By default, OpenConnect uses GnuTLS rather than OpenSSL. It only uses OpenSSL if the following conditions are met at build-time: 1.) GnuTLS does not support DTLS (only the case for old versions, AIUI) 2.) --without-openssl was not passed OR --without-gnutls was passed Further information can be found in configure.ac (version 7.06, the most recent at time of posting): http://git.infradead.org/users/dwmw2/openconnect.git/blob/v7.06:/configure.ac#l255 ASHLEY GRAVES (RIT Student) wrote: > Is OpenConnect affected by the same OpenSSL vulnerabilities as > AnyConnect from the June advisory > (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl)? > > The included CVEs are CVE-2015-1789, CVE-2015-1792, CVE-2014-8176, > CVE-2015-1788, CVE-2015-1790, CVE-2015-1791. > > If not, does the way OpenConnect handles OpenSSL leave it unaffected > by the recent surge of other OpenSSL vulns? Thanks in advance.
