Triple-handshake stuff

Alan DeKok aland at deployingradius.com
Wed Mar 26 19:27:10 CET 2014


Phil Mayers wrote:
> Since this is public - without going into any details on-list, can
> anyone comment if this has been looked at for FR?
> 
> https://secure-resumption.com/

  I talked about this with the TLS chair at the last IETF.  Pretty much
everyone using TLS is vulnerable.

  FreeRADIUS depends on OpenSSL, so we'll need to wait for OpenSSL to
fix the underlying issue.

  Until then, disable "fast session resumption".  That would seem to
avoid the attack.

  Alan DeKok.


More information about the Freeradius-Devel mailing list