> Jan Just Keijser wrote:
>> ouch:
>> http://www.openssl.org/news/secadv_20120419.txt
>>
>> we need to investigate whether and how openvpn is affected.
>>
>>
> did somebody end up writing an 'authoritative' answer to the question if
> and how openvpn is affected by this bug?
>
> cheers,
>
> JJK
>

Hi all,

Got a response from James:

---
My reading on this is that OpenVPN is probably not vulnerable.

Scanning the OpenVPN source for usage of the vulnerable methods (d2i_*_bio or d2i_*_fp), I'm seeing several calls of the methods in ssl.c; however, the data passed to these methods is coming from local sources.

$ grep -Er '\bd2i_.*_(bio|fp)\b' .
./ssl.c: p12 = d2i_PKCS12_bio(b64, NULL);
./ssl.c: p12 = d2i_PKCS12_fp(fp, NULL);

For example, above, we are passing the PKCS12 file to OpenSSL methods that have been cited as vulnerable; however, the PKCS12 file is locally obtained, so there's no capability for a malicious client or server to try to push a malformed file to its peer as a part of the OpenVPN or SSL/TLS protocols.

Aside from this, the vulnerability text says that "In particular the SSL/TLS code of OpenSSL is *not* affected." so the core SSL/TLS implementation in OpenVPN should be immune.

And in general, using the "tls-auth" option gives you another level of protection against any OpenSSL issues that would involve a direct attack on the SSL/TLS protocol.

James
---
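The last point in James's reply, that "tls-auth" puts an HMAC check in front of the SSL/TLS handshake, is the kind of setting an operator would want to audit across a fleet of configs. The script below is an added example for this thread, not code from the OpenVPN project or from James: it reads OpenVPN config files and reports whether tls-auth (or the later tls-crypt option) is enabled and which key direction is set. The two config files it creates are constructed for the demo; the file names, the key file name ta.key and the hostname vpn.example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit OpenVPN configs for the tls-auth
# HMAC layer that James describes as extra protection in front of SSL/TLS.

# Return 0 if the config enables tls-auth or tls-crypt, 1 otherwise.
# Both the "tls-auth ta.key 0" form and an inline <tls-auth> block count;
# commented-out lines do not, because the regex is anchored at line start.
has_tls_auth() {
    grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]|^[[:space:]]*<(tls-auth|tls-crypt)>' "$1"
}

# Print "direction=N": the third word of "tls-auth <file> N", or the value of a
# separate "key-direction" line (used with inline keys); "direction=none" if
# neither is present.
tls_auth_direction() {
    awk '
        $1 == "tls-auth" && NF >= 3 { print "direction=" $3; found = 1; exit }
        $1 == "key-direction"       { print "direction=" $2; found = 1; exit }
        END { if (!found) print "direction=none" }
    ' "$1"
}

# One-line verdict per config file.
audit_config() {
    if has_tls_auth "$1"; then
        echo "$1: tls-auth present ($(tls_auth_direction "$1"))"
    else
        echo "$1: WARNING: no tls-auth/tls-crypt; handshake packets reach OpenSSL unauthenticated"
    fi
}

# Constructed sample configs (assumed file names, key names and hostname).
# The shared key would be generated with: openvpn --genkey --secret ta.key
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC firewall: packets not signed with ta.key are dropped before the TLS handshake
tls-auth ta.key 0
EOF

cat > "$demo_dir/client-weak.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
# tls-auth ta.key 1   <- commented out, so it must not count as enabled
EOF

audit_config "$demo_dir/server.conf"
audit_config "$demo_dir/client-weak.conf"
```

Run it as-is to see one config pass and the other flagged; point audit_config at real files under /etc/openvpn to audit a deployment. A config that passes still needs the matching direction on the peer (0 on the server, 1 on the client), which is why the direction is printed alongside the verdict.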