[OpenVPN-NL] Security advisory - SLOTH

Steffan Karger steffan.karger at fox-it.com
Mon Jan 18 10:17:20 CET 2016


Summary:

OpenVPN-NL is not vulnerable to the SLOTH attack [0].


Background:

On January 6th 2016, INRIA published information on a TLS
vulnerability called 'SLOTH' [0].  The vulnerability allows an
attacker to impersonate a client with a client certificate if the
following conditions are met:
 * the attacker has a Man-in-the-Middle position between a client and
   server,
 * the client is willing to authenticate itself with its certificate
   to the MitM attacker,
 * both parties support TLS 1.2, and,
 * both parties allow MD5 cipher suites to be used.

OpenVPN-NL does not allow MD5 cipher suites, and therefore is not
vulnerable to the SLOTH attack.

[0] http://www.mitls.org/pages/attacks/SLOTH
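
The last two conditions in the advisory (TLS 1.2 support and MD5 cipher suites being allowed) can be checked from a client's ClientHello. The following is an added example, not part of the original advisory or of OpenVPN-NL: the function names are hypothetical, the suite table uses the IANA-registered values for the MD5-MAC suites, and the sample record is constructed rather than captured.

```python
import struct

# Cipher suites whose MAC is MD5 (values from the IANA TLS cipher suite registry).
MD5_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
}
TLS_1_2 = 0x0303


def audit_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; report TLS 1.2 and MD5 suites."""
    try:
        ctype, _, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack("!H", hello[:2])[0]   # highest version offered
        pos = 2 + 32                                  # skip client_version, random
        pos += 1 + hello[pos]                         # skip session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        suites = struct.unpack(f"!{n // 2}H", hello[pos + 2:pos + 2 + n])
    except (IndexError, struct.error):
        raise ValueError("malformed or truncated ClientHello") from None
    md5 = [MD5_SUITES[s] for s in suites if s in MD5_SUITES]
    tls12 = version >= TLS_1_2
    # "exposed" only covers the two conditions visible in the ClientHello.
    return {"offers_tls12": tls12, "md5_suites": md5, "exposed": tls12 and bool(md5)}


def build_sample(suites, version=TLS_1_2) -> bytes:
    """Constructed ClientHello record for the given suite ids (not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!H", 2 * len(suites))
    hello += struct.pack(f"!{len(suites)}H", *suites)
    hello += b"\x01\x00"                              # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    print(audit_client_hello(build_sample([0xC02F, 0x0004])))
    print(audit_client_hello(build_sample([0xC02F, 0x009E])))
```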


