summaryrefslogtreecommitdiff
path: root/openvpn/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'openvpn/ChangeLog')
-rw-r--r--openvpn/ChangeLog3875
1 files changed, 3875 insertions, 0 deletions
diff --git a/openvpn/ChangeLog b/openvpn/ChangeLog
new file mode 100644
index 0000000..d498344
--- /dev/null
+++ b/openvpn/ChangeLog
@@ -0,0 +1,3875 @@
+OpenVPN Change Log
+Copyright (C) 2002-2011 OpenVPN Technologies, Inc. <sales@openvpn.net>
+
+2012.02.21 -- Version 2.3-alpha1
+Adriaan de Jong (127):
+ Added Doxygen doxyfile
+ Changed configure to accept --with-ssl-type=openssl
+ Refactored to rand_bytes for OpenSSL-independency
+ Refactored OpenSSL-specific constants
+ Refactored maximum cipher and hmac length constants
+ Refactored show_available_* functions
+ Refactored SSL_clear_error()
+ Refactored crypto initialisation functions
+ Refactored DES key manipulation functions
+ Refactored NTLM DES key generation
+ Refactored message digest type functions
+ Refactored message digest functions
+ Refactored HMAC functions
+ Refactored cipher key types
+ Refactored cipher functions
+ Added PRNG doxygen
+ Refactored: Moved crypto.h inline functions to end of file
+ Removed stale OpenSSL defines from crypto.h
+ Added a check for Openssl or PolarSSL defines
+ Refactored: Added stubs for new files
+ Refactored SSL initialisation functions
+ Refactored TLS_PRF to new hmac and md primitives
+ Refactored tls_show_available_ciphers
+ Refactored get_highest_preference_tls_cipher
+ Refactored root SSL context initialisation
+ Refactored new external key code
+ Refactored DH paramater loading
+ Refactored root TLS option settings
+ Refactored PKCS#12 key loading
+ Refactored PKCS#11 loading
+ Refactored windows cert loading
+ Refactored load certificate functions
+ Refactored private key loading code
+ Refactored external key loading from management
+ Refactored CA and extra certs code
+ Refactored cipher restriction code
+ Refactored tls_options, key_state, and key_source data structures
+ Refactored initalisation of key_states
+ Refactored key_state free code
+ Refactored print_details
+ Refactored key_state read code (including bio_read())
+ Refactored key_state write functions
+ Refactored: Moved BIO debug functions to OpenSSL backend
+ Refactored: removed ks and ks_lame macro for clarity
+ Refactored: moved write_empty_string function back
+ Refactored Doxygen for tls_multi functions
+ Migrated data structures needed by verification functions to ssl_common.h
+ Refactored client_config_dir_exclusive function
+ Refactored certificate hash lock checks
+ Refactored common name locking functions
+ Refactored username and password authentication code
+ Add some extra comments
+ Refactored: split verify_callback into two parts
+ Added function to extract and verify the subject from a certificate
+ Added function to verify and extract the username
+ Refactored: removed global x509_username_field
+ Refactored: separated environment setup during verification
+ Refactored: Netscape certificate type verification
+ Refactored key usage verification code
+ Refactored EKU verification
+ Refactored tls-remote checking
+ Refactored tls-verify-plugin code
+ Refactored tls-verify script code
+ Refactored CRL checks
+ Minor cleanup in verify_cert:
+ Refactored: Moved verify_cert to ssl_verify
+ Cleaned up ssl.h
+ Refactored: made M_SSL dependent on USE_OPENSSL
+ Refactored: renamed X509 functions from verify_*
+ Separated OpenSSL-specific parts of the PKCS#11 driver
+ Modified base64 code in preparation for PolarSSL merge
+ Final cleanup before PolarSSL addition:
+ Refactored X509 track feature to be contained within the openssl backend
+ Added PolarSSL support:
+ Fixed a missing include in ssl_backend.h
+ Fixed a bug in the hash generation in ssl_verify_openssl.c
+ Added SHA_DIGEST_SIZE definition
+ Changed PolarSSL crypto backend to support v0.99-pre5
+ Updated ssl_polarssl.c to work with 0.99-pre5
+ Fixed a compilation warning for size_t key sizes
+ Added a warning that the PolarSSL library does not support pkcs12 files.
