[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Recent OpenSSL Vulnerabilities


  • Subject: Re: [Openvpn-users] Recent OpenSSL Vulnerabilities
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Fri, 19 Mar 2004 20:26:32 -0000

"Kevin P. Fleming" <kpfleming@xxxxxxxxxxxxxxxxxxxx> said:

> Doug Lytle wrote:
> 
> > James,
> > 
> > When updating to the current OpenSSL release, does OpenVPN need to be 
> > re-compiled?

The Windows version of OpenVPN is dynamically linked with OpenSSL which means
that you can basically just drop-in new OpenSSL .DLLs to upgrade.

OpenVPN needs libssl32.dll and libeay32.dll to be in the PATH when it is run.
 The OpenVPN self-installer usually puts these in \Program Files\OpenVPN\bin

BTW, this vulnerability appears to be not more serious than DoS.  I didn't see
any mention of a remote code injection exploit.

Also, SSL/TLS vulnerabilities in OpenSSL can be protected against to a large
extent by using --tls-auth.  And if you are using static key mode (--secret),
you will not be affected because static key mode doesn't use SSL/TLS.

James


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users