This release is to respond to the OpenSSL vulnerability CVE-2009-3555.

Some people have worried that the fix made to OpenSSL to address this
vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's
session renegotiation capability. This is not the case. OpenVPN does not rely on the session renegotiation capability that is built into SSL/TLS, and therefore if OpenVPN is linked against an OpenSSL library that disables SSL/TLS renegotiation, there should be no loss of functionality.


2009.11.12 -- Version 2.1_rc21

* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
  CVE-2009-3555.  Note that OpenVPN has never relied on the session
  renegotiation capabilities that are built into the SSL/TLS protocol,
  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
  completely) will not adversely affect OpenVPN mid-session SSL/TLS
  renegotation or any other OpenVPN capabilities.

* Added additional session renegotiation hardening.  OpenVPN has always
  required that mid-session renegotiations build up a new SSL/TLS
  session from scratch.  While the client certificate common name is
  already locked against changes in mid-session TLS renegotiations, we
  now extend this locking to the auth-user-pass username as well as all
  certificate content in the full client certificate chain.


Reply via email to