Hi Gert,

On 21/04/20 20:59, Gert Doering wrote:

On Tue, Apr 21, 2020 at 08:37:35PM +0200, Gert Doering wrote:
On Tue, Apr 21, 2020 at 02:15:43PM -0400, mike tancsa wrote:
     Will the sec issue with OpenSSL force a new release of OpenVPN ?

So, speaking to myself again :-) - I've looked at the advisory, and
it talks about "Server or client applications that call the
SSL_check_chain() function".

Which we don't, I just grepped through our source tree.

So, unless I misunderstand something about OpenSSL intricacies, I think
we're safe - no new installers needed, and OpenVPN is not in risk.

the advisory applies only to application that use the SSL_check_chain() function as part of a TLS 1.3 handshake. AFAIK, iIn OpenVPN 2.4 we don't do anything with TLS 1.3 just yet, so this security advisory does not apply to OpenVPN. Also note that this bug appears only in OpenSSL 1.1.1 [d-f] , so anything older is fine as well.



Openvpn-devel mailing list

Reply via email to