Hi,

On Fri, Aug 01, 2014 at 11:27:26AM +0200, Lisa Minogue wrote:
> > people in both OpenBSD and Debian usually (always?) do what they think is
> > right. probably, you will get more luck if you ask them directly why they
> > do so.
>
> I did write to them. Do you remember the Heartbleed vulnerability/bug? Right
> after OpenSSL issued a fix for it and OpenVPN upgraded their source code to
> 2.3.4, I wrote to both OpenBSD and Debian, asking them whether they would be
> upgrading their respective packages to match OpenVPN's version (2.3.4).
Serious misunderstanding here: you do NOT need to update OpenVPN "per se" to
be secure from Heartbleed. To the contrary, if you just update OpenVPN to
2.3.4, and leave OpenSSL at a vulnerable version, OpenVPN will *still* be
vulnerable.

The bug is in OpenSSL, not in OpenVPN. Repeat: the bug is in OpenSSL, not in
OpenVPN.

The main reason why we released new versions was:

- we ship a binary with a bundled openssl library for windows, and that
  library was vulnerable, so we did an update - but the updated 2.3.2 windows
  installer with the new OpenSSL library is *safe*, you do not need to go to
  2.3.4

- 2.3.3 added "SSL library version" reporting, so you could more easily check
  which version a given client was using - this is not a security fix, just a
  convenience for admins. Unfortunately, 2.3.3 had problems connecting to some
  servers due to a new feature (TLS version negotiation).

- 2.3.4 turned off TLS version negotiation by default again

2.3.3 and 2.3.4 releases contain useful stuff and bugfixes to other bugs, but
they are NOT needed to fix heartbleed, as that bug is not in OpenVPN (and there
is nothing in OpenVPN that we could do to work around it if the system library
is broken).

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
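As an added example (not part of this thread and not OpenVPN project code), a small Python check that applies Gert's point: the Heartbleed verdict is taken only from the OpenSSL build named on the "library versions:" line that OpenVPN 2.3.3 and later print, never from the OpenVPN version number. The exact line format and the three sample outputs are assumptions constructed for the example; the affected OpenSSL range (1.0.1 through 1.0.1f, and 1.0.2-beta1) is from the OpenSSL advisory for CVE-2014-0160.

```python
import re

# Affected OpenSSL builds (CVE-2014-0160): 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g / 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 never had the heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def openssl_heartbleed_vulnerable(text):
    """True if the OpenSSL version named in `text` lies in the affected range.

    Caveat, and the reason the Debian/OpenBSD version numbers in the thread
    prove nothing: distributions backport the fix without bumping the upstream
    version, so "vulnerable" here means "check the package changelog".
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"                        # "", a..f affected; g+ fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None and int(beta) < 2  # only beta1 affected
    return False

def assess_openvpn_version_output(output):
    """Decide from `openvpn --version` output. 2.3.3+ print a 'library versions:'
    line (format assumed here); older binaries print none, so the OpenVPN
    version alone tells you nothing and the system library must be checked."""
    lib = next((l for l in output.splitlines() if l.startswith("library versions:")), None)
    if lib is None:
        return "unknown", "no 'library versions:' line (pre-2.3.3 binary)"
    libs = lib.split(":", 1)[1].strip()
    return ("vulnerable" if openssl_heartbleed_vulnerable(libs) else "fixed"), libs

# Constructed sample outputs, not captured from real systems.
OPENVPN_234_OLD_SSL = (
    "OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [IPv6]\n"
    "library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06\n")
OPENVPN_233_NEW_SSL = (
    "OpenVPN 2.3.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [IPv6]\n"
    "library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06\n")
OPENVPN_232 = "OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL]\n"

if __name__ == "__main__":
    for name, out in [("2.3.4 on 1.0.1f", OPENVPN_234_OLD_SSL),
                      ("2.3.3 on 1.0.1g", OPENVPN_233_NEW_SSL),
                      ("2.3.2", OPENVPN_232)]:
        print(name, "->", assess_openvpn_version_output(out))
```

The first sample is exactly the case Gert warns about: a current OpenVPN 2.3.4 that is still vulnerable because it is linked against an unfixed OpenSSL.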
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users