3.7.62. DisabledRuntimeChecks

When it starts up, Radiator tries to check for commonly required but missing modules, some known security vulnerabilities, and possibly other runtime parameters. Hooks may also call the runtime check module functions, as required by the Hook authors. Special formatting characters are supported.
Any checks that do not pass are logged but no other action is taken.
The currently recognised built-in checks are:
  • CVE-2014-0160 - the OpenSSL vulnerability commonly called Heartbleed
  • Digest::MD4 - MD4 is required by MSCHAP and MSCHAP-v2 and their derivatives
The optional DisabledRuntimeChecks parameter allows you to define the checks that should not be run.
The check for CVE-2014-0160 is done by trying to load Net::SSLeay and using the functions it provides to check for vulnerable OpenSSL versions. Many vendors have patched their OpenSSL for CVE-2014-0160 without changing the OpenSSL version number, so the check may report a patched OpenSSL as vulnerable. The Net::SSLeay functions for reporting the OpenSSL version are only present in recent Net::SSLeay versions, so Radiator may log a message saying that the version check could not determine the OpenSSL version.
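The following added example (not Radiator's own code) shows a version-number test of the kind described above, and why a vendor build with a backported fix is still flagged. It assumes a plain range comparison on the number returned by Net::SSLeay::SSLeay(); the function names decode_version, heartbleed_by_version and check_runtime are hypothetical, and the sample version numbers are constructed.

```perl
#!/usr/bin/perl
# Added example, not Radiator's code: version-range test for CVE-2014-0160.
use strict;
use warnings;

# Decode an OpenSSL version number into a readable string.
# OpenSSL 1.x layout is 0xMNNFFPPS; OpenSSL 3.x uses major/minor/patch only.
sub decode_version {
    my ($v) = @_;
    my ($maj, $min, $fix, $patch) =
        (($v >> 28) & 0xf, ($v >> 20) & 0xff, ($v >> 12) & 0xff, ($v >> 4) & 0xff);
    return "$maj.$min.$patch" if $maj >= 3;
    my $letter = $patch ? chr(ord('a') + $patch - 1) : '';
    return "$maj.$min.$fix$letter";
}

# Upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug.
# Only the reported number is inspected, so a backported fix is invisible here.
sub heartbleed_by_version {
    my ($v) = @_;
    my $release = $v >> 4;    # drop the status nibble (beta/release)
    return 1 if $release >= 0x1000100 && $release <= 0x1000106;
    return 1 if $v == 0x10002001;
    return 0;
}

# Check the OpenSSL that Net::SSLeay is linked against, covering the two
# cases in which no version can be determined at all.
sub check_runtime {
    return 'Net::SSLeay not installed, cannot check'
        unless eval { require Net::SSLeay; 1 };
    return 'Net::SSLeay too old to report the OpenSSL version'
        unless Net::SSLeay->can('SSLeay');
    my $v = Net::SSLeay::SSLeay();
    return sprintf('OpenSSL %s (0x%08x): %s', decode_version($v), $v,
        heartbleed_by_version($v) ? 'version in vulnerable range'
                                  : 'version not in vulnerable range');
}

# Constructed sample version numbers: 1.0.1e, 1.0.1f, 1.0.1g, 1.0.2h
for my $v (0x1000105f, 0x1000106f, 0x1000107f, 0x1000208f) {
    printf "0x%08x  %-7s %s\n", $v, decode_version($v),
        heartbleed_by_version($v) ? 'flagged' : 'ok';
}
print check_runtime(), "\n";
```

A vendor package that reports 1.0.1e with the fix backported produces the same number as the unpatched upstream 1.0.1e, so it is flagged; that is the case DisabledRuntimeChecks is meant for once the patch level has been confirmed through the vendor's package information.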
Digest::MD4 is required by MSCHAP, MSCHAP-V2 and their derivatives such as EAP-MSCHAP-V2. We recommend having Radiator Radius::UtilXS or Digest::MD4 installed unless you are sure you will never need to support these authentication protocols. See Section 2.1.9. Radiator Radius::UtilXS and Section 2.1.5. MD4 digest for MSCHAP and MSCHAPv2 for more information.
# Our OpenSSL is patched but still reports vulnerable version
DisabledRuntimeChecks CVE-2014-0160