list-openvpn-nl

list-openvpn-nl@lists.fox-it.com

34 discussions

OpenVPN-NL 2.3.8-nl1 released
by Steffan Karger 21 Aug '15

21 Aug '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A new version of OpenVPN-NL (2.3.8-nl1) is available on the OpenVPN-NL site [1]. This version is based on OpenVPN 2.3.8 [2], and PolarSSL 1.2.15 [3]. This new version of OpenVPN-NL includes fixes for a number of minor security issues in PolarSSL [4][5]. If the recommended tls-auth mechanism is used in an OpenVPN-NL configuration, an attacker can only use these to attack such an OpenVPN-NL instance if (s)he is in possession of the tls-auth key. Users are advised to upgrade both OpenVPN-NL clients and servers to 2.3.8-nl1. Important: with this release, the code signing keys have changed, to move to SHA256 instead of SHA1 signature digests. The old keys are _not_ compromised. We now use keys with the following fingerprints to sign OpenVPN-NL releases: Linux: 6A11 9596 8DDC A349 4E7C 598C 43CF 15D3 54E0 3E30 Windows: 0456 cab6 4107 209a 470d 4439 09c5 cee5 576f 9000 Debian/Ubuntu users should import the new keys by: wget https://openvpn.fox-it.com/repos/fox-crypto-gpg.asc gpg --with-fingerprint fox-crypto-gpg.asc # (verify fingerprint) sudo apt-key add fox-crypto-gpg.asc Red Hat / SuSE users should import new keys by: wget https://openvpn.fox-it.com/repos/fox-crypto-gpg.asc gpg --with-fingerprint fox-crypto-gpg.asc # (verify fingerprint) sudo rpm --import fox-crypto-gpg.asc Windows users should verify the key fingerprint through properties->digital signatures before starting the installer. References - ---------- [1] https://openvpn.fox-it.com/ [2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 [3] https://tls.mbed.org/tech-updates/releases/polarssl-1.2.15-released [4] https://tls.mbed.org/tech-updates/releases/polarssl-1.2.14-released [5] https://tls.mbed.org/tech-updates/releases/polarssl-1.2.13-released -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJV1yq+AAoJEEEwndWOY1w5FTUH/2YaJi4RsdUve3536/G1qraQ Q/Fu0J1YLkvnJp/pP8kwiLNj2XCNFiu+F6CqfCyOoUXyIIn3CtSfHhS6TiYctuj0 TtlWXPMeA051AaCPq4YNaen6xLB/j9vRpFPge3rmgWoJ3LcpqRvLhSSfnr9PhYnZ t2tXAb/QlUQ7wdjOV3aIKl1OWaxIYSz75lw1PHv4aaV+kygM8+a4NsxCKE8vb4O9 Cmy/HQhwZLF57P6BIfB5SCw8mhLygmfezaTj91kcl64drLD8c/6YN+KUiG4Ee8kO laUtyXQilpCJdBedcAuXDNdMbZOIAOqopphx8ooVxSVSwB11Kn4nMuNM/IoIdx4= =v2Mm -----END PGP SIGNATURE-----

1 0

Security advisory: Logjam / weakdh
by Steffan Karger 20 May '15

20 May '15

Summary: OpenVPN-NL is not vulnerable to the Logjam attack [logjam] and no action is required from OpenVPN-NL administrators or users. Full description: Critical vulnerabilities in Diffie-Hellman key-exchanges and the TLS protocol, dubbed 'Logjam', have been published this morning [logjam]. The authors of [logjam] show a man-in-the-middle attack on TLS that downgrades the DH parameters used for key-exchange to EXPORT-grade (512-bits) parameters, if both client and server have support for export-grade parameters. Furthermore, the authors show they can break 512-bits DH key exchanges, based on a known DH group, within 90 seconds. They argue the scientific community should be able to break 768-bits parameters and state actors might be able to break 1024-bits parameters. OpenVPN-NL is not vulnerable to Logjam for the following reasons: 1) OpenVPN encourages users to generate their own DH-parameters, rather than using a known DH-group. 2) OpenVPN-NL enforces the use of 2048-bit DH parameters, which is considered large enough to be infeasible to break. 3) OpenVPN-NL can not be configured to support export-grade DH parameters. Furthermore, use of the recommended tls-auth feature would block the man-in-the-middle downgrade attack. [logjam] https://weakdh.org/

