Libreswan and Heartbleed: Difference between revisions

From Libreswan
Jump to navigation Jump to search
(Created page with "== Is Libreswan vulnerable to the OpenSSL "Heartbleed" exploit? == Unlike some open source VPN software, Libreswan does not utilize the OpenSSL library. The pluto daemon uses ...")
 
No edit summary
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Is Libreswan vulnerable to the OpenSSL "Heartbleed" exploit? ==
== Is Libreswan vulnerable to the OpenSSL "Heartbleed" exploit? ==
Unlike some open source VPN software, Libreswan does not utilize the OpenSSL library. The pluto daemon uses [https://developer.mozilla.org/en-US/docs/NSS_FAQ NSS] for all cryptographic operations during the IKE exchange in userspace, and once the tunnel is established the traffic encryption is then handled by a kernel module. Therefore pluto and the associated tools included with Libreswan are not subject to the OpenSSL vulnerability CVE-2014-0160, AKA Heartbleed.


See [[Using NSS with libreswan]] for more details about Libreswan's use of NSS
Libreswan is '''NOT''' vulnerable to the openssl vulnerability CVE-2014-0160 known as Heartbleed.
 
Libreswan is an implementation of IPsec IKEv1 and IKEv2 keying protocols. These protocols do not use TLS to establish VPN connections. VPN services and products based on TLS are often called "SSL VPNs". Libreswan is an IKE/IPsec based VPN.
 
Libreswan does not use openssl for IKE/IPsec. Libreswan does use libcurl which itself uses openssl for establishing connections for OCSP and CRL URLs, but it does not provide a server for OCSP/CRL and is therefor not vulnerable there either.

Latest revision as of 21:03, 10 April 2014

Is Libreswan vulnerable to the OpenSSL "Heartbleed" exploit?

Libreswan is NOT vulnerable to the openssl vulnerability CVE-2014-0160 known as Heartbleed.

Libreswan is an implementation of IPsec IKEv1 and IKEv2 keying protocols. These protocols do not use TLS to establish VPN connections. VPN services and products based on TLS are often called "SSL VPNs". Libreswan is an IKE/IPsec based VPN.

Libreswan does not use openssl for IKE/IPsec. Libreswan does use libcurl which itself uses openssl for establishing connections for OCSP and CRL URLs, but it does not provide a server for OCSP/CRL and is therefor not vulnerable there either.