I do not know why you sent me this. I do not know you. Please do not e-mail me again.
On Tuesday, April 8, 2014 1:31 PM, "openvpn-devel-requ...@lists.sourceforge.net" <openvpn-devel-requ...@lists.sourceforge.net> wrote:

Today's Topics:

   1. Re: Heartbleed (Mike Tancsa)
   2. Re: Heartbleed (Steffan Karger)
   3. Re: Heartbleed (Mike Tancsa)
   4. Re: Heartbleed (Enno Gröper)
   5. Re: Heartbleed (Samuli Seppänen)
   6. Re: Heartbleed (Gert Doering)

----------------------------------------------------------------------

Message: 1
Date: Tue, 08 Apr 2014 10:04:06 -0400
From: Mike Tancsa <m...@sentex.net>
Subject: Re: [Openvpn-devel] Heartbleed
To: Steffan Karger <steffan.kar...@fox-it.com>, Adriaan de Jong <dej...@fox-it.com>, openvpn-devel@lists.sourceforge.net
Message-ID: <534401d6.1080...@sentex.net>

On 4/8/2014 9:42 AM, Steffan Karger wrote:
>> Perhaps a dumb question, but if the server instance is linked against
>> an older version of openssl (9.8.x), but the client is compiled and
>> linked against the vulnerable version, is it still an issue for both
>> sides, or is the client going to leak private information?
>
> The client can then leak keys (both private master key and session keys),
> which completely breaks your secure connection, for that client.
>
> So when the server is not vulnerable, each client has to be attacked
> individually, and not-vulnerable clients have a secure connection to the
> server. As long as there are vulnerable clients, you should consider those as
> potentially malicious, and thus you should consider the network as insecure.

Thanks for the reply. I am still trying to understand as it relates to the analysis here:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

How does one attack the client? In my case, the client only connects to my servers. I use a tls-auth key file as well. If I understand correctly, the scenario would be the attacker would have to have the tls-auth key file, and then do a man in the middle attack to pretend it's the server's IP, and then coax the client into allocating the 64k block of memory as described in the above link?

	---Mike

-- 
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

------------------------------

Message: 2
Date: Tue, 8 Apr 2014 16:13:59 +0200
From: Steffan Karger <steffan.kar...@fox-it.com>
Subject: Re: [Openvpn-devel] Heartbleed
To: Mike Tancsa <m...@sentex.net>, Adriaan de Jong <dej...@fox-it.com>, openvpn-devel@lists.sourceforge.net
Message-ID: <1ced409804e2164c8104f9e623b08b90170093c...@foxdft02.fox.local>

On 08/04/2014 16:04, Mike Tancsa wrote:
> How does one attack the client? In my case, the client only connects
> to my servers. I use a tls-auth key file as well. If I understand
> correctly, the scenario would be the attacker would have to have the
> tls-auth key file, and then do a man in the middle attack to pretend
> it's the server's IP, and then coax the client into allocating the 64k
> block of memory as described in the above link?

Correct. But man-in-the-middle can also be something like DNS poisoning. If you use TLS-auth, the attacker must have previously obtained the TLS-auth key. When the user base is large, it is not unlikely that one of the users was compromised and should be considered malicious.

-Steffan

------------------------------

Message: 3
Date: Tue, 08 Apr 2014 10:23:53 -0400
From: Mike Tancsa <m...@sentex.net>
Subject: Re: [Openvpn-devel] Heartbleed
To: Steffan Karger <steffan.kar...@fox-it.com>, Adriaan de Jong <dej...@fox-it.com>, openvpn-devel@lists.sourceforge.net
Message-ID: <53440679.8060...@sentex.net>

On 4/8/2014 10:13 AM, Steffan Karger wrote:
> On 08/04/2014 16:04, Mike Tancsa wrote:
>> How does one attack the client? In my case, the client only connects
>> to my servers. I use a tls-auth key file as well. If I understand
>> correctly, the scenario would be the attacker would have to have the
>> tls-auth key file, and then do a man in the middle attack to pretend
>> it's the server's IP, and then coax the client into allocating the 64k
>> block of memory as described in the above link?
>
> Correct. But man-in-the-middle can also be something like DNS poisoning.
> If you use TLS-auth, the attacker must have previously obtained the TLS-auth
> key. When the user base is large, it is not unlikely that one of the users
> was compromised and should be considered malicious.

Thanks! Although we are certainly planning to update the vulnerable clients, this is not quite as dire and urgent as first described in the popular press -- at least as it applies to my client base. We also use IP addresses for the target servers in the client configs.

	---Mike

-- 
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

------------------------------

Message: 4
Date: Tue, 08 Apr 2014 15:53:05 +0200
From: Enno Gröper <groep...@cms.hu-berlin.de>
Subject: Re: [Openvpn-devel] Heartbleed
To: openvpn-devel@lists.sourceforge.net
Message-ID: <5343ff41.3080...@cms.hu-berlin.de>

Hi,

On 08.04.2014 15:42, Steffan Karger wrote:
>> Perhaps a dumb question, but if the server instance is linked
>> against an older version of openssl (9.8.x), but the client is
>> compiled and linked against the vulnerable version, is it still an
>> issue for both sides, or is the client going to leak private
>> information?
>
> The client can then leak keys (both private master key and session
> keys), which completely breaks your secure connection, for that
> client.
>
> So when the server is not vulnerable, each client has to be attacked
> individually, and not-vulnerable clients have a secure connection to
> the server. As long as there are vulnerable clients, you should
> consider those as potentially malicious, and thus you should consider
> the network as insecure.

Then OpenVPN should release new Windows versions. The current binaries are linked against OpenSSL (ssleay32.dll, libeay32.dll) 1.0.1.5 (-> 1.0.1e).

Greetings,
Enno

-- 
Enno Gröper groep...@cms.hu-berlin.de - Raum 2'325, Rudower Chaussee 26
Tel. +49.(0)30.2093.70053 Fax +49.(0)30.2093.2959
Humboldt-Universität zu Berlin - http://www.hu-berlin.de/
ZE Computer- und Medienservice - http://www.cms.hu-berlin.de/
Unter den Linden 6, D-10099 Berlin, Germany

------------------------------

Message: 5
Date: Tue, 08 Apr 2014 18:09:17 +0300
From: Samuli Seppänen <sam...@openvpn.net>
Subject: Re: [Openvpn-devel] Heartbleed
To: Enno Gröper <groep...@cms.hu-berlin.de>, openvpn-devel@lists.sourceforge.net
Message-ID: <5344111d.3080...@openvpn.net>

> Hi,
>
> On 08.04.2014 15:42, Steffan Karger wrote:
>>> Perhaps a dumb question, but if the server instance is linked
>>> against an older version of openssl (9.8.x), but the client is
>>> compiled and linked against the vulnerable version, is it still an
>>> issue for both sides, or is the client going to leak private
>>> information?
>> The client can then leak keys (both private master key and session
>> keys), which completely breaks your secure connection, for that
>> client.
>>
>> So when the server is not vulnerable, each client has to be attacked
>> individually, and not-vulnerable clients have a secure connection to
>> the server. As long as there are vulnerable clients, you should
>> consider those as potentially malicious, and thus you should consider
>> the network as insecure.
> Then OpenVPN should release new Windows versions.
> The current binaries are linked against OpenSSL (ssleay32.dll,
> libeay32.dll) 1.0.1.5 (-> 1.0.1e).
>

Hi all,

We'll try to push OpenVPN 2.3.3 out today. The Windows installer will contain OpenSSL 1.0.1g which fixes this particular problem. In addition several other small changes and enhancements will be included.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

------------------------------

Message: 6
Date: Tue, 8 Apr 2014 17:13:15 +0200
From: Gert Doering <g...@greenie.muc.de>
Subject: Re: [Openvpn-devel] Heartbleed
To: Enno Gröper <groep...@cms.hu-berlin.de>
Cc: openvpn-devel@lists.sourceforge.net
Message-ID: <20140408151315.gd16...@greenie.muc.de>

Hi,

On Tue, Apr 08, 2014 at 03:53:05PM +0200, Enno Gröper wrote:
> Then OpenVPN should release new Windows versions.

Yeah, always glad to have people tell us what to do. Working on it...

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

------------------------------

End of Openvpn-devel Digest, Vol 95, Issue 3
********************************************
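The three conditions the thread turns on (Steffan: the attacker needs the tls-auth key and a man-in-the-middle position such as DNS poisoning; Mike: IP addresses rather than names in client configs; Samuli: OpenSSL 1.0.1g fixes it) can be checked mechanically against a client config. The script below is an added example and not code from the OpenVPN project or from anyone in the thread; the sample config is constructed, the function names are assumptions, and the mapping of a Windows DLL file version to an OpenSSL letter release generalises Enno's "1.0.1.5 (-> 1.0.1e)".

```python
import ipaddress
import re

# Constructed sample client config: one remote by DNS name, one by IP literal, tls-auth on.
SAMPLE_CONFIG = "client\nremote vpn.example.net 1194 udp\nremote 192.0.2.10 1194 udp\ntls-auth ta.key 1\n"

def parse_openvpn_config(text):
    """Map directive -> list of argument lists; an inline <key>...</key> block counts as the directive."""
    directives, block = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in '#;':
            continue                           # blank or comment line
        if block:                              # inside an inline block: look for its end tag
            block = None if line == '</%s>' % block else block
        elif line.startswith('<') and line.endswith('>'):
            block = line[1:-1]                 # opening tag, e.g. <tls-auth>
            directives.setdefault(block, []).append(['<inline>'])
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def openssl_version_key(version):
    """'1.0.1e' -> (1, 0, 1, 'e'); a DLL file version maps as in Enno's mail (1.0.1.5 -> 1.0.1e)."""
    m = re.fullmatch(r'(\d+)\.(\d+)\.(\d+)(?:\.(\d+)|([a-z]?))', version.strip())
    if not m:
        raise ValueError('unrecognised OpenSSL version: %r' % version)
    n = int(m.group(4) or 0)                   # DLL fourth number n -> nth patch letter (0: none)
    letter = chr(ord('a') + n - 1) if n else (m.group(5) or '')
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), letter)

def heartbleed_vulnerable(version):
    """1.0.1 through 1.0.1f carry the bug; 1.0.1g fixes it (a no-heartbeats build is not told apart)."""
    return (1, 0, 1, '') <= openssl_version_key(version) <= (1, 0, 1, 'f')

def audit_client_config(text, openssl_version):
    """Findings for the three points from the thread; an empty list means nothing to flag."""
    conf, findings = parse_openvpn_config(text), []
    if heartbleed_vulnerable(openssl_version):
        findings.append('OpenSSL %s is in the 1.0.1-1.0.1f range; update to 1.0.1g or later' % openssl_version)
    if 'tls-auth' not in conf:
        findings.append('no tls-auth: control channel is reachable without the shared HMAC key')
    for args in conf.get('remote', []):
        host = args[0] if args else ''
        try:
            ipaddress.ip_address(host)         # IP literal: no DNS answer to poison
        except ValueError:
            findings.append('remote %r is a DNS name rather than an IP literal' % host)
    return findings
```

Run it as `audit_client_config(open('client.ovpn').read(), '1.0.1.5')` with the version string taken from the DLL properties or from `openssl version`; a build compiled without heartbeats still reports a 1.0.1 version, so the version check alone over-reports rather than under-reports.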