From 27594eeae6f40a402bc3110f06d57975168e74e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Thu, 4 Jun 2015 19:20:15 +0200 Subject: ics-openvpn as a submodule! beautiful ics-openvpn is now officially on GitHub, and they track openssl and openvpn as submodules, so it's easier to update everything. Just a git submodule update --recursive. I've also set up soft links to native modules from ics-openvpn in app, so that we don't copy files in Gradle (which was causing problems with the submodules .git* files, not being copied). That makes the repo cleaner. --- app/openvpn/ChangeLog | 4071 ------------------------------------------------- 1 file changed, 4071 deletions(-) delete mode 100644 app/openvpn/ChangeLog (limited to 'app/openvpn/ChangeLog') diff --git a/app/openvpn/ChangeLog b/app/openvpn/ChangeLog deleted file mode 100644 index 7b945c80..00000000 --- a/app/openvpn/ChangeLog +++ /dev/null @@ -1,4071 +0,0 @@ -OpenVPN Change Log -Copyright (C) 2002-2012 OpenVPN Technologies, Inc. - -2012.09.12 -- Version 2.3_beta1 -Arne Schwabe (7): - Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used - Merge almost identical create_socket_tcp and create_socket_tcp6 - Document the inlining of files in openvpn and document key-direction - Merge getaddr_multi and getaddr6 into one function - Document --management-client and --management-signal a bit better - Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen. - Add checks for external-key-managements - -David Sommerseth (1): - Fix reconnect issues when --push and UDP is used on the server - -Gert Doering (4): - Reduce --version string detail about IPv6 to just "[IPv6]". - Put actual OpenVPN command line on top of corresponding log file. - Keep pre-existing tun/tap devices around on *BSD - make "ipv6 ifconfig" on linux compatible with busybox ifconfig - -Heiko Hund (6): - fix regression with --http-proxy[-*] options - add x_msg_va() log function - add API for plug-ins to write to openvpn log - remove stale _openssl_get_subject() prototype - remove unused flag SSLF_NO_NAME_REMAPPING - Add --compat-names option - -2012.07.20 -- Version 2.3_alpha3 -Arne Schwabe (1): - Fix compiling with --disable-management - -Gert Doering (1): - Repair "tap server" mode brokenness caused by fallout - -Heiko Hund (4): - make non-blocking connect work on Windows - don't treat socket related errors special anymore - remove unused show_connection_list debug function - add option --management-query-proxy - -2012.06.29 -- Version 2.3_alpha2 -Adriaan de Jong (11): - Fixed off-by-one in serial length calculation - Migrated x509_get_subject to use of the garbage collector - Migrated x509_get_serial to use the garbage collector - Migrated x509_get_sha1_hash to use the garbage collector - Ensure sys/un.h autoconf detection includes sys/socket.h - Added support for new PolarSSL 1.1 RNG - Added a configuration option to enable prediction resistance in the PolarSSL random number generator. - Use POLARSSL_CFLAGS instead of POLARSSL_CRYPTO_CFLAGS in configure.ac - Removed support for PolarSSL < 1.1 - Updated README.polarssl with build system changes. - Removed stray "Fox-IT hardening" string. - -Alon Bar-Lev (94): - build: version should not contain '-' - package: rpm: strip should be handled by package management - cleanup: options.c: remove redundant include - cleanup: remove C++ warnings - cleanup: win32.c: wrong printf format - cleanup: remove redundant ';' - cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6 - cleanup: tun.c: fix incorrect option in message (ip-win32) - cleanup: memcmp.c: remove unused source - fixup: init.c: add missing conditional for ENABLE_CLIENT_CR - build: correct place to alter WINVER is at build system - Update .gitignore - build: handle printf style format in mingw - build: rename plugin directory to plugins - build: plugins: properly use CC, CFLAGS and LDFLAGS - build: we need the sample.ovpn in future - Remove install-win32 - Remove easy-rsa - Remove tap-win32 - cleanup: rename tap-windows function from win32 to win - build: remove windows specific build system - build: split acinclude.m4 into m4/* - build: m4/ax_varargs.m4: cleanup - build: m4/ax_emptyarray.m4: cleanup - build: m4/ax_socklen_t.m4: cleanup - build: autotools: first pass of trivial autotools changes - build: autoconf: remove OPENVPN_ADD_LIBS useless macro - build: remove awk and non-standard autoconf output processing - build: standard directory layout - build: add libtool + windows resources for executables - build: autoconf: commands as environment - build: libdl usage - build: properly detect and use socket libs - build: autoconf: minor cleanups - build: proper selinux detection and usage - build: distribute pkg.m4 - build: proper pkcs11-helper detection and usage - build: properly process lzo-stub - build: proper lzo detection and usage - build: proper crypto detection and usage - build: autoconf: update defaults for options - build: win-msvc: msbuild format - build: move out config.h include from syshead - build: split out compat - build: move gettimeofday() emulation to compat - build: move daemon() emulation into compat - build: move inet_ntop(), inet_pton() emulation into compat - cleanup: move console related function into its own module - build: move wrappers into platform module - build: windows: install version.sh to allow installer read version - build: distribute samples in windows - build: use tap-windows.h as external dependency - build: ax_varargs.m4: fixups - build: autoconf: misc sockets fixups - build: enable lzo by default - build: windows: set vendor to openvpn project + cleanups - build: assume dlfcn is available on all supported platforms - build: openbsd: detect netinet/ip.h correctly - build: tap: search for tap header - build: msvc: upgrade to Visual Studio 2010 + fixups - Enable pedantic in windows compilation - cleanup: flags should not be bool - cleanup: avoid using ~0 - generic - cleanup: avoid using ~0 - ipv6 - cleanup: avoid using ~0 - netmask - cleanup: avoid using ~0 - windows - cleanup: gc usage - build: fix some statement left from conversion - build: properly detect netinet/ip.h structs - build: properly detect TUNSETPERSIST - cleanup: plugin: support C++ plugin - cleanup: remove C++ comments - cleanup: add .gitattributes to control eol style explicitly - crash: packet_id_debug_print: sl may be null - build: use stdbool.h if available - build: fix typo in --enable-save-password - build: windows: convert resources to UTF-8 - build: check minimum polarssl version - cleanup: update .gitignore - cleanup: spec: make space/tab consistent - build: spec: we support openssl >= 0.9.7 - build: insall README* document using build system - build: detect sys/wait.h required for *bsd - build: add git revision to --version output if build from git repository - build: cleanup: yet another forgotten brackets - build: update INSTALL to recent changes - build: support platforms that does not need explicit tun headers - build: do not support authenticated in verify_user_pass - Moved gc_new and gc_free to begin end of function - Fixed a bug in the return value of ssl_verify when pre_verify failed - Unified verification function return values: - Removed a stray Fox-IT tag - Fixed a typo: print the subject instead of the serial for verification errors - Made SSL_CIPHER const in print_details, to fix warning - Moved to PolarSSL 1.0.0: - Added missing #ifdef to allow --disable-managent to work again - Fixed disabling crypto and SSL - Got rid of a few magic numbers in ntlm.c - Removed obsolete des_cblock and des_keyschedule - Further removal of des_old.h based calls - Fixed missing comma in plugin.h - Moved prng_uninit out of crypto_uninit_lib - Moved CryptoAPI header include to the ssl_openssl.c - Reordered functions to ensure warning-free Windows build - Added options to switch between OpenSSL and PolarSSL and PKCS11... - Moved from strsep to strtok, for Windows compatibility - Minor cleanup to enable warning-free Windows build: - Fixed a typo when initialising cryptoapi certs - Minor code cleanup: cleaned up error handling in verify_cert. - Moved out of memory prototype to error.h, as the definition is in error.c - Removed support for calling gc_malloc with a NULL gc_arena struct - - (The follwing patches from Adriaan was mistakenly merged with - the wrong commit author in the git tree) - Doxygen: Added data channel crypto docs - Added control channel crypto docs - Added compression docs - Added reliability layer documentation - Added memory management documentation - Added data channel fragmentation docs - Added main/control docs - Moved doxygen-specific files to a separate directory - -Byron Ellacott (1): - autoconf fixes for building on OSX - -David Sommerseth (50): - Provide 'dev_type' environment variable to plug-ins and script hooks - Define the new openvpn_plugin_{open,func}_v3() API - Implement the core v3 plug-in function calls. - Extend the v3 plug-in API to send over X509 certificates - Added a simple plug-in demonstrating the v3 plug-in API. - Separate the general plug-in version constant and v3 plug-in structs version - Use a version-less version identifier on the master branch - Fix the --client-cert-not-required feature - Change the default --tmp-dir path to a more suitable path - Improve the mysprintf() issue in openvpnserv.c - Add a simple comment regarding openvpn_snprintf() is duplicated - Merge branch 'feat_ipv6_transport' - Merge branch 'feat_ipv6_payload' - Merge branch 'svn-branch-2.1' into merge - Solved hidden merge conflicts between master and svn-branch-2.1 - Fix const declarations in plug-in v3 structs - Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3' - Don't define ENABLE_PUSH_PEER_INFO if SSL is not available - Fix compiling issues with pkcs11 when --disable-management is configured - Remove support for Linux 2.2 configuration fallback - Revert "Add new openssl.cnf to easy-rsa/Windows" - Merge remote branch SVN 2.1 into the git tree - Merge branch 'svn-merger' - Fix Microsoft Visual Studio incompatibility in plugin.c - Fixed compile issues on FreeBSD and Solaris - Fix PolarSSL and --pkcs12 option issues - Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway() - Make '--win-sys env' default - Do some file/directory tests before really starting openvpn - Fix bug after removing Linux 2.2 support - Don't look for 'stdin' file when using --auth-user-pass - Fix compiling with --disable-crypto and/or --disable-ssl - Fix a couple of issues in openvpn_execve() - Move away from openvpn_basename() over to platform provided basename() - Enable access() when building in Visual Studio - New Windows build fixes - Fix compilation errors on Linux platforms without SO_MARK - autotools ./configure don't like compat.h - Fix pool logging when IPv6 is not enabled - Don't check for file presence on inline files - Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook - Enhance the error handling in _openssl_get_subject() - Fix assert() situations where gc_malloc() is called without a gc_arena object - Fix compile issues when plug-ins are disabled. - Remove --show-gateway if debug info is not enabled (--disable-debug) - Fix compile issues with status.c - Connection entry {tun,link}_mtu_defined not set correctly - Makefile.am referenced a now non-existing config-win32.h - Makefile.am was missing ssl_common.h - Revamp check_file_access() checks in stdin scenarios - -Davide Guerri (1): - New feauture: Add --stale-routes-check - -Frank de Brabander (1): - Fixed wrong return type of cipher_kt_mode - -Frederic Crozat (1): - Add support to forward console query to systemd - -Gert Doering (45): - Add more detailed explanation regarding the function of "--rdns-internal" - Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release. - remove NOTES file from commit - private scribbling - NetBSD fixes - on 4.0 and up, use multi-af mode. - new feature: "ifconfig-ipv6-push" (from ccd/ config) - add some TODOs to TODO.IPv6 - undo accidential duplication of existing "--iroute" line in the help text - basic documentation of IPv6 related options and their syntax - Enable IPv6 Payload in OpenVPN p2mp tun server mode. - remove NOTES file from commit - private scribbling - env_block(): if PATH is not set, add standard PATH setting to env - add IPv6 route add / route delete code for windows (using "netsh") - - Win32 IPv6 ifconfig support, using "netsh" calls - drop "book ipv6" from open_tun() and tuncfg() prototypes - document recent changes and open TODOs, adapt --version info, tag release - Win32: set next-hop for IPv6 routes according to TUN/TAP mode - when deleting a route on win32, also add gateway address - WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7 - revert unconditionally-enabling of setenv_es() logging - implement IPv6 ifconfig + route setup/deletion on OpenBSD - full "VPN client connect" test framework for OpenVPN t_client.rc-sample - renamed t_client.sh to t_client.sh.in - 2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8 - correct URL for "more information about IPv6 patch is *here*" - bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet" - bump IPv6 version number (openvpn --version) to 20100922-1 - Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces - rebased to 2.2RC2 (beta 2.2 branch) - Windows IPv6 cleanup - properly remove IPv6 routes and interface config - For all accesses to "struct route_list * rl", check first that rl is non-NULL - Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one - Platform cleanup for NetBSD - Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block - add missing break between "case IPv4" and "case IPv6" - bump tap driver version from 9.8 to 9.9 - log error message and exit for "win32, tun mode, tap driver version 9.8" - work around inet_ntop/inet_pton problems for MSVC builds on WinXP - Fix build-up of duplicate IPv6 routes on reconnect. - Fix list-overrun checks in copy_route_[ipv6_]option_list() - add "print test titles" and "use sudo" functionality to t_client.rc - Platform cleanup for FreeBSD - Implement IPv6 interface config with non-/64 prefix lengths. - Fix RUN_SUDO functionality for t_client.sh - Document IPv6-related environment variables. - Platform cleanup for OpenBSD - -Gisle Vanem (1): - Avoid re-defining uint32_t when using mingw compiler - -Gustavo Zacarias (1): - Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto - -Heiko Hund (16): - add .gitignore to official repository - remove function is_proto_tcp() - remove legacy code to query IE proxy information - lowercase include header name in syshead.h - define IN6_ARE_ADDR_EQUAL macro for WIN32 - add --mark option to set SO_MARK sockopt - Windows UTF-8 input/output - UTF-8 X.509 distinguished names - set Windows environment variables as UCS-2 - handle Windows unicode paths - replace check for TARGET_WIN32 with WIN32 - do not use mode_t on Windows - use the underscore version of stat on Windows - make MSVC link against shell32 as well - move variable declaration to top of function - define access mode flag X_OK as 0 on Windows - -Igor Novgorodov (1): - The code blocks enabled by ENABLE_CLIENT_CR depends on management - -James Yonan (57): - Added "management-external-key" option. - Minor addition of logging info before and after execution of Windows net commands. - Misc fixes to r6708. - Added --x509-track option. - * added --management-up-down option to allow management interface to be notified of tunnel up/down events. - Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled. - Implemented get_default_gateway_mac_addr for Mac OS X - Fixes to r6925. - Properly handle certificate serial numbers > 32 bits. - Added "client-nat" option for stateless, one-to-one NAT on the client side. - Renamed branch to reflect that it is no longer beta. - env_filter_match now includes the serial number of all certs - Fixed issue where a client might receive multiple push replies from a server - Fixed bug introduced in r7031 that might cause this error message: - Extended "client-kill" management interface command (server-side) - Client will now try to reconnect if no push reply received within handshake-window seconds. - Version 2.1.3n - Fixed compiling issues when using --disable-crypto - Added "management-external-key" option. - Misc fixes to r6708. - win/sign.py now accepts an optional tap-dir argument. - Added "auth-token" client directive - Added ./configure --enable-osxipconfig option for Mac OS X - Added more packet ID debug info at debug level 3 for debugging false positive packet replays. - Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions - Fixed bug in port-share that could cause port share process to crash - For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure - Version 2.1.3t - Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option. - Added 'dir' flag to "crl-verify" (see man page for info). - Added new "extra-certs" and "verify-hash" options - Fixed compile issues on Windows. - Added --enable-lzo-stub configure option to build an OpenVPN client without LZO - Added optional journal directory argument to "port-share" directive - Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity. - env_filter_match now includes the serial number of all certs in chain - Added support for static challenge/response protocol. - r7316 fixes. - Added redirect-gateway block-local flag, with support for Linux, Mac OS X - Extended x509-track to allow SHA1 certificate hash to be extracted - Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive. - Version 2.1.5. - Fixed MSVC compile error related to r7408. - Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data. - Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars. - Changed CC_PRINT character class to allow UTF-8 chars. - Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3. - Fixed issue where redirect-gateway block-local code was not correctly calculating... - CC_PRINT character class now allows any 8-bit character value >= 32. - "status" management interface command (version >= 2) will now include the username for each connected user. - Minor fix to CC_PRINT char class - Fixed management interface bug where >FATAL notifications were not being output properly - Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3. - Added "memstats" option to maintain real-time operating stats in a memory-mapped file. - Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy: - Allow "tap-win32 dynamic " to be used in topology subnet mode. - Added support for "on-link" routes on Linux client - -Jan Just Keijser (1): - Made some options connection-entry specific - -Joe Patterson (1): - common_name passing in auth_pam plugin - -JuanJo Ciarlante (40): - * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch - * created getaddr6(), use it from resolve_remote() - * migrated all getaddrinfo() to getaddr6 - * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out, - * support --disable-ipv6 build properly: - * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket - * added README.ipv6.txt - * fixed win32 non-ipv6 build - * ipv6 on win32 "milestone": 1st snapshot that passes all unittests - * document ipv6 milestone status - * doc update w/unittests results - * make possible to x-compile openvpn/win32 in Linux - * correctly setup hints.ai_socktype for getaddrinfo(), althought sorta hacky, see TODO.ipv6. - * renamed README.ipv6{.txt,} - * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist - * init.c: document the ENABLE_MANAGEMENT place to work on - * init.c: small in-doc tweaks - * fix multi-tcp crash (corrected assertion) - * TODO.ipv6 update - * socket.c: better buf logic in print_sockaddr_ex - * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!) - * doc updates - * openbsd: no IFF_MULTICAST, #ifdef around it - * no new funcionality, just small cleanups - * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints - * polished redirect-gateway (ipv4 on ipv6 endpoints) support - * updated doc - * fix --disable-ipv6 build - * doc updates - * rebased to v2.1.1 release - * undo mroute.c changes related to ipv6 payload - * fix --multihome for ipv4 - * fix --multihome for ipv6 - * ipv6-0.4.14: fix xinetd usage - * ipv6-0.4.15: add --multihome support to xBSD - * ipv6-0.4.15b: rebase over openvpn-testing-master - * ipv6-0.4.16: fix mingw32 build - * make ipv6_payload compile under windowze - USE_PF_INET6 by default for v2.3 - fix ipv6 compilation under macosx >= 1070 - v3 - -Markus Koetter (1): - Add extv3 X509 field support to --x509-username-field - -Matthew L. Creech (1): - Fix 2.2.0 build failure when management interface disabled - -Matthias Andree (1): - Skip rather than fail test in addressless FreeBSD jails. - -Robert Fischer (8): - Update man page with info about --capath - Update man page with info about --connect-timeout - Added info about --show-proxy-settings - Documented --x509-username-field option - Documented --errors-to-stderr option - Documented --push-peer-info option - Update man page with info about --remote-random-hostname - Added man page entry for --management-client - -Samuli Seppänen (19): - Add man page entry for --redirect-private - Change all CRLF linefeeds to LF linefeeds - Fix a bug in devcon source code handling - Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi - Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers - Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier - Fix a build-ca issue on Windows - Add new openssl.cnf to easy-rsa/Windows - Updated "easy-rsa" for OpenSSL 1.0.0 - Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf - Fixes to easy-rsa/2.0 - Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6 - Fixed a number of fatal build errors on Visual Studio 2008 - Fix a Visual Studio 2008 build issue in socket.c - Additional Visual Studio 2008 build fixes to tun.c - Fixed a typo in win32.h that prevented building with Visual Studio - Fixed a regression causing VS2008/Python build failure - Fix a Visual Studio 2008 build error in tun.c - Fix a Visual Studio 2008 build error in options.c - -Simon Matter (1): - Fix issues with some older GCC compilers - -Stefan Hellermann (2): - plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case - Fixed typo in plugin.h - -chantra (1): - Clarify --tmp-dir option - -smos (1): - Change the netsh.exe command from "add" to "set". - -2011.12.25 -- Version 2.x-master -James Yonan (1): - Added support for "on-link" routes on Linux client -- these are - routes where the gateway is specified as an interface rather than - an address. This allows redirect-gateway to work on Linux clients - whose connection to the internet is via a point-to-point link - such as PPP. - - Note that at the moment, this capability is incompatible with - the "redirect-gateway block-local" directive -- this is because - the block-local directive blocks all traffic from the local LAN - except for the local and gateway addresses. Since a PPP link - is essentially a subnet of two addresses, local and remote (i.e. - gateway), the set of addresses that would be blocked by block-local - is empty. Therefore, the "redirect-gateway block-local" directive - will be ignored on PPP links. - - To view the OpenVPN client's current determination of the default - gateway, use this command: - - ./openvpn --show-gateway - -2011.03.24 -- Version 2.2-RC2 -Alon Bar-Lev (1): - Windows cross-compile cleanup - -David Sommerseth (2): - Open log files as text files on Windows - Clarify default value for the --inactive option. - -Gert Doering (1): - Implement IPv6 in TUN mode for Windows TAP driver. - -Samuli Seppänen (6): - Added support for prebuilt TAP-drivers. Automated embedding manifests. - Fixes to win/openvpn.nsi - Replaced config-win32.h with win/config.h.in - Updated INSTALL-win32.txt - Fixes to Makefile.am - Clarified --client-config-dir section on the man-page. - -Ville Skyttä (1): - Fix line continuation in chkconfig init script description. - -2011.02.28 -- Version 2.2-RC -David Sommerseth (3): - Make the --x509-username-field feature an opt-in feature - Fix compiler warning when compiling against OpenSSL 1.0.0 - Fix packaging of config-win32.h and service-win32/msvc.mak - -James Yonan (1): - Minor addition of logging info before and after execution of Windows net commands. - -Matthias Andree (1): - Change variadic macros to C99 style. - -Samuli Seppänen (15): - Added ENABLE_PASSWORD_SAVE to config-win32.h - Added a nmake makefile for openvpnserv.exe building - Moved TAP-driver version info to version.m4. Cleaned up win/settings.in. - Added helper functionality to win/wb.py - Added support for viewing config-win32.h paramters to win/show.py - Added comments and made small modifications to win/msvc.mak.in - Added command-line switch to win/build_all.py to skip TAP driver building - Added configure.h and version.m4 variable parsing to win/config.py - Added openvpnserv.exe building to win/build.py - Added comments to win/build_ddk.py - Several modifications to win/make_dist.py to allow building the NSI installer - Copied install-win32/setpath.nsi to win/setpath.nsi - Added first version of NSI installer script to win/openvpn.nsi - Changes to buildsystem patchset - Temporary snprintf-related fix to service-win32/openvpnserv.c - -2010.11.25 -- Version 2.2-beta5 - -Samuli Seppänen (1): - Fixed an issue causing a build failure with MS Visual Studio 2008. - -2010.11.18 -- Version 2.2-beta4 - -David Sommerseth (10): - Clarified --explicit-exit-notify man page entry - Clean-up: Remove pthread and mutex locking code - Clean-up: Remove more dead and inactive code paths - Clean-up: Removing useless code - hash related functions - Use stricter snprintf() formatting in socks_username_password_auth() (v3) - Fix compiler warnings about not used dummy() functions - Fixed potential misinterpretation of boolean logic - Only add some functions when really needed - Removed functions not being used anywhere - Merged add_bypass_address() and add_host_route_if_nonlocal() - -Gert Doering (3): - Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa . - Make "topology subnet" work on Solaris - Improved man page entry for script_type - -James Yonan (5): - Fixed initialization bug in route_list_add_default_gateway (Gert Doering). - Implement challenge/response authentication support in client mode - Make base64.h have the same conditional compilation expression as base64.c. - Fixed compiling issues when using --disable-crypto - In verify_callback, the subject var should be freed by OPENSSL_free, not free - -Jesse Young (1): - Remove hardcoded path to resolvconf - -Lars Hupel (1): - Add HTTP/1.1 Host header - -Pierre Bourdon (1): - Adding support for SOCKS plain text authentication - -Samuli Seppänen (2): - Added check for variable CONFIGURE_DEFINES into options.c - Added command-line option parser and an unsigned build option to build_all.py - -2010.08.21 -- Version 2.2-beta3 - -* Attempt to fix issue where domake-win build system was not properly - signing drivers and .exe files. - - Added win/tap_span.py for building multiple versions of the TAP driver - and tapinstall binaries using different DDK versions to span from Win2K - to Win7 and beyond. - -* Community patches - David Sommerseth (2): - Test framework improvment - Do not FAIL if t_client.rc is missing - More t_client.sh updates - exit with SKIP when we want to skip - - Gert Doering (4): - Fix compile problems on NetBSD and OpenBSD - Fix compile time problems on OpenBSD for good - full "VPN client connect" test framework for OpenVPN - Build t_client.sh by configure at run-time. - - chantra (1): - Fixes openssl-1.0.0 compilation warning - -2010.08.16 -- Version 2.2-beta2 - -* Windows security issue: - Fixed potential local privilege escalation vulnerability in - Windows service. The Windows service did not properly quote the - executable filename passed to CreateService. A local attacker - with write access to the root directory C:\ could create an - executable that would be run with the same privilege level as - the OpenVPN Windows service. However, since non-Administrative - users normally lack write permission on C:\, this vulnerability - is generally not exploitable except on older versions of Windows - (such as Win2K) where the default permissions on C:\ would allow - any user to create files there. - Credit: Scott Laurie, MWR InfoSecurity - -* Added Python-based based alternative build system for Windows using - Visual Studio 2008 (in win directory). - -* When aborting in a non-graceful way, try to execute do_close_tun in - init.c prior to daemon exit to ensure that the tun/tap interface is - closed and any added routes are deleted. - -* Fixed an issue where AUTH_FAILED was not being properly delivered - to the client when a bad password is given for mid-session reauth, - causing the connection to fail without an error indication. - -* Don't advance to the next connection profile on AUTH_FAILED errors. - -* Fixed an issue in the Management Interface that could cause - a process hang with 100% CPU utilization in --management-client - mode if the management interface client disconnected at the - point where credentials are queried. - -* Fixed an issue where if reneg-sec was set to 0 on the client, - so that the server-side value would take precedence, - the auth_deferred_expire_window function would incorrectly - return a window period of 0 seconds. In this case, the - correct window period should be the handshake window - period. - -* Modified ">PASSWORD:Verification Failed" management interface - notification to include a client reason string: - - >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] - -* Enable exponential backoff in reliability layer - retransmits. - -* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after - socket is created rather than waiting until after connect/listen. - -* Management interface performance optimizations: - - 1. Added env-filter MI command to perform filtering on env vars - passed through as a part of --management-client-auth - - 2. man_write will now try to aggregate output into larger blocks - (up to 1024 bytes) for more efficient i/o - -* Fixed minor issue in Windows TAP driver DEBUG builds - where non-null-terminated unicode strings were being - printed incorrectly. - -* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support - was not being compiled in. - -* Proxy improvements: - - Improved the ability of http-auth "auto" flag to dynamically detect - the auth method required by the proxy. - - Added http-auth "auto-nct" flag to reject weak proxy auth methods. - - Added HTTP proxy digest authentication method. - - Removed extraneous openvpn_sleep calls from proxy.c. - -* Implemented http-proxy-override and http-proxy-fallback directives to make it - easier for OpenVPN client UIs to start a pre-existing client config file with - proxy options, or to adaptively fall back to a proxy connection if a direct - connection fails. - -* Implemented a key/value auth channel from client to server. - -* Fixed issue where bad creds provided by the management interface - for HTTP Proxy Basic Authentication would go into an infinite - retry-fail loop instead of requerying the management interface for - new creds. - -* Added support for MSVC debugging of openvpn.exe in settings.in: - - # Build debugging version of openvpn.exe - !define PRODUCT_OPENVPN_DEBUG - -* Implemented multi-address DNS expansion on the network field of route - commands. - - When only a single IP address is desired from a multi-address DNS - expansion, use the first address rather than a random selection. - -* Added --register-dns option for Windows. - - Fixed some issues on Windows with --log, subprocess creation - for command execution, and stdout/stderr redirection. - -* Fixed an issue where application payload transmissions on the - TLS control channel (such as AUTH_FAILED) that occur during - or immediately after a TLS renegotiation might be dropped. - -* Added warning about tls-remote option in man page. - -2009.12.11 -- Version 2.1.1 - -* Fixed some breakage in openvpn.spec (which is required to build an - RPM distribution) where it was referencing a non-existent - subdirectory in the tarball, causing it to fail (patch from - David Sommerseth). - -2009.12.11 -- Version 2.1.0 - -* Fixed a couple issues in sample plugins auth-pam.c and down-root.c. - (1) Fail gracefully rather than segfault if calloc returns NULL. - (2) The openvpn_plugin_abort_v1 function can potentially be called - with handle == NULL. Add code to detect this case, and if so, avoid - dereferencing pointers derived from handle (Thanks to David - Sommerseth for finding this bug). - -* Documented "multihome" option in the man page. - -2009.11.20 -- Version 2.1_rc22 - -* Fixed a client-side bug on Windows that occurred when the - "dhcp-pre-release" or "dhcp-renew" options were combined with - "route-gateway dhcp". The release/renew would not occur - because the Windows DHCP renew function is blocking and - therefore must be called from another process or thread - so as not to stall the tunnel. - -* Added a hard failure when peer provides a certificate chain - with depth > 16. Previously, a warning was issued. - -2009.11.12 -- Version 2.1_rc21 - -* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address - CVE-2009-3555. Note that OpenVPN has never relied on the session - renegotiation capabilities that are built into the SSL/TLS protocol, - therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation - completely) will not adversely affect OpenVPN mid-session SSL/TLS - renegotation or any other OpenVPN capabilities. - -* Added additional session renegotiation hardening. OpenVPN has always - required that mid-session renegotiations build up a new SSL/TLS - session from scratch. While the client certificate common name is - already locked against changes in mid-session TLS renegotiations, we - now extend this locking to the auth-user-pass username as well as all - certificate content in the full client certificate chain. - -2009.10.01 -- Version 2.1_rc20 - -* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the - redirect-gateway option by itself, without any extra parameters, - would cause the option to be ignored. - -* Fixed build problem when ./configure --disable-server is used. - -* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke). - -* Added --remote-random-hostname option. - -* Added "load-stats" management interface command to get global server - load statistics. - -* Added new ./configure flags: - - --disable-def-auth Disable deferred authentication - --disable-pf Disable internal packet filter - -* Added "setcon" directive for interoperability with SELinux (Sebastien - Raveau). - -* Optimized PUSH_REQUEST handshake sequence to shave several seconds - off of a typical client connection initiation. - -* The maximum number of "route" directives (specified in the config - file or pulled from a server) can now be configured via the new - "max-routes" directive. - -* Eliminated the limitation on the number of options that can be pushed - to clients, including routes. Previously, all pushed options needed - to fit within a 1024 byte options string. - -* Added --server-poll-timeout option : when polling possible remote - servers to connect to in a round-robin fashion, spend no more than - n seconds waiting for a response before trying the next server. - -* Added the ability for the server to provide a custom reason string - when an AUTH_FAILED message is returned to the client. This - string can be set by the server-side managment interface and read - by the client-side management interface. - -* client-kill management interface command, when issued on server, will - now send a RESTART message to client. - This feature is intended to make UDP clients respond the same as TCP - clients in the case where the server issues a RESTART message in - order to force the client to reconnect and pull a new options/route - list. - -2009.07.16 -- Version 2.1_rc19 - -* In Windows TAP driver, refactor DHCP/ARP packet injection code to - use a DPC (deferred procedure call) to defer packet injection until - IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive - in the context of AdapterTransmit. This is an attempt to reduce kernel - stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been - observed on Vista. Updated TAP driver version number to 9.6. - -* In configure.ac, use datadir instead of datarootdir for compatibility - with CLIENT:ESTABLISHED" notification. - -* Build fixes: - - 1. Fixed some issues with C++ style comments that leaked into the code. - - 2. Updated configure.ac to work on MinGW64. - - 3. Updated common.h types for _WIN64. - - 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc - compilers. - - 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to - OpenVPNCryptAcquireCertificatePrivateKey to work around - a symbol conflict in MinGW-5.1.4. - -2008.11.19 -- Version 2.1_rc15 - -* Fixed issue introduced in 2.1_rc14 that may cause a - segfault when a --plugin module is used. - -* Added server-side --opt-verify option: clients that connect - with options that are incompatible with those of the server - will be disconnected (without this option, incompatible - clients would trigger a warning message in the server log - but would not be disconnected). - -* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket - flag on the server as well as pushes it to connecting clients. - -* Minor options check fix: --no-name-remapping is a - server-only option and should therefore generate an - error when used on the client. - -* Added --prng option to control PRNG (pseudo-random - number generator) parameters. In previous OpenVPN - versions, the PRNG was hardcoded to use the SHA1 - hash. Now any OpenSSL hash may be used. This is - part of an effort to remove hardcoded references to - a specific cipher or cryptographic hash algorithm. - -* Cleaned up man page synopsis. - -2008.11.16 -- Version 2.1_rc14 - -* Added AC_GNU_SOURCE to configure.ac to enable struct ucred, - with the goal of fixing a build issue on Fedora 9 that was - introduced in 2.1_rc13. - -* Added additional method parameter to --script-security to preserve - backward compatibility with system() call semantics used in OpenVPN - 2.1_rc8 and earlier. To preserve backward compatibility use: - - script-security 3 system - -* Added additional warning messages about --script-security 2 - or higher being required to execute user-defined scripts or - executables. - -* Windows build system changes: - - Modified Windows domake-win build system to write all openvpn.nsi - input files to gen, so that gen can be disconnected from - the rest of the source tree and makensis openvpn.nsi will - still function correctly. - - Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in - (commented out by default). - - Added optional files SAMPCONF_CONF2 (second sample configuration - file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows - build system, and may be defined in settings.in. - -* Extended Management Interface "bytecount" command - to work when OpenVPN is running as a server. - Documented Management Interface "bytecount" command in - management/management-notes.txt. - -* Fixed informational message in ssl.c to properly indicate - deferred authentication. - -* Added server-side --auth-user-pass-optional directive, to