The OpenSSL versions bundled in official ''Windows installers'' of OpenVPN prior to 2.3.6-I002/I602 are vulnerable to [https://www.smacktls.com/ FREAK]. OpenVPN users on *NIX typically get an updated OpenSSL version through their package management system and do not need to update OpenVPN.

Fortunately the vulnerability's impact on OpenVPN is fairly small:

* OpenVPN's tls-auth feature prevents this attack.
* Adding ''!EXP'' to the server-side tls-cipher is enough to mitigate attacks. The suggested tls-cipher string is ''DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA''. This disallows export ciphers, weak ciphers (e.g. DES), and RSA key exchange (note: not RSA authentication), but allows any future, stronger cipher suites.
* Clients who wish to rule out this attack before next week can add ''!kRSA'' to their tls-cipher.
* An attacker requires a man-in-the-middle position.
* An attacker has to invest time (~7.5 hrs) and money (~$100) per OpenVPN instance (restart) to attack a connection, which makes this relevant for targeted attacks only.
* OpenVPN always provides PFS with its own key exchange mechanism, making it impossible to decrypt sessions prior to a successful factorization of the temporary export key, even if those connections already used an RSA_EXPORT cipher.
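
One way to check existing configuration files against the mitigations listed above (an added example, not code from the OpenVPN project). The function names and sample configs are hypothetical and constructed for illustration; the sketch assumes unquoted directives and that explicit suite allowlists use OpenVPN's IANA-style ''TLS-...'' names.

```python
# Constructed sample configs for illustration; not from a real deployment.
WEAK = """\
port 1194
;tls-auth ta.key 0
tls-cipher DEFAULT:!LOW   # export suites and RSA key exchange still allowed
"""
HARDENED = """\
port 1194
tls-auth ta.key 0
tls-cipher DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA
"""
ALLOWLIST = "tls-auth ta.key 0\ntls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-128-CBC-SHA\n"

def directives(text):
    """Map directive -> args; '#' or ';' at the start of a token begins a comment."""
    conf = {}
    for line in text.splitlines():
        words = []
        for word in line.split():
            if word[0] in "#;":
                break
            words.append(word)
        if words:
            conf[words[0]] = words[1:]
    return conf


def audit(text):
    """Return FREAK-related findings for one OpenVPN config (empty list = none)."""
    conf = directives(text)
    findings = []
    if "tls-auth" not in conf:
        findings.append("tls-auth not enabled")
    tokens = [t for t in ":".join(conf.get("tls-cipher", [])).split(":") if t]
    if not tokens:
        return findings + ["tls-cipher not set: export ciphers not excluded by config"]
    if all(t.startswith("TLS-") for t in tokens):
        # Explicit allowlist of suite names: inspect each name instead of exclusions.
        if any("EXPORT" in t for t in tokens):
            findings.append("export cipher suite listed")
        if any(t.startswith("TLS-RSA-") for t in tokens):
            findings.append("RSA key exchange suite listed")
        return findings
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    if not excluded & {"EXP", "EXPORT"}:
        findings.append("!EXP missing: export ciphers not excluded")
    if "kRSA" not in excluded:
        findings.append("!kRSA missing: RSA key exchange not excluded")
    return findings
```

This is a static check of the config text only; which suites a cipher string actually expands to still depends on the OpenSSL build the installation links against.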