[Ach] 'Heartbleed' and OpenVPN
Ralf Schlatterbeck
rsc at runtux.com
Wed Apr 9 14:58:29 CEST 2014
On Tue, Apr 08, 2014 at 12:45:23PM +0200, René Pfeiffer wrote:
> On Apr 08, 2014 at 1239 +0200, Aaron Zauner appeared and said:
> > https://gist.github.com/takeshixx/10107280
>
> Hm, since the OpenVPN servers configured with TLS Auth do not respond to
> unauthenticated packets, I believe the test tools and attacks fail.

What is the status with OpenVPN, does test code exist?
Am I vulnerable if I trust all my clients, or put another way, is this
exploitable when the attacker doesn't have a valid certificate?
A UDP server should verify each incoming packet against an HMAC (when
configured), so would such a setup be vulnerable?
How about TCP?
https://community.openvpn.net/openvpn/wiki/heartbleed
is very vague in this regard.
Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office at runtux.com
allmenda.com member email: rsc at allmenda.com