allow - connections by clients that do not specify a username/password, when a - user-defined authentication script/module is in place (via - --auth-user-pass-verify, --management-client-auth, or a plugin module). - -* Changes to easy-rsa/2.0/pkitool and related openssl.cnf: - - Calling scripts can set the KEY_NAME environmental variable to set - the "name" X509 subject field in generated certificates. - - Modified pkitool to allow flexibility in separating the Common Name - convention from the cert/key filename convention. - - For example: - - KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james - - will create a client certificate/key pair of james.crt/james.key - having a Common Name of "James's Laptop" and a Name of "james". - -* Added --no-name-remapping option to allow Common Name, X509 Subject, - and username strings to include any printable character including - space, but excluding control characters such as tab, newline, and - carriage-return (this is important for compatibility with external - authentication systems). - - As a related change, added --status-version 3 format (and "status 3" - in the management interface) which uses the version 2 format except - that tabs are used as delimiters instead of commas so that there - is no ambiguity when parsing a Common Name that contains a comma. - - Also, save X509 Subject fields to environment, using the naming - convention: - - X509_{cert_depth}_{name}={value} - - This is to avoid ambiguities when parsing out the X509 subject string - since "/" characters could potentially be used in the common name. - -* Fixed some ifconfig-pool issues that precluded it from being combined - with --server directive. - - Now, for example, we can configure thusly: - - server 10.8.0.0 255.255.255.0 nopool - ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0 - - to have ifconfig-pool manage only a subset - of the VPN subnet. - -* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax - config file syntax checking to allow directives for future OpenVPN - versions to be ignored. - -2008.10.07 -- Version 2.1_rc13 - -* Bundled OpenSSL 0.9.8i with Windows installer. - -* Management interface can now listen on a unix - domain socket, for example: - - management /tmp/openvpn unix - - Also added management-client-user and management-client-group - directives to control which processes are allowed to connect - to the socket. - -* Copyright change to OpenVPN Technologies, Inc. - -2008.09.23 -- Version 2.1_rc12 - -* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes - part of the tarball (Matthias Andree). - -* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code - was incorrectly expecting the lladdr parameter to be an IP address - when it is actually a MAC address (HoverHell). - -2008.09.14 -- Version 2.1_rc11 - -* Fixed a bug that can cause SSL/TLS negotiations in UDP mode - to fail if UDP packets are dropped. - -2008.09.10 -- Version 2.1_rc10 - -* Added "--server-bridge" (without parameters) to enable - DHCP proxy mode: Configure server mode for ethernet - bridging using a DHCP-proxy, where clients talk to the - OpenVPN server-side DHCP server to receive their IP address - allocation and DNS server addresses. - -* Added "--route-gateway dhcp", to enable the extraction - of the gateway address from a DHCP negotiation with the - OpenVPN server-side LAN. - -* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns - on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, - ignore it. - -* Warn when ethernet bridging that the IP address of the bridge adapter - is probably not the same address that the LAN adapter was set to - previously. - -* When running as a server, warn if the LAN network address is - the all-popular 192.168.[0|1].x, since this condition commonly - leads to subnet conflicts down the road. - -* Primarily on the client, check for subnet conflicts between - the local LAN and the VPN subnet. - -* Added a 'netmask' parameter to get_default_gateway, to return - the netmask of the adapter containing the default gateway. - Only implemented on Windows so far. Other platforms will - return 255.255.255.0. Currently the netmask information is - only used to warn about subnet conflicts. - -* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO - and USE_SSL flags are enabled (Alon Bar-Lev). - -* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new - --script-security rules. Also adds retrying if the addresses are in - use (Matthias Andree). - -* Fixed build issue with ./configure --disable-socks --disable-http. - -* Fixed separate compile errors in options.c and ntlm.c that occur - on strict C compilers (such as old versions of gcc) that require - that C variable declarations occur at the start of a {} block, - not in the middle. - -* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which - the new implementation of extract_x509_field_ssl depends on. - -* LZO compression buffer overflow errors will now invalidate - the packet rather than trigger a fatal assertion. - -* Fixed minor compile issue in ntlm.c (mid-block declaration). - -* Added --allow-pull-fqdn option which allows client to pull DNS names - from server (rather than only IP address) for --ifconfig, --route, and - --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names - for these options to be pulled and translated to IP addresses by default. - Now --allow-pull-fqdn will be explicitly required on the client to enable - DNS-name-to-IP-address translation of pulled options. - -* 2.1_rc8 and earlier did implicit shell expansion on script - arguments since all scripts were called by system(). - The security hardening changes made to 2.1_rc9 no longer - use system(), but rather use the safer execve or CreateProcess - system calls. The security hardening also introduced a - backward incompatibility with 2.1_rc8 and earlier in that - script parameters were no longer shell-expanded, so - for example: - - client-connect "docc CLIENT-CONNECT" - - would fail to work because execve would try to execute - a script called "docc CLIENT-CONNECT" instead of "docc" - with "CLIENT-CONNECT" as the first argument. - - This patch fixes the issue, bringing the script argument - semantics back to pre 2.1_rc9 behavior in order to preserve - backward compatibility while still using execve or CreateProcess - to execute the script/executable. - -* Modified ip_or_dns_addr_safe, which validates pulled DNS names, - to more closely conform to RFC 3696: - - (1) DNS name length must not exceed 255 characters - - (2) DNS name characters must be limited to alphanumeric, - dash ('-'), and dot ('.') - -* Fixed bug in intra-session TLS key rollover that was introduced with - deferred authentication features in 2.1_rc8. - -2008.07.31 -- Version 2.1_rc9 - -* Security Fix -- affects non-Windows OpenVPN clients running - OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT - vulnerable nor are any versions of the OpenVPN server vulnerable). - An OpenVPN client connecting to a malicious or compromised - server could potentially receive an "lladdr" or "iproute" configuration - directive from the server which could cause arbitrary code execution on - the client. A successful attack requires that (a) the client has agreed - to allow the server to push configuration directives to it by including - "pull" or the macro "client" in its configuration file, (b) the client - successfully authenticates the server, (c) the server is malicious or has - been compromised and is under the control of the attacker, and (d) the - client is running a non-Windows OS. Credit: David Wagner. - CVE-2008-3459 - -* Miscellaneous defensive programming changes to multiple - areas of the code. In particular, use of the system() call - for calling executables such as ifconfig, route, and - user-defined scripts has been completely revamped in favor - of execve() on unix and CreateProcess() on Windows. - -* In Windows build, package a statically linked openssl.exe to work around - observed instabilities in the dynamic build since the migration to - OpenSSL 0.9.8h. - -2008.06.11 -- Version 2.1_rc8 - -* Added client authentication and packet filtering capability - to management interface. In addition, allow OpenVPN plugins - to take advantage of deferred authentication and packet - filtering capability. - -* Added support for client-side connection profiles. - -* Fixed unbounded memory growth bug in environmental variable - code that could have caused long-running OpenVPN sessions - with many TLS renegotiations to incrementally - increase memory usage over time. - -* Windows release now packages openssl-0.9.8h. - -* Build system changes -- allow building on Windows using - autoconf/automake scripts (Alon Bar-Lev). - -* Changes to Windows build system to make it easier to do - partial builds, with a reduced set of prerequisites, - where only a subset of OpenVPN installer - components are built. See ./domake-win comments. - -* Cleanup IP address for persistence interfaces for tap and also - using ifconfig, gentoo#209055 (Alon Bar-Lev). - -* Fall back to old version of extract_x509_field for OpenSSL 0.9.6. - -* Clarified tcp-queue-limit man page entry (Matti Linnanvuori). - -* Added new OpenVPN icon and installer graphic. - -* Minor pkitool changes. - -* Added --pkcs11-id-management option, which will cause OpenVPN to - query the management interface via the new NEED-STR asynchronous - notification query to get additional PKCS#11 options (Alon Bar-Lev). - -* Added NEED-STR management interface asynchronous query and - "needstr" management interface command to respond to the query - (Alon Bar-Lev). - -* Added Dragonfly BSD support (Francis-Gudin). - -* Quote device names before passing to up/down script (Josh Cepek). - -* Bracketed struct openvpn_pktinfo with #pragma pack(1) to - prevent structure padding from causing an incorrect length - to be returned by sizeof (struct openvpn_pktinfo) on 64-bit - platforms. - -* On systems that support res_init, always call it - before calling gethostbyname to ensure that - resolver configuration state is current. - -* Added NTLMv2 proxy support (Miroslav Zajic). - -* Fixed an issue in extract_x509_field_ssl where the extraction - would fail on the first field of the subject name, such as - the common name in: /CN=foo/emailAddress=foo@bar.com - -* Made "Linux ip addr del failed" error nonfatal. - -* Amplified --client-cert-not-required warning. - -* Added #pragma pack to proto.h. - -2008.01.29 -- Version 2.1_rc7 - -* Added a few extra files that exist in the svn repo but were - not being copied into the tarball by make dist. - -* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev). - -2008.01.24 -- Version 2.1_rc6 - -* Fixed options checking bug introduced in rc5 where legitimate configuration - files might elicit the error: "Options error: Parameter pkcs11_private_mode - can only be specified in TLS-mode, i.e. where --tls-server or --tls-client - is also specified." - -2008.01.23 -- Version 2.1_rc5 - -* Fixed Win2K TAP driver bug that was introduced by Vista fixes, - incremented driver version to 9.4. - -* Windows build system changes: - - Incremented included OpenSSL version to openssl-0.9.7m. - - Updated openssl.patch for openssl-0.9.7m and added some - brief usage comments to the head of the patch. - - Added build-pkcs11-helper.sh for building the pkcs11-helper - library. - - Integrated inclusion of pkcs11-helper into Windows build - system. - - Upgraded TAP build scripts to use WDK 6001.17121 - (Windows 2008 Server pre-RTM). - -* Windows installer changes: - - Clean up the start menu folder. - - Allow for a site-specific sample configuration file and keys - to be included in a custom installer (see SAMPCONF macros - in settings.in). - - New icon (temporary). - -* Added "forget-passwords" command to the management interface - (Alon Bar-Lev). - -* Added --management-signal option to signal SIGUSR1 when the - management interface disconnects (Alon Bar-Lev). - -* Modified command line and config file parser to allow - quoted strings using single quotes ('') (Alon Bar-Lev). - -* Use pkcs11-helper as external library, can be downloaded from - https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). - -* Fixed interim memory growth issue in TCP connect loop where - "TCP: connect to %s failed, will try again in %d seconds: %s" - is output. - -* Fixed bug in epoll driver in event.c, where the lack of a - handler for EPOLLHUP could cause 99% CPU usage. - -* Defined ALLOW_NON_CBC_CIPHERS for people who don't - want to use a CBC cipher for OpenVPN's data channel. - -* Added PLUGIN_LIBDIR preprocessor string to prepend a default - plugin directory to the dlopen search list when the user - specifies the basename of the plugin only (Marius Tomaschewski). - -* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS - to allow forward slash characters ("/") in the X509 common name - (Pavel Shramov). - -* Allow OpenVPN to run completely unprivileged under Linux - by allowing openvpn --mktun to be used with --user and --group - to set the UID/GID of the tun device node. Also added --iproute - option to allow an alternative command to be executed in place - of the default iproute2 command (Alon Bar-Lev). - -* Fixed --disable-iproute2 in ./configure to actually disable - iproute2 usage (Alon Bar-Lev). - -* Added --management-forget-disconnect option -- forget - passwords when management session disconnects (Alon Bar-Lev). - -2007.04.25 -- Version 2.1_rc4 - -* Worked out remaining issues with TAP driver signing - on Vista x64. OpenVPN will now run on Vista x64 - with driver signing enforcement enabled. - -* Fixed 64-bit portability bug in time_string function - (Thomas Habets). - -2007.04.22 -- Version 2.1_rc3 - -* Additional fixes to TAP driver for Windows x64. Driver - now runs successfully on Vista x64 if driver signing - enforcement is disabled. - -* The Windows Installer and TAP driver are now signed by - OpenVPN Solutions LLC (in addition to the usual GnuPG - signatures). - -* Added OpenVPN GUI (Mathias Sundman version) as install - option in Windows installer. - -* Clean up configure on FreeBSD for recent autotool versions - that require that all .h files have to be compiled. - Also, FreeBSD install does not support GNU long options - which the Makefile in easy-rsa/2.0 uses (not checked the - others as we don't install those on Gentoo) (Roy Marples). - -* Added additional scripts to easy-rsa/Windows for working - with password-protected keys; also add -extensions server - option when generating server cert via - build-key-server-pass.bat (Daniel Zauft). - -2007.02.27 -- Version 2.1_rc2 - -* auth-pam change: link with -lpam rather - than dlopen (Roy Marples). - -* Prevent SIGUSR1 or SIGHUP from causing program - exit from initial management hold. - -* SO_REUSEADDR should not be set on Windows TCP sockets - because it will cause bind to succeed on port conflicts. - -* Added time_ascii, time_duration, and time_unix - environmental variables for plugins and callback - scripts. - -* Fixed issue where OpenVPN does not apply the --txqueuelen option - to persistent interfaces made with --mktun (Roy Marples). - -* Attempt at rational signal handling when in the - management hold state. During management hold, ignore - SIGUSR1/SIGHUP signals thrown with the "signal" command. - Also, "signal" command will now apply remapping as - specified with the --remap-usr1 option. - When a signal entered using the "signal" command from a management - hold is ignored, output: >HOLD:Waiting for hold release - -* Fixed issue where struct env_set methods that - change the value of an existing name=value pair - would delay the freeing of the memory held by - the previous name=value pair until the underlying - client instance object is closed. - This could cause a server that handles long-term - client connections, resulting in many periodic calls - to verify_callback, to needlessly grow the env_set - memory allocation until the underlying client instance - object is closed. - -* Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys - to reflect the fact that Vista has blacklisted the tap0801.sys - file name due to previous compatibility issues which have now - been resolved. TAP-Win32 major/minor version number is now 9/1. - -* Windows installer will delete a previously installed - tap0801.sys TAP driver before installing tap0901.sys. - -* Added code to Windows installer to fail gracefully on 64 bit - installs until 64-bit TAP driver issues can be resolved. - -* Added code to Windows installer to fail gracefully on - versions of Windows which are not explicitly supported. - -* The Windows version will now use a default route-delay - of 5 seconds to deal with an apparent routing table race - condition on Vista. - -* Worked around an incompatibility in the Windows Vista - version of CreateIpForwardEntry as described in - http://www.nynaeve.net/?p=59 - This issue would cause route additions using the - IP Helper API to fail on Vista. - -* On Windows, revert to "ip-win32 dynamic" as the default. - -2006.10.31 -- Version 2.1_rc1 - -* Support recovery (return to hold) from signal at - management password prompt. - -* Added workaround for OpenSC PKCS#11 bug#108 - (Alon Bar-Lev). - -2006.10.01 -- Version 2.1-beta16 - -* Windows installer updated with OpenSSL 0.9.7l DLLs to fix - published vulnerabilities. - -* Fixed TAP-Win32 bug that caused BSOD on Windows Vista - (Henry Nestler). - -* Autodetect 32/64 bit Windows in installer and install - appropriate TAP driver (Mathias Sundman, Hypherion). - -* Fixed bug in loopback self-test introduced - in 2.1-beta15 where self test as invoked by - "make check" would not properly exit after - 2 minutes (Paul Howarth). - -2006.09.12 -- Version 2.1-beta15 - -* Windows installer updated with OpenSSL 0.9.7k DLLs to fix - RSA Signature Forgery (CVE-2006-4339). - -* Fixed bug introduced with the --port-share directive - (back in 2.1-beta9 which causes TLS soft resets - (1 per hour by default) in TCP server mode to force - a blockage of tunnel packets and later time-out and - restart the connection. - -* easy-rsa update (Alon Bar-Lev) - Makefile (install) is now available so that - distribs will be able to install it safely. - -* PKCS#11 changes: (Alon Bar-Lev) - - Modified ssl.c to not FATAL and return to init.c - so auth-retry will work. - - Modifed pkcs11-helper.c to fix some problem with - multiple providers. - - Added retry counter to PKCS#11 PIN hook. - - Modified PKCS#11 PIN retry loop to return correct error - code when PIN is incorrect. - - Fix handling (ignoring) zero sized attributes. - - Fix gcc-2 issues. - - Fix openssl 0.9.6 (first version) issues. - -* Minor fixes of lladdr (Alon Bar-Lev) - Updated makefile.w32-vc to include lladdr.