8 Apr
2014
8 Apr
'14
2:35 p.m.
We've released a statement on the OpenSSL security issue: http://freeradius.org/security.html In short, Version 2 is not vulnerable. Version 3 using EAP or incoming RadSec is not vulnerable. Version 3 using outgoing RadSec is vulnerable. i.e. proxying over RadSec to a home server. But everyone using OpenSSL for anything *other* than RADIUS should assume that all secrets have been compromised. e.g. HTTPS user credentials, cookies, keys, passwords, etc. Thanks to Jouni Malinen for providing test cases and more detailed information about the bug. Alan DeKok.