I don't believe this issue significantly affects OpenVPN. OpenVPN does
not use the EVP_VerifyFinal function. The issue is that some internal
OpenSSL functions do not properly check the return value of this
function. The issue is primarily of concern if you are using DSA or
ECDSA certificates; however, these are not generally used with OpenVPN
(OpenVPN uses RSA certificates and does not currently support DSA or
ECDSA certificates).
James
Michael A. Gütlbauer wrote:
Hello!
I'm sure you know the "OpenSSL Security Advisory [07-Jan-2009]"
(http://www.openssl.org/news/secadv_20090107.txt)
Because there's absolutely no information on your website whether
OpenVPN is affected and/or a bug-fix will be available, I'd like to ask
you to do so.
Many thanks!
Michael
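
The return-value problem mentioned in the reply above, as an added example that is not part of the original thread and is not OpenSSL or OpenVPN code. EVP_VerifyFinal returns 1 for a valid signature, 0 for an invalid one and -1 on error; `mock_verify_final`, the two `accept_*` callers and the sample signatures are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not real signatures). */
static const unsigned char SIG_GOOD[]      = {0x30, 0x02, 0x01, 0x01};
static const unsigned char SIG_BAD[]       = {0x30, 0x02, 0x01, 0x02};
static const unsigned char SIG_MALFORMED[] = {0xff, 0x02, 0x01, 0x01};

/* Hypothetical stand-in for a tri-state verify call:
 *   1 = signature valid, 0 = signature invalid,
 *  -1 = error (here: blob does not start with the DER SEQUENCE tag). */
static int mock_verify_final(const unsigned char *sig, size_t len)
{
    if (len == 0 || sig[0] != 0x30)
        return -1;
    return (len == sizeof SIG_GOOD && memcmp(sig, SIG_GOOD, len) == 0) ? 1 : 0;
}

/* Flawed caller: only 0 is treated as failure, so -1 is accepted. */
static int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!mock_verify_final(sig, len))
        return 0;
    return 1;
}

/* Strict caller: only an explicit 1 is treated as success. */
static int accept_strict(const unsigned char *sig, size_t len)
{
    return mock_verify_final(sig, len) == 1;
}

int main(void)
{
    printf("input      flawed strict\n");
    printf("good       %d      %d\n", accept_flawed(SIG_GOOD, sizeof SIG_GOOD),
           accept_strict(SIG_GOOD, sizeof SIG_GOOD));
    printf("bad        %d      %d\n", accept_flawed(SIG_BAD, sizeof SIG_BAD),
           accept_strict(SIG_BAD, sizeof SIG_BAD));
    printf("malformed  %d      %d\n", accept_flawed(SIG_MALFORMED, sizeof SIG_MALFORMED),
           accept_strict(SIG_MALFORMED, sizeof SIG_MALFORMED));
    return 0;
}
```

When auditing code that calls a tri-state verification function, look for `!f(...)` or `f(...) != 0` style checks and replace them with an explicit comparison against 1.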