+ Added warning that --capath is not available with PolarSSL
+ Disable CryptoAPI when not using OpenSSL, and document that fact.
+ Removed support for management external keys in PolarSSL
+ Removed stray X509_free from ssl.c
+ Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
+ Added an extra define to allow building without PKCS#11
+ Added SSL library to title string
+ Disabled X.509 track and username selection for PolarSSL
+ Hardening: periodically reset the PRNG's nonce value
+ Fixes for the plugin system:
+ Further improvements to plugin support:
+ Fixed an unintentional change in the options calculated key size.
+ Moved print messages back to generic crypto.c from cipher backends
+ Moved HMAC prints back to main crypto module
+ Added back checks for ks->authenticated in verify_user_pass
+ Moved gc_new and gc_free to begin end of function
+ Fixed a bug in the return value of ssl_verify when pre_verify failed
+ Unified verification function return values:
+ Removed a stray Fox-IT tag
+ Fixed a typo: print the subject instead of the serial for verification errors
+ Made SSL_CIPHER const in print_details, to fix warning
+ Moved to PolarSSL 1.0.0:
+ Added missing #ifdef to allow --disable-managent to work again
+ Fixed disabling crypto and SSL
+ Got rid of a few magic numbers in ntlm.c
+ Removed obsolete des_cblock and des_keyschedule
+ Further removal of des_old.h based calls
+ Fixed missing comma in plugin.h
+ Moved prng_uninit out of crypto_uninit_lib
+ Moved CryptoAPI header include to the ssl_openssl.c
+ Reordered functions to ensure warning-free Windows build
+ Added options to switch between OpenSSL and PolarSSL and PKCS11...
+ Moved from strsep to strtok, for Windows compatibility
+ Minor cleanup to enable warning-free Windows build:
+ Fixed a typo when initialising cryptoapi certs
+ Minor code cleanup: cleaned up error handling in verify_cert.
+ Moved out of memory prototype to error.h, as the definition is in error.c
+ Removed support for calling gc_malloc with a NULL gc_arena struct
+
+ (The follwing patches from Adriaan was mistakenly merged with
+ the wrong commit author in the git tree)
+ Doxygen: Added data channel crypto docs
+ Added control channel crypto docs
+ Added compression docs
+ Added reliability layer documentation
+ Added memory management documentation
+ Added data channel fragmentation docs
+ Added main/control docs
+ Moved doxygen-specific files to a separate directory
+
+Byron Ellacott (1):
+ autoconf fixes for building on OSX
+
+David Sommerseth (50):
+ Provide 'dev_type' environment variable to plug-ins and script hooks
+ Define the new openvpn_plugin_{open,func}_v3() API
+ Implement the core v3 plug-in function calls.
+ Extend the v3 plug-in API to send over X509 certificates
+ Added a simple plug-in demonstrating the v3 plug-in API.
+ Separate the general plug-in version constant and v3 plug-in structs version
+ Use a version-less version identifier on the master branch
+ Fix the --client-cert-not-required feature
+ Change the default --tmp-dir path to a more suitable path
+ Improve the mysprintf() issue in openvpnserv.c
+ Add a simple comment regarding openvpn_snprintf() is duplicated
+ Merge branch 'feat_ipv6_transport'
+ Merge branch 'feat_ipv6_payload'
+ Merge branch 'svn-branch-2.1' into merge
+ Solved hidden merge conflicts between master and svn-branch-2.1
+ Fix const declarations in plug-in v3 structs
+ Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
+ Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
+ Fix compiling issues with pkcs11 when --disable-management is configured
+ Remove support for Linux 2.2 configuration fallback
+ Revert "Add new openssl.cnf to easy-rsa/Windows"
+ Merge remote branch SVN 2.1 into the git tree
+ Merge branch 'svn-merger'
+ Fix Microsoft Visual Studio incompatibility in plugin.c
+ Fixed compile issues on FreeBSD and Solaris
+ Fix PolarSSL and --pkcs12 option issues
+ Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
+ Make '--win-sys env' default
+ Do some file/directory tests before really starting openvpn
+ Fix bug after removing Linux 2.2 support
+ Don't look for 'stdin' file when using --auth-user-pass
+ Fix compiling with --disable-crypto and/or --disable-ssl
+ Fix a couple of issues in openvpn_execve()
+ Move away from openvpn_basename() over to platform provided basename()
+ Enable access() when building in Visual Studio
+ New Windows build fixes
+ Fix compilation errors on Linux platforms without SO_MARK
+ autotools ./configure don't like compat.h
+ Fix pool logging when IPv6 is not enabled
+ Don't check for file presence on inline files
+ Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
+ Enhance the error handling in _openssl_get_subject()
+ Fix assert() situations where gc_malloc() is called without a gc_arena object
+ Fix compile issues when plug-ins are disabled.