1 0

OpenVPN-NL v2.3.5-nl3 released
by Steffan Karger 19 Jan '15

19 Jan '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A new version of OpenVPN-NL (2.3.5-nl3) is available on the OpenVPN-NL site [1]. This version is based on OpenVPN 2.3.5 [2], and PolarSSL 1.2.12 [3]. This new version of OpenVPN-NL fixes a potential double free vulnerability in PolarSSL [4]. The vulnerability enables an attacker that can send TLS messages to an OpenVPN-NL instance to trick that instance to free an uninitialized pointer. This enables an attacker to mount a denial of service attack, and could potentially lead to remote code execution. If the recommended tls-auth mechanism is used in an OpenVPN-NL configuration, an attacker can only attack such an OpenVPN-NL instance if (s)he is in possession of the tls-auth key. We have not (yet) seen any exploits targeting this vulnerability. Users are advised to upgrade both OpenVPN-NL clients and servers to 2.3.5-nl3. References - ---------- [1] https://openvpn.fox-it.com/ [2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 [3] https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released [4] https://polarssl.org/tech-updates/security-advisories/polarssl-security-adv… -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJUvSPCAAoJEEEwndWOY1w59Y4H/jQP2fqvCDzLc5D0syd650tP sqo6jW2WLxvLTF0bPKYyyy3A1V2Uu+SKjAwcCmA2+UbFjpFlHW28yFeaMclgrHrm 9DWKIXfSaCgal6VWYTuzFmz+z3KhmCLnOBfjHehDw2bPsfFkbb+ILbZbZ2MLowud jlnPISOwwuQdeXZTRJRScGhO6iY87DR4QpMnIRYtFsnqKoW4jEF1Ij4naELS8Mxf jSJZU87/MQsCM3gSAUfAtfV8KFV/AA6nVRg9b459oyOan4eQ2IaYpFZZrIP1Cmy6 U2C8aq4LsIz+WaIIJBoyVqYPeFH6vzWW2me+3heSOIRANWNWHMSoJ/VCH6t2uBI= =kBi3 -----END PGP SIGNATURE-----

1 0

OpenVPN-NL v2.3.5-nl2 released
by Steffan Karger 01 Dec '14

01 Dec '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A new version of OpenVPN-NL (2.3.5-nl2) is available on the OpenVPN-NL site [1]. This version is based on OpenVPN 2.3.5 [2], and PolarSSL 1.2.12 [3]. This new version of OpenVPN-NL fixes a denial-of-service vulnerability [4]. The vulnerability enables authenticated clients to stop openvpn server instances, potentially causing availability issues. Confidentiality and authenticity of traffic are *not* affected. OpenVPN-NL server administrators are recommended to upgrade their server instances to 2.3.5-nl2 as soon as possible. OpenVPN-NL client instances are not directly affected, and can be updated according to your regular update schedule. References - ---------- [1] https://openvpn.fox-it.com/ [2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 [3] https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released [4] https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJUfLNHAAoJEEEwndWOY1w5SogH/RQv29CDaBylVJYwaL27UfGh baThd6/li1Nm2J4zIXeMfPUL8QJN1HYl3XWbtcyB991pjkaMV4kxvvckj5rJVxHx uYQO4biytbvAKAJVtcaQKfN4LWMNZCDmNKuDahRXIlgdb1Ogpq7D95XziGjTN3m6 61VrxekUKeGQq5YDN8za+Jx8KnxxDqOmyDFuxTXNdOkPE0ZpBfdZ5/7VPxIQTOTD qI6je0gH8lXSS6E+Vvm4VglbxcG/0Ak5hD0Ynhtm5hh7c8FHEpLOWZcs39Yp54lg aKdrFxOArley6edFgLSuDkHFH3W8uV/CVaIerflBYRfkoGYN7SsEl15CDCaiHNc= =sTCd -----END PGP SIGNATURE-----

1 0

Pre-notification: upcoming release
by Steffan Karger 01 Dec '14

01 Dec '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A denial of service security vulnerability affecting OpenVPN-NL servers was recently brought to our attention. The vulnerability enables authenticated clients to stop openvpn server instances. The vulnerability affects server availability only. Confidentiality and authenticity of traffic are *not* affected. A fixed version of OpenVPN-NL will be released today (1st Dec 2014) at around 18:00 UTC (20:00 CET). Upstream (regular OpenVPN) will also release a fixed version around the same time. More details will be released to the public once the fixed versions are available. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJUfCMFAAoJEEEwndWOY1w5yQAH/3o7+r1qd7CWpiP4ibizGqBd 53RST7V8Y6B0ivieFKVeGIdYLp3GqVTXmFStVSmSsY3kBPMxMfDmLlwkRaCTK+OH Oft9r4VLCwSUvPLMW/bppxiDXb96sltUe87fl6hHhkHWSUYJy/yh4C/bEEModCv9 BvsYqVT/tCeREb0DJKyFLNJ8jEK2AfmAd3ccNBV41M30JJs2MQ01PtjoMdeCVMRZ bXRjcomilTsVGmLYnfDhAqCc9g184aDphxE5qgFwrfVOJc38P7lhB2jZdfq0GgzS rOKSfkNkoWg/ejMijja2n8RLGw/QSIEYqfXpUY4fqR5efXwgPTRKYf9/ijYMVqk= =6QO5 -----END PGP SIGNATURE-----