*, updated - linkage libraries. - Modified lladdr.c to be compiled under visual C. - -* Added two new management states: - OPENVPN_STATE_RESOLVE -- DNS lookup - OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server - -* Echo management state change to log. - -* Minor syshead.h change for NetBSD to allow - TCP_NODELAY flag to work. - -* Modified --port-share code to remove the assumption that - CMSG_SPACE always evaluates to a constant, to enable - compilation on NetBSD and possibly other BSDs as well. - -* Eliminated gcc 3.3.3 warnings on NetBSD - when ./configure --enable-strict is used. - -* Added optional minimum-number-of-bytes parameter - to --inactive directive. - -2006.04.13 -- Version 2.1-beta14 - -* Fixed Windows server bug in time backtrack handling code which - could cause TLS negotiation failures on legitimate clients. - -* Rewrote gettimeofday function for Windows to be - simpler and more efficient. - -* Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev). - -* Added --route-metric option to set a default route metric - for --route (Roy Marples). - -* Added --lladdr option to specify the link layer (MAC) address - for the tap interface on non-Windows platforms (Roy Marples). - -2006.04.12 -- Version 2.1-beta13 - -* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters - to 64 bits caused a bug in the Windows version which has now - been fixed. The bug could cause intermittent crashes. - -2006.04.05 -- Version 2.1-beta12 - -* Security Vulnerability -- An OpenVPN client connecting to a - malicious or compromised server could potentially receive - "setenv" configuration directives from the server which could - cause arbitrary code execution on the client via a LD_PRELOAD - attack. A successful attack appears to require that (a) the - client has agreed to allow the server to push configuration - directives to it by including "pull" or the macro "client" in - its configuration file, (b) the client configuration file uses - a scripting directive such as "up" or "down", (c) the client - succesfully authenticates the server, (d) the server is - malicious or has been compromised and is under the control of - the attacker, and (e) the attacker has at least some level of - pre-existing control over files on the client (this might be - accomplished by having the server respond to a client web request - with a specially crafted file). Credit: Hendrik Weimer. - CVE-2006-1629. - - The fix is to disallow "setenv" to be pushed to clients from - the server, and to add a new directive "setenv-safe" which is - pushable from the server, but which appends "OPENVPN_" to the - name of each remotely set environmental variable. - -* "topology subnet" fix for FreeBSD (Benoit Bourdin). - -* PKCS11 fixes (Alon Bar-Lev). For full description: - svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21 - -* When deleting routes under Linux, use the route metric - as a differentiator to ensure that the route teardown - process only deletes the identical route which was originally - added via the "route" directive (Roy Marples). - -* Fix the t_cltsrv.sh file in FreeBSD 4 jails - (Matthias Andree, Dirk Meyer, Vasil Dimov). - -* Extended tun device configure code to support ethernet - bridging on NetBSD (Emmanuel Kasper). - -2006.02.19 -- Version 2.1-beta11 - -* Fixed --port-share bug that caused premature closing - of proxied sessions. - -2006.02.17 -- Version 2.1-beta10 - -* Fixed --port-share breakage introduced in 2.1-beta9. - -2006.02.16 -- Version 2.1-beta9 - -* Added --port-share option for allowing OpenVPN and HTTPS - server to share the same port number. -* Added --management-client option to connect as a client - to management GUI app rather than be connected to as a - server. -* Added "bytecount" command to management interface. -* --remote-cert-tls fixes (Alon Bar-Lev). - -2006.01.03 -- Version 2.1-beta8 - -* --remap-usr1 will now also remap signals thrown during - initialization. -* Added --connect-timeout option to control the timeout - on TCP client connection attempts (doesn't work on all - OSes). This patch also makes OpenVPN signalable during - TCP connection attempts. -* Fixed bug in acinclude.m4 where capability of compiler - to handle zero-length arrays in structs is tested - (David Stipp). -* Fixed typo in manage.c where inline function declaration - was declared without the "static" keyword (David Stipp). -* Patch to support --topology subnet on Mac OS X (Mathias Sundman). -* Added --auto-proxy directive to auto-detect HTTP or SOCKS - proxy settings (currently Windows only). -* Removed redundant base64 code. -* Better sanity checking of --server and --server-bridge - IP pool ranges, so as not to hit the assertion at - pool.c:119 (2.0.5). -* Fixed bug where --daemon and --management-query-passwords - used together would cause OpenVPN to block prior to - daemonization. -* Fixed client/server race condition which could occur - when --auth-retry interact is set and the initially - provided auth-user-pass credentials are incorrect, - forcing a username/password re-query. -* Fixed bug where if --daemon and --management-hold are - used together, --user or --group options would be ignored. -* --ip-win32 adaptive is now the default. -* --ip-win32 netsh (or --ip-win32 adaptive when in netsh - mode) can now set DNS/WINS addresses on the TAP-Win32 - adapter. -* Added new option --route-method adaptive (Win32) - which tries IP helper API first, then falls back to - route.exe. -* Made --route-method adaptive the default. - -2005.11.12 -- Version 2.1-beta7 - -* Allow blank passwords to be passed via the management - interface. -* Fixed bug where "make check" inside a FreeBSD "jail" - would never complete (Matthias Andree). -* Fixed bug where --server directive in --dev tap mode - claimed that it would support subnets of /30 or less - but actually would only accept /29 or less. -* Extend byte counters to 64 bits (M. van Cuijk). -* Fixed bug in Linux get_default_gateway function - introduced in 2.0.4, which would cause redirect-gateway - on Linux clients to fail. -* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to - be compatible with 2.0.x distribution. -* Documented --route-nopull. -* Documented --ip-win32 adaptive. -* Windows build now linked with LZO2. -* Allow ca, cert, key, and dh files to be specified - inline via XML-like syntax without needing to - reference an explicit file. - For example: - - data here... - -* Allow plugin and push directives to have multi-line - parameter lists such as: - - my-plugin.so - parm1 - parm2 - -* Added connect-retry-max option (Alon Bar-Lev). -* Fixed problems where signals thrown during initialization - were not returning to a management-hold state. -* Added a backtrack-hardened system time algorithm. -* Added --remote-cert-ku, --remote-cert-eku, and - --remote-cert-tls options for verifying certificate - attributes (Alon Bar-Lev). -* For Windows, reverted --ip-win32 default back to "dynamic". - To use new adaptive mode, set explicitly. - -2005.11.01 -- Version 2.1-beta6 - -* Security fix (merged from 2.0.4) -- Affects non-Windows - OpenVPN clients of version 2.0 or higher which connect to - a malicious or compromised server. A format string - vulnerability in the foreign_option function in options.c - could potentially allow a malicious or compromised server - to execute arbitrary code on the client. Only - non-Windows clients are affected. The vulnerability - only exists if (a) the client's TLS negotiation with - the server succeeds, (b) the server is malicious or - has been compromised such that it is configured to - push a maliciously crafted options string to the client, - and (c) the client indicates its willingness to accept - pushed options from the server by having "pull" or - "client" in its configuration file (Credit: Vade79). - CVE-2005-3393 -* Security fix -- (merged from 2.0.4) Potential DoS - vulnerability on the server in TCP mode. If the TCP - server accept() call returns an error status, the resulting - exception handler may attempt to indirect through a NULL - pointer, causing a segfault. Affects all OpenVPN 2.0 versions. - CVE-2005-3409 -* Fix attempt of assertion at multi.c:1586 (note that - this precise line number will vary across different - versions of OpenVPN). -* Windows reliability changes: - (a) Added code to make sure that the local PATH environmental - variable points to the Windows system32 directory. - (b) Added new --ip-win32 adaptive mode which tries 'dynamic' - and then fails over to 'netsh' if the DHCP negotiation fails. - (c) Made --ip-win32 adaptive the default. -* More PKCS#11 additions/changes (Alon Bar-Lev). -* Added ".PHONY: plugin" to Makefile.am to work around - "make dist" issue. -* Fixed double fork issue that occurs when --management-hold - is used. -* Moved TUN/TAP read/write log messages from --verb 8 to 6. -* Warn when multiple clients having the same common name or - username usurp each other when --duplicate-cn is not used. -* Modified Windows and Linux versions of get_default_gateway - to return the route with the smallest metric - if multiple 0.0.0.0/0.0.0.0 entries are present. -* Added ">NEED-OK" alert and "needok" command to management - interface to provide a general interface for sending - alerts to the end-user. Used by the PKCS#11 code - to send Token Insertion Requests to the user. -* Added actual remote address used to the ">STATE" alert - in the management interface (Rolf Fokkens). - -2005.10.17 -- Version 2.1-beta4 - -* Fixed bug introduced in 2.1-beta3 where management - socket bind would fail. -* --capath fix in ssl.c (Zhuang Yuyao). -* Added ".PHONY: plugin" to Makefile.am, reverted - location of "plugin" directory (thanks to - Matthias Andree for figuring this out). - -2005.10.16 -- Version 2.1-beta3 - -* Added PKCS#11 support (Alon Bar-Lev). -* Enable the use of --ca together with --pkcs12. If --ca is - used at the same time as --pkcs12, the CA certificate is loaded - from the file specified by --ca regardless if the pkcs12 file - contains a CA cert or not (Mathias Sundman). -* Merged --capath patch (Thomas Noel). -* Merged --multihome patch. -* Added --bind option for TCP client connections (Ewan Bhamrah - Harley). -* Moved "plugin" directory to "plugins" to deal with strange - automake problem that ended up being also fixable with - ".PHONY: plugin" in Makefile.am. - -2005.10.13 -- Version 2.1-beta2 - -* Made --sndbuf and --rcvbuf pushable. - -2005.10.01 -- Version 2.1-beta1 - -* Made LZO setting pushable. -* Renamed sample-keys/tmp-ca.crt to ca.crt. -* Fixed bug where remove_iroutes_from_push_route_list - was missing routes if those routes had - an implied netmask (by omission) of 255.255.255.255. -* Merged with 2.0.3-rc1 -* easy-rsa/2.0 moved to easy-rsa -* old easy-rsa moved to easy-rsa/1.0 - -2005.09.23 -- Version 2.0.2-TO4 - -* Added feature to TAP-Win32 adapter to allow it to be - opened from non-administrator mode. This feature - is enabled by default, and can be enabled/disabled - in the adapter advanced properties dialog. -* Added --allow-nonadmin standalone option for Windows to - set TAP adapter to allow non-admin access. This - is a user-mode version of the code, and duplicates - the same feature as the above entry. -* Added fix that attempts to solve corner case of tunnel not - forwarding packets when system clock is reset to an earlier time. -* Added --redirect-gateway bypass-dns option. (Developers: - To add bypass-dhcp or bypass-dns support to other OSes, - add a get_bypass_addresses function to route.c for - your OS.) -* Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which - allows a client-connect plugin to return configuration text - in memory, rather than via a file. -* Fixed a bug where --mode server --proto tcp-server --cipher none - operation could cause tunnel packet truncation. -* openvpn --version will show [LZO1] or [LZO2], depending on - version that was linked. - -2005.09.07 -- Version 2.0.2-TO1 - -* Added --topology directive. See man page. -* Added --redirect-gateway bypass-dhcp option to add a route - allowing DHCP packets to bypass the tunnel, when the - DHCP server is non-local. Currently only implemented - on Windows clients. -* Modified OpenVPN Service on Windows to declare the DHCP - client service as a dependency. -* Extended the plugin interface to allow plugins to declare - per-client constructor and destructor functions, to make - it simpler for plugins to maintain per-client state. - -2005.09.25 -- Version 2.0.3-rc1 - -* openvpn_plugin_abort_v1 function wasn't being properly - registered on Windows. -* Fixed a bug where --mode server --proto tcp-server --cipher none - operation could cause tunnel packet truncation. - -2005.08.25 -- Version 2.0.2 - -* No change from 2.0.2-rc1. - -2005.08.24 -- Version 2.0.2-rc1 - -* Fixed regression bug in Win32 installer, introduced in 2.0.1, - which incorrectly set OpenVPN service to autostart. -* Don't package source code zip file in Windows installer - in order to reduce the size of the installer. The source - zip file can always be downloaded separately if needed. -* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD - version of get_default_gateway. Allocated socket for route - manipulation is never freed so number of mbufs continuously - grow and exhaust system resources after a while (Jaroslav Klaus). -* Fixed bug where "--proto tcp-server --mode p2p --management - host port" would cause the management port to not respond until - the OpenVPN peer connects. -* Modified pkitool script to be /bin/sh compatible (Johnny Lam). - -2005.08.16 -- Version 2.0.1 - -* Security Fix -- DoS attack against server when run with "verb 0" and - without "tls-auth". If a client connection to the server fails - certificate verification, the OpenSSL error queue is not properly - flushed, which can result in another unrelated client instance on the - server seeing the error and responding to it, resulting in disconnection - of the unrelated client (CAN-2005-2531). -* Security Fix -- DoS attack against server by authenticated client. - This bug presents a potential DoS attack vector against the server - which can only be initiated by a connected and authenticated client. - If the client sends a packet which fails to decrypt on the server, - the OpenSSL error queue is not properly flushed, which can result in - another unrelated client instance on the server seeing the error and - responding to it, resulting in disconnection of the unrelated client - (CAN-2005-2532). Credit: Mike Ireton. -* Security Fix -- DoS attack against server by authenticated client. - A malicious client in "dev tap" ethernet bridging mode could - theoretically flood the server with packets appearing to come from - hundreds of thousands of different MAC addresses, causing the OpenVPN - process to deplete system virtual memory as it expands its internal - routing table. A --max-routes-per-client directive has been added - (default=256) to limit the maximum number of routes in OpenVPN's - internal routing table which can be associated with a given client - (CAN-2005-2533). -* Security Fix -- DoS attack against server by authenticated client. - If two or more client machines try to connect to the server at the - same time via TCP, using the same client certificate, and when - --duplicate-cn is not enabled on the server, a race condition can - crash the server with "Assertion failed at mtcp.c:411" - (CAN-2005-2534). -* Fixed server bug where under certain circumstances, the client instance - object deletion function would try to delete iroutes which had never been - added in the first place, triggering "Assertion failed at mroute.c:349". -* Added --auth-retry option to prevent auth errors from being fatal - on the client side, and to permit username/password requeries in case - of error. Also controllable via new "auth-retry" management interface - command. See man page for more info. -* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 -* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' - would fail to build. -* Implement "make check" to perform loopback tests (Matthias Andree). - -2005.07.21 -- Version 2.0.1-rc7 - -* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree). -* Include linux/types.h before checking for linux/errqueue.h (Matthias - Andree). - -2005.07.15 -- Version 2.0.1-rc6 - -* Commented out "user nobody" and "group nobody" in sample - client/server config files. -* Allow '@' character to be used in --client-config-dir - file names. - -2005.07.04 -- Version 2.0.1-rc5 - -* Windows version will log a for-further-info URL when - initialization sequence is completed with errors. -* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile - to control whether auth-pam plugin links to PAM via - dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing - behavior should be preserved. DLOPEN_PAM=0 is the preferred - setting to link via -lpam, but DLOPEN_PAM=1 works around - a bug in SuSE 9.1 (and possibly other distros as well) - where the PAM modules are not linked with -lpam. See - thread on openvpn-devel for more discussion about this - patch (Simon Perreault). - -2005.06.15 -- Version 2.0.1-rc4 - -* Support LZO 2.00, including changes to configure script to - autodetect LZO version. - -2005.06.12 -- Version 2.0.1-rc3 - -* Fixed a bug which caused standard file handles to not be closed - after daemonization when --plugin and --daemon are used together, - and if the plugin initialization function forks (as does auth-pam - and down-root) (Simon Perreault). -* Added client-side up/down scripts in contrib/pull-resolv-conf - for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS" - on Linux/Unix systems (Jesse Adelman). -* Fixed bug where if client-connect scripts/plugins were cascaded, - and one (but not all) of them returned an error status, there might - be cases where for an individual script/plugin, client-connect was - called but not client-disconnect. The goal of this fix is to - ensure that if client-connect is called on a given client instance, - then client-disconnect will definitely be called. A potential - complication of this fix is that when client-connect functions are - cascaded, it's possible that the client-disconnect function would - be called in cases where the related client-connect function returned - an error status. This fix should not alter OpenVPN behavior when - scripts/plugins are not cascaded. -* Changed the hard-to-reproduce "Assertion failed at fragment.c:312" - fatal error to a warning: "FRAG: outgoing buffer is not empty". - Need more info on how to reproduce this one. -* When --duplicate-cn is used, the --ifconfig-pool allocation - algorithm will now allocate the first available IP address. -* When --daemon and --management-hold are used together, - OpenVPN will daemonize before it enters the management hold state. - -2005.05.16 -- Version 2.0.1-rc2 - -* Modified vendor test in openvpn.spec file to match against - "Mandrakesoft" in addition to "MandrakeSoft". -* Using --iroute in a --client-config-dir file while in --dev tap - mode is not currently supported and will produce a warning - message. Fixed bug where in certain cases, in addition to - generating a warning message, this combination of options - would also produce a fatal assertion in mroute.c. -* Pass --auth-user-pass username to server-side plugin without - performing any string remapping (plugins, unlike scripts, - don't get any security benefit from string remapping). - This is intended to fix an issue with openvpn-auth-pam/pam_winbind - where backslash characters in a username ('\') were being remapped - to underscore ('_'). -* Updated OpenSSL DLLs in Windows build to 0.9.7g. -* Documented --explicit-exit-notify in man page. -* --explicit-exit-notify seconds parameter defaults to 1 if - unspecified. - -2005.04.30 -- Version 2.0.1-rc1 - -* Fixed bug where certain kinds of fatal errors after - initialization (such as port in use) would leave plugin - processes (such as openvpn-auth-pam) still running. -* Added optional openvpn_plugin_abort_v1 plugin function for - closing initialized plugin objects in the event of a fatal - error by main OpenVPN process. -* When the --remote list is > 1, and --resolv-retry is not - specified (meaning that it defaults to "infinite"), apply the - infinite timeout to the --remote list as a whole, but try each - list item only once before moving on to the next item. -* Added new --syslog directive which redirects output - to syslog without requiring the use of the --daemon or --inetd - directives. -* Added openvpn.spec option to