Popular RADIUS server exploitable with TLS session caching

Sysadmins with FreeRADIUS – the most widely deployed Remote Authentication Dial-In User Service server – in their boxen need to run an upgrade because there's a bug in its TTLS and PEAP implementations. Stefan Winter, who works for Luxembourg's high-speed academic network RESTENA, discovered FreeRADIUS's broken TLS session …

  1. Gary 20

    freeradius default

    FreeRADIUS Version 2.2.5 on Debian 8.7

    eap {
        tls {
            cache {
                # Enable it. The default is "no".
                # Deleting the entire "cache" subsection
                # also disables caching.

                # You can disallow resumption for a
                # particular user by adding the following
                # attribute to the control item list:
                #
                # Allow-Session-Resumption = No

                # If "enable = no" below, you CANNOT
                # enable resumption for just one user
                # by setting the above attribute to "yes".

                enable = no
            }
        }
    }
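The fragment above shows the stock setting an administrator would want to confirm across a fleet: whether the TLS session cache under eap { tls { cache { ... } } } has been switched on. The following is an added example, not code from the article or from the commenter, that parses FreeRADIUS's brace-nested configuration format just far enough to answer that question for any eap.conf-style text. The two sample configurations embedded in it are constructed for the example, and the parser deliberately ignores features such as $INCLUDE and quoted strings with embedded braces (an assumption, stated in the code).

```python
"""Report whether an eap.conf-style fragment enables TLS session caching.

Added example (not from the article or the commenter): a minimal parser for
FreeRADIUS's 'name { ... }' section format, used to locate
eap { tls { cache { enable = ... } } }.  Assumption: no $INCLUDE directives
and no quoted values containing braces; both sample inputs are constructed.
"""
import re

# Constructed sample: the default shipped fragment, caching left disabled.
SAMPLE_DISABLED = """
eap {
    tls {
        cache {
            # Enable it. The default is "no".
            enable = no
        }
    }
}
"""

# Constructed sample: an administrator has turned resumption on.
SAMPLE_ENABLED = """
eap {
    tls {
        cache {
            enable = yes   # trailing comment, must be ignored by the parser
            lifetime = 24
        }
    }
}
"""

_KV = re.compile(r"^([\w\-.]+)\s*=\s*(.*)$")


def parse_blocks(text):
    """Parse 'section { ... }' blocks into nested dicts.

    '#' comments are stripped, 'key = value' pairs are stored as strings and
    nested sections as dicts.  Unbalanced braces raise ValueError so a
    truncated paste (like the one in the comment) is reported, not guessed at.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        else:
            m = _KV.match(line)
            if not m:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def session_cache_enabled(text):
    """True if eap/tls/cache/enable is 'yes'.

    A missing cache subsection or a missing enable key counts as disabled,
    matching the commented default in the posted configuration.
    """
    cache = parse_blocks(text).get("eap", {}).get("tls", {}).get("cache")
    if not isinstance(cache, dict):
        return False
    return cache.get("enable", "no").lower() == "yes"


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DISABLED), ("modified", SAMPLE_ENABLED)):
        state = "ENABLED" if session_cache_enabled(sample) else "disabled"
        print(f"{label}: TLS session cache {state}")
```

Run it against a real eap.conf by reading the file into `session_cache_enabled`; a `True` result marks a host where the cache subsection should be disabled or removed, as the commenter's fragment does, until the server is upgraded.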
