Understanding the basic concept and how to test a server for heartbleed that you do not operate yourself?

regger
OpenVPN User
Posts: 10
Joined: Tue Sep 04, 2018 6:52 pm

Understanding the basic concept and how to test a server for heartbleed that you do not operate yourself?

Post by regger » Thu Jan 31, 2019 6:24 pm

On https://openvpn.net/community-resources ... -protocol/ the website states "In SSL/TLS mode". For me this means that there is at least one other mode; which is it (or which are they), and how do I select between them?
EDIT: Just after writing this I found out there are two modes, TLS and common secret mode (non-TLS static key encryption mode). These are all the modes, as the man page states "both modes", and TLS is used if no "secret file" is defined, which would enable the non-TLS mode. The other questions still apply:

My understanding of TLS mode is: the OpenVPN server waits for incoming TCP TLS connections on the defined port, checks certificates on both sides, and agrees on a session key, crypto algorithm and port pair (client port and server port) for the actual tunnel, which is transferred over either UDP or TCP as defined by the proto parameter.
tls-auth is a little misleading, as TLS does authentication as well, but tls-auth is an optional HMAC used to be able to drop illegitimate packets faster and prevent, for example, DoS. tls-auth applies only to the signaling channel, not to the tunnel.
The tunnel is encrypted by a stream cipher without TLS overhead.
Is that correct?

- If I do not define tls-cipher on the client side (config file), the OpenSSL version uses DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA, as stated on the man page. Does this include ciphers that one would want to avoid?

Can I test a server for heartbleed besides checking the installed version on the system? (I would like to ensure my VPN provider uses an up-to-date server)
A related topic is here from 2014, about knowing the version of the other side's OpenVPN software: viewtopic.php?f=4&t=15548&p=42485&hilit ... eed#p42485
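The two questions above (which of the two modes a config selects, and what the default tls-cipher string actually admits) can both be answered locally. The script below is an added example, not code from the post or from the OpenVPN project: it parses a client config to tell static-key mode (a `secret` directive) from TLS mode and reports which control-channel HMAC directive is present, then expands the man page's default tls-cipher string with the interpreter's own OpenSSL, the same way `openssl ciphers -v '<string>'` does, and flags suites a defender would rather not see (RSA key transport without forward secrecy, DSS or anonymous authentication, NULL encryption, non-AEAD records). The two sample configs are constructed, and the hostnames and key file names in them are hypothetical. Note that this inspects the client's own OpenSSL build; the server's library version is exactly what this thread cannot observe from the client side.

```python
"""Added example: classify an OpenVPN client config's mode and expand its
tls-cipher list with the local OpenSSL to see which suites it admits."""
import re
import ssl

# Default tls-cipher string from the OpenVPN man page (quoted in the post above).
OPENVPN_DEFAULT_TLS_CIPHER = "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA"

# Constructed sample configs; hostnames, addresses and file names are hypothetical.
SAMPLE_TLS_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""

SAMPLE_STATIC_CONFIG = """\
dev tun
proto udp
remote 192.0.2.10 1194
secret static.key
"""


def parse_directives(text):
    """Map each directive to its argument list (first occurrence wins).
    Skips '#'/';' comment lines, blank lines and inline <ca>...</ca> blocks."""
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):          # end of an inline key/cert block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline block, e.g. <ca>
            in_block = True
            directives.setdefault(line.strip("<>"), [])
            continue
        if in_block:
            continue
        parts = line.split()
        directives.setdefault(parts[0], parts[1:])
    return directives


def describe_mode(directives):
    """'static-key' when a 'secret' directive is present (non-TLS mode), else 'tls'.
    Also reports the control-channel HMAC directive and the effective tls-cipher."""
    mode = "static-key" if "secret" in directives else "tls"
    control = next((d for d in ("tls-crypt-v2", "tls-crypt", "tls-auth")
                    if d in directives), None)
    explicit = directives.get("tls-cipher")
    tls_cipher = None if mode == "static-key" else (
        explicit[0] if explicit else OPENVPN_DEFAULT_TLS_CIPHER)
    return {"mode": mode, "control_channel_hmac": control, "tls_cipher": tls_cipher}


# Fields of SSL_CIPHER_description(), e.g. "Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD".
_DESC = re.compile(r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def expand_cipher_list(openssl_string):
    """Resolve an OpenSSL cipher string with the interpreter's libssl,
    like `openssl ciphers -v <string>`; returns one dict per suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(openssl_string)          # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        m = _DESC.search(c["description"])
        kx, au, enc, mac = m.groups() if m else ("?", "?", "?", "?")
        suites.append({"name": c["name"], "protocol": c["protocol"],
                       "kx": kx, "au": au, "enc": enc, "mac": mac})
    return suites


def weak_suites(suites):
    """Return (name, [reasons]) for suites a defender would want excluded."""
    flagged = []
    for s in suites:
        reasons = []
        if s["kx"] == "RSA":
            reasons.append("no forward secrecy (RSA key transport)")
        if s["au"] in ("DSS", "None"):
            reasons.append("weak or anonymous authentication (Au=%s)" % s["au"])
        if s["enc"] == "None":
            reasons.append("NULL encryption")
        if s["mac"] != "AEAD":
            reasons.append("non-AEAD record protection (CBC + HMAC)")
        if reasons:
            flagged.append((s["name"], reasons))
    return flagged


if __name__ == "__main__":
    for label, cfg in (("tls", SAMPLE_TLS_CONFIG), ("static", SAMPLE_STATIC_CONFIG)):
        print(label, describe_mode(parse_directives(cfg)))
    suites = expand_cipher_list(OPENVPN_DEFAULT_TLS_CIPHER)
    print("%d suites admitted by the default tls-cipher string" % len(suites))
    for name, reasons in weak_suites(suites):
        print("  flag:", name, "-", "; ".join(reasons))
```

Run it as-is to see what your own OpenSSL admits; the `!kRSA` and `!DSS` entries in the default string are why no RSA-key-transport or DSS suites should appear, while CBC suites may still be listed and are worth excluding with an explicit `tls-cipher` if the server supports it.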


regger
OpenVPN User
Posts: 10
Joined: Tue Sep 04, 2018 6:52 pm

Re: Understanding the basic concept and how to test a server for heartbleed that you do not operate yourself?

Post by regger » Fri Feb 01, 2019 1:36 pm

Thank you, I read this before. However, this page only tells you that OpenVPN in older versions is vulnerable and that you should upgrade (and replace certs). It does not tell you how to find out whether the other side of the tunnel was patched, does it?!

TinCanTech
OpenVPN Protagonist
Posts: 5320
Joined: Fri Jun 03, 2016 1:17 pm

Re: Understanding the basic concept and how to test a server for heartbleed that you do not operate yourself?

Post by TinCanTech » Fri Feb 01, 2019 5:51 pm

The solution you are looking for is to contact your Provider.

regger
OpenVPN User
Posts: 10
Joined: Tue Sep 04, 2018 6:52 pm

Re: Understanding the basic concept and how to test a server for heartbleed that you do not operate yourself?

Post by regger » Mon Feb 04, 2019 10:45 am

This is not a solution. Just consider a provider that accidentally forgot to patch one of the servers. Or an update failed on one server. Or or or ......

The provider will tell you it's patched. The provider is not malicious, he just doesn't know any better.... Yet your security is at risk.