allow RPM to be built with support - for passwords read from a file: - rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' - -2005.04.17 -- Version 2.0 - -* Fixed minor options string typo in options.c. - -2005.04.10 -- Version 2.0-rc21 - -* Change license description from "GPL Version 2 or (at your - option) any later version" to just "GPL Version 2". - -2005.04.04 -- Version 2.0-rc20 - -* Dag Wieers has put together an OpenVPN/LZO binary RPM set with - excellent distro/version coverage for RH/EL/Fedora, though - using his own SPEC. I modified openvpn.spec to follow some of - the same conventions such as putting sample scripts and doc - files in %doc rather than /usr/share/openvpn. -* Minor change to init scripts to run the user-defined script - /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN - configs are started, and to run /etc/openvpn/openvpn-shutdown - after all OpenVPN configs have been stopped. The - openvpn-startup script can be used for stuff like - insmod tun.o, setting up firewall rules, or starting - ethernet bridges. - -2005.03.29 -- Version 2.0-rc19 - -* Omit additions of routes where the network and - gateway are equal and the netmask is 255.255.255.255. - This can come up if you are using both - server/ifconfig-pool and client-config-dir with - ifconfig-push static addresses for some subset of clients - which directly reference the server IP address as the - remote endpoint. - -2005.03.28 -- Version 2.0-rc18 - -* Packaged Windows installer with OpenSSL 0.9.7f. -* Built Windows installer with NSIS 2.06. - -2005.03.12 -- Version 2.0-rc17 - -* "MANAGEMENT: CMD" log file output will now only occur - at --verb 7 or greater. -* Added an optional name/value configuration list to - the openvpn-auth-pam plugin module argument list. See - plugin/auth-pam/README for documentation. This is necessary - in order for openvpn-auth-pam to work with queries generated - by arbitrary PAM modules. -* In both auth-pam and down-root plugins, in the forked process, - a read error on the parent process socket is no longer fatal. -* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'. - A conditional test of the vendor has been added to - Require the appropriately named 'lzo' (liblzo1 / lzo). - (Tom Walsh - http://openhardware.net) - - -2005.02.20 -- Version 2.0-rc16 - -* Fixed bug introduced in rc13 where Windows service wrapper - would be installed with a startup type of Automatic. - This fix restores the previous behavior of installing - with a startup type of Manual. - -2005.02.19 -- Version 2.0-rc15 - -* Added warning when --keepalive is not used in a server - configuration. -* Don't include OpenSSL md4.h file if we are not building - NTLM proxy support (Waldemar Brodkorb). -* Added easy-rsa/build-key-pkcs12 and - easy-rsa/Windows/build-key-pkcs12.bat scripts - (Mathias Sundman). - -2005.02.16 -- Version 2.0-rc14 - -* Fixed small memory leak that occurs when --crl-verify - is used. -* Upgraded Windows installer and .nsi script to NSIS 2.05 - (Mathias Sundman). -* Changed #include backslash usage in cryptoapi.c to use - forward slashes instead (Gisle Vanem). -* Created easy-rsa/revoke-full to handle revocations in - a single step: (a) revoke crt, (b) regenerate CRL, and - (c) verify that revocation succeeded. -* Renamed easy-rsa/Windows/revoke-key to revoke-full so - that both *nix and Windows scripts are equivalent. - -2005.02.11 -- Version 2.0-rc13 - -* Improve human-readability of local/remote options - diff, when inconsistencies are present. -* For Windows easy-rsa, distribute vars.bat.sample and - openssl.cnf.sample, then copy them to their normal - filenames (without the .sample) when init-config.bat - is run. This is to prevent OpenVPN upgrades from - wiping out vars.bat and openssl.cnf edits. -* Modified service wrapper (Windows) to use a - case-insensitive search when scanning for .ovpn files - in \Program Files\OpenVPN\config. Prior versions - required an all-lower-case .ovpn file extension. -* Miscellaneous service wrapper code cleanup. -* If --user/--group is used on Windows, treat it - as a no-op with a warning (this makes it easier to - distribute the same client config file to Windows - and *nix users). -* Warn if --ifconfig-pool-persist is used with - --duplicate-cn. - -2005.02.05 -- Version 2.0-rc12 - -* Removed some debugging code inadvertently included - in rc11 which would print the --auth-user-pass - username/password provided by clients in the server - logfile. -* Client code for cycling through --remote list will - retry the last address which successfully authenticated - before moving on through the list. -* Windows installer will now install sample configuration - files in \Program Files\OpenVPN\sample-configs as well - as generate a start menu shortcut to this directory. -* Minor type change in buffer.[ch] to work around char-type - ambiguity bug. Caused management interface lock-ups on - ARM when building with armv4b-hardhat-linux-gcc 2.95.3. - -2005.02.03 -- Version 2.0-rc11 - -* Windows installer will now install easy-rsa directory - in \Program Files\OpenVPN -* Allow syslog facility to be controlled at compile time, - e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern). -* Changed certain shell scripts in distribution to use - #!/bin/sh rather than #!/bin/bash for better portability. -* If --ifconfig-pool-persist seconds parameter is 0, treat - persist file as an allocation of fixed IP addresses - (previous versions took IP-to-common-name associations - from this list as hints, not mandatory static allocations). -* Fixed bug on *nix where if --auth-user-pass and --log - were used together, the username prompt would be sent to - the log file rather than /dev/tty. -* Spurious text in openvpn.8 detected by doclifter - (Eric S. Raymond). -* Call closelog later on daemon kill so that process - exit message is written to syslog. - -2005.01.27 -- Version 2.0-rc10 - -* When ./configure is run with plugins enabled (the default), - check whether or not dlopen exists in libc before testing - for libdl. This is to fix an issue on FreeBSD and possibly - other OSes which bundle libdl functions in libc. -* On Windows, filter initial WSAEINVAL warning which occurs - on the initial read attempt of an unbound socket. -* The easy-rsa scripts build-key, build-key-pass, and - build-key-server will now chmod the .key file - to 0600. This is in addition to the fact the generated - keys directory has always been similarly protected - (Pete Harlan). - -2005.01.23 -- Version 2.0-rc9 - -* Fixed error "ROUTE: route addition failed using - CreateIpForwardEntry ..." on Windows when --redirect-gateway - is used over a RRAS internet link. -* When using --route-method exe on Windows, include the - gateway parameter on route delete commands (Mathias Sundman). -* Try not to do a hard reset (i.e. SIGHUP) when two - SIGUSR1 signals are received in close succession. -* If the push list tries to grow beyond its buffer capacity, - the resulting error will be non-fatal. -* To increase the push list capacity (must be done on both - client and server), increase TLS_CHANNEL_BUF_SIZE in - common.h (default=1024). - -2005.01.15 -- Version 2.0-rc8 - -* Fixed bug introduced in rc7 where options error - "--auth-user-pass requires --pull" might occur even - if --pull was correctly specified. -* Changed management interface code to bind once - to TCP socket, rather than rebinding after every - client disconnect. -* Added "disable" directive for client-config-dir - files. -* Windows binary install is now distributed with - OpenSSL 0.9.7e. -* Query the management interface for --http-proxy - username/password if authfile is set to "stdin". -* Added current OpenVPN version number to "Unrecognized - option or missing parameter" error message. -* Added "-extensions server" to "openssl req" command - in easy-rsa/build-key-server (Nir Yeffet). - -2005.01.10 -- Version 2.0-rc7 - -* Fixed bug in management interface which could cause - 100% CPU utilization in --proto tcp-server mode - on all *nix OSes except for Linux 2.6. -* --ifconfig-push now accepts DNS names as well as - IP addresses. -* Added sanity check errors when --pull or - --auth-user-pass is used in an incorrect mode. -* Updated man page entries for --client-connect and - --ifconfig-push. -* Added "String Types and Remapping" section to man - page to consisely document the way which OpenVPN - may convert certain types of characters in strings - to ('_'). -* Modified bridging description in HOWTO to emphasize - the fact that bridging allows Windows file and print - sharing without a WINS server (Charles Duffy). - -2004.12.20 -- Version 2.0-rc6 - -* Improved checking for epoll support in ./configure - to fix false positive on RH9 (Jan Just Keijser). -* Made the "MULTI TCP: I/O wait required blocking in - multi_tcp_action, action=7" error nonfatal and replaced - with "MULTI: Outgoing TUN queue full, dropped packet". - So far the issue only seems to occur on Linux 2.2 - in --mode server --proto tcp mode. It occurs when - the TUN/TAP driver locks up and refuses to accept - new packet writes for a second or more. -* Fixed bug where if a --client-config-dir file tried - to include another file using "config", and if that - include failed, OpenVPN would abort with a fatal - error. Now such inclusion failures will be logged - but are no longer fatal. -* Global changes to the way that packet buffer alignment - is handled. Previously we didn't care about alignment - and took care, when handling 16 and 32 bit words - in buffers, to always use alignment-safe transfers. - This approach appears to be inadequate on some - architectures such as alpha. The new approach is - to initialize packet buffers in a way that anticipates - how component structures will be allocated within - them, to maintain correct alignment. -* Added --dhcp-option DISABLE-NBT to disable NetBIOS - over TCP (Jan Just Keijser). -* Added --http-proxy-option directive for controlling - miscellaneous HTTP proxy options. -* Management state will no longer transition to "WAIT" - during TLS renegotiations. - -2004.12.16 -- Version 2.0-rc5 - -* The --client-config-dir option will now try to open - a default file called "DEFAULT" if no file matching - the common name of the incoming client was found. -* The --client-connect script/plugin can now veto client - authentication by returning a failure code. -* The --learn-address script/plugin can now prevent a - client-instance/address association from being learned - by returning a failure code. -* Changed RPM group in .spec file to Applications/Internet. - -2004.12.14 -- Version 2.0-rc4 - -* SuSE only -- Fixed interaction between openvpn.spec and - suse/openvpn.init where the .spec file was writing the - OpenVPN binary to a different location than where the - .init script was referencing it (Stefan Engel). -* Solaris only -- Split Solaris ifconfig command into two - parts (Jan Just Keijser). -* Some cleanup in add_option(). -* Better error checking on input dotted quad IP addresses. -* Verify that --push argument is quoted, if there is - more than one. -* More miscellaneous option sanity checks. - -2004.12.13 -- Version 2.0-rc3 - -* On Windows, when --log or --log-append is used, - save the original stderr for username and password - prompts. -* Fixed a bug introduced in the late 2.0 betas where - if a "verb" parameter >= 16 was used, it would be - ignored and the actual verb level would remain at 1. -* Fixed a bug mostly seen on OS X where --management-hold - or --management-query-passwords would cause the management - interface to be unresponsive to incoming client connections. -* Trigger an options error if one of the management-modifying - options is used without "management" itself. - -2004.12.12 -- Version 2.0-rc2 - -* Amplified warnings in documentation about possible - man-in-the-middle attack when clients do not properly - verify server certificate. Changes to easy-rsa README, - FAQ, HOWTO, man page, and sample client config file. -* Added a warning message if --tls-client or --client - is used without also specifying one of either - --ns-cert-type, --tls-remote, or --tls-verify. -* status_open() fixes for MSVC builds (Blaine Fleming). -* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared" - compiler error which has been reported on some platforms. -* The openvpn.spec file for rpmbuild has several - new build-time options. See comments in the file. -* Plugins are now built and packaged in the RPM and - will be saved in /usr/share/openvpn/plugin/lib. -* Added --management-hold directive to start OpenVPN - in a hibernating state until released by the - management interface. Also added "hold" command - to the management interface. - -2004.12.07 -- Version 2.0-rc1 - -* openvpn.spec workaround for SuSE confusion regarding - /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel). - -2004.12.05 -- Version 2.0-beta20 - -* The ability to read --askpass and --auth-user-pass - passwords from a file has been disabled by default. - To re-enable, use ./configure --enable-password-save. -* Added additional pre-connected states to management - interface. See management/management-notes.txt - for more info. -* State history is now recorded by the management - interface, and the "state" command now works like - the log or echo commands. -* State history and real-time state change notifications - are now prepended with an integer unix timestamp. -* Added --http-proxy-timeout option, previously - the timeout was hardcoded to 5 seconds. - -2004.12.02 -- Version 2.0-beta19 - -* Fixed bug in management interface line termination - where output lines incorrectly contained a \00 char - after the customary \0d \0a. -* Fixed bug introduced in beta18 where Windows version - would segfault on options errors. -* Fixed bug in management interface where an empty - quoted string ("") entered as a parameter would cause - a segfault. -* Fixed bug where --resolv-retry was not working - properly with multiple --remote hosts. -* Added additional ./configure options to reduce - executable size for embedded applications. - See ./configure --help. - -2004.11.28 -- Version 2.0-beta18 - -* Added management interface. See new --management-* - options or the full management interface documentation - in management/management-notes.txt in the tarball. - Management interface inclusion can be disabled by - ./configure --disable-management. -* Added two new plugin modules: auth-pam and down-root. - Auth-pam supports pam-based authentication using a - split privilege execution model, while down-root enables - a down script to be executed with root privileges, even - when --user/--group is used to drop root privileges. - See the plugin directory in the tarball for READMEs, - source code, and Makefiles. -* Plugin developers should note that some changes were - made to the plugin interface since beta17. See - openvpn-plugin.h for details. - Plugin interface inclusion can be disabled with - ./configure --disable-plugins -* Added easy-rsa/build-key-server script which will - build a certificate with with nsCertType=server. -* Added --ns-cert-type option for verification - of nsCertType field in peer certificate. -* If --fragment n is specified and --mssfix is specified - without a parameter, default --mssfix to n. This restores - the 1.6 behavior when using --mssfix without a parameter. -* Fixed SSL context initialization bug introduced in beta14 - where this error might occur on restarts: "Cannot load - certificate chain ... PEM_read_bio:no start line". - -2004.11.11 -- Version 2.0-beta17 - -* Changed default port number to 1194 per IANA official - port number assignment. -* Added --plugin directive which allows compiled - modules to intercept script callbacks. See - plugin folder in tarball for more info. -* Fixed bug introduced in beta12 where --key-method 1 - authentications which should have succeeded would fail. -* Ignore SIGUSR1 during DNS resolution. -* Added SuSE support to openvpn.spec (Umberto Nicoletti). -* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna' - Runestig). - -2004.11.07 -- Version 2.0-beta16 - -* Modified sample-scripts/auth-pam.pl to get username - and password from OpenVPN via a file rather than - via environmental variables. -* Added bytes_sent and bytes_received environmental - variables to be set prior to client-disconnect script. -* Changed client virtual IP derivation precedence: - (1) use --ifconfig-push directive from --client-connect - script, (2) use --ifconfig-push directive from - --client-config-dir, and (3) use --ifconfig-pool - address. -* If a --client-config-dir file specifies --ifconfig-push, - it will be visible to the --client-connect-script in - the ifconfig_pool_remote_ip environmental variable. -* For tun-style tunnels, the ifconfig_pool_local_ip - environmental variable will be set, while for - tap-style tunnels, the ifconfig_pool_netmask variable - will be set. -* Added intelligence to autoconf script to test - compiler for the accepted form of zero-length arrays. -* Fixed a bug introduced in beta12 where --ip-win32 - netsh would fail if --dev-node was not explicitly - specified. -* --ip-win32 netsh will now work on hidden adapters. -* Fix attempt of "Assertion failed at crypto.c:149". - This assertion has also been reported on 1.x with a - slightly different line number. The fix is twofold: - (1) In previous releases, --mtu-test may trigger this - assertion -- this bug has been fixed. (2) If something - else causes the assertion to be thrown, don't panic, - just output a nonfatal warning to the log and drop - the packet which generated the error. -* Support TAP interfaces on Mac OS X (Waldemar Brodkorb). -* Added --echo directive. -* Added --auth-nocache directive. - -2004.10.28 -- Version 2.0-beta15 - -* Changed environmental variable character classes - so that names must consist of alphanumeric or - underbar chars and values must consist of printable - characters. Illegal chars will be deleted. - Versions prior to 2.0-beta12 were more restrictive - and would map spaces to '.'. -* On Windows, when the TAP adapter fails to - initialize with the correct IP address, output - "Initialization Sequence Completed with Errors" - to the console or log file. -* Added a warning when user/group/chroot is used - without persist-tun and persist-key. -* Added cryptoapi.