4

Is OpenVPN UDP vulnerable to Heartbleed?

I need to decide if I'm going to rebuild some servers, but they are very carefully firewalled; 1194/TCP is one of the firewalled ports (yay whitelist!).

1194/UDP is used (mission critical).

2 Answers

6

OpenVPN over UDP also uses TLS, so it is equally affected, just like HTTPS. I have verified this by looking at a packet capture, and saw that the Heartbeat extension is advertised.

Many public tools just check for TLS/STARTTLS servers, but there is no reason why someone cannot craft a special tool for OpenVPN.

The TLS layer in OpenVPN runs on a proprietary socket layer which runs on top of UDP/TCP, as can be seen in this picture.

Lekensteyn
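The packet-capture check mentioned in the answer above can be reproduced offline; this is an added example, not code from the answer or from OpenVPN. It assumes the TLS record bytes have already been extracted from OpenVPN's control-channel framing, and `heartbeat_mode`, `build_server_hello` and the sample bytes are constructed for illustration.

```python
import struct

HEARTBEAT_EXT = 15  # extension type assigned by RFC 6520
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def heartbeat_mode(record: bytes):
    """Return the heartbeat mode advertised in a TLS hello record, else None.

    Advertising the extension only shows heartbeats are negotiated; whether
    the peer is affected depends on the OpenSSL version it is built against.
    """
    if len(record) < 9 or record[0] != 22:           # 22 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if hs_type not in (1, 2) or len(msg) != hs_len:  # 1 = ClientHello, 2 = ServerHello
        raise ValueError("not a complete ClientHello/ServerHello")
    try:
        pos = 2 + 32                                 # version + random
        pos += 1 + msg[pos]                          # session_id
        if hs_type == 1:
            pos += 2 + int.from_bytes(msg[pos:pos + 2], "big")  # cipher_suites
            pos += 1 + msg[pos]                      # compression_methods
        else:
            pos += 3                                 # cipher_suite + compression
    except IndexError:
        raise ValueError("truncated hello") from None
    if pos + 2 > len(msg):
        return None                                  # hello carries no extensions
    ext_end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(ext_end, len(msg)):
        ext_type, ext_len = struct.unpack("!HH", msg[pos:pos + 4])
        data = msg[pos + 4:pos + 4 + ext_len]
        if ext_type == HEARTBEAT_EXT and len(data) == 1:
            return MODES.get(data[0], "unknown")
        pos += 4 + ext_len
    return None

def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample: minimal TLS 1.1 ServerHello, all-zero random."""
    body = b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x02" + len(hs).to_bytes(2, "big") + hs

RENEG = b"\xff\x01\x00\x01\x00"       # renegotiation_info, empty (constructed)
HEARTBEAT = b"\x00\x0f\x00\x01\x01"   # heartbeat, mode 1 (constructed)
print(heartbeat_mode(build_server_hello(RENEG + HEARTBEAT)))
```

A `None` result for a server's hello means heartbeats were not offered on that handshake, which is the state to expect after rebuilding against an OpenSSL compiled without heartbeat support.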
6

Yes, OpenVPN derives its encryption entirely from OpenSSL. The OpenVPN community has posted a response to Heartbleed: https://community.openvpn.net/openvpn/wiki/heartbleed

el viejo