On Tue, 08 Apr 2014 11:08:59 +0200, Tore Anderson <t...@fud.no> wrote:
> I'm guessing that everyone has seen http://heartbleed.com/ by now. > > My question is simple: Could anyone confirm whether or not OpenVPN is > vulnerable (when linked to a vulnerable version of OpenSSL)? This is James' reply on the devel list: Using the tls-auth option should protect against this vulnerability (assuming that your tls-auth key is not known to the attacker). If you're not using tls-auth and are using a vulnerable version of OpenSSL, you should definitely upgrade to OpenSSL 1.0.1g. -- D.
