[Ach] 'Heartbleed' and OpenVPN
Adi Kriegisch
adi at kriegisch.at
Wed Apr 9 15:48:48 CEST 2014
Hey!
> > Hm, since the OpenVPN servers configured with TLS Auth do not respond to
> > unauthenticated packets, I believe the test tools and attacks fail.
[...]
> https://community.openvpn.net/openvpn/wiki/heartbleed
> is very vague in this regard.
I think they're very specific when you're using client certificates:
"Do TLS-auth keys protect my setup?
To some extent. You are strongly encouraged to use TLS-auth keys. In this
scenario an attacker can not attack openvpn instances without the TLS-auth
key. With a large user base, you should however consider the possibility of
one (or more) of the openvpn instances being compromised. Such a
compromised instance could attack other instances (including the server)."
So, if you can really trust your clients, then your server isn't
compromised, most probably because the heartbeat feature is exposed only
after the key exchange has happened.
-- Adi
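The configuration the quoted wiki entry refers to, as an added example that is not part of the original message or of the OpenVPN project's own documentation: a server and a client fragment with tls-auth enabled. File names, paths, the subnet and the remote address are assumptions. The static key is generated once with `openvpn --genkey --secret ta.key` (OpenVPN 2.3-era syntax) and copied to every client out of band; the direction parameter is 0 on the server and 1 on clients.

```conf
# server.conf (assumed file name); added example, not from the original thread.
# Every control-channel packet must carry an HMAC keyed with ta.key before it
# is handed to the TLS layer, so a peer without ta.key never reaches OpenSSL.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0          # direction 0 on the server
remote-cert-tls client     # only accept certificates issued for client use
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3

# client.conf (assumed file name); added example, not from the original thread.
client
proto udp
dev tun
remote vpn.example.org 1194   # assumed server address
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1          # direction 1 on clients, same ta.key as the server
remote-cert-tls server     # refuse to talk TLS to a peer without a server certificate
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

With these lines in place, a packet from an address that does not hold ta.key fails the HMAC check and is dropped before any TLS record, heartbeat requests included, is parsed. The caveat the wiki quote makes still holds: every client that has ta.key can complete the check, so a compromised client can still send heartbeat requests to the server's OpenSSL. Treat tls-auth as a filter, not a patch, and check the OpenSSL version the daemon is linked against (`openvpn --version` prints it) and upgrade any vulnerable 1.0.1 build regardless.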