We rely on file-based cert/key authentication and do not use tls-auth or
other methods. So, just as you recommended, we will need to re-create and
re-issue respective certs and keys to all clients.
Also, can you all help with the following:
1. After our Windows server has been upgraded to 2.3.3, how can I determine
if a connecting Windows client is still using older insecure versions? I
cannot see anything specific in the server log that tells me the client's
version. Do I need to start the OpenVPN service with specific parameters to
see that information?
2. Heartbleed has no bearing on **production** of certs/keys, correct? Can
we still use easy-rsa without patching it separately?
Thanks!
-----Original Message-----
From: Fredrik Strömberg [mailto:stromb...@insto.org]
Sent: Wednesday, April 9, 2014 6:29 AM
To: Gert Doering
Cc: Sumit Dahiya; openvpn users list (openvpn-users@lists.sourceforge.net)
Subject: Re: [Openvpn-users] Does OpenVPN use the TLS heartbeat extension?
(OpenSSL Security Advisory CVE-2014-0160)
>> 3. Do we need to re-generate all keys/certificates (ca, clients etc.)
>> and send them over to all clients after this fix?
>
> Same answer that has been given before - unless you use some sort of
> extra authentication (--tls-auth or one-time-password authentication),
> there is a chance that someone stole your keys -> re-generate
> keys+certs is the most secure approach to it.
And to further complicate the answer. Even if you used tls-auth you were
still vulnerable to getting your keys stolen by anyone that had access to
the tls-auth key.
// Fredrik
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users