Triple-handshake stuff
Alan DeKok
aland at deployingradius.com
Wed Mar 26 19:27:10 CET 2014
Phil Mayers wrote:
> Since this is public - without going into any details on-list, can
> anyone comment if this has been looked at for FR?
>
> https://secure-resumption.com/
I talked about this with the TLS chair at the last IETF. Pretty much
everyone using TLS is vulnerable.
FreeRADIUS depends on OpenSSL, so we'll need to wait for OpenSSL to
fix the underlying issue.
Until then, disable "fast session resumption". That would seem to
avoid the attack.
Alan DeKok.
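A way to audit a server for the mitigation suggested above, as an added example that is not part of the original message or of FreeRADIUS itself. It assumes "fast session resumption" corresponds to the `cache { enable = ... }` block inside the TLS section of the eap module configuration; the sample configuration is constructed.

```python
import re

# Constructed sample in the style of a FreeRADIUS eap module file (not a real deployment).
SAMPLE_EAP_CONF = """
eap {
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        cache {
            enable = yes    # session resumption on
            lifetime = 24
        }
    }
    peap {
        tls = tls-common
    }
}
"""

def find_tls_cache_settings(text):
    """Return [(section_path, enabled)] for each cache.enable found under a tls* section."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].split()[0])   # first word names the section
        elif line == "}":
            if stack:
                stack.pop()
        else:
            m = re.match(r"(\S+)\s*=\s*(.*)", line)
            in_tls_cache = (len(stack) >= 2 and stack[-1] == "cache"
                            and stack[-2].startswith("tls"))
            if m and in_tls_cache and m.group(1) == "enable":
                val = m.group(2).strip().strip('"').lower()
                found.append(("/".join(stack), val in ("yes", "true", "on", "1")))
    return found

def resumption_enabled(text):
    """True if any TLS cache is on, False if all are off, None if none is configured."""
    settings = find_tls_cache_settings(text)
    if not settings:
        return None   # nothing explicit: the effective default depends on the version
    return any(enabled for _, enabled in settings)

if __name__ == "__main__":
    print(find_tls_cache_settings(SAMPLE_EAP_CONF))
```

A `None` result means the file sets nothing explicitly, so the installed version's default applies and should be checked separately.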