Hi,

On Mon, Jul 21, 2014 at 07:17:30PM +0200, Lisa Minogue wrote:
> Hi Samuli and friends:
> 
> This is what I think.

Don't think so much, use google first :)

> Both of us don't know how long it will take for OpenSSL to fix the long list 
> of bugs -some of which are significant- that have accumulated over the years. 
> One year or two years?
> 
> OpenVPN is in the business of providing software that enables secure 
> communications. Can OpenVPN afford to wait one or two years for bugs to be 
> fixed? 

What makes you assume that any of these bugs are security relevant?  

All software has bugs, and of the OpenSSL bugs so far, only two had 
really nasty effects on OpenVPN (heartbleed and the most recent weak
crypto one) and heartbleed only affected users that were on 1.0.1, none 
that were on 0.9.8.  So while one might have opinions on OpenSSL code 
quality and maintainability, its track record is fairly *good* for code 
that has been around for so long.

But we don't have to "wait one or two years".  PolarSSL support is here
*today* - you can build OpenVPN with PolarSSL just fine.  It's just that
the binaries we provide for windows are currently built against OpenSSL,
because nobody extended the windows build environment to build against
PolarSSL.

(If you feel we need windows binaries built with PolarSSL: patches for
the build system are welcome.  We are always short on time, so contributions
are welcome)


> How will OpenVPN address the concerns of its Access Server's customers? Does 
> Access Server software incorporate OpenSSL or PolarSSL?

AS could be built with PolarSSL mostly fine (some functionality is missing
in PolarSSL), and judging from the patches I've seen from James, he is 
working on it.  But for AS, ask your commercial channels, not this list.

OpenVPN Connect on iOS uses PolarSSL already today.

> Hackers and agencies sponsored by their respective governments
> will have a field day disrupting secure communications enabled by
> the use of defective VPN software. Economic espionage will wreak
> havoc on the markets and create unfair competition for those
> countries which are technically and scientifically superior. Human
> rights abuses will be on the increase.

You're welcome to funnel your excitement about the poor state of software
into patches that contribute what you think is missing.  The rest of us
are already busy doing so.


> I accept that substantial portions of the current software code for 
> Windows will have to be rewritten. 

Nothing at all of the *code* needs to be rewritten.  OpenVPN with PolarSSL
support is here today.

What needs to be done is extend the build system to build windows binaries
with PolarSSL - building so for Linux is very easy today, just call

 ./configure --with-crypto-library=polarssl
 make

and you get a polarssl-enabled OpenVPN binary.


> But aren't you also doing it for Access Server customers? Aren't they 
> affected by OpenSSL's bugs?

This is not the AS support channel, so we can't answer questions about AS.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
