explicitly check for them? A vendor like Red Hat then has the chance to patch the older version and add the extra detail to indicate that the particular vulnerability is patched in this particular version, like this:

/* proposed: returns non-zero when the named CVE is fixed in the running libssl */
int openssl_is_patched(const char *cve);

if (!openssl_is_patched("CVE-2014-0160")) {
    complain_vociferously();
}

Thoughts? Glaring holes I have not thought of?

Regards,
Graham
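The post's complaint is that FreeRADIUS can only compare OPENSSL_VERSION_NUMBER against the affected range, so a distribution build that backports the Heartbleed fix without bumping the version still trips the check. The example below is added here and is not code from the post, from FreeRADIUS or from OpenSSL: it decodes the 0x1000105f number from the log line, reproduces the "1.0.1 dev - 1.0.1f release" range test on it, and sketches the registry-backed openssl_is_patched() the post proposes. The range table, the registry contents and the function signatures are all constructed for illustration.

```c
/* Added example (not from the mailing-list post, FreeRADIUS or OpenSSL).
 * Demonstrates why a version-range check misfires on a backported fix and
 * sketches the CVE-registry lookup proposed in the post. Function names,
 * the range table and the registry contents are hypothetical. */
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER layout for the 1.0.x series: 0xMNNFFPPS
 * M = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
 * S = status (0 = dev, 1..0xe = beta/pre-release, 0xf = release). */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

static struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* Render e.g. 0x1000105f as "1.0.1e release", matching the FreeRADIUS log line.
 * Returns a pointer to a static buffer (good enough for a demonstration). */
static const char *format_version(unsigned long v)
{
    static char buf[32];
    struct ossl_version r = decode_version(v);
    char letter[2] = { 0, 0 };
    if (r.patch)
        letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, sizeof buf, "%u.%u.%u%s %s", r.major, r.minor, r.fix, letter,
             r.status == 0xf ? "release" : r.status == 0 ? "dev" : "beta");
    return buf;
}

/* Affected version ranges, keyed by CVE. The Heartbleed row is the range the
 * log line prints: 1.0.1 dev (0x10001000) through 1.0.1f release (0x1000106f). */
struct cve_range { const char *cve; unsigned long first, last; };
static const struct cve_range known_ranges[] = {
    { "CVE-2014-0160", 0x10001000UL, 0x1000106fUL },
    { NULL, 0, 0 }
};

/* The check FreeRADIUS effectively performs: pure arithmetic on the version
 * number. It cannot see a vendor backport, so 1.0.1e is always "vulnerable". */
static int version_range_says_vulnerable(const char *cve, unsigned long v)
{
    const struct cve_range *r;
    for (r = known_ranges; r->cve; r++)
        if (strcmp(r->cve, cve) == 0)
            return v >= r->first && v <= r->last;
    return 0; /* unknown CVE: no range to compare against */
}

/* Constructed vendor registries: what a distribution could ship alongside a
 * backported fix, the data the proposed API would consult. */
static const char *const empty_registry[] = { NULL };
static const char *const centos_like_registry[] = { "CVE-2014-0160", NULL };

/* Sketch of the proposed openssl_is_patched(): a CVE counts as fixed when the
 * running library lies outside the affected range, or when the vendor registry
 * records that the fix was backported into this build. */
static int openssl_is_patched(const char *cve, unsigned long version,
                              const char *const *registry)
{
    if (!version_range_says_vulnerable(cve, version))
        return 1;
    for (; *registry; registry++)
        if (strcmp(*registry, cve) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned long centos7 = 0x1000105fUL; /* the value from the log line */
    printf("libssl reports %s (0x%08lx)\n", format_version(centos7), centos7);
    printf("version-range check says vulnerable: %d\n",
           version_range_says_vulnerable("CVE-2014-0160", centos7));
    printf("registry-aware check, no registry:   patched=%d\n",
           openssl_is_patched("CVE-2014-0160", centos7, empty_registry));
    printf("registry-aware check, vendor entry:  patched=%d\n",
           openssl_is_patched("CVE-2014-0160", centos7, centos_like_registry));
    return 0;
}
```

Run as written, the range check flags the CentOS build as vulnerable while the registry-aware check clears it once the vendor entry is present; the numeric comparison alone cannot distinguish the two builds, which is exactly the gap the post describes.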