On 21.04.2014 06:07, fausto milinazzo wrote:
> In using the heartbleed exploit to obtain the root certificate and
> personal keys from an openvpn server, was it necessary to have used a
> valid certificate? I would guess that determining whether a
> particular server is vulnerable does not require a valid certificate,
> so it may be possible to carry out such an attack without a valid
> certificate.

As far as I understand it, the exploit happens during the negotiation of parameters for the connection and thus does not require a valid certificate, i.e. any system trying to establish a connection was able to look into the exposed part of the process memory.

Anyway, the problem is not the certificate but the fact that the server host key and/or other credentials may have been stolen. If you have a small installation and TLS auth in place, you may get away with leaving things as they are, but the general recommendation in this case is to replace host keys, certificates, and other credentials used in the process.
Best regards,
Jakob Curdes
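A defender-side follow-up to the rotation advice in the reply above, added here as an example and not part of the thread or of OpenVPN itself: it issues a fresh server key and certificate plus a fresh tls-auth key, then checks that the deployed certificate post-dates the Heartbleed disclosure and that key and certificate actually belong together. It assumes openssl in PATH, writes into a temporary directory, and the CN and file paths are placeholders.

```shell
# Added example, not code from the thread: rotate what a Heartbleed-exposed
# OpenVPN server may have leaked (server key/cert, tls-auth key) and verify it.
# Assumes openssl in PATH; CN and paths are placeholders; the static key layout
# (256 random bytes as 16 lines of 32 hex chars) is assumed to match openvpn --genkey.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# New RSA key + self-signed cert (stand-in for re-issuing from your CA).
# Never reuse the old key: the private key is exactly what Heartbleed leaks.
rotate_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=vpn.example.invalid" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Fresh tls-auth key: anyone holding the old one could still pass the HMAC
# check on the control channel, so rotate it together with the certificate.
rotate_tls_auth_key() {
    {
        echo "-----BEGIN OpenVPN Static key V1-----"
        openssl rand -hex 256 | fold -w 32
        echo "-----END OpenVPN Static key V1-----"
    } > "$WORK/ta.key"
    chmod 600 "$WORK/ta.key"
}

# Audit: prints "rotated" if notBefore is after the 2014-04-07 disclosure,
# else "stale". Compares a YYYYMMDD string so it does not depend on date(1).
cert_issued_after_disclosure() {
    openssl x509 -in "$1" -noout -startdate | awk -F'[= ]+' '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
                for (i in n) m[n[i]] = i }
        { key = sprintf("%04d%02d%02d", $5, m[$2], $3)
          print (key > "20140407" ? "rotated" : "stale") }'
}

# Post-rotation sanity check: the deployed cert must carry the new public key.
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

rotate_server_cert
rotate_tls_auth_key
echo "server.crt: $(cert_issued_after_disclosure "$WORK/server.crt")"
key_matches_cert && echo "key/cert match: ok"
```

Run the audit function against the certificate actually served by a host to find installations that were patched but never re-keyed.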