Version 2 (modified by Steffan Karger, 10 years ago) (diff)

Heartbleed

A vulnerability in OpenSSL, nicknamed heartbleed, was published in April 2014 [1]. OpenVPN uses OpenSSL as its crypto library by default and is thus affected too.

What does this mean?

An attacker can trick OpenSSL into returning a part of your process memory. That memory contains your session keys (the keys used to encrypt your data), and usually your master secret key too. If your OpenVPN is or has been vulnerable to heartbleed, you should consider your keys, and the traffic over the VPN tunnel, compromised.

Am I affected too?

Your OpenVPN is affected when it is linked against OpenSSL versions 1.0.1 through 1.0.1f.
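
The following shell snippet is an added example, not part of the OpenVPN wiki or project: it reads the OpenSSL version from the "library versions:" line that `openvpn --version` prints and classifies it against the 1.0.1 through 1.0.1f range stated above. The sample `openvpn --version` output is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OpenSSL version an OpenVPN binary is linked
# against. Vulnerable range, as stated on this page: 1.0.1 through 1.0.1f.
# Caveat: a build compiled with OPENSSL_NO_HEARTBEATS (as Android did from
# 4.1.2) is not exploitable even though its version number falls in range.

# Returns 0 (true) when the version string is in the vulnerable range.
openssl_is_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `openvpn --version` output on stdin and prints the OpenSSL version
# found on its "library versions: OpenSSL x.y.zN ..." line (OpenVPN 2.3).
openssl_version_from_openvpn() {
    sed -n 's/.*library versions: OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Prints a verdict for one version string.
heartbleed_verdict() {
    if openssl_is_vulnerable "$1"; then
        echo "OpenSSL $1: VULNERABLE - update OpenSSL, then revoke and replace keys"
    else
        echo "OpenSSL $1: not in the vulnerable range"
    fi
}

# Constructed sample of `openvpn --version` output from a 2.3.x build.
SAMPLE_OUTPUT='OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] built on Dec  1 2014
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06'

ver=$(printf '%s\n' "$SAMPLE_OUTPUT" | openssl_version_from_openvpn)
heartbleed_verdict "$ver"

# Against a live install:  openvpn --version | openssl_version_from_openvpn
```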

How do I fix this?

  1. Update your OpenSSL library
  2. Revoke your old private keys
  3. Generate new private keys
  4. Create certificates for the new private keys

Is this for clients or servers?

Both. Replace the keys for each peer that was active while linked against a vulnerable OpenSSL.

Are Android clients affected too?

Android has shipped OpenSSL 1.0.1 since 4.1, but heartbeats have been disabled since 4.1.2. That means only Android 4.1(.0) and 4.1.1 are vulnerable.

Are PolarSSL builds affected too?

No. See [2].

[1] http://heartbleed.com/

[2] https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-01