Impact of CVE-2014-0160?

Pedro Côrte-Real pedro at pedrocr.net
Wed Apr 16 21:08:12 CEST 2014


On Thu, Apr 10, 2014 at 5:08 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Thu, Apr 10, 2014 at 05:35:39PM +0200, Jan Lühr wrote:
>
>> since tinc depends on OpenSSL (at least in Debian):
>>
>> -> In what way does CVE-2014-0160 impact tinc?
>
> Tinc does not use the SSL or TLS protocol, so it is not affected at all by the
> Heartbleed bug.
>
>> -> Does tinc use PFS?
>
> Not in tinc 1.0.x, but in 1.1 when the new protocol is enabled.

Would it make sense to move to NaCl/libsodium for the new protocol?
Apparently SigmaVPN does this and got good reviews on Hacker News:

https://news.ycombinator.com/item?id=7599091

Pedro