+ Remove --show-gateway if debug info is not enabled (--disable-debug)
+ Fix compile issues with status.c
+ Connection entry {tun,link}_mtu_defined not set correctly
+ Makefile.am referenced a now non-existing config-win32.h
+ Makefile.am was missing ssl_common.h
+ Revamp check_file_access() checks in stdin scenarios
+
+Davide Guerri (1):
+ New feauture: Add --stale-routes-check
+
+Frank de Brabander (1):
+ Fixed wrong return type of cipher_kt_mode
+
+Frederic Crozat (1):
+ Add support to forward console query to systemd
+
+Gert Doering (45):
+ Add more detailed explanation regarding the function of "--rdns-internal"
+ Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release.
+ remove NOTES file from commit - private scribbling
+ NetBSD fixes - on 4.0 and up, use multi-af mode.
+ new feature: "ifconfig-ipv6-push" (from ccd/ config)
+ add some TODOs to TODO.IPv6
+ undo accidential duplication of existing "--iroute" line in the help text
+ basic documentation of IPv6 related options and their syntax
+ Enable IPv6 Payload in OpenVPN p2mp tun server mode.
+ remove NOTES file from commit - private scribbling
+ env_block(): if PATH is not set, add standard PATH setting to env
+ add IPv6 route add / route delete code for windows (using "netsh")
+ - Win32 IPv6 ifconfig support, using "netsh" calls
+ drop "book ipv6" from open_tun() and tuncfg() prototypes
+ document recent changes and open TODOs, adapt --version info, tag release
+ Win32: set next-hop for IPv6 routes according to TUN/TAP mode
+ when deleting a route on win32, also add gateway address
+ WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
+ revert unconditionally-enabling of setenv_es() logging
+ implement IPv6 ifconfig + route setup/deletion on OpenBSD
+ full "VPN client connect" test framework for OpenVPN t_client.rc-sample
+ renamed t_client.sh to t_client.sh.in
+ 2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
+ correct URL for "more information about IPv6 patch is *here*"
+ bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
+ bump IPv6 version number (openvpn --version) to 20100922-1
+ Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
+ rebased to 2.2RC2 (beta 2.2 branch)
+ Windows IPv6 cleanup - properly remove IPv6 routes and interface config
+ For all accesses to "struct route_list * rl", check first that rl is non-NULL
+ Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
+ Platform cleanup for NetBSD
+ Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
+ add missing break between "case IPv4" and "case IPv6"
+ bump tap driver version from 9.8 to 9.9
+ log error message and exit for "win32, tun mode, tap driver version 9.8"
+ work around inet_ntop/inet_pton problems for MSVC builds on WinXP
+ Fix build-up of duplicate IPv6 routes on reconnect.
+ Fix list-overrun checks in copy_route_[ipv6_]option_list()
+ add "print test titles" and "use sudo" functionality to t_client.rc
+ Platform cleanup for FreeBSD
+ Implement IPv6 interface config with non-/64 prefix lengths.
+ Fix RUN_SUDO functionality for t_client.sh
+ Document IPv6-related environment variables.
