Hi,

On Wed, Apr 09, 2014 at 10:24:17PM -0400, Sumit Dahiya wrote:
> 1. After our Windows server has been upgraded to 2.3.3, how can I determine
> if a connecting Windows client is still using older insecure versions? I
> cannot see anything specific in the server log that tells me client’s
> version? Do I need to start the OpenVPN service with specific parameters to
> see that information?

2.3.2 and 2.3.3 will send version information from client to server
(as part of the push-peer-info handshake).  

Unfortunately, on a 2.3.x *server*, you will not see that data, as it is
only exported towards the management interface, and only if the mgmt if
is used for user+pass authentication.  You'd need a git master server to
see that data - it will then look like this in the logs, and in the
"--client-connect" script environment:

Apr 10 09:17:43 ovpn-tun99[16867]: 1.2.3.4 peer info: IV_VER=2.3.3
Apr 10 09:17:43 ovpn-tun99[16867]: 1.2.3.4 peer info: IV_PLAT=win

2.3.x is not overly talkative, though, and it seems the IV_GUI_VER changes
did not work out right (will test later).  

A git master/2.4 or 3.0 client will also tell the server what sort of GUI 
version it has, what compression algorithms are supported, etc. - like this:

Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.0.4-140
Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_VER=3.0
Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_PLAT=ios
Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_NCP=1
Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_LZO=1



> 2. Heartbleed has no bearing on **production** of certs/keys, correct? Can
> we still use easy-rsa without patching it separately?

Right.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
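
The "peer info" log lines quoted in the reply above can be grouped per client and checked against a minimum version. The following is an added example, not part of the original message or of OpenVPN itself: the function names, the 2.3.3 floor and the sample log (constructed in the format shown above) are assumptions, and the IV_* values are reported by the client, so they serve as an inventory aid rather than proof of what the client runs.

```python
import re
from collections import defaultdict

# Constructed sample, in the log format shown in the message above.
SAMPLE_LOG = """\
Apr 10 09:17:43 ovpn-tun99[16867]: 1.2.3.4 peer info: IV_VER=2.3.3
Apr 10 09:17:43 ovpn-tun99[16867]: 1.2.3.4 peer info: IV_PLAT=win
Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_VER=3.0
Apr 10 09:22:47 ovpn-tun99[16867]: 3.4.5.6 peer info: IV_PLAT=ios
Apr 10 09:30:02 ovpn-tun99[16867]: 5.6.7.8 peer info: IV_VER=2.3.2
Apr 10 09:30:02 ovpn-tun99[16867]: 5.6.7.8 peer info: IV_PLAT=win
Apr 10 09:31:10 ovpn-tun99[16867]: 9.9.9.9 peer info: IV_PLAT=win
"""

# "<syslog prefix>]: <peer address> peer info: IV_KEY=value"
PEER_INFO = re.compile(r"\]:\s+(\S+)\s+peer info:\s+(IV_\w+)=(\S*)")

def parse_peer_info(log_text):
    """Collect IV_* variables per peer address from server log text."""
    peers = defaultdict(dict)
    for line in log_text.splitlines():
        m = PEER_INFO.search(line)
        if m:
            addr, key, value = m.groups()
            peers[addr][key] = value
    return dict(peers)

def version_tuple(ver):
    """Leading numeric part as a tuple: '2.3.3' -> (2, 3, 3); junk -> ()."""
    m = re.match(r"\d+(?:\.\d+)*", ver)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def outdated_clients(peers, minimum="2.3.3", platform=None):
    """Map address -> reported IV_VER for peers below `minimum`.

    Peers that sent no IV_VER are listed with None, since a client that
    reports no version cannot be confirmed as upgraded.
    """
    floor = version_tuple(minimum)
    flagged = {}
    for addr, info in peers.items():
        if platform and info.get("IV_PLAT") != platform:
            continue
        ver = info.get("IV_VER")
        if ver is None or version_tuple(ver) < floor:
            flagged[addr] = ver
    return flagged
```

Calling `outdated_clients(parse_peer_info(text), platform="win")` on a server log restricts the report to Windows clients, which is the case asked about in question 1.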
