[vpn-devel] OpenSSL Heartbleed vulnerability & Shrew VPN client

Willy Yuen zero0w at gmail.com
Thu May 29 07:21:40 CDT 2014


Hi Matthew,


Thanks very much for the clarification.



Regards,
-Willy




On Thu, May 29, 2014 at 2:32 PM, Matthew Grooms <mgrooms at shrew.net> wrote:

> Hi Willy,
>
> Heartbleed affects products that link against vulnerable versions of
> OpenSSL libssl to provide support for SSL/TLS. The Shrewsoft VPN client
> only links to libcrypto which provides cryptographic functions, but not
> SSL/TLS functionality. IPsec doesn't leverage SSL/TLS. For more info,
> please see ...
>
> http://heartbleed.com/
>
> Hope this helps,
>
> -Matthew
>
>
> On 4/12/2014 12:50 AM, Willy Yuen wrote:
>
>> Hello,
>>
>> Recently, there is widespread media coverage on OpenSSL Heartbleed
>> vulnerability.
>> Bruce Schneier does an excellent job of summarizing the vulnerability
>> and its significance here:
>>
>>
>> https://www.schneier.com/blog/archives/2014/04/heartbleed.html
>>
>>
>>
>>  From the Heartbleed official homepage: http://heartbleed.com/
>>
>>
>> Status of different versions
>> ===================
>> * OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
>> * OpenSSL 1.0.1g is NOT vulnerable
>> * OpenSSL 1.0.0 branch is NOT vulnerable
>> * OpenSSL 0.9.8 branch is NOT vulnerable
>>
>>
>> With the release of Shrew 2.2.0+ I understand the OpenSSL package has
>> been upgraded to OpenSSL 1.0.1c.
>>
>> As I run the VPN Trace program and it can be found in the log:
>>
>> Logs from ShrewSoft VPN Trace - IKE Service (Level output = Informational)
>> 14/03/26 15:23:18 ## : IKE Daemon, ver 2.2.2
>> 14/03/26 15:23:18 ## : Copyright 2013 Shrew Soft Inc.
>> 14/03/26 15:23:18 ## : This product linked [ OpenSSL 1.0.1c ] 10 May 2012
>> 14/03/26 15:23:18 ii : opened 'C:\Program Files\ShrewSoft\VPN
>> Client\debug\iked.log'
>>
>>
>> Is there any security risk in using Shrew VPN client associated with
>> this version of OpenSSL, which is affected by the Heartbleed
>> vulnerability?
>>
>>
>>
>> */Regards,/*
>> */- Willy/*
>>
>>
>>
>> _______________________________________________
>> vpn-devel mailing list
>> vpn-devel at lists.shrew.net
>> https://lists.shrew.net/mailman/listinfo/vpn-devel
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-devel/attachments/20140529/01eeaab3/attachment.html>


More information about the vpn-devel mailing list