1 0

OpenVPN-NL v2.3.5-nl1 released
by Steffan Karger 17 Nov '14

17 Nov '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A new version of OpenVPN-NL (2.3.5-nl1) is available on the OpenVPN-NL site [1]. This version is based on OpenVPN 2.3.5 [2], and PolarSSL 1.2.12 [3]. This new version of OpenVPN-NL includes a new PolarSSL release, which fixes a remotely-triggerable memory leak when parsing some X.509 certificates. When using tls-auth, this can only be achieved when the group key ("tls-auth") has been compromised. A successful attack can potentially cause a denial-of-service; confidentiality and authenticity are not compromised. This release contains some minor bugfixes in both PolarSSL and OpenVPN [2,3]. References - ---------- [1] https://openvpn.fox-it.com/ [2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23 [3] https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJUaby3AAoJEEEwndWOY1w5kH4H/3/tkhQ0Zus3b23JRqG0fyzF mXB49uLsMWoc08J35TU4akCPgg+fLnirW8petCKEHztcshklbfpC8TmRyr5FPrWQ hcDTVSaDZs6Ey5KdXnVd69pcBGaGL4lwRNNL3T/pMXVjh73zkS6QCncVkwkyY/Pc oI9x4D8UkZbK+nf3hwevcF15MYLvkcBfmsa3UfdrSujgDV8l/5zi/RW6EPAh5oLx Seh5FubuMrk+oD2ECw075Itg5b+SYTXPO9Wkk/C++db0rBR4o6uq5YiguSONNmjo FaB9HcnbG8sf4KduvwxH0tZV+X1DzWAnJdz/Xudn7rHUR114bJ46xYuKSO1Uqps= =B9jG -----END PGP SIGNATURE-----

1 0

Security advisory - POODLE
by Steffan Karger 15 Oct '14

15 Oct '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Summary: OpenVPN-NL is not vulnerable to the POODLE attack on SSLv3 [1]. Background: On October 14th 2014, Google released a SSLv3 vulnerability called 'POODLE' [1]. The vulnerability allows an attacker to obtain the plaintext of connections secured with SSLv3. OpenVPN-NL is not vulnerable, since OpenVPN-NL never supported SSLv3 or SSLv3 fallback. [1] http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploitin… -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJUPjjkAAoJEEEwndWOY1w5CIIH/2vFFL4eCqRn2U6MqPNSUWis nMMFJpjsKWXc2ItGEGJwYCrPqpGJfJ47NVAfQRO3q+hXg7sgaj7MT+Phyv4+id7Z 535GIMLCXP9WCliUJFYac7665XdfwrmzNcFTFuqrqtfVwBsajMuECasExga/ubuV GjZ/7cNYOhtfzQcS4JnqcDbWERwqzky0RvkDnaVVFWQqKyuceJBzdIML+iY46+d2 0eAhdn58VZb8LZqYEPZYD/AnRGbR7R1SgGQ58wRMz07fcYyA8x4YxbAzaHztO9Yf 2nuifBGxk/3TX0WKDIQcNbP56gUcAuilfHW7JriqbiAMV6ya5b8lPpGBUbm3xh8= =pSYZ -----END PGP SIGNATURE-----

1 0

OpenVPN-NL v2.3.4-nl1 released
by Steffan Karger 11 Aug '14

11 Aug '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A new version of OpenVPN-NL (2.3.4-nl1) is available on the OpenVPN-NL site [1]. This version is based on OpenVPN 2.3.4, and PolarSSL 1.2.11 [2]. The new version of OpenVPN-NL includes a new PolarSSL release, which fixes a denial-of-service vulnerability when GCM TLS-cipher suites were used [3]. A successful attack could compromise the availability, but would *not* compromise confidentiality. In OpenVPN-NL, this denial-of-service attack can only be exploited when the group key ("tls-auth") has been compromised. We strongly recommend that you upgrade to the new version of OpenVPN-NL. Important note for plugin/script users: This release changes the representation of the tls_serial_{n} environment variable from hex to decimal, to match upstream OpenVPN behaviour. To ease transition for plugin/script users, a new env variable tls_serial_hex_{n} is added, that exports the serial in hex represenation (like tls_serial_{n} previously did). References [1] https://openvpn.fox-it.com/ [2] https://polarssl.org/tech-updates/releases [3] https://polarssl.org/tech-updates/security-advisories/polarssl-security-adv… -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJT6NRRAAoJEEEwndWOY1w59q8H/RjWWp63ODmHskLp/M8tNV/+ QtmJj7NeXjzCmEHTWUWpcE8XYa9+iozDo0Dc0MRUf0BaIRM2zwnT0Nj/wGbZnNFb cL9cmc53IrnPDclMXZGNgn0q+Dn/mR37Yga32sJlv6s+Qu9/xYPgVkRxzG7OO4uY VG6PPWPk82w95HpLgdF27ZuNZXHvgQuMkW2RXMUzkoLfXykCJrak1wXVECGll6mT 6vVf2IRLf+YMzlaE96Tz60qczg0T0q4cAwMIZTTw2flGAFUMh8LDL+Fgh5Q1+3/P xJNrdZDkHD1hy/xwNEseyYAiHL8wqUtXZ13631ekaxnEdpsP+XKPo2VyR1WeqMI= =Yfrw -----END PGP SIGNATURE-----

