The OpenSSL versions bundled in official OpenVPN Windows installers prior to 2.3.6-I002/I602 are vulnerable to FREAK. All users of the official OpenVPN Windows installers are encouraged to upgrade their OpenVPN installations or to take other measures (see below) to mitigate the attack. OpenVPN users on *NIX typically get an updated OpenSSL version through their package management system and do not need to update OpenVPN.
Fortunately, the vulnerability's impact on OpenVPN is fairly small:
- If enabled, OpenVPN's tls-auth feature prevents this attack.
- Adding !EXP to the server-side tls-cipher option is enough to mitigate attacks. The suggested tls-cipher string is DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA. This disallows export ciphers, weak ciphers (e.g. DES), and RSA key exchange (note: this does not disable RSA authentication), but allows any future, stronger cipher suites.
- Users who wish to rule out this attack on clients prior to 2.3.6-I002/I603 can add !kRSA to the client's tls-cipher string.
- An attacker requires a man-in-the-middle position.
- An attacker has to invest time and money per OpenVPN instance (restart) to attack a connection, which makes this relevant for targeted attacks only.
- OpenVPN always provides PFS with its own key exchange mechanism, making it impossible to decrypt sessions prior to a successful factorization of the temporary export key, even if those connections already used an RSA_EXPORT cipher.
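The following script is an added example, not code from the OpenVPN project: it reads an OpenVPN configuration and reports which of the mitigations listed above are present (tls-auth, !EXP in tls-cipher, !kRSA in tls-cipher). The two sample configurations and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the advisory): one relying on
# OpenSSL's defaults with no tls-auth, one applying the suggested settings.
VULNERABLE_CONF = """\
port 1194
proto udp
dev tun
"""
HARDENED_CONF = VULNERABLE_CONF + """\
tls-auth ta.key 0
tls-cipher DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA
"""

def parse_options(config_text):
    """Map each directive to its args; also collect inline <block> names."""
    options, inline, block = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':  # blank or comment line
            continue
        m = re.fullmatch(r'<(/?)([\w-]+)>', line)
        if m:  # enter or leave an inline block such as <tls-auth>...</tls-auth>
            block = None if m.group(1) else m.group(2)
            if block:
                inline.add(block)
            continue
        if block is None:  # key material inside a block is not a directive
            name, *args = line.split()
            options[name] = args
    return options, inline

def freak_status(config_text):
    """Report which of the advisory's FREAK mitigations the config applies."""
    options, inline = parse_options(config_text)
    spec = (options.get('tls-cipher') or [''])[0].upper().split(':')
    status = {
        'tls_auth': 'tls-auth' in options or 'tls-auth' in inline,
        'no_export': '!EXP' in spec or '!EXPORT' in spec,
        'no_krsa': '!KRSA' in spec,
    }
    status['mitigated'] = any(status.values())
    return status

if __name__ == '__main__':
    for name, conf in (('vulnerable', VULNERABLE_CONF), ('hardened', HARDENED_CONF)):
        print(name, freak_status(conf))
```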