|
|
Rob Fowler <Rob.Fowler@xxxxxxxxxxxxxxxxxxxx> said: > Heads up. I don't know if this would affect is, just passing the info along: > > http://www.openssl.org/news/secadv_20030930.txt My reading of this advisory is that it would only affect OpenVPN configurations which use TLS mode without --tls-auth (One of the reasons for implementing --tls-auth in the first place, was to protect against vulnerabilities in OpenSSL's TLS implementation). Nonetheless, it is certainly a good idea to upgrade. As soon as I can manage to download 0.9.7c, I will rebuild a new windows version (1.5-beta9) with updated DLLs. In the mean time you can protect yourselves by either (a) using static keys or (b) using TLS with --tls-auth (provided that the remote VPN peer you are connecting to is trusted). If you are connecting to a remote OpenVPN peer which is untrusted (i.e. one that despite being authorized to connect with you, might also try to attack you), then using static keys would be a better bet, though I imagine that the vast majority of OpenVPN users are connecting to trusted peers. James ____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users |