[ch] to tarball and source zip. -* --tls-remote option now works with common name - prefixes as well as with the full X509 subject - string. This is a useful alternative to using - a CRL on the client. -* common names associated with a static - --ifconfig-push setting will no longer leave - any state in the --ifconfig-pool-persist file. -* Hard TLS errors (TLS handshake failed) will now - trigger either a SIGUSR1 signal by default - or SIGTERM (if --tls-exit is specified). In TCP - mode, all TLS errors are considered to be hard. - In server mode, the signal will be local to the - client instance. -* Added method parameter to --auth-user-pass-verify - directive to select whether username/password - is passed to script via environment or a temporary - file. -* Added --status-version option to control format - of --status file. The --mode server - --status-version 2 format now includes a line - type token, the virtual IP address is shown - in the client list (even in --dev tap mode), - and the integer time_t value is shown anywhere - an ascii-formatted time/date is also shown. -* Added --remap-usr1 directive which can be used - to control whether internally or externally - generated SIGUSR1 signals are remapped to - SIGHUP (restart without persisting state) or - SIGTERM (exit). -* When running as a Windows service (using - --service option), check the exit event before - and after reading one line of input from - stdin, when reading username/password info. -* For developers: Extended the --gremlin function - to better stress-test the new 2.0 features, - added Valgrind support on Linux and Dmalloc - support on Windows. - -2004.10.19 -- Version 2.0-beta14 - -* Fixed a bug introduced in Beta12 that would occur - if you use a --client-connect script without also - defining --tmp-dir. -* Fixed a bug introduced in Beta12 where a learn-address - script might segfault on the delete method. -* Added Crypto API support in Windows version via - the --cryptoapicert option (Peter 'Luna' Runestig). - -2004.10.18 -- Version 2.0-beta13 - -* Fixed an issue introduced in Beta12 where the private - key password would not be prompted for unless --askpass - was explicitly specified in the config. - -2004.10.17 -- Version 2.0-beta12 - -* Added support for username/password-based authentication. - Clients can now authentication themselves with the server - using either a certificate, a username/password, or both. - New directives: --auth-user-pass, --auth-user-pass-verify, - --client-cert-not-required, and --username-as-common-name. -* Added NTLM proxy patch (William Preston). -* Added --ifconfig-pool-linear server flag to allocate - individual tun addresses for clients rather than /30 - subnets (won't work with Windows clients). -* Modified --http-proxy code to cache username/password - across restarts. -* Modified --http-proxy code to read username/password - from the console when the auth file is given as "stdin". -* Modified --askpass to take an optional filename argument. -* --persist-tun and --persist-key now work in client mode - and can be pushed to clients as well. -* Added --ifconfig-pool-persist directive, to maintain - ifconfig-pool info in a file which is persistent across - daemon instantiations. -* --user and --group privilege downgrades as well as - --chroot now also work in client mode (the - dowgrade/chroot will be delayed until the initialization - sequence is completed). -* Added --show-engines standalone directive to show - available OpenSSL crypto accelerator engine support. -* --engine directive now accepts an optional engine-ID - parameter to control which engine is used. -* "Connection reset, restarting" log message now shows - which client is being reset. -* Added --dhcp-pre-release directive in Windows version. -* Second parm to --ip-win32 can be "default", e.g. - --ip-win32 dynamic default 60. -* Fixed documentation bug regarding environmental - variable settings for --ifconfig-pool IP addresses. - The correct environmental variable names are: - ifconfig_pool_local_ip and ifconfig_pool_remote_ip. -* ifconfig_pool_local_ip and ifconfig_pool_remote_ip - environmental variables are now passed to the - client-disconnect script. -* In server mode, environmental variables are now scoped - according to the client they are associated with, - to solve the problem of "crosstalk" between different - client's environmental variable sets. -* Added --down-pre flag to cause --down script to be - called before TUN/TAP close (rather than after). -* Added --tls-exit flag which will cause OpenVPN - to exit on any TLS errors. -* Don't push a route to a client if it exactly - matches an iroute (this lets you push routes to - all clients, and OpenVPN will automatically remove - the route from the route push list only for that client - which the route actually belongs to). -* Made '--resolv-retry infinite' the default. - --resolv-retry can be disabled by using a parameter of 0. -* For clients which plan to pull config info from server, - set an initial default ping-restart of 60 seconds. -* Optimized mute code to lessen the load on the processor - when messages are being muted at a higher frequency. -* Made route log messages non-mutable. -* Silence the Linux "No buffer space available" message. -* Added miscellaneous additional option sanity checks. -* Added Windows version of easy-rsa scripts in - easy-rsa/Windows directory (Andrew J. Richardson). -* Added NetBSD route patch (Ed Ravin). -* Added OpenBSD patch for TAP + --redirect-gateway - (Waldemar Brodkorb). -* Directives which prompt for a username and/or password - will now work with --daemon (OpenVPN will prompt - before forking). -* Warn if CRL is from a different issuer than the - issuer of the peer certificate (Bernhard Weisshuhn). -* Changed init script chkconfig parameters to start - OpenVPN daemon(s) before NFS. -* Bug fix attempt of "too many I/O wait events" which occurs - on OSes which prefer select() over poll() such as Mac OS X. -* Added --ccd-exclusive flag. This flag will require, as a - condition of authentication, that a connecting client has - a --client-config-dir file. -* TAP-Win32 open code will attempt to open a free adapter - if --dev-node is not specified (Mathias Sundman). -* Resequenced --nice and --chroot ordering so that --nice - occurs first. -* Added --suppress-timestamps flag (Charles Duffy). -* Source code changes to allow compilation by MSVC - (Peter 'Luna' Runestig). -* Added experimental --fast-io flag which optimizes - TUN/TAP/UDP writes on non-Windows systems. - -2004.08.18 -- Version 2.0-beta11 - -* Added --server, --server-bridge, --client, and - --keepalive helper directives. See client.conf - and server.conf in sample-config-files for sample - configurations which use the new directives. -* On Windows, added --route-method to control - whether IP Helper API or route.exe is used - to add/delete routes. -* On Windows, added a second parameter to - --route-delay to control the maximum time period - to wait for the TAP-Win32 adapter to come up - before adding routes. -* Fixed bug in Windows version where configurations - which omit --ifconfig might fail to recognize when - the TAP adapter is up. -* Proxy connection failures will now retry according - to the --connect-retry parameter. -* Fixed --dev null handling on Windows so that TLS - loopback test described in INSTALL file works - correctly on Windows. -* Added "Initialization Sequence Completed" message - after all initialization steps have been completed - and the VPN can be considered "up". -* Better sanity-checking on --ifconfig-pool parameters. -* Added --tcp-queue-limit option to control - TUN/TAP -> TCP socket overflow. -* --ifconfig-nowarn flag will now silence general - warnings about possible --ifconfig address - conflicts, including the warning about --ifconfig - and --remote addresses being in same /24 subnet. -* Fixed case where server mode did not correctly - identify certain types of ethernet multicast packets - (Marcel de Kogel). -* Added --explicit-exit-notify option (experimental). - -2004.08.02 -- Version 2.0-beta10 - -* Fixed possible reference after free of option strings - after a restart, bug was introduced in beta8. -* Fixed segfault at route.c:919 in the beta9 - Windows version that was being caused by indirection - through a NULL pointer. -* Mistakenly built debug version of TAP-Win32 driver - for beta9. Beta10 has correct release build. - -2004.07.30 -- Version 2.0-beta9 - -* Fixed --route issue on Windows that was introduced with - the new beta8 route implementation based on the - IP Helper API. - -2004.07.27 -- Version 2.0-beta8 - -* Added TCP support in server mode. -* Added PKCS #12 support (Mathias Sundman). -* Added patch to make revoke-crt and make-crl work - seamlessly within the easy-rsa environment (Jan Kiszka). -* Modified --mode server ethernet bridge code to forward - special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX. -* Added --dhcp-renew and --dhcp-release flags to Windows - version. Normally DHCP renewal and release on the TAP - adapter occurs automatically under Windows, however - if you set the TAP-Win32 adapter Media Status property - to "Always Connected", you may need these flags. -* Added --show-net standalone flag to Windows version to - show OpenVPN's view of the system adapter and routing - tables. -* Added --show-net-up flag to Windows version to output - the system routing table and network adapter list to - the log file after the TAP-Win32 adapter has been brought - up and any routes have been added. -* Modified Windows version to add routes using the IP Helper - API rather than by calling route.exe. -* Fixed bug where --route-up script was not being called - if no --route options were specified. -* Added --mute-replay-warnings to suppress packet replay - warnings. This is a common false alarm on WiFi nets. -* Added "def1" flag to --redirect-gateway option to override - the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 - rather than 0.0.0.0/0. This has the benefit of overriding - but not wiping out the original default gateway. - (Thanks to Jim Carter for pointing out this idea). -* You can now run OpenVPN with a single config file argument. - For example, you can now say "openvpn config.conf" - rather than "openvpn --config config.conf". -* On Windows, made --route and --route-delay more adaptive - with respect to waiting for interfaces referenced by the - route destination to come up. Routes added by --route - should now be added as soon as the interface comes up, - rather than after an obligatory 10 second delay. The - way this works internally is that --route-delay now - defaults to 0 on Windows. Previous versions would - wait for --route-delay seconds then add the routes. - This version will wait --route-delay seconds and then - test the routing table at one second intervals for the - next 30 seconds and will not add the routes until they - can be added without errors. -* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by - default on TCP/UDP socket in light of reports that this - action can have undesirable global side effects on the - MTU settings of other adapters. These parameters can - still be set, but you need to explicitly specify - --sndbuf and/or --rcvbuf. -* Added --max-clients option to limit the maximum number - of simultaneously connected clients in server mode. -* Added error message to illuminate shell escape gotcha when - single backslashes are used in Windows path names. -* Added optional netmask parm to --ifconfig-pool. -* Fixed bug where http-proxy connect retry attempts were - incorrectly going to the remote OpenVPN server, - not to the HTTP proxy server. - -2004.06.29 -- Version 2.0-beta7 - -* Fixed bug in link_socket_verify_incoming_addr() which - under certain circumstances could have caused --float - behavior even if --float was not specified. -* --tls-auth option now works with --mode server. - All clients and the server should use the same - --tls-auth key when operating in client/server mode. -* Added --engine option to make use of OpenSSL-supported - crypto acceleration hardware. -* Fixed some high verbosity print format size issues - in event.c for 64 bit platforms (Janne Johansson). -* Made failure to open --log or --log-append file - a non-fatal error. - -2004.06.23 -- Version 2.0-beta6 - -* Fixed Windows installer to intelligently put - up a reboot dialog only if tapinstall tells - us that it's really necessary. -* Fixed "Assertion failed at fragment.c:309" - bug when --mode server and --fragment are used - together. -* Ignore HUP, USR1, and USR2 signals during - initialization. Prior versions would abort. -* Fixed bug on OS X: "Assertion failed at event.c:406". -* Added --service option to Windows version, for use - when OpenVPN is being programmatically instantiated - by another process (see man page for info). -* --log and --log-append options now work on Windows. -* Update OpenBSD INSTALL notes (Janne Johansson). -* Enable multicast on tun interface when running on - OpenBSD (Pavlin Radoslavov). -* Fixed recent --test-crypto breakage, where options - such as --cipher were not being parsed correctly. -* Modified options compatibility string by removing - ifconfig substring if it is empty. Incremented - options compatibility string version number to 4. -* Fixed typo in --tls-timeout option parsing - (Mikael Lonnroth). - -2004.06.13 -- Version 2.0-beta5 - -* Fixed rare --mode server crash that could occur - if data was being routed to a client at - high bandwidth at the precise moment that the - client instance object on the server was being - deleted. -* Fixed issue on machines which have epoll.h and - the epoll_create glibc call defined, but which - don't actually implement epoll in the kernel. - OpenVPN will now gracefully fall back to the - poll API in this case. -* Fixed Windows bug which would cause the following - error in a --mode server --dev tap configuration: - "resource limit WSA_MAXIMUM_WAIT_EVENTS has been - exceeded". -* Added CRL (certificate revocation list) management - scripts to easy-rsa directory (Jon Bendtsen). -* Do a better job of getting the ifconfig component - of the options consistency check to work correctly - when --up-delay is used. -* De-inlined some functions which were too complex - to be inlined anyway with gcc. -* If a --dhcp-option option is pushed to a non-windows - client, the option will be saved in the client's - environment before the --up script is called, under - the name "foreign_option_{n}". -* Added --learn-address script (see man page) which - allows for firewall access through the VPN to be - controlled based on the client common name. -* In mode --server mode, when a client connects to - the server, the server will disconnect any - still-active clients which use the same common - name. Use --duplicate-cn flag to revert to - previous behavior of allowing multiple clients - to concurrently connect with the same common name. - -2004.06.08 -- Version 2.0-beta4 - -* Fixed issue with beta3 where Win32 service wrapper - was keying off of old TAP HWID as a dependency. To - ensure that the new service wrapper is correctly - installed, the Windows install script will uninstall - the old wrapper before installing the new one, - causing a reset of service properties. -* Fixed permissions issue on --status output file, - with default access permissions of owner read/write - only (default permissions can be changed of course with - chmod). - -2004.06.05 -- Version 2.0-beta3 - -* More changes to TAP-Win32 driver's INF file which - affects the placement of the driver in the Windows - device namespace. This is done to work around an - apparent bug in Windows when short HWIDs are used, - and will also ease the upgrade from 1.x to 2.0 by - reducing the chances that a reboot will be needed - on upgrade. Like beta2, this upgrade will - delete existing TAP-Win32 interfaces, and reinstall - a single new interface with default properties. -* Major rewrite of I/O event wait layer in the style - of libevent. This is a precursor to TCP support - in --mode server. -* New feature: --status. Outputs a SIGUSR2-like - status summary to a given file, updated once - per n seconds. The status file is comma delimited - for easy machine parsing. -* --ifconfig-pool now remembers common names and - will try to assign a consistent IP to a given - common name. Still to do: persist --ifconfig-pool - memory across restarts by saving state in file. -* Fixed bug in event timer queue which could cause - recurring timer events such as --ping to not - correctly schedule again after firing. This in - turn would cause spurrious ping restarts and possible - connection outages. Thanks to Denis Vlasenko for - tracking this down. -* Possible fix to reported bug where --daemon argument - was not printing to syslog correctly after restart. -* Fixed bug where pulling --route or --dhcp-option - directives from a server would problematically - interact with --persist-tun on the client. -* Updated contrib/multilevel-init.patch (Farkas Levente). -* Added RPM build option to .spec and .spec.in files - to optionally disable LZO inclusion (Ian Pilcher). -* The latest MingW runtime and headers define - 'ssize_t', so a patch is needed (Gisle Vanem). - -2004.05.14 -- Version 2.0-beta2 - -* Fixed signal handling bug in --mode server, where - SIGHUP and SIGUSR1 were treated as SIGTERM. -* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV". - Apparently the larger string may work around - a problem where the TAP adapter is sometimes missing - from the network connections panel, especially under - XP SP2. Also note that installing this upgrade will - uninstall any pre-existing TAP-Win32 adapters, and then - install a single new adapter, meaning that old adapter - properties will be lost. Thanks to Md5Chap for solving - this one. -* For --mode server --dev tap, the options --ifconfig and - --ifconfig-pool are now optional. This allows address - assignment via DHCP or use of a TAP VPN without - IP support, as has always been possible with 1.x. -* Fixed bug where --ifconfig may not work correctly on - Linux 2.2. -* Added 'local' flag to --redirect-gateway for use on - networks where both OpenVPN daemons are connected - to a shared subnet, such as wireless. - -2004.05.09 -- Version 2.0-beta1 - -* Unchanged from test29 except for version number - upgrade. - -2004.05.08 -- Version 2.0-test29 - -* Modified --dev-node on Windows to accept a TAP-Win32 - GUID name. In addition, --show-adapters will now - display the high-level name and GUID of each adapter. - This is an attempt to work around an issue in Windows - where sometimes the TAP-Win32 adapter installs correctly - but has no icon in the network connections control - panel. In such cases, being able to specify - --dev-node {TAP-GUID} can work around the missing icon. - -2004.05.07 -- Version 2.0-test28 - -* Fixed bug which could cause segfault on program - shutdown if --route and --persist-tun are used - together. - -2004.05.06 -- Version 2.0-test27 - -* Fixed bug in close_instance() which might cause - memory to be accessed after it had already been freed. -* Fixed bug in verify_callback() that might have - caused uninitialized data to be referenced. -* --iroute now allows full CIDR subnet routing. -* In "--mode server --dev tun" usage, source addresses - on VPN packets coming from a particular client must - be associated with that client in the OpenVPN internal - routing table. - -2004.04.28 -- Version 2.0-test26 - -* Optimized broadcast path in multi-client mode. -* Added socket buffer size options --rcvbuf & --sndbuf. -* Configure Linux tun/tap driver to use a more sensible - txqueuelen default. Also allow explicit setting - via --txqueuelen option (Harald Roelle). -* The --remote option now allows the port number - to be specified as the second parameter. If - unspecified, the port number defaults to the - --rport value. -* Multiple --remote options on the client can now be - specified for load balancing and failover. The - --remote-random flag can be used to initially randomize - the --remote list for basic load balancing. -* If a remote DNS name resolves to multiple DNS addresses, - one will be chosen by random as a kind of basic - load-balancing feature if --remote-random is used. -* Added --connect-freq option to control maximum - new connection frequency in multi-client mode. -* In multi-client mode, all syslog messages associated - with a specific client now include a client-ID prefix. -* For Windows, use a gettimeofday() function based - on QueryPerformanceCounter (Derek Burdick). -* Fixed bug in interaction between --key-method 2 - and DES ciphers, where dynamic keys would be generated - with bad parity and then be rejected. - -2004.04.17 -- Version 2.0-test24 - -* Reworked multi-client broadcast handling. - -2004.04.13 -- Version 2.0-test23 - -* Fixed bug in --dev tun --client-to-client routing. -* Fixed a potential deadlock in --pull. -* Fixed a