On 08.04.2014 15:13, Joe Patterson wrote:
> I think that what's being referred to here is that a VPN service with
> multiple independent clients could have one nefarious client who used
> a valid client key/cert to establish a session, then used that session
> plus this vulnerability to compromise the server's private key, plus
> usernames, passwords, and session keys of other clients of that VPN
> service.

But I think this only holds if the ***Server*** openssl library is still vulnerable. The client never gets the server's private key, so it cannot be proliferated in this way. Naturally we all need to update the servers ASAP, but can we continue to use clients with old openssl DLLs?

JC

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users