On 05/06/14 15:28, Mike Tancsa wrote:
> A few more vulnerabilities it would seem. Can anyone shed light on how
> this impacts OpenVPN ?
>
> http://www.openssl.org/news/secadv_20140605.txt
>
> Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS ?

I don't remember the details around SSL_MODE_RELEASE_BUFFERS. As I understand, it needs to be explicitly enabled. At a very quick glance (git grep), I don't see that being used at all.

But OpenVPN does not make use of DTLS. DTLS came 4-5 years (roughly) after the first OpenVPN release. There are currently no immediate plans to move over to DTLS.

So, as with most of these OpenSSL issues: OpenVPN itself is secure, as long as OpenSSL is safe. And in most cases, enabling --tls-auth is an additional security barrier which can often make attacks on OpenVPN tunnels more difficult.

--
kind regards,

David Sommerseth