This release is to respond to the OpenSSL vulnerability CVE-2009-3555.
Some people have worried that the fix made to OpenSSL to address this
vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's
session renegotiation capability. This is not the case. OpenVPN does
not rely on the session renegotiation capability that is built into
SSL/TLS, and therefore if OpenVPN is linked against an OpenSSL library
that disables SSL/TLS renegotiation, there should be no loss of
functionality.
Changes:
2009.11.12 -- Version 2.1_rc21
* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
CVE-2009-3555. Note that OpenVPN has never relied on the session
renegotiation capabilities that are built into the SSL/TLS protocol,
therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
completely) will not adversely affect OpenVPN mid-session SSL/TLS
renegotation or any other OpenVPN capabilities.
* Added additional session renegotiation hardening. OpenVPN has always
required that mid-session renegotiations build up a new SSL/TLS
session from scratch. While the client certificate common name is
already locked against changes in mid-session TLS renegotiations, we
now extend this locking to the auth-user-pass username as well as all
certificate content in the full client certificate chain.
James
