Re: [Openvpn-devel] Heartbleed

2014-04-10 Thread Jan Just Keijser
On 09/04/14 12:34, Eike Lohmann wrote: On 09.04.2014 10:45, Gert Doering wrote: This is not trivial to set up, and might not be worth for every client out there - but if you're truly concerned about your data, upgrade the client, revoke the old key+certificate, reissue new keys. How does revo

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Marcel Herrguth
Hello, On 8.4.2014 19:02, Samuli Seppänen wrote: An updated installer (I004) with OpenSSL 1.0.1g is now out: I smoketested the installers on Windows 7 64-bit and WinXP 32-bit. Just wanted to give feedback... I am running the

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Adriaan de Jong
On 9-4-2014 10:49, Илья Шипицин wrote: > I did not say "nobind protects from everything", but I did mean that > clients with "nobind" are more protected in case of non patched > openssl library shipped with (old) openvpn windows installer. > > > if server is patched (what is rather easy thing compa

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Eike Lohmann
On 09.04.2014 10:45, Gert Doering wrote: This is not trivial to set up, and might not be worth for every client out there - but if you're truly concerned about your data, upgrade the client, revoke the old key+certificate, reissue new keys. How do revocation lists work with openvpn?

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Илья Шипицин
I did not say "nobind protects from everything", but I did mean that clients with "nobind" are more protected in case of non patched openssl library shipped with (old) openvpn windows installer. if server is patched (what is rather easy thing comparing to hundreds windows users), nobody can steal

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Gert Doering
Hi, On Wed, Apr 09, 2014 at 02:32:42PM +0600, ??? wrote: > I used to think that client without "nobind" option binds to 1194/udp > (we encountered that issue with multiple openvpn connection on the > same machine), so, "nobind" tells openvpn instance not to bind to > udp/1194, and so, onl

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Arne Schwabe
On 09.04.14 10:32, Илья Шипицин wrote: > I used to think that client without "nobind" option binds to 1194/udp > (we encountered that issue with multiple openvpn connection on the > same machine), so, "nobind" tells openvpn instance not to bind to > udp/1194, and so, only openvpn server can explo

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Илья Шипицин
I used to think that client without "nobind" option binds to 1194/udp (we encountered that issue with multiple openvpn connection on the same machine), so, "nobind" tells openvpn instance not to bind to udp/1194, and so, only openvpn server can exploit heartbleed vulnerability, but not any attacker

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Arne Schwabe
On 09.04.14 10:25, Илья Шипицин wrote: > am I right that "nobind" option gives some protection to windows > openvpn client ? > No. Nobind gives no protection. Arne

Re: [Openvpn-devel] Heartbleed

2014-04-09 Thread Илья Шипицин
am I right that "nobind" option gives some protection to windows openvpn client ? 2014-04-08 23:02 GMT+06:00 Samuli Seppänen : > Hi, On 08.04.2014 15:42, Steffan Karger wrote: >> Perhaps a dumb question, but if the server instance is linked >> against an older version of o

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Samuli Seppänen
>>> Hi, >>> >>> On 08.04.2014 15:42, Steffan Karger wrote: > Perhaps a dumb question, but if the server instance is linked > against an older version of openssl (9.8.x), but the client is > compiled and linked against the vulnerable version, is it still an > issue for both sides,

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Samuli Seppänen
>> Hi, >> >> On 08.04.2014 15:42, Steffan Karger wrote: Perhaps a dumb question, but if the server instance is linked against an older version of openssl (9.8.x), but the client is compiled and linked against the vulnerable version, is it still an issue for both sides, or is

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Gert Doering
Hi, On Tue, Apr 08, 2014 at 03:53:05PM +0200, Enno Gröper wrote: > Then OpenVPN should release new Windows Versions. Yeah, always glad to have people tell us what to do. Working on it... gert -- USENET is *not* the non-clickable part of WWW!

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Samuli Seppänen
> Hi, > > On 08.04.2014 15:42, Steffan Karger wrote: >>> Perhaps a dumb question, but if the server instance is linked >>> against an older version of openssl (9.8.x), but the client is >>> compiled and linked against the vulnerable version, is it still an >>> issue for both sides, or is the cli

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Enno Gröper
Hi, On 08.04.2014 15:42, Steffan Karger wrote: Perhaps a dumb question, but if the server instance is linked against an older version of openssl (9.8.x), but the client is compiled and linked against the vulnerable version, is it still an issue for both sides, or is the client going to leak pr

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa
On 4/8/2014 10:13 AM, Steffan Karger wrote: On 08/04/2014 16:04, Mike Tancsa wrote: How does one attack the client ? In my case, the client only connects to my servers ? I use a tls-auth key file as well. If I understand correctly, the scenario would be the attacker would have to have the tls-au

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Steffan Karger
On 08/04/2014 16:04, Mike Tancsa wrote: > How does one attack the client ? In my case, the client only connects > to my servers ? I use a tls-auth key file as well. If I understand > correctly, the scenario would be the attacker would have to have the > tls-auth key file, and then do a man in the m

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa
On 4/8/2014 9:42 AM, Steffan Karger wrote: Perhaps a dumb question, but if the server instance is linked against an older version of openssl (9.8.x), but the client is compiled and linked against the vulnerable version, is it still an issue for both sides, or is the client going to leak private

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Steffan Karger
Hi, On 08/04/2014 13:55, Mike Tancsa wrote: > On 4/8/2014 7:47 AM, Adriaan de Jong wrote: > >> Using the tls-auth option should protect against this vulnerability > (assuming that your tls-auth key is not known to the attacker). > > > >> If you're not using tls-auth and are using a vulnerable ver

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa
On 4/8/2014 7:47 AM, Adriaan de Jong wrote: Using the tls-auth option should protect against this vulnerability (assuming that your tls-auth key is not known to the attacker). If you're not using tls-auth and are using a vulnerable version of OpenSSL, you should definitely upgrade to OpenSSL

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Adriaan de Jong
-Original Message- From: Davide Brini [mailto:dave...@gmx.com] Sent: Tuesday 8 April 2014 13:26 To: openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] Heartbleed > On Tue, 08 Apr 2014 11:08:59 +0200, Tore Anderson wrote: > > I'm guessing that everyone

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Davide Brini
On Tue, 08 Apr 2014 11:08:59 +0200, Tore Anderson wrote: > I'm guessing that everyone has seen http://heartbleed.com/ by now. > > My question is simple: Could anyone confirm whether or not OpenVPN is > vulnerable (when linked to a vulnerable version of OpenSSL)? This is James' reply on the dev

[Openvpn-devel] Heartbleed

2014-04-08 Thread Tore Anderson
I'm guessing that everyone has seen http://heartbleed.com/ by now. My question is simple: Could anyone confirm whether or not OpenVPN is vulnerable (when linked to a vulnerable version of OpenSSL)? Tore