I've just found this hint on GitHub for the OpenVPN compile options for 
LibreSSL:
https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995

So will try a build later tonight and share back here if that CVE is fixed.

Would prefer to rebuild with the same options as the packaged binary, and it 
occurred to me that I don't know how to find that on OpenBSD?

Thanks again :)


Sent from a teeny tiny keyboard, so please excuse typos

> On 20 Jun 2017, at 20:23, Andrew Lemin <andrew.le...@gmail.com> wrote:
> 
> Hi Misc,
> 
> Has anyone else come across any issues recently with OpenVPN, LibreSSL and 
> TLS on OpenBSD 6.1?
> 
> I am using an .ovpn file with TLS auth static key and cert inline within the 
> file, to connect to VPN service. Running openvpn binary from command line 
> without any special params, just .ovpn file.
> 
> I have tested this is working fine on a Linux server with same config (using 
> OpenSSL), so the server side, CA and cert are fine etc.
> 
> I noticed on the Linux server the line; "Control Channel Authentication: 
> tls-auth using INLINE static key file", but I do not see this debug on the 
> OpenBSD version. Wondered if LibreSSL is not negotiating TLS properly.
> 
> 
> I have since found CVE-2017-8301 which I believe is related. And confirmed 
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
> 
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD 
> trees I can see 2.5.4 was cut around 1st of May.
> 
> I used MTier to grab all major patches etc, but LibreSSL not in patch list 
> yet. openvpn did have a minor.
> 
> So downloaded LibreSSL 2.5.4 source, compiled and installed as per INSTALL 
> etc. However notice that openvpn is still linking to 2.5.2.
> 
> It would be great if someone would be kind enough to confirm if this CVE is 
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
> 
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 
> install?
> 
> Thanks for your time.
> Kind regards, Andy Lemin
> 
> 
> 
> Sent from a teeny tiny keyboard, so please excuse typos
