diff --git a/ChangeLog b/ChangeLog
index 52a741f..734dfde 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -93,5 +93,9 @@
 	  the 0.9.x track.
 	- Detect OpenSSL version at runtime rather than at compile time.
 2011-07-03 1.4.3-dev
+	Notes:
+	- The default secret for TLS and DTLS will change in a future
+	  relase.  Plaese make sure to specify a secret in both client and
+	  server blocks to avoid surprises.
 	Bug fixes:
 	- Debug printout issue.
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 4024bde..8dfcd58 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -360,7 +360,10 @@ We already discussed the
 one of <literal>udp</literal>, <literal>tcp</literal>, <literal>tls</literal>
 or <literal>dtls</literal>. The value of <literal>secret</literal> is the
 shared RADIUS key used with this client. If the secret contains whitespace,
-the value must be quoted. This option is optional for TLS/DTLS.
+the value must be quoted.  A secret must be supplied for UDP/TCP.  If
+no secret is supplied for TLS/DTLS, a default value of "mysecret" is 
+being used.  This value will change in a future release to match the 
+upcoming standard.
     </para>
     <para>
 For a TLS/DTLS client you may also specify the <literal>tls</literal> option.