+ Platform cleanup for OpenBSD
+
+Gisle Vanem (1):
+ Avoid re-defining uint32_t when using mingw compiler
+
+Gustavo Zacarias (1):
+ Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto
+
+Heiko Hund (16):
+ add .gitignore to official repository
+ remove function is_proto_tcp()
+ remove legacy code to query IE proxy information
+ lowercase include header name in syshead.h
+ define IN6_ARE_ADDR_EQUAL macro for WIN32
+ add --mark option to set SO_MARK sockopt
+ Windows UTF-8 input/output
+ UTF-8 X.509 distinguished names
+ set Windows environment variables as UCS-2
+ handle Windows unicode paths
+ replace check for TARGET_WIN32 with WIN32
+ do not use mode_t on Windows
+ use the underscore version of stat on Windows
+ make MSVC link against shell32 as well
+ move variable declaration to top of function
+ define access mode flag X_OK as 0 on Windows
+
+Igor Novgorodov (1):
+ The code blocks enabled by ENABLE_CLIENT_CR depends on management
+
+James Yonan (57):
+ Added "management-external-key" option.
+ Minor addition of logging info before and after execution of Windows net commands.
+ Misc fixes to r6708.
+ Added --x509-track option.
+ * added --management-up-down option to allow management interface to be notified of tunnel up/down events.
+ Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
+ Implemented get_default_gateway_mac_addr for Mac OS X
+ Fixes to r6925.
+ Properly handle certificate serial numbers > 32 bits.
+ Added "client-nat" option for stateless, one-to-one NAT on the client side.
+ Renamed branch to reflect that it is no longer beta.
+ env_filter_match now includes the serial number of all certs
+ Fixed issue where a client might receive multiple push replies from a server
+ Fixed bug introduced in r7031 that might cause this error message:
+ Extended "client-kill" management interface command (server-side)
+ Client will now try to reconnect if no push reply received within handshake-window seconds.
+ Version 2.1.3n
+ Fixed compiling issues when using --disable-crypto
+ Added "management-external-key" option.
+ Misc fixes to r6708.
+ win/sign.py now accepts an optional tap-dir argument.
+ Added "auth-token" client directive
+ Added ./configure --enable-osxipconfig option for Mac OS X
+ Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
+ Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
+ Fixed bug in port-share that could cause port share process to crash
+ For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure
+ Version 2.1.3t
+ Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
+ Added 'dir' flag to "crl-verify" (see man page for info).
+ Added new "extra-certs" and "verify-hash" options
+ Fixed compile issues on Windows.
+ Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
+ Added optional journal directory argument to "port-share" directive
+ Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
+ env_filter_match now includes the serial number of all certs in chain
+ Added support for static challenge/response protocol.
+ r7316 fixes.
+ Added redirect-gateway block-local flag, with support for Linux, Mac OS X
+ Extended x509-track to allow SHA1 certificate hash to be extracted
+ Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.
+ Version 2.1.5.
+ Fixed MSVC compile error related to r7408.
+ Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
+ Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
+ Changed CC_PRINT character class to allow UTF-8 chars.
+ Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
+ Fixed issue where redirect-gateway block-local code was not correctly calculating...
+ CC_PRINT character class now allows any 8-bit character value >= 32.
+ "status" management interface command (version >= 2) will now include the username for each connected user.
+ Minor fix to CC_PRINT char class
+ Fixed management interface bug where >FATAL notifications were not being output properly
+ Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
+ Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
+ Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
+ Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
+ Added support for "on-link" routes on Linux client
+
+Jan Just Keijser (1):
+ Made some options connection-entry specific
+
+Joe Patterson (1):
+ common_name passing in auth_pam plugin
+
+JuanJo Ciarlante (40):
+ * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
+ * created getaddr6(), use it from resolve_remote()
+ * migrated all getaddrinfo() to getaddr6
+ * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
+ * support --disable-ipv6 build properly:
+ * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
+ * added README.ipv6.txt
+ * fixed win32 non-ipv6 build
+ * ipv6 on win32 "milestone": 1st snapshot that passes all unittests
+ * document ipv6 milestone status
+ * doc update w/unittests results
+ * make possible to x-compile openvpn/win32 in Linux
+ * correctly setup hints.ai_socktype for getaddrinfo(), althought sorta hacky, see TODO.ipv6.
