12 Nov 11:04
OpenVPN 2.1_rc21 released
James Yonan <jim <at> yonan.net>
2009-11-12 10:04:14 GMT
This release is to respond to the OpenSSL vulnerability CVE-2009-3555.

Some people have worried that the fix made to OpenSSL to address this vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's session renegotiation capability. This is not the case. OpenVPN does not rely on the session renegotiation capability that is built into SSL/TLS, and therefore if OpenVPN is linked against an OpenSSL library that disables SSL/TLS renegotiation, there should be no loss of functionality.

Changes:

2009.11.12 -- Version 2.1_rc21

* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address CVE-2009-3555. Note that OpenVPN has never relied on the session renegotiation capabilities that are built into the SSL/TLS protocol, therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation completely) will not adversely affect OpenVPN mid-session SSL/TLS renegotiation or any other OpenVPN capabilities.

* Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain.

James
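A minimal model of the identity locking described in the second changelog item, added here as an example; it is not OpenVPN's code. The names `PeerIdentity`, `SessionLock` and `demo`, and the byte strings standing in for certificates, are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class PeerIdentity:
    """What a peer presented in one from-scratch handshake (hypothetical model)."""
    common_name: str
    username: Optional[str]      # auth-user-pass username, if one was sent
    chain_der: Sequence[bytes]   # DER bytes of every certificate in the chain

    def chain_digests(self) -> tuple:
        return tuple(hashlib.sha256(c).digest() for c in self.chain_der)

class SessionLock:
    """Pins the identity seen at the first handshake; checks each renegotiation."""
    def __init__(self) -> None:
        self._pinned = None      # (common_name, username, chain digests)

    def check(self, peer: PeerIdentity) -> tuple:
        """Return (accepted, reason). The first call locks, later calls compare."""
        digests = peer.chain_digests()
        if self._pinned is None:
            self._pinned = (peer.common_name, peer.username, digests)
            return True, "locked"
        cn, user, chain = self._pinned
        if peer.common_name != cn:
            return False, "common name changed"
        if peer.username != user:
            return False, "username changed"
        # Compare every certificate, so a swapped intermediate is caught too.
        same = len(digests) == len(chain) and all(
            hmac.compare_digest(a, b) for a, b in zip(digests, chain))
        return (True, "match") if same else (False, "certificate chain changed")

# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF, CA_A, CA_B = b"leaf-cert", b"intermediate-a", b"intermediate-b"

def demo() -> list:
    lock = SessionLock()
    return [
        lock.check(PeerIdentity("client1", "alice", [LEAF, CA_A])),  # initial
        lock.check(PeerIdentity("client1", "alice", [LEAF, CA_A])),  # same peer
        lock.check(PeerIdentity("client1", "bob", [LEAF, CA_A])),    # new username
        lock.check(PeerIdentity("client1", "alice", [LEAF, CA_B])),  # new chain
        lock.check(PeerIdentity("client2", "alice", [LEAF, CA_A])),  # new CN
    ]

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```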