Hi,

On Wed, Apr 09, 2014 at 02:32:42PM +0600, ???? ??????? wrote:
> I used to think that client without "nobind" option binds to 1194/udp
> (we encountered that issue with multiple openvpn connection on the
> same machine), so, "nobind" tells openvpn instance not to bind to
> udp/1194, and so, only openvpn server can exploit heartbleed
> vulnerability, but not any attacker.

Well, not "any" attacker, but "any attacker who can see your packets", either by sitting in the path, or by DNS attacks, misdirecting your communication attempts to a malicious server.

This is not trivial to set up, and might not be worth it for every client out there - but if you're truly concerned about your data, upgrade the client, revoke the old key+certificate, reissue new keys.

(If you use an extra username+password authentication with one-time-passwords, this should be "good enough", provided your openssl is fixed)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de