[Ach] 'Heartbleed' and OpenVPN

Adi Kriegisch adi at kriegisch.at
Wed Apr 9 15:48:48 CEST 2014


Hey!

> > Hm, since the OpenVPN servers configured with TLS Auth do not respond to
> > unauthenticated packets, I believe the test tools and attacks fail.
[...]
> https://community.openvpn.net/openvpn/wiki/heartbleed
> is very vague in this regard.
I think they're very specific when you're using client certificates:
"Do TLS-auth keys protect my setup?

To some extent. You are strongly encouraged to use TLS-auth keys. In this
scenario an attacker can not attack openvpn instances without the TLS-auth
key. With a large user base, you should however consider the possibility of
one (or more) of the openvpn instances being compromised. Such a
compromised instance could attack other instances (including the server)."

So, if you can really trust your clients, then your server isn't
compromised, most probably because the heartbeat feature is exposed only
after the key exchange has happened.

-- Adi