+ * renamed README.ipv6{.txt,}
+ * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
+ * init.c: document the ENABLE_MANAGEMENT place to work on
+ * init.c: small in-doc tweaks
+ * fix multi-tcp crash (corrected assertion)
+ * TODO.ipv6 update
+ * socket.c: better buf logic in print_sockaddr_ex
+ * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)
+ * doc updates
+ * openbsd: no IFF_MULTICAST, #ifdef around it
+ * no new funcionality, just small cleanups
+ * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
+ * polished redirect-gateway (ipv4 on ipv6 endpoints) support
+ * updated doc
+ * fix --disable-ipv6 build
+ * doc updates
+ * rebased to v2.1.1 release
+ * undo mroute.c changes related to ipv6 payload
+ * fix --multihome for ipv4
+ * fix --multihome for ipv6
+ * ipv6-0.4.14: fix xinetd usage
+ * ipv6-0.4.15: add --multihome support to xBSD
+ * ipv6-0.4.15b: rebase over openvpn-testing-master
+ * ipv6-0.4.16: fix mingw32 build
+ * make ipv6_payload compile under windowze
+ USE_PF_INET6 by default for v2.3
+ fix ipv6 compilation under macosx >= 1070 - v3
+
+Markus Koetter (1):
+ Add extv3 X509 field support to --x509-username-field
+
+Matthew L. Creech (1):
+ Fix 2.2.0 build failure when management interface disabled
+
+Matthias Andree (1):
+ Skip rather than fail test in addressless FreeBSD jails.
+
+Robert Fischer (8):
+ Update man page with info about --capath
+ Update man page with info about --connect-timeout
+ Added info about --show-proxy-settings
+ Documented --x509-username-field option
+ Documented --errors-to-stderr option
+ Documented --push-peer-info option
+ Update man page with info about --remote-random-hostname
+ Added man page entry for --management-client
+
+Samuli Seppänen (19):
+ Add man page entry for --redirect-private
+ Change all CRLF linefeeds to LF linefeeds
+ Fix a bug in devcon source code handling
+ Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
+ Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
+ Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
+ Fix a build-ca issue on Windows
+ Add new openssl.cnf to easy-rsa/Windows
+ Updated "easy-rsa" for OpenSSL 1.0.0
+ Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
+ Fixes to easy-rsa/2.0
+ Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
+ Fixed a number of fatal build errors on Visual Studio 2008
+ Fix a Visual Studio 2008 build issue in socket.c
+ Additional Visual Studio 2008 build fixes to tun.c
+ Fixed a typo in win32.h that prevented building with Visual Studio
+ Fixed a regression causing VS2008/Python build failure
+ Fix a Visual Studio 2008 build error in tun.c
+ Fix a Visual Studio 2008 build error in options.c
+
+Simon Matter (1):
+ Fix issues with some older GCC compilers
+
+Stefan Hellermann (2):
+ plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
+ Fixed typo in plugin.h
+
+chantra (1):
+ Clarify --tmp-dir option
+
+smos (1):
+ Change the netsh.exe command from "add" to "set".
+
+2011.12.25 -- Version 2.x-master
+James Yonan (1):
+ Added support for "on-link" routes on Linux client -- these are
+ routes where the gateway is specified as an interface rather than
+ an address. This allows redirect-gateway to work on Linux clients
+ whose connection to the internet is via a point-to-point link
+ such as PPP.
+
+ Note that at the moment, this capability is incompatible with
+ the "redirect-gateway block-local" directive -- this is because
+ the block-local directive blocks all traffic from the local LAN
+ except for the local and gateway addresses. Since a PPP link
+ is essentially a subnet of two addresses, local and remote (i.e.
+ gateway), the set of addresses that would be blocked by block-local
+ is empty. Therefore, the "redirect-gateway block-local" directive
+ will be ignored on PPP links.
+
+ To view the OpenVPN client's current determination of the default
+ gateway, use this command:
+
+ ./openvpn --show-gateway
+
+2011.03.24 -- Version 2.2-RC2
+Alon Bar-Lev (1):
+ Windows cross-compile cleanup
+
+David Sommerseth (2):
+ Open log files as text files on Windows
+ Clarify default value for the --inactive option.
