openvpn security issue for both john and merlin

[RMerlin]

The first paragraph specifically states that jumping from 1.0.0 to 1.0.2 should retain binary compatibility.

http://openssl.org/about/releasestrat.html

That is actually the most helpful bit of information there, especially since the confirmation is from the OpenSSL devs. Thanks!

Also concerning minor releases, ie. The last digit.

As hackish as it would seem to simply symlink 1.0.0 -> 1.0.2, it should be acceptable.

I wouldn't blindly do that, because who knows what a programmer decided to change in his API in a minor revision number change. But in this case since the developer itself confirmed backward API compatibility, it would be fine then having a symlink pointing to the 1.0.2 version of the library.

 

[RMerlin]

My post was waiting moderation. Perhaps because I posted a url, and don't have many posts.

The new forum software is more touchy, and after the large waves of spam that hit us these past few months, I suspect Tim decided to tighten security a bit more to cut down on spam, so occasionally Tim and I (for the Asus wireless subforums) do have to release a moderated post from the queue.

 

[RMerlin]

BTW, to use TLS 1.2 (and the newer TLS ciphers) after upgrading OpenSSL to 1.0.2, you must tell OpenVPN to negotiate support for TLS > 1.0, by adding this to both clients and servers:

tls-version-min 1.0

This will result in this:

Before:

Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

After:

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA

Otherwise, just upgrading OpenSSL to 1.0.2 will bring no change to OpenVPN's behaviour.

Source: https://community.openvpn.net/openvpn/ticket/401

 

[Chrysalis]

I had to set tls-version-min 1.2 on both client and server to get 1.2 to work,when 1.0 was set or the line was missing the client would refuse to use 1.2 ciphers.

info here. http://superuser.com/questions/869589/openvpn-tls-1-2