Page MenuHomePhabricator

Any need to respond to the encryption weakness described in sweet32.io?
Closed, WontfixPublic

Description

In https://sweet32.info/, it mentions that OpenVPN is affected and working on a fix, among other software packages.

The OpenVPN on VyOS 1.1.7 is version 2.1.3 built on March 9, 2015.

The current latest OpenVPN on Github (https://github.com/OpenVPN/openvpn/releases/tag/v2.3.12) is 2.3.12 released August 24, 2016.

Are there plans to upgrade OpenVPN for VyOS 1.1?

Thanks.

Details

Difficulty level
Easy (less than an hour)
Version
1.1.7

Event Timeline

The page you've linked mentioned the fix: don't use legacy ciphers.

Thanks. I'll try to find how to follow this advice.

Isn't it a concern that the OpenVPN version on VyOS is so far behind the current release?

syncer added a subscriber: syncer.Aug 31 2016, 8:46 PM

Well, basically it's not only OpenVPN is old there, all is old there

syncer closed this task as Wontfix.Aug 31 2016, 8:49 PM
syncer claimed this task.
syncer triaged this task as Low priority.

1.1.x won't get any major updates for packages,
we instead forcing 1.2 testing to transit it to production in some near future
1.2 will address this issue among other things

Thanks for the update.
Where can I get 1.2 to help testing?

syncer added a project: Rejected.Oct 15 2018, 6:30 AM