On behalf of users of OpenVPN software, I request its developers (such as Samuli) to quickly fix the OpenSSL bug present in the current version of OpenVPN (Community Edition), which is 2.3.2-I003.
The exploit is very serious and has been out in the wild for over two years now (see http://heartbleed.com/)
For further information about the exploit, see:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-0160
http://www.openssl.org/news/secadv_20140407.txt
There is no time to lose now.
OpenVPN developers should also seriously consider whether they ought to provide a fix for the vulnerability discovered by Tor developers (see my other post on topic15306.html)
On behalf of users of OpenVPN software, I thank the developers in advance for their sense of responsibility and commitment to making their software secure and robust.
URGENT: OpenVPN software needs to be fixed due to this bug
Moderators: TinCanTech
-
- OpenVPN Power User
- Posts: 87
- Joined: Sun May 22, 2011 8:14 am
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Oct 24, 2013 5:07 pm
Re: URGENT: OpenVPN software needs to be fixed due to this b
as far as i can tell, people that have been using the additional TLS-Auth option should be safe, correct?
-
- OpenVPN Power User
- Posts: 87
- Joined: Sun May 22, 2011 8:14 am
Re: URGENT: OpenVPN software needs to be fixed due to this b
nrUCm wrote: as far as i can tell, people that have been using the additional TLS-Auth option should be safe, correct?
No. TLS and OpenSSL are two different concepts.
-
- OpenVPN Power User
- Posts: 87
- Joined: Sun May 22, 2011 8:14 am
Re: URGENT: OpenVPN software needs to be fixed due to this b
At the time of this writing ALL *nix distros have already issued patches to fix the security flaw.
We will see how long OpenVPN developers take to issue a fix.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Oct 24, 2013 5:07 pm
Re: URGENT: OpenVPN software needs to be fixed due to this b
but shouldn't that option stop anything reaching the TLS handshake layer?
see https://openvpn.net/index.php/open-sour ... l#security
please note that i am not trying to correct you; i simply do not know...
-
- OpenVPN Power User
- Posts: 87
- Joined: Sun May 22, 2011 8:14 am
Re: URGENT: OpenVPN software needs to be fixed due to this b
Look, a majority of OpenVPN users do not use the tls-auth option.
Besides, a cardinal rule in developing software is to patch security holes when the latter are discovered. It will instill in users confidence in using the product, am I right? (As long as OpenVPN makes use of OpenSSL, the former should issue fixes.)
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Apr 08, 2014 4:02 pm
Re: URGENT: OpenVPN software needs to be fixed due to this b
innogen wrote: Look, a majority of OpenVPN users do not use the tls-auth option.
I do use the tls-auth option and am trying to determine exploitability. Upgrading all users would be a significantly disruptive task, and if it can be performed in a more controlled and less hectic manner it will be a better experience for everyone.
The literature I found online indicates the _server_ would be protected from the client when it is used, but I am not 100% certain.
What I am even less certain of is if the _client_ is protected from a malicious server who attempts to exploit it before the handshake completes. Are all of the server's handshake messages similarly protected for the client?
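The tls-auth question debated in this thread, as an added example that is not part of any post and is not OpenVPN's code: a simplified model of an HMAC gate placed in front of a TLS library. The packet layout (MAC, then packet id, then payload), the use of HMAC-SHA256, and the names `seal`, `Gate` and `demo` are assumptions made for illustration, and all sample bytes are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC over (packet_id || payload)."""
    body = struct.pack("!I", packet_id) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


class Gate:
    """Receiver side: authenticate a packet before the TLS library sees it."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_id = 0       # highest packet id accepted so far (replay check)
        self.reached_tls = []  # payloads handed on to the TLS stack

    def receive(self, packet: bytes) -> str:
        if len(packet) < MAC_LEN + 4:
            return "drop: short"
        mac, body = packet[:MAC_LEN], packet[MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time compare
            return "drop: bad hmac"
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id <= self.last_id:
            return "drop: replay"
        self.last_id = packet_id
        self.reached_tls.append(body[4:])
        return "to tls"


def demo():
    shared = b"constructed-static-key-for-demo!"  # constructed key, held by every peer
    gate = Gate(shared)
    hello = b"\x16\x03\x01 constructed handshake bytes"  # constructed payload
    results = [
        gate.receive(hello),                         # sender with no key at all
        gate.receive(seal(b"wrong key", 1, hello)),  # sender with the wrong key
        gate.receive(seal(shared, 1, hello)),        # any peer holding the key
        gate.receive(seal(shared, 1, hello)),        # same packet sent again
    ]
    return results, len(gate.reached_tls)
```

In this model only a sender holding the shared key gets a payload through to the TLS layer, so the gate narrows who can reach a flaw in the TLS library but does not remove the flaw for peers that hold the key.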