On 08/15/2015 12:20 AM, Johnson, Neil M wrote:
> I removed the OSC NET::SSLeay ppm from my Windows system and now I’m
> using the Active States version of OpenSSL, which is OpenSSL 1.0.1e
> 11 Feb 2013 and vulnerable to Heartbleed.

Hello Neil and the other list members,

I suggest upgrading your ActivePerl to a version that does not come with a vulnerable OpenSSL. ActiveState has published this information about the vulnerable versions:
https://community.activestate.com/node/10856

Radiator comes with Win32-Lsa PPMs that work with ActivePerl 5.18. If you'd like to use a more recent ActivePerl, please let us know. Now that ActivePerl 5.22 is out, we can see how the LSA module compiles against it. The compiler changes introduced in ActivePerl 5.20 have hopefully now been settled.

Another option is to use Strawberry Perl. The Win32-Lsa modules that come with Radiator 4.15 support Strawberry Perl up to version 5.22. The Heartbleed fix was announced in the Strawberry Perl April 2014 release:
http://strawberryperl.com/release-notes/5.18.2.2-64bit.html

The precompiled Net::SSLeay modules were mainly provided for those who wanted to use EAP-FAST while the extensions EAP-FAST required were not widely available in OpenSSL. When the Heartbleed vulnerability was exposed, they were also useful for a quick mitigation.

I recommend using the Net::SSLeay and OpenSSL that come with ActivePerl and Strawberry Perl and keeping track of their releases and upgrading as needed.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
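
One way to check which OpenSSL a given Perl's Net::SSLeay is linked against, as an added example that is not part of the original message and is not Radiator code. The affected range it uses (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1) is taken from the OpenSSL advisory for Heartbleed rather than from this thread, `heartbleed_status` is a hypothetical helper name, and the sample banners are constructed apart from the one quoted in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify an OpenSSL version banner such as "OpenSSL 1.0.1e 11 Feb 2013".
# Returns 'affected', 'not affected' or 'unknown'.
# heartbleed_status is a hypothetical helper, not a Net::SSLeay or Radiator function.
sub heartbleed_status {
    my ($banner) = @_;
    return 'unknown' unless defined $banner;

    # Judge genuine OpenSSL banners only; forks number their releases differently.
    my ($version, $suffix) = $banner =~ /^OpenSSL\s+(\d+\.\d+\.\d+)(\S*)/
        or return 'unknown';

    return 'affected'     if "$version$suffix" eq '1.0.2-beta1';
    return 'not affected' if $version ne '1.0.1';
    return 'unknown'      if $suffix =~ /-(?:beta|dev)/;   # pre-releases are not judged

    # Release builds: no letter (1.0.1) through 'f' are in range, 'g' and later are fixed.
    my ($letter) = $suffix =~ /^([a-z]?)/;
    return $letter le 'f' ? 'affected' : 'not affected';
}

# Sample banners: the first is quoted in the message above, the rest are constructed.
my @samples = (
    'OpenSSL 1.0.1e 11 Feb 2013',
    'OpenSSL 1.0.1g 7 Apr 2014',
    'OpenSSL 1.0.2d 9 Jul 2015',
    'LibreSSL 2.2.1',
);
printf "%-28s => %s\n", $_, heartbleed_status($_) for @samples;

# Live check of the Perl running this script (ActivePerl, Strawberry Perl, ...).
if (eval { require Net::SSLeay; 1 }) {
    # Type 0 selects the full version banner (SSLEAY_VERSION).
    my $banner = Net::SSLeay::SSLeay_version(0);
    printf "Net::SSLeay %s is linked against: %s => %s\n",
        $Net::SSLeay::VERSION, $banner, heartbleed_status($banner);
} else {
    print "Net::SSLeay is not installed for this Perl\n";
}
```

A version banner cannot show whether a vendor backported the fix without changing the version letter, so treat an 'affected' result as a prompt to check the distributor's advisory or release notes.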