On Thu, Jan 8, 2009 at 8:46 PM, JJB <[email protected]> wrote: > So does OpenVPN on pfsense have a known vulnerability,
Maybe. This: http://security.freebsd.org/advisories/FreeBSD-SA-09:02.openssl.asc --- III. Impact For applications using OpenSSL for SSL connections, an invalid SSL certificate may be interpreted as valid. This could for example be used by an attacker to perform a man-in-the-middle attack. --- could potentially impact OpenVPN, allowing someone the ability to see your OpenVPN traffic, unencrypted. But it requires being able to intercept your traffic, which is difficult unless the attacker is on the same network or has already compromised your network. And I'm not aware of any remotely easy means of exploiting this, even for someone that can intercept your traffic. > and if so, can we > patch the pfsense servers (running 1.2) as described in the advisory? > No. 1.2.2 is coming. This issue isn't anything to be concerned about. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] Commercial support available - https://portal.pfsense.org
