Very true.  I mean, a malicious server could compromise clients, but I was
thinking more along the lines of malicious clients compromising servers,
which would require the server to be unpatched.  If you run a server,
definitely patch.  If you're a client, patch anyway, for reasons beyond
openvpn.  But the frustrating thing here is that, as a client, it's hard to
be certain that the server you are connecting to has been patched, or even
if it has been, that its key was not compromised before it was patched.


On Tue, Apr 8, 2014 at 9:48 AM, Jakob Curdes <j...@info-systems.de> wrote:

>
> Am 08.04.2014 15:13, schrieb Joe Patterson:
>
>> I think that what's being referred to here is that a VPN service with
>> multiple independent clients could have one nefarious client who used a
>> valid client key/cert to establish a session, then used that session plus
>> this vulnerability to compromise the server's private key, plus usernames,
>> passwords, and session keys of other clients of that VPN service.
>>
> But I think this only holds if the ***Server*** openssl library is still
> vulnerable. The client never gets the server's private key, so it cannot be
> proliferated in this way. Naturally we all need to update the servers ASAP,
> but can we continue to use clients with old openssl DLLs?
>
> JC
>
>
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users