> Hi,
>
> On 08.04.2014 15:42, Steffan Karger wrote:
>>> Perhaps a dumb question, but if the server instance is linked
>>> against an older version of openssl (9.8.x), but the client is
>>> compiled and linked against the vulnerable version, is it still an
>>> issue for both sides, or is the client going to leak private
>>> information?
>> The client can then leak keys (both private master key and session
>> keys), which completely breaks your secure connection, for that
>> client.
>>
>> So when the server is not vulnerable, each client has to be attacked
>> individually, and not-vulnerable clients have a secure connection to
>> the server. As long as there are vulnerable clients, you should
>> consider those as potentially malicious, and thus you should consider
>> the network as insecure.
> Then OpenVPN should release new Windows Versions.
> The current binaries are linked against OpenSSL (ssleay32.dll,
> libeay32.dll) 1.0.1.5 (-> 1.0.1e).
>

Hi all,

We'll try to push OpenVPN 2.3.3 out today. The Windows installer will
contain OpenSSL 1.0.1g which fixes this particular problem. In addition,
several other small changes and enhancements will be included.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock