On 4/8/2014 7:47 AM, Adriaan de Jong wrote:
> Using the tls-auth option should protect against this vulnerability (assuming
> that your tls-auth key is not known to the attacker).
> If you're not using tls-auth and are using a vulnerable version of OpenSSL, you
> should definitely upgrade to OpenSSL 1.0.1g.
> Note that you should also replace both server and client private keys, as these
> can be read by an attacker.
Perhaps a dumb question, but if the server instance is linked against an
older version of openssl (9.8.x), but the client is compiled and linked
against the vulnerable version, is it still an issue for both sides, or
is the client going to leak private information?
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
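[Editor's worked example, added here; this is not code from the thread, from Adriaan, from Mike or from the OpenVPN project.] The two messages above turn on one fact: the Heartbleed bug (CVE-2014-0160) sits in the code that answers an incoming heartbeat request, so an endpoint can leak its own process memory only if its own linked OpenSSL is 1.0.1 through 1.0.1f (or the 1.0.2-beta1 pre-release). 0.9.8 and 1.0.0 have no heartbeat code at all, and 1.0.1g is the fixed release. The checker below reads the "library versions:" line that `openvpn --version` prints (what matters is the OpenSSL the openvpn binary is linked against, not whatever `openssl version` on the box reports), classifies each side of a tunnel, and models tls-auth as in the quoted reply: the flag means tls-auth is configured and the key is not known to the attacker, so a crafted heartbeat record on the control channel is dropped by the HMAC check. The two `openvpn --version` outputs are constructed for the case Mike asks about (server on 0.9.8, client on 1.0.1e); the function and field names are this example's own.

```python
"""Heartbleed (CVE-2014-0160) exposure check for an OpenVPN client/server pair.

Added example, not code from the thread or from OpenVPN. It reads the
"library versions:" line that `openvpn --version` prints, decides whether
the linked OpenSSL is an affected release, and reports which side of the
tunnel can have process memory read. All sample output below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Affected: OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release.
# 0.9.8 and 1.0.0 predate the heartbeat extension entirely; 1.0.1g is fixed.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    fix: int
    letter: str            # "" for plain 1.0.1, "f" for 1.0.1f, ...
    beta: Optional[int]    # 1 for 1.0.2-beta1, otherwise None

    @property
    def heartbleed_affected(self) -> bool:
        base = (self.major, self.minor, self.fix)
        if base == (1, 0, 1):
            return self.letter < "g"      # "" (plain 1.0.1) .. "f" are affected
        if base == (1, 0, 2):
            return self.beta == 1
        return False


def parse_openssl_version(text: str) -> OpenSSLVersion:
    """Pull the OpenSSL version out of `openssl version` or `openvpn --version` output."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version string found")
    major, minor, fix, letter, beta = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), letter,
                          int(beta) if beta else None)


@dataclass
class Endpoint:
    name: str
    openssl: OpenSSLVersion
    # True means --tls-auth is configured AND the key is not known to the
    # attacker (the assumption in the quoted reply); every control-channel
    # packet then carries an HMAC, so a crafted heartbeat record is dropped.
    tls_auth_protects: bool = False


def assess_endpoint(ep: Endpoint) -> dict:
    """The bug is in the code that answers a heartbeat request, so a side
    leaks only if its own linked OpenSSL is affected, whatever the peer runs."""
    affected = ep.openssl.heartbleed_affected
    exposed = affected and not ep.tls_auth_protects
    actions: List[str] = []
    if affected:
        actions.append("upgrade the linked OpenSSL to 1.0.1g or later")
    if exposed:
        actions.append("enable tls-auth")
        actions.append("reissue this side's private key and certificate")
    return {"name": ep.name, "affected_openssl": affected,
            "exposed": exposed, "actions": actions}


def assess_tunnel(client: Endpoint, server: Endpoint) -> List[dict]:
    return [assess_endpoint(client), assess_endpoint(server)]


# Constructed `openvpn --version` output for the case asked about in the
# thread: server linked against 0.9.8, client against a 1.0.1 release.
SERVER_VERSION_OUTPUT = """\
OpenVPN 2.3.2 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Mar 3 2014
library versions: OpenSSL 0.9.8y 5 Feb 2013, LZO 2.06
"""
CLIENT_VERSION_OUTPUT = """\
OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2013
library versions: OpenSSL 1.0.1e 11 Feb 2013, LZO 2.06
"""


def example_scenario(tls_auth: bool = False) -> List[dict]:
    """Mike's case: 0.9.8 server, 1.0.1e client, with or without tls-auth."""
    client = Endpoint("client", parse_openssl_version(CLIENT_VERSION_OUTPUT), tls_auth)
    server = Endpoint("server", parse_openssl_version(SERVER_VERSION_OUTPUT), tls_auth)
    return assess_tunnel(client, server)


if __name__ == "__main__":
    for report in example_scenario():
        print(report)
```

Run against the constructed outputs, the server (0.9.8y) comes back not affected and not exposed, while the client (1.0.1e) is exposed and told to upgrade, enable tls-auth and reissue its key; with the tls-auth flag set the client is still flagged for upgrade but no longer reported as exposed. On a real box, feed it the actual `openvpn --version` text from each side rather than `openssl version`, since the two can differ when openvpn was built against its own copy of the library.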