Hi,

OpenVPN does not currently report the version of the SSL library it is using - which I'm not sure whether it's by design or just because nobody ever added it. Anyway, right now I think we need it, to help future cases.

There are a few questions that go along with that, which I want to discuss here :-)

- shall we report compile-time versions as well, or only run-time version? Like:

    OpenSSL compile version='OpenSSL 1.0.1f 6 Jan 2014' library version='OpenSSL 1.0.1g 7 Apr 2014'

  (this is on one of my test systems where I discovered an old OpenSSL installation, and upgraded *after* I built the OpenVPN binary)

  While I always like seeing numbers, I think the compile-time version is not actually that useful - if the ABI is not compatible, it will break, and if it is, the library version is what is relevant.

- how do I get the library version for PolarSSL?

- shall we report the library version to the server, e.g. in the form of

    IV_SSL=OpenSSL 1.0.1f
    IV_SSL=PolarSSL 1.2.8

  as a sysadmin on the server side, I'd welcome this ("show me what my users are running"). From a security geek side, I'm not sure whether there is potential for abuse, so "please give me your input"

- if we report it, do we want to report it always (as IV_VER) or only if --push-peer-info is set?

feedback, please! :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
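A server-side check over the `IV_SSL` format proposed in the message above, as an added example that is not part of the original post or of OpenVPN's code: it parses the peer-reported library and version and compares it with an administrator-chosen minimum for the same library. The function names, the minimum value and the sample lines are constructed for illustration, and the format itself is only the proposal from the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Parsed form of a proposed "IV_SSL=<library> <version>" peer-info value. */
struct ssl_ver {
    char lib[16];            /* "OpenSSL" or "PolarSSL" */
    int major, minor, fix;
    char patch;              /* OpenSSL letter suffix ('f', 'g'), 0 if none */
};

/* Returns 0 on success, -1 if the line is not a well-formed IV_SSL value. */
int parse_iv_ssl(const char *line, struct ssl_ver *out)
{
    int n = 0;
    out->patch = 0;
    if (sscanf(line, "IV_SSL=%15[A-Za-z] %d.%d.%d%n",
               out->lib, &out->major, &out->minor, &out->fix, &n) != 4
        || out->major < 0 || out->minor < 0 || out->fix < 0)
        return -1;
    const char *rest = line + n;
    if (islower((unsigned char)*rest))
        out->patch = *rest++;
    /* The value is peer-supplied: reject trailing bytes instead of ignoring them. */
    return *rest == '\0' ? 0 : -1;
}

/* 1 = at or above the minimum, 0 = below it, -1 = unparsable or other library. */
int meets_minimum(const char *peer_line, const char *min_line)
{
    struct ssl_ver p, m;
    if (parse_iv_ssl(peer_line, &p) || parse_iv_ssl(min_line, &m) ||
        strcmp(p.lib, m.lib) != 0)
        return -1;
    if (p.major != m.major) return p.major > m.major;
    if (p.minor != m.minor) return p.minor > m.minor;
    if (p.fix != m.fix) return p.fix > m.fix;
    return p.patch >= m.patch;
}

int main(void)
{
    /* Constructed sample lines; the minimum is a hypothetical local policy. */
    const char *peers[] = { "IV_SSL=OpenSSL 1.0.1f", "IV_SSL=OpenSSL 1.0.1g",
                            "IV_SSL=PolarSSL 1.2.8" };
    for (int i = 0; i < 3; i++)
        printf("%-24s -> %d\n", peers[i],
               meets_minimum(peers[i], "IV_SSL=OpenSSL 1.0.1g"));
    return 0;
}
```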