Hi Arne,

On 22/04/20 10:13, Arne Schwabe wrote:
SSL_check_chain() function".

Which we don't, I just grepped through our source tree.

So, unless I misunderstand something about OpenSSL intricacies, I think
we're safe - no new installers needed, and OpenVPN is not in risk.

the advisory applies only to application that use the SSL_check_chain()
function as part of a TLS 1.3 handshake. AFAIK, iIn OpenVPN 2.4 we don't
do anything with TLS 1.3 just yet, so this security advisory does not
apply to OpenVPN. Also note that this bug appears only in OpenSSL 1.1.1
[d-f] , so anything older is fine as well.
Hu? OpenVPN 2.4 supports TLS 1.3 just fine. We have support for it in
tls-version-min and also tls-ciphersuites which is TLS 1.3 specific.

what I meant was that OpenVPN 2.4 does not do any *specific* with any of the new features of TLS 1.3, like the new psk callbacks etc. If the control session is negotiated using TLS 1.3 then sure, OpenVPN will use that, but other that OpenVPN does not make use of any of the new features or crypto algorithms that come with OpenSSL 1.1.1 or TLS 1.3 (chacha20 anyone ;) ? )



Openvpn-devel mailing list

Reply via email to