Statement on OpenSSL security bug
Alan DeKok
aland at deployingradius.com
Tue Apr 8 20:35:08 CEST 2014
We've released a statement on the OpenSSL security issue:
http://freeradius.org/security.html
In short, Version 2 is not vulnerable.
Version 3 using EAP or incoming RadSec is not vulnerable.
Version 3 using outgoing RadSec is vulnerable, i.e. proxying over
RadSec to a home server.
But everyone using OpenSSL for anything *other* than RADIUS should
assume that all secrets have been compromised, e.g. HTTPS user
credentials, cookies, keys, passwords, etc.
Thanks to Jouni Malinen for providing test cases and more detailed
information about the bug.
Alan DeKok.