> Upload a package to PyPI or Node.js that emits specially crafted console output as part of its installer. If someone runs my installer without checking the contents, why would I need UTF-8 bugs to get code executed?…
Note that this is specifically OpenVPN on Windows, since the Windows installers ship with their own openssl dll (and as already said by the other commenter, a new installer was made available around the time of your…
Thanks for elaborating. The 'other side' are the people currently working on the negotiated-ffdhe draft (which I assume are bright people too). The draft was last updated a week ago (12 May 2015), so their…
I strongly believe in 'Audi alteram partem', and like to understand rather than believe. Hence my question. For all I know, a few extra bits parameter length can make the NFS just as infeasible as generating own…
> It's not particularly surprising to the IETF TLS Working Group either, which is at least partially why https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe.... exists. This draft /does/ encourages use of…
You don't need another layer of encryption, just another layer of authentication protects you from attacks that require an active mitm adversary (as basically all attacks on TLS do). OpenVPN has offered such an option…
You should do that for all your vulnerable peers (i.e. clients too), and restart the daemon to make it load the updated library. Then generate new keys for all of them. While there are vulnerable clients out there, you…
Yes, this has been introduced in the original heartbeat extension commit (01-01-2012): http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=bd69...
> Upload a package to PyPI or Node.js that emits specially crafted console output as part of its installer. If someone runs my installer without checking the contents, why would I need UTF-8 bugs to get code executed?…
Note that this is specifically OpenVPN on Windows, since the Windows installers ship with their own openssl dll (and as already said by the other commenter, a new installer was made available around the time of your…
Thanks for elaborating. The 'other side' are the people currently working on the negotiated-ffdhe draft (which I assume are bright people too). The draft was last updated a week ago (12 May 2015), so their…
I strongly believe in 'Audi alteram partem', and like to understand rather than believe. Hence my question. For all I know, a few extra bits parameter length can make the NFS just as infeasible as generating own…
> It's not particularly surprising to the IETF TLS Working Group either, which is at least partially why https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe.... exists. This draft /does/ encourages use of…
You don't need another layer of encryption, just another layer of authentication protects you from attacks that require an active mitm adversary (as basically all attacks on TLS do). OpenVPN has offered such an option…
You should do that for all your vulnerable peers (i.e. clients too), and restart the daemon to make it load the updated library. Then generate new keys for all of them. While there are vulnerable clients out there, you…
Yes, this has been introduced in the original heartbeat extension commit (01-01-2012): http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=bd69...