Search the Community

Hello, The latest stable client of Eddie - 2.10, is using a very outdated version of OpenSSL (1.0.3c) that has many vulnerabilities. Your latest experimental version of Eddie - 2.11 still uses an outdated version of OpenSSL that has a few known vulnerabilities. Please explain why as a major VPN provider, especially one that puts an emphasis on privacy, does not bother to keep OpenSSL updated even though there are several vulnerabilities reported as "High Severity"? https://www.openssl.org/news/vulnerabilities.html#y2016

Hi, On the experimental client (2.10.3) mono required, the binary stunnel is build with openssl .1.0.1f, which, have if i'm not making a mistake, multiples vulnerability Any reason why the stunnel binary is outdated ? Thanks !

Hi, this has been announced here https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html the security flaw is impacting versions 1.0.1 and 1.0.2 of Openssl. From eddie (mac version) it states openssl version 1.0.1k, so it is affected. Will you repack Eddie with the 1.0.1p version patched soon? Thanks

Want to know what the OpenBSD Foundation is doing with OpenSSL's code? Then you should read this blog. It's more suited for those who are able to read and understand C code. Skimming just the first page looks like the code is really in a bad condition - there are 39 pages so far (as of 15.07.2014). It's interesting to see what is being done. The only question is: Is this "list" complete?

I've been using the Eddie client for a while now but I can not get it to work over ssh or ssl. I keeps disconnecting and reconnect repeating a cycle that creates a bunch of processes. 6/11/2014 - 9:55 PM AirVPN client version: 2.1, System: Linux, Architecture: x64 6/11/2014 - 9:55 PM Reading options from /home/klepto/AIR/AirVPN.xml 6/11/2014 - 9:55 PM Data Path: /home/klepto/AIR 6/11/2014 - 9:55 PM App Path: /home/klepto/AIR 6/11/2014 - 9:55 PM Executable Path: /home/klepto/AIR/airvpn 6/11/2014 - 9:55 PM Command line arguments: 6/11/2014 - 9:55 PM Operating System: Unix 3.14.6.1 - Linux LUNASYLUM 3.14.6-1-ARCH #1 SMP PREEMPT Sun Jun 8 10:08:38 CEST 2014 x86_64 GNU/Linux 6/11/2014 - 9:55 PM OpenVPN Driver - Found 6/11/2014 - 9:55 PM OpenVPN - Version: OpenVPN 2.3.3 (/home/klepto/AIR/openvpn) 6/11/2014 - 9:55 PM SSH - Version: OpenSSH_6.6.1p1, OpenSSL 1.0.1h 5 Jun 2014 (/usr/bin/ssh) 6/11/2014 - 9:55 PM SSL - Version: stunnel 5.01 (/home/klepto/AIR/stunnel) 6/11/2014 - 9:55 PM IPV6: Available 6/11/2014 - 9:55 PM Session starting. 6/11/2014 - 9:55 PM Checking environment 6/11/2014 - 9:55 PM Waiting for latency tests 6/11/2014 - 9:55 PM Checking authorization 6/11/2014 - 9:55 PM Connecting to Pavonis (us) 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: stunnel 5.01 on x86_64-unknown-linux-gnu platform 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Compiled/running with OpenSSL 1.0.1g 7 Apr 2014 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Reading configuration from file /home/klepto/AIR/a6a54b9427fd348ef37fea2ec7f05b91b6ba82fec6e24e851b036484588e613f.tmp.ssl 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG6[26060]: Initializing service [openvpn] 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:35 LOG5[26060]: Configuration successful 6/11/2014 - 9:55 PM OpenVPN > OpenVPN 2.3.3 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [MH] [iPv6] built on Apr 14 2014 6/11/2014 - 9:55 PM OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100 6/11/2014 - 9:55 PM OpenVPN > Control Channel Authentication: tls-auth using INLINE static key file 6/11/2014 - 9:55 PM OpenVPN > Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication 6/11/2014 - 9:55 PM OpenVPN > Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication /* Removed IP info */ 6/11/2014 - 9:55 PM OpenVPN > Validating certificate key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has key usage 00a0, expects 00a0 6/11/2014 - 9:55 PM OpenVPN > VERIFY KU OK 6/11/2014 - 9:55 PM OpenVPN > Validating certificate extended key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 6/11/2014 - 9:55 PM OpenVPN > VERIFY EKU OK 6/11/2014 - 9:55 PM OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org 6/11/2014 - 9:55 PM OpenVPN > Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 6/11/2014 - 9:55 PM OpenVPN > Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 6/11/2014 - 9:55 PM OpenVPN > Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 6/11/2014 - 9:55 PM OpenVPN > Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 6/11/2014 - 9:55 PM OpenVPN > Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA 6/11/2014 - 9:55 PM OpenVPN > [server] Peer Connection Initiated with [AF_INET]127.0.0.1:53314 6/11/2014 - 9:55 PM OpenVPN > SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: LZO parms modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: route options modified 6/11/2014 - 9:55 PM OpenVPN > OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 6/11/2014 - 9:55 PM Flushing DNS 6/11/2014 - 9:55 PM Checking route 6/11/2014 - 9:55 PM Connected. 6/11/2014 - 9:55 PM OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100 6/11/2014 - 9:55 PM OpenVpn Management > >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info 6/11/2014 - 9:55 PM Disconnecting 6/11/2014 - 9:55 PM Management - Send 'signal SIGTERM' 6/11/2014 - 9:55 PM OpenVPN > MANAGEMENT: CMD 'signal SIGTERM' 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG6[26063]: Read socket closed (readsocket) 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG6[26063]: SSL_shutdown successfully sent close_notify alert 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG3[26063]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:42 LOG5[26063]: Connection closed: 12137 byte(s) sent to SSL, 15169 byte(s) sent to socket 6/11/2014 - 9:55 PM Connecting to Pavonis (us) 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: stunnel 5.01 on x86_64-unknown-linux-gnu platform 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Compiled/running with OpenSSL 1.0.1g 7 Apr 2014 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Reading configuration from file /home/klepto/AIR/232ecf01d2847609b6f741c518067d5a8012298972f180adcaed1ec52264c4dc.tmp.ssl 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG6[26081]: Initializing service [openvpn] 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG5[26081]: Configuration successful 6/11/2014 - 9:55 PM OpenVPN > OpenVPN 2.3.3 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [MH] [iPv6] built on Apr 14 2014 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG6[26084]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-AES256-SHA (256-bit encryption) 6/11/2014 - 9:55 PM OpenVPN > Socket Buffers: R=[87380->131072] S=[16384->131072] 6/11/2014 - 9:55 PM SSL > 2014.06.11 21:55:46 LOG6[26084]: Compression: null, expansion: null 6/11/2014 - 9:55 PM OpenVPN > Attempting to establish TCP connection with [AF_INET]127.0.0.1:34604 [nonblock] 6/11/2014 - 9:55 PM OpenVPN > TCP connection established with [AF_INET]127.0.0.1:34604 6/11/2014 - 9:55 PM OpenVPN > TCPv4_CLIENT link local: [undef] 6/11/2014 - 9:55 PM OpenVPN > TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:34604 6/11/2014 - 9:55 PM OpenVPN > TLS: Initial packet from [AF_INET]127.0.0.1:34604, sid=0eb09504 ef87f7e3 6/11/2014 - 9:55 PM OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org 6/11/2014 - 9:55 PM OpenVPN > Validating certificate key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has key usage 00a0, expects 00a0 6/11/2014 - 9:55 PM OpenVPN > VERIFY KU OK 6/11/2014 - 9:55 PM OpenVPN > Validating certificate extended key usage 6/11/2014 - 9:55 PM OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication 6/11/2014 - 9:55 PM OpenVPN > VERIFY EKU OK 6/11/2014 - 9:55 PM OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org

