Is OpenVPN UDP vulnerable to heartbleed?

heartbleed udp openvpn

Is OpenVPN UDP vulnerable to heartbleed?

I need to decide if I'm going to rebuild some servers, but they are very carefully firewalled; 1194/TCP is one of the firewalled ports (yay whitelist!).

1194/UDP is used (mission critical).


Solution 1:

OpenVPN over UDP also uses TLS, so it is equally effected just like HTTPS. I have verified this by looking at a packet capture, and saw that the Heartbeat extension is advertised.

Many public tools just check for TLS/STARTTLS servers, but there is no reason why someone cannot craft a special tool for OpenVPN.

The TLS layer in OpenVPN runs on a proprietary socket layer which runs atop of UDP/TCP as can be seen in this picture.

Solution 2:

Yes, OpenVPN derives its encryption entirely from OpenSSL. The OpenVPN community has posted a response to Heartbleed: https://community.openvpn.net/openvpn/wiki/heartbleed

Related

Can EC2 instances dynamically add RAM while running?
Deny requests for other domains in Apache 2
send files to dozens of servers quickly
How can a "standard Elastic IP" become the External IP for a VPC?
Find out the history of a script execution on Linux box
Access local console via SSH
Where is active directory snap-in for Server 2012 R2?
Allowing nagios plugin check_dhcp to work without setuid root
Is there a way to check that the hardware of one server is the same as that of another?
Unable to mount '/dev/sda'
Why is Wireshark not capturing certain POST requests?
What is the unit of "mem" and "memory" in /proc/net/sockstat