[Openvpn-devel] OpenVPN and BEAST
We've gotten some questions about whether OpenVPN is vulnerable to the "BEAST" exploit. At the time of this writing, the details of the "BEAST" exploit haven't been released yet, but the general consensus is that it exploits the known-IV weakness in SSL and TLS 1.0 that is discussed by Bard back in 2004: http://eprint.iacr.org/2004/111.pdf The vulnerability is present in all versions of SSL and TLS 1.0 but not TLS 1.1 or higher (OpenVPN currently uses TLS 1.0). One of the common workarounds for this vulnerability is to have the SSL implementation add empty fragments into the application data stream. OpenSSL has implemented this workaround since 0.9.6d (9 May 2002). See http://www.openssl.org/~bodo/tls-cbc.txt So the bottom line is that even though OpenVPN uses TLS 1.0 which is technically vulnerable, the OpenSSL workaround added in 0.9.6d effectively protects TLS 1.0 from this vulnerability, and hence OpenVPN as well. Now if OpenSSL patched this back in 2002, you might be wondering why it's an exploitable vulnerability today. I think the answer is that while OpenSSL patched the vulnerability, NSS did not (NSS is an alternative to OpenSSL that is widely used in web browsers). In fact, if you look at this recent commit to NSS by the Chromium project (presumably to address the BEAST exploit), you see the same workaround being added to NSS that was added to OpenSSL 9 years ago. https://src.chromium.org/viewvc/chrome?view=rev=90643 James
Re: [Openvpn-devel] NetBSD platform cleanup
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 16/09/11 20:00, Gert Doering wrote: > Hi, > > testing today's "master" for problems due to the SVN merger (what bit > ecrist on FreeBSD), I noticed a number of problems on NetBSD with the > way tun/tap devices are handled, and (not) cleaned up at session end. > > The attached patch cleans up the tun.c code for NetBSD, and has been > tested with IPv4 + IPv6, TUN mode, TUN/top-subnet mode and TAP mode, > and passes all tests *except* TAP+IPv6 (and that one seems to be a > NetBSD kernel side issue, still investigating). > > David, please ACK and merge :-) > ACK. Applied to testing and stable master branches. commit 8ca19c014c149cf69257798afa6c75d1ff8f11a7 kind regards, David Sommerseth -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk555jUACgkQDC186MBRfrq4QQCaApUgHs7lVi9hPDFwfN7aarp3 H7wAoLF7l7SY7hdcT047SIy6HsxZmWPz =WCZq -END PGP SIGNATURE-