-----Original Message-----
From: Davide Brini [mailto:dave...@gmx.com]
Sent: Tuesday 8 April 2014 13:26
To: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Heartbleed

> On Tue, 08 Apr 2014 11:08:59 +0200, Tore Anderson <t...@fud.no> wrote:
> > I'm guessing that everyone has seen http://heartbleed.com/ by now.
> >
> > My question is simple: Could anyone confirm whether or not OpenVPN is
> > vulnerable (when linked to a vulnerable version of OpenSSL)?
> This is James' reply on the devel list:
> Using the tls-auth option should protect against this vulnerability (assuming
> that your tls-auth key is not known to the attacker).
> If you're not using tls-auth and are using a vulnerable version of OpenSSL,
> you should definitely upgrade to OpenSSL 1.0.1g.

Note that you should also replace both server and client private keys, as these can be read by an attacker.
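
The triage described in this thread can be scripted; the following is an added example, not part of the original messages and not OpenVPN project code. It assumes the banner passed in is the output of `openssl version` for the library OpenVPN is actually linked against; the function names, status strings and sample configs are constructed for illustration.

```python
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fixed release.
# Distribution packages may carry the fix without changing this version string,
# so a match here means "check further", not proof of exposure.
VULNERABLE = re.compile(r"^1\.0\.1[a-f]?$")


def parse_openssl_version(banner):
    """Extract '1.0.1f' from a banner such as 'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner)
    return m.group(1) if m else None


def has_tls_auth(config_text):
    """True if the config has an active tls-auth directive or inline <tls-auth> block."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        if line.split()[0] in ("tls-auth", "<tls-auth>"):
            return True
    return False


def assess(config_text, banner):
    """Return (status, actions) following the advice given in the thread."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown", ["determine the OpenSSL version OpenVPN is linked against"]
    if not VULNERABLE.match(version):
        return "not-affected", []
    if has_tls_auth(config_text):
        # Protection holds only while the tls-auth key is unknown to the attacker.
        return "tls-auth-protected", ["upgrade OpenSSL to 1.0.1g"]
    return "exposed", ["upgrade OpenSSL to 1.0.1g",
                       "replace server and client private keys"]


# Constructed sample configs, not taken from the thread.
CONF_PLAIN = ("port 1194\nproto udp\nca ca.crt\ncert server.crt\n"
              "key server.key\n;tls-auth ta.key 0\n")
CONF_TA = CONF_PLAIN.replace(";tls-auth", "tls-auth")

if __name__ == "__main__":
    for name, conf in (("plain", CONF_PLAIN), ("tls-auth", CONF_TA)):
        print(name, assess(conf, "OpenSSL 1.0.1f 6 Jan 2014"))
```

A commented-out `;tls-auth` line, as in the first sample config, does not count as protection.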