problem with select() usage which could - cause a repeating sequence of "select : Invalid - argument (code=22)" - -2004.04.11 -- Version 2.0-test22 - -* Fixed bug where --mode server + --daemon was - prematurely closing syslog connection. -* Added support for --redirect-gateway on Mac OS X - (Jeremy Apple). -* Minor changes to TAP-Win32 driver based on feedback - from the NDISTest tool. - -2004.04.11 -- Version 2.0-test21 - -* Optimizations in multi-client server event loop. - -2004.04.10 -- Version 2.0-test20 - -* --mode server capability now works with either tun - or tap interfaces. When used with tap interfaces, - OpenVPN will internally bridge all client tap - interfaces with the server tap interface. -* Connecting clients can now have a client-specific - configuration on the server, based on the client - common name embedded in the client certificate. - See --client-config-dir and --client-connect. - These options can be used to configure client-specific - routes. -* Added an option --client-to-client that enables - internal client-to-client routing or bridging. - Otherwise, clients will only "see" the server, - not other connected clients. -* Fixed bug in route scheduling which would have caused - --mode server to not work on Windows in test18 - and test19 with the sample config file. -* Man page is up to date with all new options. -* OpenVPN 2.0 release notes on web site updated - with tap-style tunnel examples. - -2004.04.02 -- Version 2.0-test19 - -* Fixed bug where routes pushed from server were - not working correctly on Windows clients. -* Added Mac OS X route patch (Jeremy Apple). - -2004.03.30 -- Version 2.0-test18 - -* Minor fixes + Windows self-install modified - to use OpenSSL 0.9.7d. - -2004.03.29 -- Version 2.0-test17 - -* Fixed some bugs related to instance timeout and deletion. -* Extended --push/--pull option to support additional - option classes. - -2004.03.28 -- Version 2.0-test16 - -* Successful test of --mode udp-server, --push, - --pull, and --ifconfig-pool with server on - Linux 2.4 and clients on Linux and Windows. - -2004.03.25 -- Version 2.0-test15 - -* Implemented hash-table lookup of client instances - based either on remote UDP address/port or remote - ifconfig endpoint. -* Implemented a randomized binary tree based - scheduler for scalably scheduling a large number - of client instance events. Uses the treap - data structure and node rotation algorithm - to keep the tree balanced. -* Initial implementation of ifconfig-pool. -* Made --key-method 2 the default. - -2004.03.20 -- Version 2.0-test14 - -* Implemented --push and --pull. - -2004.03.20 -- Version 2.0-test13 - -* Reduced struct tls_multi and --single-session - memory footprint. -* Modified --single-session flag to be used - in multi-client UDP server client instances. - -2004.03.19 -- Version 2.0-test12 - -* Added the key multi-client UDP server options, - --mode, --push, --pull, and --ifconfig-pool. -* Revamped GC (garbage collection) code to not rely - on any global data. -* Modifications to thread.[ch] to allow a more - flexible thread model. - -2004.03.16 -- Version 2.0-test11 - -* Moved all timer code to interval.h, added new file - interval.c. -* Fixed missing include. - -2004.03.16 -- Version 2.0-test10 - -* More TAP-Win32 fixes. -* Initial debugging and testing of multi.[ch]. - -2004.03.14 -- Version 2.0-test9 - -* Branch merge with 1.6-rc3 -* More point-to-multipoint work in multi.[ch]. -* Major TAP-Win32 driver restructuring to use - NdisMRegisterDevice instead of - IoCreateDevice/IoCreateSymbolicLink. -* Changed TAP-Win32 symbolic links to use \DosDevices\Global\ - pathname prefix. -* In the majority of cases, TAP-Win32 should now be - able to install and uninstall on Win2K without requiring - a reboot. -* TAP-Win32 MAC address can now be explicitly set in the - adapter advanced properties page. - -2004.03.04 -- Version 2.0-test8 - -* Branch merge with 1.6-rc2. - -2004.03.03 -- Version 2.0-test7 - -* Branch merge with 1.6-rc1.2. - -2004.03.02 -- Version 2.0-test6 - -* Branch merge with 1.6-rc1. - -2004.03.02 -- Version 2.0-test5 - -* Move Socks5 UDP header append/remove to socks.c, and is - called from forward.c. -* Moved verify statics from ssl.c into struct tls_session. -* Wrote multi.[ch] to handle top level of point-to-multipoint - mode. -* Wrote some code to allow a struct link_socket in a child context - to be slaved to the parent context. -* Broke up packet read and process functions in forward.c - (from socket or tuntap) into separate functions for read - and process, so that point-to-point and point-to-multipoint can - share the same code. -* Expand TLS control channel to allow the passing of configuration - commands. -* Wrote mroute.[ch] to handle internal packet routing for - point-to-multipoint mode. - -2004.02.22 -- Version 2.0-test3 - -* Initial work on UDP multi-client server. -* Branch merge of 1.6-beta7 - -2004.02.14 -- Version 2.0-test2 - -* Refactorization of openvpn.c into openvpn.[ch] - init.[ch] forward.[ch] forward-inline.h - occ.[ch] occ-inline.h ping.[ch] ping-inline.h - sig.[ch]. Created a master per-tunnel - struct context in openvpn.h. -* Branch merge of 1.6-beta6.2 - -2003.11.06 -- Version 2.0-test1 - -* Initial testbed for 2.0. - -2004.05.09 -- Version 1.6.0 - -* Unchanged from 1.6-rc4 except for version number - upgrade. - -2004.04.01 -- Version 1.6-rc4 - -* Made minor customizations to devcon and - renamed as tapinstall.exe for Windows version. -* Fixed "storage size of `iv' isn't known" build - problem on FreeBSD. -* OpenSSL 0.9.7d bundled with Windows self-install. - -2004.03.13 -- Version 1.6-rc3 - -* Minor Windows fixes for --ip-win32 dynamic, relating to - the way the TAP-Win32 driver responds to a DHCP request - from the Windows DHCP client. -* The net_gateway environmental variable wasn't being - set correctly for called scripts (Paul Zuber). -* Added code to determine the default gateway on FreeBSD, - allowing the --redirect-gateway option to work - (Juan Rodriguez Hervella). - -2004.03.04 -- Version 1.6-rc2 - -* Fixed bug in Windows version where the NetBIOS node-type - DHCP option might have been passed even if it was not - specified. -* Fixed bug in Windows version introduced in 1.6-rc1, where - DHCP timeout would be set to 0 seconds if --ifconfig option - was used and --ip-win32 option was not explicitly specified. -* Added some new --dhcp-option types for Windows version. - -2004.03.02 -- Version 1.6-rc1 - -* For Windows, make "--ip-win32 dynamic" the default. -* For Windows, make "--route-delay 10" the default - unless --ip-win32 dynamic is not used or --route-delay - is explicitly specified. -* L_TLS mutex could have been left in a locked state - for certain kinds of TLS errors. - -2004.02.22 -- Version 1.6-beta7 - -* Allow scheduling priority increase (--nice) together - with UID/GID downgrade (--user/--group). -* Code that causes SIGUSR1 restart on TLS errors in TCP - mode was not activated in pthread builds. -* Save the certificate serial number in an environmental - variable called tls_serial_{n} prior to calling the - --tls-verify script. n is the current cert chain level. -* Added NetBSD IPv6 tunnel capability (also requires - a kernel patch) (Horst Laschinsky). -* Fixed bug in checking the return value of the nice() - function (Ian Pilcher). -* Bug fix in new FreeBSD IPv6 over TUN code which was - originally added in 1.6-beta5 (Nathanael Rensen). -* More Socks5 fixes -- extended the struct frame - infrastructure to accomodate proxy-based encapsulation - overhead. -* Added --dhcp-option to Windows version for setting - adapter properties such as WINS & DNS servers. -* Use a default route-delay of 5 seconds when - --ip-win32 dynamic is specified (only applicable when - --route-delay is not explicitly specified). -* Added "log_append" registry variable to control - whether the OpenVPN service wrapper on Windows - opens log files in append (log_append="1") or - truncate (log_append="0") mode. The default - is truncate. - -2004.02.05 -- Version 1.6-beta6 - -* UDP over Socks5 fix to accomodate Socks5 encapsulation - overhead (Christof Meerwald). -* Minor --ip-win32 dynamic tweaks (use long lease time, - invalidate existing lease with DHCPNAK). - -2004.02.01 -- Version 1.6-beta5 - -* Added Socks5 proxy support (Christof Meerwald). -* IPv6 tun support for FreeBSD (Thomas Glanzmann). -* Special TAP-Win32 debug mode for Windows self-install that was - enabled in beta4 is now turned off. -* Added some new Solaris notes to INSTALL (Koen Maris). -* More work on --ip-win32 dynamic. - -2004.01.27 -- Version 1.6-beta4 - -* For this beta, the Windows self-install is a debug version - and will run slower -- use only for testing. -* Reverted the --ip-win32 default back to 'ipapi' - from 'dynamic'. -* Added the offset parameter to '--ip-win32 dynamic' which - can be used to control the address of the masqueraded - DHCP server which replies to Windows DHCP requests. -* Added a wait/nowait option to --inetd (nowait can only - be used with TCP sockets, TLS authentication, and over - a bridged configuration -- see FAQ for more info) - (Stefan `Sec` Zehl). -* Added a build-time capability where TAP-Win32 driver - debug messages can be output by OpenVPN at --verb 6 - or higher. - -2004.01.20 -- Version 1.6-beta2 - -* Added ./configure --enable-iproute2 flag which - uses iproute2 instead of route + ifconfig -- - this is necessary for the LEAF Linux distro - (Martin Hejl). -* Added renewal-time and rebind-time to set of - DHCP options returned by the TAP-Win32 driver when - "--ip-win32 dynamic" is used. - -2004.01.14 -- Version 1.6-beta1 - -* Fixed --proxy bug that sometimes caused plaintext - control info generated by the proxy prior to http - CONNECT method establishment to be incorrectly - parsed as OpenVPN data. -* For Windows version, implemented the - "--ip-win32 dynamic" method and made it the default. - This method sets the TAP-Win32 adapter IP address - and netmask by replying to the kernel's DHCP queries. - See the man page for more detailed info. -* Added --connect-retry parameter which controls - the time interval (in seconds) between connect() - retries when --proto tcp-client is used. Previously, - this value was hardcoded to 5 seconds, and still - defaults as such. -* --resolv-retry can now be used with a parameter - of "infinite" to retry indefinitely. -* Added SSL_CTX_use_certificate_chain_file() to ssl.c - for support of multi-level certificate chains - (Sten Kalenda). -* Fixed --tls-auth incompatibility with 1.4.x and earlier - versions of OpenVPN when the passphrase file is an - OpenVPN static key file (as generated by --genkey). -* Added shell-escape support in config files using - the backslash character ("\") so that (for example) - double quotes can be passed to the shell. -* Added "contrib" subdirectory on tarball, source zip, - and CVS containing user-submitted contributions. -* Added an optional patch to the Redhat init script to - allow the configuration file directory to be a - multi-level directory hierarchy (Farkas Levente). - See contrib/multilevel-init.patch -* Added some scripts and documentation on using - Linux "fwmark" iptables rules to enable - fine-grained routing control over the VPN - (Sean Reifschneider, ). - See contrib/openvpn-fwmarkroute-1.00 - -2003.11.20 -- Version 1.5.0 - -* Minor documentation changes. - -2003.11.04 -- Version 1.5-beta14 - -* Fixed build problem with ./configure --disable-ssl - that was reported on Debian woody. -* Fixed bug where --redirect-gateway could not be used - together with --resolv-retry. - -2003.11.03 -- Version 1.5-beta13 - -* Added CRL (certificate revocation list) capability using - --crl-verify option (Stefano Bracalenti). -* Added --replay-window option for variable replay-protection - window sizes. -* Fixed --fragment bug which might have caused certain large - packets to be sent unfragmented. -* Modified --secret and --tls-auth to permit different cipher and - HMAC keys to be used for each data flow direction. Also - increased static key file size generated by --genkey from - 1024 to 2048 bits, where 512 bits each are reserved for - send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward - and backward compatibility is maintained. See --secret option - documentation on the man page for more info. -* Added --tls-remote option (Teemu Kiviniemi). -* Fixed --tls-cipher documention regarding correct delimiter - usage (Teemu Kiviniemi). -* Added --key-method option for selecting alternative data - channel key negotiation methods. Method 1 is the default. - Method 2 has been added (see man page for more info). -* Added French translation of HOWTO to web site - (Guillaume Lehmann). -* Fixed problem caused by late resolver library load on - certain platforms when --resolv-retry and --chroot are - used together (Teemu Kiviniemi). -* In TCP mode, all decryption or TLS errors will abort the current - connection (this is not done in UDP mode because UDP is - "connectionless"). -* Fixed a TCP client reconnect bug that only occurs on the - BSDs, where connect() fails with an invalid argument. This - bug was partially (but not completely) fixed in beta7. -* Added "route_net_gateway" environmental variable which contains - the pre-existing default gateway address from the routing table - (there's no standard API for getting the default gateway, so - right now this feature only works on Windows or Linux). -* Renamed the "route_default_gateway" enviromental variable to - "route_vpn_gateway" -- this is the remote VPN endpoint. -* The special keywords vpn_gateway, net_gateway, and remote_host - can now be used for the network or gateway components of the - --route option. See the man page for more info. -* Added the --redirect-gateway option to configure the VPN - as the default gateway (implemented on Linux and Windows only). -* Added the --http-proxy option with basic authentication - support for use in TCP client mode. Successfully tested - using Squid as the HTTP proxy, with and without authentication. - -2003.10.12 -- Version 1.5-beta12 - -* Fixed Linux-only bug in --mktun and --rmtun which was - introduced around beta8 or so, which would cause - an error such as "I don't recognize device tun0 as a - tun or tap device1". -* Added --ifconfig-nowarn option to disable options - consistency warnings about --ifconfig parameters. -* Don't allow any kind of sequence number backtracking or - message reordering when in TCP mode. -* Changed beta naming convention to use '_' (underscore) - rather than '-' (dash) to pacify rpmbuild. - -2003.10.08 -- Version 1.5-beta11 - -* Modified code in the Windows version which sets the IP address - and netmask of the TAP-Win32 adapter using the IP Helper API. - Most of the changes involve better error recovery when - the IP Helper API returns an error status. See the - manual page entry on --ip-win32 for more info. - -2003.10.08 -- Version 1.5-beta10 - -* Added getpass() function for Windows version so that --askpass - option works correctly (Stefano Bracalenti). -* Added reboot advisory to end of Win32 install script. -* Changed crypto code to use pseudo-random IVs rather than - carrying forward the IV state from the previous packet. - This is in response to item 2 in the following document: - http://www.openssl.org/~bodo/tls-cbc.txt which points - out weaknesses in TLS's use of the same IV carryforward - approach. This change does not break protocol compatibility - with previous versions of OpenVPN. -* Made a change to the crypto replay protection code to also - protect against certain kinds of packet reordering attacks. - This change does not break protocol compatibility with - previous versions of OpenVPN. -* Added --ip-win32 option to provide several choices for - setting the IP address on the TAP-Win32 adapter. -* #ifdefed out non-CBC crypto modes by default. -* Added --up-delay option to delay TUN/TAP open and --up script - execution until after connection establishment. This option - replaces the earlier windows-only option --tap-delay. - -2003.10.01 -- Version 1.5-beta9 - -* Fixed --route-noexec bug where option was not parsed correctly. -* Complain if --dev tun is specified without --ifconfig on Windows. -* Fixed bug where TCP connections on windows would sometimes cause - an assertion failure. -* Added a new flag to TAP-Win32 advanced properties that allows one - to set the adapter to be always "connected" even when an OpenVPN - process doesn't have it open. The default behavior is to report - a media status of connected only when an OpenVPN process has the - adapter open. -* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c - DLLs in response to an OpenSSL security advisory. - -2003.09.30 -- Version 1.5-beta8 - -* Extended the --ifconfig option to work on tap devices as well - as tun devices. -* Implemented the --ifconfig option for Windows, by calling the - netsh tool. -* By default, do an "arp -d *" on Windows after TAP-Win32 open to - refresh the MAC cache. This behaviour can be disabled with - --no-arp-del. -* On Windows, allow the --dev-node parameter (which specifies - the name of the TAP-Win32 adapter) to be omitted in cases where - there is a single TAP-Win32 adapter on the system which can be - assumed to be the default. -* Modified the diagnostic --verb 5 debugging level to print 'R' - for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, - and 'w' for TUN/TAP write. -* Conditionalize OpenBSD read_tun and write_tun based on tun or tap - mode. -* Added IPv6 tun support to OpenBSD (Thomas Glanzmann). -* Make the --enable-mtu-dynamic ./configure option enabled by - default. -* Deprecated the --mtu-dynamic run-time option, in favor of - --fragment. -* DNS names can now be used as --ifconfig parameters. -* Significant work on TAP-Win32 driver to bring up to SMP standards. -* On Windows, fixed dangling IRP problem if TAP-Win32 driver is - unloaded or disabled, while a user-space process has it open. -* On Windows, if --tun-mtu is not specified, it will be read from - the TAP-Win32 driver via ioctl. -* On Windows, added TAP-Win32 driver status info to "F2" keyboard - signal (only when run from a console window). -* Added --mssfix option to control TCP MSS size (YANO Hirokuni). -* Renamed --mtu-dynamic option to --fragment to more accurately - reflect its function. Fragment accepts a single parameter which - is the upper limit on acceptable UDP packet size. -* Changed default --tun-mtu-extra parameter to 32 from 64. -* Eliminated reference to malloc.o in configure.ac. -* Added tun device emulation to the TAP-Win32 driver. -* Added --route and related options. -* Added init script for SuSE Linux (Frank Plohmann). -* Extended option consistency check between peers to function - in all crypto modes, including static-key and cleartext modes. - Previously only TLS mode was supported. Disable with - --disable-occ. -* Overall, increased the amount of configuration option sanity - checking, especially of networking parameters. -* Added --mtu-test option for empirical MTU measurement. -* Added Windows-only option --tap-delay to not set the TAP-Win32 - adapter media state to 'connected' until TCP/UDP connection - establishment with peer. -* Slightly modified --route/--route-delay semantics so that when - --route is given without --route-delay, routes are added - immediately after tun/tap device open. When --route-delay is - specified, routes will be added n seconds after connection - initiation, where n is the --route-delay parameter (which - can be set to 0). -* Made TCP framing error into a non-fatal error that triggers a - connection reset. - -2003.08.28 -- Version 1.5-beta7 - -* Fixed bug that caused OpenVPN not to respond to exit/restart - signals when --resolv-retry is used and a local or remote DNS - name cannot be resolved. -* Exported a series of environmental variables with useful - info for scripts. See man page for more info. Based - on a suggestion by Anthony Ciaravalo. -* Moved TCP/UDP socket bind to a point in the initialization - before the --up script gets called. This is desirable - because (a) a socket bind failure will happen before - daemonization, allowing an error status code to be returned - to the shell and (b) the possibility is eliminated of a - socket bind failure causing the --up script to be run - but not the --down script. This change has a side effect - that --resolv-retry will no longer work with --local. -* Fixed bug where if an OpenVPN TCP server went down and back - up again, Solaris or FreeBSD clients would fail to reconnect - to it. -* Fixed bug that prevented OpenVPN from being run by - inetd/xinetd in TCP mode. -* Added --log and --log-append options for logging messages to - a file. -* On Windows, check that the current user is a member of the - Administrator group before attempting install or uninstall. - -2003.08.16 -- Version 1.5-beta6 - -* Fixed TAP-Win32 driver to properly increment the Rx/Tx count. - -2003.08.14 -- Version 1.5-beta5 - -* Added user-configurability of the TAP-Win32 adapter MTU - through the adapter advanced properties page. -* Added Windows Service support. -* On Windows, added file association and right-clickability - for .ovpn files (OpenVPN config files). - -2003.08.05 -- Version 1.5-beta4 - -* Extra refinements and error checking added to Windows - NSIS install script. - -2003.08.05 -- Version 1.5-beta3 - -* Added md5.h include to crypto.c to fix build problem on - OpenBSD. -* Created a Win32 installer using NSIS. -* Removed DelService command from TAP-Win32 INF file. It appears - to be not necessary and it interfered with the ability to - uninstall and reinstall the driver without needing to reboot. -* On Windows version, added "addtap" and "deltapall" batch - files to add and delete TAP-Win32 adapter instances. - -2003.07.31 -- Version 1.5-beta2 - -* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted - in Windows ASCII so it's easier to click and view. -* Added postscript and PDF versions of the HOWTO to the web - site (C R Zamana). -* Merged Michael Clarke's stability patch into TAP-Win32 - driver which appears to fix the suspend/resume driver bug - and significantly improve driver stability. -* Added Christof Meerwald's Media Status patch to the - TAP-Win32 driver which shows the TAP adapter to be - disconnected when OpenVPN is not running. -* Moved socket connect and TCP server listen code to a later - point in openvpn() function so that the TCP server listen - state is entered after daemonization. -* Added keyboard shortcuts to simulate signals in the Windows - version, see the window title bar for descriptions. - -2003.07.24 -- Version 1.5-beta1 - -* Added TCP support via the new --proto option. -* Renamed udp-centric options such as --udp-mtu to - --link-mtu (old option names preserved for compatibility). -* Ported to Windows 2000 + XP using mingw and a TAP driver - derived from the Cipe-Win32 project by Damion K. Wilson. -* Added --show-adapters flag for windows version. -* Reworked the SSL/TLS packet acknowledge code to better - handle certain corner cases. -* Turned off the default enabling of IP forwarding in the - sample-scripts/openvpn.init script for Redhat. - Forwarding can be enabled by users in their --up scripts - or firewall config. -* Added --up-restart option based on suggestion from Sean - Reifschneider. -* If --dev tap or --dev-type tap is specified, --tun-mtu - defaults to 1500 and --tun-mtu-extra defaults to 64. -* Enabled --verb 5 debugging mode that prints 'R' and 'W' - for each packet read or write on the TCP/UDP socket. - -2003.08.04 -- Version 1.4.3 - -* Added md5.h include to crypto.c - to fix build problem on OpenBSD. - -2003.07.15 -- Version 1.4.2 - -* Removed adaptive bandwidth from - --mtu-dynamic -- its absence appears - to work better than its existence (1.4.1.2). -* Minor changes to --shaper to fix long - retransmit timeouts at low bandwidth - (1.4.1.2). -* Added LOG_RW flag to openvpn.h for - debugging (1.4.1.2). -* Silenced spurious configure warnings (1.4.1.2). -* Backed out --dev-name patch, modified --dev - to offer equivalent functionality (1.4.1.4). -* Added an optional parameter to --daemon and - --inetd to support the passing of a custom - program name to the system logger (1.4.1.5). -* Add compiled-in options to the program title - (1.4.1.5). -* Coded the beginnings of a WIN32 port (1.4.1.5). -* Succeeded in porting to Win32 Mingw environment - and running loopback tests (1.4.1.6). Still - need a kernel driver for full Win32 - functionality. -* Fixed a bug in error.h where - HAVE_CPP_VARARG_MACRO_GCC was misspelled. - This would have caused a significant slowdown - of OpenVPN when built by compilers that - lack ISO C99 vararg macros (1.4.1.6). -* Created an init script for Gentoo Linux - in ./gentoo directory (1.4.1.6). - -2003.05.15 -- Version 1.4.1 - -* Modified the Linux 2.4 TUN/TAP open code to - fall back to the 2.2 TUN/TAP interface if the - open or ioctl fails. -* Fixed bug when --verb is set to 0 and non-fatal - socket errors occur, causing 100% CPU utilization. - Occurs on platorms where - EXTENDED_SOCKET_ERROR_CAPABILITY is defined, - such as Linux 2.4. -* Fixed typo in tun.c that was preventing - OpenBSD build. -* Added --enable-mtu-dynamic configure option - to enable --mtu-dynamic experimental option. - -2003.05.07 -- Version 1.4.0 - -* Added --replay-persist feature to allow replay - protection across sessions. -* Fixed bug where --ifconfig could not be used - with --tun-mtu. -* Added --tun-mtu-extra parameter to deal with - the situation where a read on a TUN/TAP device - returns more data than the device's MTU size. -* Fixed bug where some IPv6 support code for - Linux was not being properly ifdefed out for - Linux 2.2, causing compile errors. -* Added OPENVPN_EXIT_STATUS_x codes to - openvpn.h to control which status value - openvpn returns to its caller (such as - a shell or inetd/xinetd) for various conditions. -* Added OPENVPN_DEBUG_COMMAND_LINE flag to - openvpn.h to allow debugging in situations - where stdout, stderr, and syslog cannot be used - for message output, such as when OpenVPN is - instantiated by inetd/xinetd. -* Removed owner-execute permission from file - created by static key generator (Herbert Xu - and Alberto Gonzalez Iniesta). -* Added --passtos option to allow IPv4 TOS bits - to be passed from TUN/TAP input packets to - the outgoing UDP socket (Craig Knox). -* Added code to prevent open socket file descriptors - from being accessible to called scripts. -* Added --dev-name option (Christian Lademann). -* Added --mtu-disc option for manual control - over MTU options. -* Show OS MTU value on UDP socket write failures - (linux only). -* Numerous build system and portability - fixes (Matthias Andree). -* Added better sensing of compiler support for - variable argument macros, including (a) gcc - style, (b) ISO C 1999 style, and (c) no support. -* Removed generated files from CVS. Note INSTALL - file for new CVS build commands. -* Changed certain internal symbol names - for C standards compliance. -* Added TUN/TAP open code to cycle dynamically - through unit numbers until it finds a free - unit (based on code from Thomas Gielfeldt - and VTun). -* Added dynamic MTU and fragmenting infrastructure - (Experimental). Rebuild with FRAGMENT_ENABLE - defined to enable. -* Minor changes to SSL/TLS negotiation, use - exponential backoff on retransmits, and use - a smaller MTU size (note that no protocol - changes have been made which would break - compatibility with 1.3.x). -* Added --enable-strict-options flag - to ./configure. This option will cause - a more strict check for options compatibility - between peers when SSL/TLS negotiation is used, - but should only be used when both OpenVPN peers - are of the same version. -* Reorganization of debugging levels. -* Added a workaround in configure.ac for - default SSL header location on Linux - to fix RH9 build problem. -* Fixed potential deadlock when pthread support - is used on OSes that allocate a small socketpair() - message buffer. -* Fixed openvpn.init to be sh compliant - (Bishop Clark). -* Changed --daemon to wait until all - initialization is finished before becoming a - daemon, for the benefit of initialization - scripts that want a useful return status from - the openvpn command. -* Made openvpn.init script more robust, including - positive indication of initialization errors - in the openvpn daemon and better sanity checks. -* Changed --chroot to wait until initialization - is finished before calling chroot(), and allow - the use of --user and --group with --chroot. -* When syslog logging is enabled (--daemon or - --inetd), set stdin/stdout/stderr to point - to /dev/null. -* For inetd instantiations, dup socket descriptor - to a >2 value. -* Fixed bug in verify-cn script, where test would - incorrectly fail if CN=x was the last component - of the X509 composite string (Anonymous). -* Added Markus F.X.J. Oberhumer's special - license exception to COPYING. - -2002.10.23 -- Version 1.3.2 - -* Added SSL_CTX_set_client_CA_list call - to follow the canonical form for TLS initialization - recommended by the OpenSSL docs. This change allows - better support for intermediate CAs and has no impact - on security. -* Added build-inter script to easy-rsa package, to - facilitate the generation of intermediate CAs. -* Ported to NetBSD (Dimitri Goldin). -* Fixed minor bug in easy-rsa/sign-req. It refers to - openssl.cnf file, instead of $KEY_CONFIG, like all - other scripts (Ernesto Baschny). -* Added --days 3650 to the root CA generation command - in the HOWTO to override the woefully small 30 day - default (Dominik 'Aeneas' Schnitzer). -* Fixed bug where --ping-restart would sometimes - not re-resolve remote DNS hostname. -* Added --tun-ipv6 option and related infrastructure - support for IPv6 over tun. -* Added IPv6 over tun support for Linux (Aaron Sethman). -* Added FreeBSD 4.1.1+ TUN/TAP driver notes to - INSTALL (Matthias Andree). -* Added inetd/xinetd support (--inetd) including - documentation in the HOWTO. -* Added "Important Note on the use of commercial certificate - authorities (CAs) with OpenVPN" to HOWTO based on - issues raised on the openvpn-users list. - -2002.07.10 -- Version 1.3.1 - -* Fixed bug in openvpn.spec and openvpn.init - which caused RPM upgrade to fail. - -2002.07.10 -- Version 1.3.0 - -* Added --dev-node option to allow explicit selection of - tun/tap device node. -* Removed mlockall call from child thread, as it doesn't - appear to be necessary (child thread inherits mlockall - state from parent). -* Added --ping-timer-rem which causes timer for --ping-exit - and --ping-restart not to run unless we have a remote IP - address. -* Added condrestart to openvpn.init and openvpn.spec - (Bishop Clark). -* Added --ifconfig case for FreeBSD (Matthias Andree). -* Call openlog with facility=LOG_DAEMON (Matthias Andree). -* Changed LOG_INFO messages to LOG_NOTICE. -* Added warning when key files are group/others accessible. -* Added --single-session flag for TLS mode. -* Fixed bug where --writepid would segfault if used with - an invalid filename. -* Fixed bug where --ipchange status message was formatted - incorrectly. -* Print more concise error message when system() call - fails. -* Added --disable-occ option. -* Added --local, --remote, and --ifconfig options sanity - check. -* Changed default UDP MTU to 1300 and TUN/TAP MTU to - 1300. -* Successfully tested with OpenSSL 0.9.7 Beta 2. -* Broke out debug level definitions to errlevel.h -* Minor documentation and web site changes. -* All changes maintain protocol compatibility - with OpenVPN versions since 1.1.0, however default - MTU changes will require setting the MTU explicitly - by command line option, if you want 1.3.0 to - communicate with previous versions. - -2002.06.12 -- Version 1.2.1 - -* Added --ping-restart option to restart - connection on ping timeout using SIGUSR1 - logic (Matthias Andree). -* Added --persist-tun, --persist-key, - --persist-local-ip, and --persist-remote-ip - options for finer-grained control over SIGUSR1 - and --ping-restart restarts. To - replicate previous SIGUSR1 functionality, - use --persist-remote-ip. -* Changed residual IV fetching code to take - IV from tail of ciphertext. -* Added check to make sure that CFB or OFB - cipher modes are only used with SSL/TLS - authentication mode, and added a caveat - to INSTALL. -* Changed signal handling during initialization - (including re-initialization during restarts) - to exit on SIGTERM or SIGINT and ignore other - signals which would ordinarily be caught. -* Added --resolv-retry option to allow - retries on hostname resolution. -* Expanded the --float option to also - allow dynamic changes in source port number - on incoming datagrams. -* Added --mute option to limit repetitive - logging of similar message types. -* Added --group option to downgrade GID - after initialization. -* Try to set ifconfig path automatically - in configure. -* Added --ifconfig code for Mac OS X - (Christoph Pfisterer). -* Moved "Peer Connection Initiated" message - to --verb level 1. -* Successfully tested with - OpenSSL 0.9.7 Beta 1 and AES cipher. -* Added RPM notes to INSTALL. -* Added ACX_PTHREAD (from the autoconf - macro archive) to configure.ac - to figure out the right pthread - options for a given platform. -* Broke out macro definitions from - configure.ac to acinclude.m4. -* Minor changes to docs and HOWTO. -* All changes maintain protocol compatibility - with OpenVPN versions since 1.1.0. - -2002.05.22 -- Version 1.2.0 - -* Added configuration file support via - the --config option. -* Added pthread support to improve latency. - With pthread support, OpenVPN - will offload CPU-intensive tasks such as RSA - key number crunching to a background thread - to improve tunnel packet forwarding - latency. pthread support can be enabled - with the --enable-pthread configure option. - Pthread support is currently available - only for Linux and Solaris. -* Added --dev-type option so that tun/tap - device names don't need to begin with - "tun" or "tap". -* Added --writepid option to write main - process ID to a file. -* Numerous portability fixes to ease - porting to other OSes including changing - all network types to uint8_t and uint32_t, - and not assuming that time_t is 32 bits. -* Backported to OpenSSL 0.9.5. -* Ported to Solaris. -* Finished OpenBSD port except for - pthread support. -* Added initialization script: - sample-scripts/openvpn.init - (Douglas Keller) -* Ported to Mac OS X (Christoph Pfisterer). -* Improved resilience to DoS attacks when - TLS mode is used without --remote or - --tls-auth, or when --float is used - with --remote. Note however that the best - defense against DoS attacks in TLS mode - is to use --tls-auth. -* Eliminated automake/autoconf dependency - for non-developers. -* Ported configure.in to configure.ac - and autoconf 2.50+. -* SIGHUP signal now causes OpenVPN to restart - and re-read command line and or config file, - in conformance with canonical daemon behaviour. -* SIGUSR1 now does what SIGHUP did in - version 1.1.1 and earlier -- close and reopen - the UDP socket for use when DHCP changes - host's IP address and preserve most recently - authenticated peer address without rereading - config file. -* SIGUSR2 added -- outputs current statistics, - including compression statistics. -* All changes maintain protocol compatibility - with 1.1.1 and 1.1.0. - -2002.04.22 -- Version 1.1.1 - -* Added --ifconfig option to automatically configure - TUN device. -* Added inactivity disconnect (--inactive - and --ping-exit options). -* Added --ping option to keep stateful firewalls - from timing out. -* Added sanity check to command line parser to - err if any TLS options are used in non-TLS mode. -* Fixed build problem with compiler environments that - define printf as a macro. -* Fixed build problem on linux systems that have - an integrated TUN/TAP driver but lack the persistent - tunnel feature (TUNSETPERSIST). Some linux kernels - >= 2.4.0 and < 2.4.7 fall into this category. -* Changed all calls to EVP_CipherInit to use explicit - encrypt/decrypt mode in order to fix problem with - IDEA-CBC and AES-256-CBC ciphers. -* Minor changes to control channel transmit limiter - algorithm to fix problem where TLS control channel - might not renegotiate within the default 60 second window. -* Simplified man page examples by taking advantage - of the new --ifconfig option. -* Minor changes to configure.in to check more - rigourously for OpenSSL 0.9.6 or greater. -* Put back openvpn.spec, eliminated - openvpn.spec.in. -* Modified openvpn.spec to reflect new automake-based - build environment (Bishop Clark). -* Other documentation changes. -* Added --test-crypto option for debugging. -* Added "missing" and "mkinstalldirs" automake - support files. - - -2002.04.09 -- Version 1.1.0 - -* Strengthened replay protection and IV handling, - extending it fully to both static key and - TLS dynamic key exchange modes. -* Added --mlock option to disable paging and ensure that key - material and tunnel data is never paged to disk. -* Added optional traffic shaping feature to cap the maximum - data rate of the tunnel. -* Converted to automake (The Platypus Brothers 2002-04-01). -* Ported to OpenBSD by Janne Johansson. -* Added --tun-af-inet option to work around an incompatibility - between Linux and BSD tun drivers. -* Sequence number-based replay protection using the - IPSec sliding window model is now the default, - disable with --no-replay. -* Explicit IV is now the default, disable with --no-iv. -* Disabled all cipher modes except CBC, CFB, and OFB. -* In CBC mode, use explicit IV and carry forward residuals, - using IPSec model. -* In CFB/OFB mode, IV is timestamp, sequence number. -* Eliminated --packet-id, --timestamp, and max-delta parameter to - the --tls-auth option as they are now supplanted by improved - replay code which is enabled by default. -* Eliminated --rand-iv as it is now obsolete with improved - IV code. -* Eliminated --reneg-err option as it increases vulnerability - to DoS attacks. -* Added weak key check for DES ciphers. -* --tls-freq option is no longer specified on the command line, - instead it now inherits its parameter from the - --tls-timeout option. -* Fixed bug that would try to free memory on exit that was - never malloced if --comp-lzo was not specified. -* Errata fixed in the man page examples: "test-ca" should be - "tmp-ca". -* Updated manual page. -* Preliminary work in porting to OpenSSL 0.9.7. -* Changed license to allowing linking with OpenSSL. - -2002.03.29 -- Version 1.0.3 - -* Fixed a problem in configure with library ordering on the - command line. - -2002.03.28 -- Version 1.0.2 - -* Improved the efficiency of the inner event loop. -* Fixed a minor bug with timeout handling. -* Improved the build system to build on RH 6.2 through 7.2. -* Added an openvpn.spec file for RPM builders (Bishop Clark). - -2002.03.23 -- Version 1.0 - -* Added TLS-based authentication and key exchange. -* Added gremlin mode to stress test. -* Wrote man page. - -2001.12.26 -- Version 0.91 - -* Added any choice of cipher or HMAC digest. - -2001.5.13 -- Version 0.90 - -* Initial release. -* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. -- cgit v1.2.3