-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello!
A CVE for mbed TLS has been published, CVE-2025-27809. The issue is that mbed TLS silently skips validating the hostname on the server certificate if the expected hostname is not provided via a call to the function mbedtls_ssl_set_hostname().
OpenVPN does not use the TLS library to validate hostnames. Instead, OpenVPN itself validates the name on the peer's certificate if the configuration option --verify-x509-name is given. This check is performed independently of mbed TLS and is not affected by the CVE.
If you do not use this option, the name on the certificate cannot be validated because OpenVPN does not know what the expected name is. The deployment advisory (inzetadvies) for OpenVPN-NL requires clients to use this option to validate server certificates. (Appendix 1)
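As an added example (not part of this message or of OpenVPN's own code), a small Python check that audits an OpenVPN client configuration for the --verify-x509-name directive the advisory requires; the sample configs and the hostname vpn.example.test are constructed, and the directive's argument types (subject, name, name-prefix) are taken from the OpenVPN manual.

```python
import shlex

# Argument types of verify-x509-name (OpenVPN manual): "subject" (default) matches
# the full subject DN, "name" the CN exactly, "name-prefix" a CN prefix.
VALID_TYPES = {"subject", "name", "name-prefix"}

def parse_directives(config_text):
    """Yield (directive, args) per active line; skip comments and <tag>...</tag> blocks."""
    skip_until = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if skip_until:                          # inside an inline file block
            if line == skip_until:
                skip_until = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</"):
            skip_until = "</" + line[1:]        # "<ca>" -> "</ca>"
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]

def audit_verify_x509_name(config_text):
    """Return status 'ok', 'missing', 'malformed' or 'suspect' for a client config."""
    args = None
    for directive, a in parse_directives(config_text):
        if directive == "verify-x509-name":
            args = a                             # keep the last one seen
    if args is None:
        return {"status": "missing",
                "detail": "no verify-x509-name: OpenVPN has no expected name to check"}
    if len(args) not in (1, 2) or (len(args) == 2 and args[1] not in VALID_TYPES):
        return {"status": "malformed", "detail": "bad arguments: %r" % (args,)}
    name, kind = args[0], (args[1] if len(args) == 2 else "subject")
    if kind == "subject" and "=" not in name:
        return {"status": "suspect", "expected": name, "type": kind,
                "detail": "default type 'subject' compares the full DN; use 'name' for a CN"}
    return {"status": "ok", "expected": name, "type": kind, "detail": "name pinned"}

# Constructed sample client configs (hostname and CA block are placeholders).
WEAK_CONFIG = """\
client
remote vpn.example.test 1194 udp
remote-cert-tls server
<ca>
placeholder-not-a-real-certificate
</ca>
"""
HARDENED_CONFIG = WEAK_CONFIG + "verify-x509-name vpn.example.test name\n"
```

Run `audit_verify_x509_name(WEAK_CONFIG)` and `audit_verify_x509_name(HARDENED_CONFIG)` to see the missing versus pinned result for the two constructed configs.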
Best regards, Max Fillinger