+
+Gert Doering (1):
+ Implement IPv6 in TUN mode for Windows TAP driver.
+
+Samuli Seppänen (6):
+ Added support for prebuilt TAP-drivers. Automated embedding manifests.
+ Fixes to win/openvpn.nsi
+ Replaced config-win32.h with win/config.h.in
+ Updated INSTALL-win32.txt
+ Fixes to Makefile.am
+ Clarified --client-config-dir section on the man-page.
+
+Ville Skyttä (1):
+ Fix line continuation in chkconfig init script description.
+
+2011.02.28 -- Version 2.2-RC
+David Sommerseth (3):
+ Make the --x509-username-field feature an opt-in feature
+ Fix compiler warning when compiling against OpenSSL 1.0.0
+ Fix packaging of config-win32.h and service-win32/msvc.mak
+
+James Yonan (1):
+ Minor addition of logging info before and after execution of Windows net commands.
+
+Matthias Andree (1):
+ Change variadic macros to C99 style.
+
+Samuli Seppänen (15):
+ Added ENABLE_PASSWORD_SAVE to config-win32.h
+ Added a nmake makefile for openvpnserv.exe building
+ Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
+ Added helper functionality to win/wb.py
+ Added support for viewing config-win32.h paramters to win/show.py
+ Added comments and made small modifications to win/msvc.mak.in
+ Added command-line switch to win/build_all.py to skip TAP driver building
+ Added configure.h and version.m4 variable parsing to win/config.py
+ Added openvpnserv.exe building to win/build.py
+ Added comments to win/build_ddk.py
+ Several modifications to win/make_dist.py to allow building the NSI installer
+ Copied install-win32/setpath.nsi to win/setpath.nsi
+ Added first version of NSI installer script to win/openvpn.nsi
+ Changes to buildsystem patchset
+ Temporary snprintf-related fix to service-win32/openvpnserv.c
+
+2010.11.25 -- Version 2.2-beta5
+
+Samuli Seppänen (1):
+ Fixed an issue causing a build failure with MS Visual Studio 2008.
+
+2010.11.18 -- Version 2.2-beta4
+
+David Sommerseth (10):
+ Clarified --explicit-exit-notify man page entry
+ Clean-up: Remove pthread and mutex locking code
+ Clean-up: Remove more dead and inactive code paths
+ Clean-up: Removing useless code - hash related functions
+ Use stricter snprintf() formatting in socks_username_password_auth() (v3)
+ Fix compiler warnings about not used dummy() functions
+ Fixed potential misinterpretation of boolean logic
+ Only add some functions when really needed
+ Removed functions not being used anywhere
+ Merged add_bypass_address() and add_host_route_if_nonlocal()
+
+Gert Doering (3):
+ Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>.
+ Make "topology subnet" work on Solaris
+ Improved man page entry for script_type
+
+James Yonan (5):
+ Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
+ Implement challenge/response authentication support in client mode
+ Make base64.h have the same conditional compilation expression as base64.c.
+ Fixed compiling issues when using --disable-crypto
+ In verify_callback, the subject var should be freed by OPENSSL_free, not free
+
+Jesse Young (1):
+ Remove hardcoded path to resolvconf
+
+Lars Hupel (1):
+ Add HTTP/1.1 Host header
+
+Pierre Bourdon (1):
+ Adding support for SOCKS plain text authentication
+
+Samuli Seppänen (2):
+ Added check for variable CONFIGURE_DEFINES into options.c
+ Added command-line option parser and an unsigned build option to build_all.py
+
+2010.08.21 -- Version 2.2-beta3
+
+* Attempt to fix issue where domake-win build system was not properly
+ signing drivers and .exe files.
+
+ Added win/tap_span.py for building multiple versions of the TAP driver
+ and tapinstall binaries using different DDK versions to span from Win2K
+ to Win7 and beyond.
+
+* Community patches
+ David Sommerseth (2):
+ Test framework improvment - Do not FAIL if t_client.rc is missing
+ More t_client.sh updates - exit with SKIP when we want to skip
+
+ Gert Doering (4):
+ Fix compile problems on NetBSD and OpenBSD
+ Fix <net/if.h> compile time problems on OpenBSD for good
+ full "VPN client connect" test framework for OpenVPN
+ Build t_client.sh by configure at run-time.