In the wake of the Heartbleed Bug, the OpenBSD Foundation has begun a fork of the OpenSSL source code. Enter LibreSSL. In one week they have removed 90,000 lines of C code and 150,000 lines of content that they say was old or unused. For those not familiar with OpenBSD, they are a non-profit and are security centric in the coding of their software. Part of their culture is to frequently perform group audits of their code. PF, or Packet Filter, was originally designed by them and is the underlying engine of pfSense, which I trust to keep me secure. They are implementing the first release of LibreSSL into OpenBSD 5.6 and then working on porting it to other OS's I personally am excited about this. I think this has good potential for future releases of OpenVPN and ultimately our uses with VPN. This perhaps might be a good canidate for AirVPN's No-Profit Community innitiative. If it meets the standards for it, i will gladly submit a post for it. Further reading: http://www.libressl.org/ http://www.openbsdfoundation.org/ http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

Hi there, I thought I'd direct the AirVPN staffs attention towards this newly discovered bug in certain versions of OpenSSL. Description: http://heartbleed.com/ Reddit Netsec Discussion: http://www.reddit.com/r/netsec/comments/22gaar/heartbleed_attack_allows_for_stealing_server/ Are AirVPN users vulnerable to this exploit, and if so will you be implementing Fixed OpenSSL? Thanks, you guys are always awesome!

Hi all, I have just finished configuring the SSL tunnel for AirVPN under Linux (Ubuntu). I think the guide at https://airvpn.org/ssl/ needs to be updated. If you use apt-get install stunnel Ubuntu will install stunnel4, but the softlink which is used in stunnel "AirVPN <..> - SSL <..>.ssl" points at version stunnel3. So first, go to /usr/bin/ and change the softlink to point at stunnel4 instead of 3: sudo -ln -s /usr/bin/stunnel4 /usr/bin/stunnel [EDIT from Staff: the correct command is "sudo ln ..."] Second point is, stunnel needs to know where the ssl certificate is located, if you don't point it to the right directory, the connection will end with the error: End of section stunnel: SSL server needs a certificate So to get rid of this, you have to go to /etc/stunnel and create a file stunnel.conf (also check the README there for more infos) and in it insert 2 lines: cert=/path/to/pemkey=/path/to/keyLast but not least you have to generate a stunnel private key: openssl req -new -x509 -days 365 -nodes Just remember to put it in the folder, which is listed in the stunnel.conf file. Now you should be able to run the connection through a tunnel Because I'm not a Linux wiz, I have used help from the following guides: Google http://serverfault.com/questions/424619/stunnel-not-reading-configuration-file http://www.onsight.com/faq/stunnel/stunnel-faq-a.html https://www.stunnel.org/pipermail/stunnel-users/2011-September/003261.html

I really love the ability tunnel all the openvpn traffic through ssl or ssh. I'm not sure which is more secure or faster. I normally use ssl tunnelling and do most of my daily browsing and I've no problem other than a bit of latency sometimes. Thank you for your thoughtful and very important service.