-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Summary:

OpenVPN-NL is not vulnerable to the two 'high'-rated security issues in the recently published mbed TLS security advisory [0].

Background:

Recently, mbed TLS issued new software versions accompanied by a security advisory containing two 'high'-rated security issues:

1) Remote plaintext recovery on use of CBC-based cipher suites through a timing side-channel

Researchers showed that the mitigations for the lucky13 attack implemented by mbedtls were not working properly for cipher suites using SHA384 (or SHA512, but those do not exist). This attack applies only when using a TLS cipher suite that combines AES-CBC with SHA384. OpenVPN-NL does not support such a cipher suite, and is therefor not vulnerable.

2) Plaintext recovery on use of CBC-based cipher suites through a cache based side-channel

Similar to the above, the implementation of the same cipher suites was also vulnerable to cache-based side-channel attacks. OpenVPN-NL does not support any of the affected cipher suites, and is therefor not vulnerable.

[0] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-a dvisory-2018-02