On 22/04/20 10:13, Arne Schwabe wrote:
what I meant was that OpenVPN 2.4 does not do anything *specific* with any of
the new features of TLS 1.3, like the new psk callbacks etc. If the
control session is negotiated using TLS 1.3 then sure, OpenVPN will use
that, but other than that OpenVPN does not make use of any of the new
features or crypto algorithms that come with OpenSSL 1.1.1 or TLS 1.3
(chacha20 anyone ;) ? )
Which we don't, I just grepped through our source tree.
So, unless I misunderstand something about OpenSSL intricacies, I think
we're safe - no new installers needed, and OpenVPN is not at risk.
The advisory applies only to applications that use the SSL_check_chain()
function as part of a TLS 1.3 handshake. AFAIK, in OpenVPN 2.4 we don't
do anything with TLS 1.3 just yet, so this security advisory does not
apply to OpenVPN. Also note that this bug appears only in OpenSSL 1.1.1
[d-f], so anything older is fine as well.
Hu? OpenVPN 2.4 supports TLS 1.3 just fine. We have support for it in
tls-version-min and also tls-ciphersuites which is TLS 1.3 specific.
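The two conditions discussed in this thread (a call to SSL_check_chain() in the application's source tree, and an OpenSSL version of 1.1.1[d-f]) can be checked with a small triage script. This is an added example, not part of the original mails or of OpenVPN; the function names and result tokens are hypothetical.

```shell
#!/bin/sh
# Added example: triage for the two conditions named in the thread.
# Function names and result tokens are hypothetical, not from OpenVPN or OpenSSL.
LC_ALL=C; export LC_ALL

# Return 0 if the `openssl version` string names 1.1.1d, 1.1.1e or 1.1.1f.
affected_openssl_version() {
    case "$1" in
        *"OpenSSL 1.1.1"[def][!a-z0-9]*|*"OpenSSL 1.1.1"[def]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every .c/.h file under $1 that contains a call to SSL_check_chain().
# This only sees direct calls in the tree, not calls made by linked libraries,
# and it also matches calls that appear inside comments (errs on the safe side).
callers_of_check_chain() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -lE 'SSL_check_chain[[:space:]]*\(' {} + 2>/dev/null || true
}

# $1 = source directory, $2 = output of `openssl version`.
# Prints one token:
#   not-applicable  no SSL_check_chain() call found in the tree
#   version-ok      call present, but OpenSSL is outside 1.1.1d-f
#   review          call present and OpenSSL is 1.1.1d, e or f
triage() {
    callers=$(callers_of_check_chain "$1")
    if [ -z "$callers" ]; then
        echo "not-applicable"
    elif affected_openssl_version "$2"; then
        echo "review"
    else
        echo "version-ok"
    fi
}

# Stand-alone use: ./triage.sh /path/to/source
if [ "$#" -ge 1 ]; then
    triage "$1" "$(openssl version)"
fi
```
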