Re: [Openvpn-users] First OpenVPN 2.0 Release Candidate is available


  • Subject: Re: [Openvpn-users] First OpenVPN 2.0 Release Candidate is available
  • From: Richard Atterer <richard@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 8 Dec 2004 10:55:26 +0100
  • Mail-copies-to: nobody

On Tue, Dec 07, 2004 at 02:37:31PM -0700, James Yonan wrote:
> I would encourage everyone to give it a workout in as many real-world
> situations as possible.

Hi, IMHO there is a problem in the way the recent man-in-the-middle 
vulnerability (you could call it that!) was handled.

AFAICT, neither the program nor the documentation currently prevents users
from making the mistake of not specifying the "tls-verify" option to avoid
this problem. Was the HOWTO updated at all about this?

The problem should also be mentioned prominently on the main web page. 
Additionally, it might even be a good idea to post a summary about this on
Bugtraq.

You may not agree, but I think it would be beneficial to intentionally
break people's setups with 2.0 to force them to fix their setup. For
example, openvpn could demand an explicit "tls-verify any" to continue
working the way it currently does.
OpenVPN's _default_behaviour_ should prevent this vulnerability!

Anyway, thank you for this great piece of software!

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users