
Heartbleed?

Posted: Wed Apr 09, 2014 1:38 pm
by nfloersch
Is SoftEther vulnerable to Heartbleed related attacks?

Does it use OpenSSL ... as part of the OpenVPN stack for example?

It seems most Windows servers do not use OpenSSL; they use a Microsoft SSL implementation with IIS. Likewise, Microsoft VPN stuff uses built-in SSL from Microsoft. But SoftEther VPN may be affected, and so my Windows servers with SoftEther may be vulnerable... maybe?

Thanks for any input!

Nick

Re: Heartbleed?

Posted: Wed Apr 09, 2014 2:13 pm
by inten
Yes, it uses OpenSSL library.

Re: Heartbleed?

Posted: Wed Apr 09, 2014 2:24 pm
by arprip
Depends on which OpenSSL version it is using.
It happens on OpenSSL 1.0.1 - 1.0.1f, only fixed in 1.0.1g.

And there is no problem on OpenSSL 0.9.8X

Check this thread. http://www.vpnusers.com/viewtopic.php?f=15&t=2903

Although it is in Japanese, you can use Google Translate to translate it.

Re: Heartbleed?

Posted: Wed Apr 09, 2014 2:25 pm
by nfloersch
Does SoftEther use the OS installation of OpenSSL on Linux/Mac systems? Or does it always use its own bundled versions of the libraries?

I assume the libraries are bundled into the Windows executables.

Nick

Re: Heartbleed?

Posted: Wed Apr 09, 2014 2:25 pm
by nfloersch
arprip wrote:
> Depends on which OpenSSL version it is using.
> It happens on OpenSSL 1.0.1 - 1.0.1f, only fixed in 1.0.1g.
>
> And there is no problem on OpenSSL 0.9.8X

Good point!

Re: Heartbleed?

Posted: Wed Apr 09, 2014 2:32 pm
by nfloersch
arprip wrote:
> And there is no problem on OpenSSL 0.9.8X
>
> Check this thread. http://www.vpnusers.com/viewtopic.php?f=15&t=2903

It does appear from that thread, and a forum search for "openssl", that SoftEther uses the older library version. We are safely behind the bleeding edge!

Thanks for the help!
Nick

Re: Heartbleed?

Posted: Thu Apr 10, 2014 5:14 am
by gravyr
If you visit the open source repositories at SoftEther's uploader site, http://uploader.softether.co.jp/src/, you will see that SoftEther uses OpenSSL 0.9.81 and as such avoids the Heartbleed vulnerability.
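
Added example, not part of the thread and not SoftEther's code: one way to check which OpenSSL is bundled into an executable is to search its bytes for the version banner OpenSSL compiles in and compare it with the range quoted in the thread (1.0.1 through 1.0.1f). The sample bytes are constructed, and the function names are this example's own.

```python
import re
import sys

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1f 6 Jan 2014" in its library;
# submodules repeat it ("AES part of OpenSSL 0.9.8y 5 Feb 2013").
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})(-[a-z]+\d*)?(?![\w.])")

# Constructed sample standing in for the contents of a binary.
SAMPLE = (b"\x7fELF\x00\x01OpenSSL 0.9.8y 5 Feb 2013\x00"
          b"AES part of OpenSSL 0.9.8y 5 Feb 2013\x00\xff")

def classify(major, minor, fix, letter, pre):
    """Apply the range quoted in the thread: 1.0.1 through 1.0.1f."""
    if pre:
        # Suffixes like -beta1 or -fips fall outside the quoted range:
        # pre-releases and vendor-patched builds need a manual check.
        return "review"
    if (major, minor, fix) == (1, 0, 1) and letter in ("", *"abcdef"):
        return "affected"
    return "not affected"

def scan(data):
    """Return {version: verdict} for every OpenSSL banner found in data."""
    found = {}
    for m in BANNER.finditer(data):
        major, minor, fix = (int(g) for g in m.group(1, 2, 3))
        letter = m.group(4).decode()
        pre = (m.group(5) or b"").decode()
        version = f"{major}.{minor}.{fix}{letter}{pre}"
        found[version] = classify(major, minor, fix, letter, pre)
    return found

if __name__ == "__main__":
    # Usage: python scan_openssl.py <binary> [<binary> ...]
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, data in inputs or [("constructed sample", SAMPLE)]:
        for version, verdict in sorted(scan(data).items()):
            print(f"{name}: OpenSSL {version}: {verdict}")
```

A banner match only shows which OpenSSL release was linked in; an executable with no banner at all may link the operating system's shared library instead, which then has to be checked separately.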