[vpn-devel] OpenSSL Heartbleed vulnerability & Shrew VPN client
Matthew Grooms
mgrooms at shrew.net
Thu May 29 01:32:02 CDT 2014
Hi Willy,
Heartbleed affects products that link against vulnerable versions of
OpenSSL libssl to provide support for SSL/TLS. The Shrewsoft VPN client
only links to libcrypto which provides cryptographic functions, but not
SSL/TLS functionality. IPsec doesn't leverage SSL/TLS. For more info,
please see ...
http://heartbleed.com/
Hope this helps,
-Matthew
On 4/12/2014 12:50 AM, Willy Yuen wrote:
> Hello,
>
> Recently, there has been widespread media coverage of the OpenSSL
> Heartbleed vulnerability.
> Bruce Schneier does an excellent job of summarizing the vulnerability
> and its significance here:
>
> https://www.schneier.com/blog/archives/2014/04/heartbleed.html
>
> From the Heartbleed official homepage: http://heartbleed.com/
>
> Status of different versions
> ===================
> * OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> * OpenSSL 1.0.1g is NOT vulnerable
> * OpenSSL 1.0.0 branch is NOT vulnerable
> * OpenSSL 0.9.8 branch is NOT vulnerable
>
>
> With the release of Shrew 2.2.0+ I understand the OpenSSL package has
> been upgraded to OpenSSL 1.0.1c.
>
> When I run the VPN Trace program, it can be found in the log:
>
> Logs from ShrewSoft VPN Trace - IKE Service (Level output = Informational)
> 14/03/26 15:23:18 ## : IKE Daemon, ver 2.2.2
> 14/03/26 15:23:18 ## : Copyright 2013 Shrew Soft Inc.
> 14/03/26 15:23:18 ## : This product linked [ OpenSSL 1.0.1c ] 10 May 2012
> 14/03/26 15:23:18 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
>
>
> Is there any security risk in using Shrew VPN client associated with
> this version of OpenSSL, which is affected by the Heartbleed vulnerability?
>
>
>
> */Regards,/*
> */- Willy/*
>
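The reasoning in this thread, written out as an added example (not code from the Shrew project or from either poster): exposure needs both a version in the listed range and a link against the SSL/TLS library, not just libcrypto. The function names and the two import lists are constructed assumptions; the banner line is the one from the quoted trace log.

```python
import re

# Affected range as listed on this page (from heartbleed.com):
# 1.0.1 through 1.0.1f inclusive; 1.0.1g, 1.0.0 and 0.9.8 are not affected.
AFFECTED_BASE = "1.0.1"
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}
BANNER = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-[\w.]+)?")

# File-name prefixes of the SSL/TLS library: libssl on Unix-like systems,
# ssleay32.dll in OpenSSL 1.0.x Windows builds. libcrypto / libeay32 hold
# the cryptographic primitives only and do not match.
TLS_LIBRARY_PREFIXES = ("libssl", "ssleay32")


def parse_version(banner):
    """Return (base, letter, suffix) from a banner such as 'OpenSSL 1.0.1c'."""
    m = BANNER.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version found in: %r" % banner)
    return m.group(1), m.group(2), m.group(3) or ""


def links_tls_library(linked_libraries):
    """True if any linked library is the SSL/TLS half of OpenSSL."""
    return any(name.lower().startswith(TLS_LIBRARY_PREFIXES)
               for name in linked_libraries)


def triage(banner, linked_libraries):
    """Classify Heartbleed exposure from a version banner plus linked libraries."""
    base, letter, suffix = parse_version(banner)
    if suffix:
        return "review: build suffix not covered by the listed range"
    if base != AFFECTED_BASE or letter not in AFFECTED_LETTERS:
        return "not affected: version outside 1.0.1-1.0.1f"
    if not links_tls_library(linked_libraries):
        return "not affected: only libcrypto linked, no SSL/TLS code"
    return "affected: vulnerable libssl linked"


# Banner line copied from the trace log quoted on this page.
LOG_LINE = "14/03/26 15:23:18 ## : This product linked [ OpenSSL 1.0.1c ] 10 May 2012"
# Constructed import lists (assumptions, not taken from the Shrew client).
CRYPTO_ONLY = ["libeay32.dll", "kernel32.dll"]
WITH_TLS = ["libeay32.dll", "ssleay32.dll"]

if __name__ == "__main__":
    print(triage(LOG_LINE, CRYPTO_ONLY))
    print(triage(LOG_LINE, WITH_TLS))
```

A list of linked libraries only reflects dynamic imports; a statically linked libssl will not appear in it and has to be checked separately.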