Hi,

On 08.04.2014 15:42, Steffan Karger wrote:
>> Perhaps a dumb question, but if the server instance is linked against an older version of openssl (9.8.x), but the client is compiled and linked against the vulnerable version, is it still an issue for both sides, or is the client going to leak private information?
>
> The client can then leak keys (both private master key and session keys), which completely breaks your secure connection, for that client. So when the server is not vulnerable, each client has to be attacked individually, and not-vulnerable clients have a secure connection to the server. As long as there are vulnerable clients, you should consider those as potentially malicious, and thus you should consider the network as insecure.

Then OpenVPN should release new Windows versions. The current binaries are linked against OpenSSL (ssleay32.dll, libeay32.dll) 1.0.1.5 (-> 1.0.1e).

Greetings,
Enno

--
Enno Gröper
groep...@cms.hu-berlin.de - Raum 2'325, Rudower Chaussee 26
Tel. +49.(0)30.2093.70053
Fax +49.(0)30.2093.2959
Humboldt-Universität zu Berlin - http://www.hu-berlin.de/
ZE Computer- und Medienservice - http://www.cms.hu-berlin.de/
Unter den Linden 6, D-10099 Berlin, Germany