-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello!

A CVE for mbed TLS has been published, CVE-2025-27809. The issue is
that mbed TLS silently skips validating the hostname on the server
certificate if the expected hostname is not provided via a call to the
function mbedtls_ssl_set_hostname().

OpenVPN does not use the TLS library to validate hostnames. Instead,
OpenVPN itself validates the name on the peer's certificate if the
configuration option --verify-x509-name is given. This check is
performed independently of mbed TLS and is not affected by the CVE.

If you do not use this option, the name of the certificate cannot be
validated because OpenVPN does not know what the expected name is. The
deployment advisory (inzetadvies) for OpenVPN-NL requires clients to use
this option to validate server certificates. (Appendix 1)

Best regards,
Max Fillinger
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
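The message above says that OpenVPN only checks the server certificate's name when the client configuration carries --verify-x509-name. The following audit script is an added example, not part of the message and not code from OpenVPN or OpenVPN-NL: it parses OpenVPN client configuration text and reports whether that option is present and which match type it uses. The two sample configurations are constructed for the example; the option syntax (`verify-x509-name name [type]`, with `subject` as the default type and `name` and `name-prefix` as the alternatives) follows OpenVPN's documented option, and the quoting rules are approximated with `shlex`.

```python
"""Audit an OpenVPN client configuration for --verify-x509-name.

Added example; not code from OpenVPN or the OpenVPN-NL advisory.
"""
import shlex
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Match types documented for --verify-x509-name; "subject" is OpenVPN's default.
VALID_TYPES = {"subject", "name", "name-prefix"}

# Constructed sample configurations (hypothetical hostnames and paths).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca ca.crt
cert client.crt
key client.key
<tls-auth>
# inline key material would appear here
</tls-auth>
"""

HARDENED_CONFIG = WEAK_CONFIG + """\
# pin the expected server certificate name; without this line OpenVPN
# has no expected name and cannot validate the certificate's name at all
verify-x509-name "vpn.example.test" name
"""


@dataclass
class Finding:
    verify_x509_name: Optional[str]   # expected name, if configured
    match_type: str                   # "subject", "name" or "name-prefix"
    ok: bool
    notes: List[str] = field(default_factory=list)


def parse_options(config_text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (option, args) per directive, skipping comments and inline <tag>...</tag> blocks."""
    in_block: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = shlex.split(line, comments=False)   # approximation of OpenVPN quoting
        if not parts:
            continue
        # config files may also carry options in command-line style ("--opt")
        yield parts[0].lstrip("-"), parts[1:]


def audit(config_text: str) -> Finding:
    """Report whether the configuration lets OpenVPN validate the server's certificate name."""
    found = [args for opt, args in parse_options(config_text) if opt == "verify-x509-name"]
    if not found:
        return Finding(None, "subject", False,
                       ["no verify-x509-name: OpenVPN has no expected name to check"])
    args = found[-1]                      # a later directive overrides an earlier one
    if not args:
        return Finding(None, "subject", False, ["verify-x509-name given without a name"])
    name = args[0]
    match_type = args[1] if len(args) > 1 else "subject"
    notes: List[str] = []
    if match_type not in VALID_TYPES:
        return Finding(name, match_type, False, [f"unknown match type {match_type!r}"])
    if match_type == "name-prefix":
        notes.append("name-prefix accepts any CN beginning with the prefix, not one exact name")
    return Finding(name, match_type, True, notes)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run the script as-is to see the weak configuration flagged and the hardened one accepted; point `audit()` at the text of a real client profile to check it. The `name-prefix` note is only a flag for review: the match type is still valid, it just binds the client to a family of names rather than one.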