Is default OpenVPN via Foris vulnerable?
I found comp-lzo in the OpenVPN config provided by Foris. Related to https://en.wikipedia.org/wiki/Lempel–Ziv–Oberhumer
EDIT: More info here: https://speakerdeck.com/skepticfx/voracle-compression-oracle-attacks-on-vpn-tunnels?slide=24 It was first published at Black Hat.
Those reports neglect to mention that TLS 1.3 removes compression and thereby mitigates attack vectors of this sort.
Thus, once it is implemented in OpenVPN and such an updated package is published to TO users, this would be history.
What is the benefit of waiting x years for TLS 1.3 to maybe land in Turris OS vs. just changing a config variable now?
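
An added example, not part of any post in this thread: a Python check that scans OpenVPN client config text for the directives that turn on compression, such as the comp-lzo line mentioned above. The function name and the sample config are constructed for illustration.

```python
import re

# Algorithms for the "compress" directive that actually compress payloads;
# "stub" / "stub-v2" only enable the framing and are not flagged.
ACTIVE_COMPRESS_ALGOS = {"lzo", "lz4", "lz4-v2"}

def find_compression(config_text):
    """Return (line_number, line) pairs for directives that enable compression."""
    findings = []
    inline_tag = None  # set while inside an inline block such as <ca>...</ca>
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if inline_tag:
            # Inline certificate/key material is not configuration; skip it.
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        opened = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        words = line.lower().split()
        name, args = words[0], words[1:]
        if name == "comp-lzo" and args[:1] != ["no"]:
            findings.append((lineno, line))  # bare comp-lzo means adaptive LZO
        elif name == "compress" and args[:1] and args[0] in ACTIVE_COMPRESS_ALGOS:
            findings.append((lineno, line))
        elif name == "allow-compression" and args[:1] == ["yes"]:
            findings.append((lineno, line))
    return findings

# Constructed sample client config (not taken from a real Foris export).
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
# comp-lzo mentioned in a comment is ignored
comp-lzo
<ca>
compress lz4
</ca>
compress stub-v2
"""

if __name__ == "__main__":
    for lineno, line in find_compression(SAMPLE):
        print(f"line {lineno}: compression enabled by '{line}'")
```

Whatever compression setting is chosen has to match on the server and on every client config, otherwise the tunnel will not pass traffic.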