Changes between Version 10 and Version 11 of heartbleed
- Timestamp: 04/17/14 10:17:01 (10 years ago)
heartbleed
v10 v11 1 1 = OpenSSL vulnerability - Heartbleed = 2 2 3 A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014 [#ref1 1]. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too.3 A vulnerability in OpenSSL, nicknamed Heartbleed, was published in April 2014 [#ref1 1]. OpenVPN uses OpenSSL as its crypto library by default and thus is affected too. 4 4 5 5 == What does this mean? == … … 25 25 All OpenVPN Windows client installers are shipped with OpenSSL. However, only installer versions ''2.3-rc2-I001'' through ''2.3.2-I003'' ship a vulnerable version. Installer version ''2.3.2-I004'' fixes this vulnerability by bundling OpenSSL 1.0.1g. The fixed version can be downloaded from [http://openvpn.net/index.php/open-source/downloads.html here]. 26 26 27 If you want to verify whether the version of OpenSSL in your OpenVPN installation is vulnerable, go to ''C:\Program Files\OpenVPN\bin'' using Windows Explorer, right-click on ''libeay32.dll'' and check what ''Details -> Product Version'' says.27 If you want to verify whether the version of OpenSSL in your OpenVPN installation is vulnerable, go to ''C:\Program Files\OpenVPN\bin'' using Windows Explorer, right-click on ''libeay32.dll'', click properties and check what ''Details -> Product Version'' says. 28 28 29 29 == Is Access Server affected? == … … 37 37 38 38 == Do TLS-auth keys protect my setup? == 39 To some extent. You are strongly encouraged to use TLS-auth keys. In this scenario an attacker can not attack openvpn instances without the TLS-auth key. With a large user base, you should however consider the possibility of one (or more) of the openvpninstances being compromised. Such a compromised instance could attack other instances (including the server).39 To some extent. You are strongly encouraged to use TLS-auth keys. In this scenario an attacker can not attack openvpn instances without the TLS-auth key. 
With a large user base, you should however consider the possibility of one (or more) of the OpenVPN instances being compromised. Such a compromised instance could attack other instances (including the server). 40 40 41 41
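Review bot: In the change to line 27, the added step "click properties" should use the label as Windows shows it ("Properties"), and the sentence still does not tell the reader which Product Version value to look for. Line 25 already states that the fixed installer bundles OpenSSL 1.0.1g, so suggest ending the sentence with that value, so the check has a clear pass condition.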
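Review bot: In the change to line 39, the first sentence still reads "openvpn instances" while the sentence moved onto the new line was corrected to "OpenVPN instances"; capitalize both so the paragraph is consistent, and change "can not" to "cannot" while this line is being touched. If the new line break is meant to start a separate paragraph, it needs a blank line in the wiki markup; a single newline will render as one paragraph.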