Popular RADIUS server exploitable with TLS session caching

Sysadmins with FreeRADIUS – the most widely deployed Remote Authentication Dial-In User Service server – in their boxen need to run an upgrade because there's a bug in its TTLS and PEAP implementations. Stefan Winter, who works for Luxembourg's high-speed academic network RESTENA, discovered FreeRADIUS's broken TLS session …

  1. Gary 20

    freeradius default

    FreeRADIUS Version 2.2.5 on Debian 8.7

    /etc/freeradius/eap.conf has

    eap {
        ...
        tls {
            ...
            cache {
                # Enable it. The default is "no".
                # Deleting the entire "cache" subsection
                # Also disables caching.
                #
                # You can disallow resumption for a
                # particular user by adding the following
                # attribute to the control item list:
                #
                # Allow-Session-Resumption = No
                #
                # If "enable = no" below, you CANNOT
                # enable resumption for just one user
                # by setting the above attribute to "yes".
                #
                enable = no
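A way to audit a host for the setting shown in the comment above, as an added example (not from the article, the commenter, or the FreeRADIUS project). It assumes the `eap { tls { cache { ... } } }` layout of the quoted 2.2.5 excerpt; the function names and the sample text are made up for illustration.

```python
import re

SECTION_OPEN = re.compile(r'^([\w.-]+)(?:\s+[\w.-]+)?\s*\{$')
ASSIGN = re.compile(r'^([\w.-]+)\s*=\s*(.+)$')

# Constructed sample in the layout of the excerpt above (not a real host's file).
SAMPLE = """
eap {
    tls {
        cache {
            # enable = yes
            enable = no
        }
    }
}
"""

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '#' and not in_quotes:
            return line[:i]
    return line

def tls_cache_enabled(conf_text):
    """True only if eap { tls { cache { enable = yes } } } is set; a missing
    cache subsection or missing 'enable' counts as disabled."""
    stack, enabled = [], False
    for raw in conf_text.splitlines():
        line = strip_comment(raw).strip()
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line == '}' and stack:
            stack.pop()
        elif stack == ['eap', 'tls', 'cache']:
            kv = ASSIGN.match(line)
            if kv and kv.group(1) == 'enable':
                enabled = kv.group(2).strip().strip('"').lower() == 'yes'
    return enabled

def resumption_allowed(cache_enabled, allow_session_resumption=None):
    """Per-user outcome: Allow-Session-Resumption can veto but never grant."""
    if not cache_enabled:
        return False
    return (allow_session_resumption or 'yes').lower() != 'no'
```

Feed `tls_cache_enabled` the text of the host's own `eap.conf`; a `True` result means session caching has been switched on from the default shown in the excerpt.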
