On Thu, Mar 19, 2015 at 8:01 AM, Jim Pingle <[email protected]> wrote:
> On 03/19/2015 06:27 AM, Amit Saxena wrote:
>> I am working on pfsense firewall as well as configured as a OpenVPN server
>> I got the information that "Freak vulnerable" so i want to know it
>> affected to Pfsense box
>> My pfsense Detail
>>
>> Pf sense version 2.1 and openssl version 0.9.8y

You actually have 2 openssl versions, that's base not ports, where the latter is the one that's relevant to OpenVPN and the web interface.

> The firewall GUI itself is not vulnerable as a server, even on that version.
>
> The OpenSSL library on that version may be vulnerable as a client,
> however. If you do not have anything on the firewall that makes outbound
> connections to arbitrary servers that would use SSL, it may not be a
> factor for you, but upgrading to 2.2.1 is still advised.
>

Good advice as it pertains to FREAK. But no one mentioned... the real problem here is asking about FREAK on a version that's Heartbleed vulnerable (assuming he's talking about 2.1.0 as it appears to be). Who cares about potential crypto weakening when you're vulnerable to complete system compromise from Heartbleed?

Upgrade to 2.2.1, or at a minimum 2.1.5 if you have one of the edge cases (usually hardware-specific) where 2.2x isn't an option for some reason.
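The thread's point that a box can carry two OpenSSL builds, each needing its own check, shown as an added example (not code from the thread or from pfSense): it triages the version string printed by `openssl version` for each build. It assumes the upstream fixed releases (Heartbleed fixed in 1.0.1g; FREAK client fix in 0.9.8zd, 1.0.0p and 1.0.1k), covers only the 0.9.8, 1.0.0 and 1.0.1 branches, and does not account for vendor backports. The names `classify` and `suffix_rank` and the sample strings are constructed here.

```shell
#!/bin/sh
# Added example: triage OpenSSL version strings for Heartbleed and FREAK (client).
# Assumed fixed releases: Heartbleed 1.0.1g; FREAK 0.9.8zd, 1.0.0p, 1.0.1k.

# Rank a release letter suffix: "" -> 0, a..z -> 1..26, za..zz -> 27..52.
suffix_rank() {
    s=$1; rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # peel off the first character
        rank=$((rank + $(expr abcdefghijklmnopqrstuvwxyz : ".*$c")))
    done
    echo "$rank"
}

# classify "OpenSSL 0.9.8y 5 Feb 2013" prints "heartbleed=no freak=yes";
# prints "unknown" for branches or suffixes this sketch does not cover.
classify() {
    v=${1#"OpenSSL "}; v=${v%%" "*}; v=${v%%-*}   # keep e.g. "1.0.1e"
    base=${v%%[a-z]*}; suffix=${v#"$base"}
    case $suffix in *[!a-z]*) echo unknown; return 0 ;; esac
    r=$(suffix_rank "$suffix")
    case $base in
        0.9.8) hb=no; [ "$r" -lt 30 ] && fr=yes || fr=no ;;   # zd = 30
        1.0.0) hb=no; [ "$r" -lt 16 ] && fr=yes || fr=no ;;   # p = 16
        1.0.1) [ "$r" -lt 7 ] && hb=yes || hb=no              # g = 7
               [ "$r" -lt 11 ] && fr=yes || fr=no ;;          # k = 11
        *) echo unknown; return 0 ;;
    esac
    echo "heartbleed=$hb freak=$fr"
}

# Constructed sample strings; on the firewall, feed in the output of
# `openssl version` from each binary (base and ports) instead.
for line in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1e 11 Feb 2013"; do
    printf '%s -> %s\n' "$line" "$(classify "$line")"
done
```

A distribution may patch a fix into an older version string, so treat "yes" as a prompt to check the vendor's advisory rather than as proof.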