1 0

OpenVPN-NL security advisory - heartbleed
by Steffan Karger 08 Apr '14

08 Apr '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A serious vulnerability in OpenSSL has been discovered [1]. OpenVPN-NL does not use OpenSSL and thus is not affected by this bug. OpenVPN-NL users should consider: * OpenVPN-NL uses PolarSSL, not OpenSSL, and is not vulnerable [2]. * When using OpenVPN-NL together with OpenSSL-based OpenVPN, the OpenSSL-based peers are vulnerable, and their keys and connection could be compromised. * When using a TLS-auth ('group') key, attackers needs this key to mount an attack on OpenSSL-based peers (e.g. through an untrusted or compromised client). [1] http://heartbleed.com/ [2] https://polarssl.org/tech-updates/security-advisories/polarssl-security-adv… -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQEcBAEBCAAGBQJTRA1VAAoJEEEwndWOY1w54cYH/1yk02o0qKCJQXY0j20Q83tO m3DKdDDZl2jFfQkV5Z0w49qm+ZqifZiZyAWvpWeo3P5PicdMDgDxsle7dtva90VM DAEEslDC7V3Fwbj0237wM6GUZ7ruJarxxhH8UFTfaSkZZmXVMBkDHBKwX5nC6OfM GDNBXGEYqtf1eaCneGsp6m/TrL2opAhvVWbrOAj3ir7Y9usepLlH0Ce3DQewTmzz zU8xk25oPZ5KfaVab7tLaXaJwFRBDQVKpFzVdgGnGu3LGlmncMKwdRNCwSrkxkZ2 7J+EKxcEu8jVGjXSvoP9qcKe5bz6e2P9PWQYr6T1fPWdj7hK7KTFyekpOmUrHMs= =FDQd -----END PGP SIGNATURE-----

1 0

OpenVPN-NL v2.3.2-nl2 released
by Steffan Karger 07 Nov '13

07 Nov '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 A new version of OpenVPN-NL (2.3.2-nl2) is available on the OpenVPN-NL site [1]. This version is based on OpenVPN 2.3.2, and PolarSSL 1.2.10 [2]. This new version of OpenVPN-NL includes a new PolarSSL release, which fixes a possible timing attack on the server [3,4]. A successful attack could compromise the server's RSA private key. In OpenVPN-NL, this denial-of-service attack can only be exploited when the group key ("tls-auth") has been compromised. We strongly recommend that you upgrade to this new version of OpenVPN-NL. Although we believe that this attack is not feasible over the internet, users should consider whether their situation warrants replacement of their server's private/public key pair. References - ---------- [1] https://openvpn.fox-it.com/ [2] https://polarssl.org/tech-updates/releases [3] https://polarssl.org/tech-updates/security-advisories/polarssl-security-adv… [4] https://polarssl.org/public/ctrsa13.pdf -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCAAGBQJSe8TcAAoJEEEwndWOY1w5k9QH/0lTbDPVsvJGYE4ZGEy3KeF0 752bUybgKik8v4eF1Ac6L3rY+8KRRJxgSU/Oo2gX9+5E8tbbRnfDavwB4JIRYjpt 07gcim3fH+15M5diWNOoVyUS70m6bIJjJFeA2SbhtzWMMhffaIjHGl3hM08IvR4S vvoWZ7DxIlbezNmeM+oefiMR00N47syRhcI2JaEzTOFF7Keis3zUZzvMgK8wJ2cX OwieXcpSrzLY9zPjBD37TEQkIe5UXb/Y5237BpQRHgGyZ35jLMptQuLajr6HcUac gn5ql+CNASTjJTijeoJ3tLRKpn2HU/+4V/rb5RuGgpG/4X39I297z8sG2Gw3aEo= =vTvA -----END PGP SIGNATURE-----

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

list-openvpn-nl