[Ach] 'Heartbleed' and OpenVPN

Ralf Schlatterbeck rsc at runtux.com
Wed Apr 9 14:58:29 CEST 2014


On Tue, Apr 08, 2014 at 12:45:23PM +0200, René Pfeiffer wrote:
> On Apr 08, 2014 at 1239 +0200, Aaron Zauner appeared and said:
> > https://gist.github.com/takeshixx/10107280
> 
> Hm, since the OpenVPN servers configured with TLS Auth do not respond to
> unauthenticated packets, I believe the test tools and attacks fail.

What is the status with OpenVPN? Does test code exist?
Am I vulnerable if I trust all my clients, or put another way, is this
exploitable when the attacker doesn't have a valid certificate?

A UDP server should verify each incoming packet against an HMAC (when
configured), so would such a setup be vulnerable?

How about TCP?

https://community.openvpn.net/openvpn/wiki/heartbleed
is very vague in this regard.

Ralf

-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office at runtux.com
allmenda.com member                     email: rsc at allmenda.com


