Hi,

On 14-04-14 09:12, Jan Just Keijser wrote:
> Gert Doering wrote:
>> - if we report it, do we want to report it always (as IV_VER) or only
>> if --push-peer-info is set?
>>
> we're reporting the openvpn version info anyway, so adding the SSL lib
> version would not change much; if it is only returned when
> --push-peer-info is set then there shouldn't be any privacy/security
> concerns, esp if the info is given *AFTER* the initial connection is
> made (i.e. after the first certificate handshake).

My thoughts exactly. I think this is useful, but I do not want to tell an eavesdropper whether I'm running a vulnerable SSL library. So, this should really happen *after* the peer authentication, over a secure channel.

-Steffan