am I right that "nobind" option gives some protection to windows openvpn client ?
2014-04-08 23:02 GMT+06:00 Samuli Seppänen <sam...@openvpn.net>: > >>>> Hi, >>>> >>>> Am 08.04.2014 15:42, schrieb Steffan Karger: >>>>>> Perhaps a dumb question, but if the server instance is linked >>>>>> against an older version of openssl (9.8.x), but the client is >>>>>> compiled and linked against the vulnerable version, is it still an >>>>>> issue for both sides, or is the client going to leak private >>>>>> information ? >>>>> The client can then leak keys (both private master key and session >>>>> keys), which completely breaks your secure connection, for that >>>>> client. >>>>> >>>>> So when the server is not vulnerable, each client has to be attacked >>>>> individually, and not-vulnerable clients have a secure connection to >>>>> the server. As long as there are vulnerable clients, you should >>>>> consider those as potentially malicious, and thus you should consider >>>>> the network as insecure. >>>> Then OpenVPN should release new Windows Versions. >>>> The current binaries are linked against OpenSSL (ssleay32.dll, >>>> libeay32.dll) 1.0.1.5 (-> 1.0.1e). >>>> >>>> >>> Hi all, >>> >>> We'll try to push OpenVPN 2.3.3 out today. The Windows installer will >>> contain OpenSSL 1.0.1g which fixes this particular problem. In addition >>> several other small changes and enhancements will be included. >>> >> Minor correction: I will build and publish OpenVPN 2.3.2 Windows >> installers with OpenSSL 1.0.1g today; this will fix the security problem >> at hand. OpenVPN 2.3.3 will follow on Thursday, if I encounter no big >> problems with the changes it contains. >> > An updated installer (I004) with OpenSSL 1.0.1g is now out: > > <http://openvpn.net/index.php/download/community-downloads.html> > > I smoketested the installers on Windows 7 64-bit and WinXP 32-bit. > > -- > Samuli Seppänen > Community Manager > OpenVPN Technologies, Inc > > irc freenode net: mattock > > > ------------------------------------------------------------------------------ > Put Bad Developers to Shame > Dominate Development with Jenkins Continuous Integration > Continuously Automate Build, Test & Deployment > Start a new project now. Try Jenkins in the cloud. > http://p.sf.net/sfu/13600_Cloudbees > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
