26 Mar
2014
26 Mar
'14
2:27 p.m.
Phil Mayers wrote:
Since this is public - without going into any details on-list, can anyone comment if this has been looked at for FR?
I talked about this with the TLS chair at the last IETF. Pretty much everyone using TLS is vulnerable. FreeRADIUS depends on OpenSSL, so we'll need to wait for OpenSSL to fix the underlying issue. Until then, disable "fast session resumption". That would seem to avoid the attack. Alan DeKok.