+
+ chantra (1):
+ Fixes openssl-1.0.0 compilation warning
+
+2010.08.16 -- Version 2.2-beta2
+
+* Windows security issue:
+ Fixed potential local privilege escalation vulnerability in
+ Windows service. The Windows service did not properly quote the
+ executable filename passed to CreateService. A local attacker
+ with write access to the root directory C:\ could create an
+ executable that would be run with the same privilege level as
+ the OpenVPN Windows service. However, since non-Administrative
+ users normally lack write permission on C:\, this vulnerability
+ is generally not exploitable except on older versions of Windows
+ (such as Win2K) where the default permissions on C:\ would allow
+ any user to create files there.
+ Credit: Scott Laurie, MWR InfoSecurity
+
+* Added Python-based based alternative build system for Windows using
+ Visual Studio 2008 (in win directory).
+
+* When aborting in a non-graceful way, try to execute do_close_tun in
+ init.c prior to daemon exit to ensure that the tun/tap interface is
+ closed and any added routes are deleted.
+
+* Fixed an issue where AUTH_FAILED was not being properly delivered
+ to the client when a bad password is given for mid-session reauth,
+ causing the connection to fail without an error indication.
+
+* Don't advance to the next connection profile on AUTH_FAILED errors.
+
+* Fixed an issue in the Management Interface that could cause
+ a process hang with 100% CPU utilization in --management-client
+ mode if the management interface client disconnected at the
+ point where credentials are queried.
+
+* Fixed an issue where if reneg-sec was set to 0 on the client,
+ so that the server-side value would take precedence,
+ the auth_deferred_expire_window function would incorrectly
+ return a window period of 0 seconds. In this case, the
+ correct window period should be the handshake window
+ period.
+
+* Modified ">PASSWORD:Verification Failed" management interface
+ notification to include a client reason string:
+
+ >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
+
+* Enable exponential backoff in reliability layer
+ retransmits.
+
+* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
+ socket is created rather than waiting until after connect/listen.
+
+* Management interface performance optimizations:
+
+ 1. Added env-filter MI command to perform filtering on env vars
+ passed through as a part of --management-client-auth
+
+ 2. man_write will now try to aggregate output into larger blocks
+ (up to 1024 bytes) for more efficient i/o
+
+* Fixed minor issue in Windows TAP driver DEBUG builds
+ where non-null-terminated unicode strings were being
+ printed incorrectly.
+
+* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
+ was not being compiled in.
+
+* Proxy improvements:
+
+ Improved the ability of http-auth "auto" flag to dynamically detect
+ the auth method required by the proxy.
+
+ Added http-auth "auto-nct" flag to reject weak proxy auth methods.
+
+ Added HTTP proxy digest authentication method.
+
+ Removed extraneous openvpn_sleep calls from proxy.c.
+
+* Implemented http-proxy-override and http-proxy-fallback directives to make it
+ easier for OpenVPN client UIs to start a pre-existing client config file with
+ proxy options, or to adaptively fall back to a proxy connection if a direct
+ connection fails.
+
+* Implemented a key/value auth channel from client to server.
+
+* Fixed issue where bad creds provided by the management interface
+ for HTTP Proxy Basic Authentication would go into an infinite
+ retry-fail loop instead of requerying the management interface for
+ new creds.
+
+* Added support for MSVC debugging of openvpn.exe in settings.in:
+
+ # Build debugging version of openvpn.exe
+ !define PRODUCT_OPENVPN_DEBUG
+
+* Implemented multi-address DNS expansion on the network field of route
+ commands.
+
+ When only a single IP address is desired from a multi-address DNS
+ expansion, use the first address rather than a random selection.
+
+* Added --register-dns option for Windows.
+
+ Fixed some issues on Windows with --log, subprocess creation
+ for command execution, and stdout/stderr redirection.
+
+* Fixed an issue where application payload transmissions on the
+ TLS control channel (such as AUTH_FAILED) that occur during
+ or immediately after a TLS renegotiation might be dropped.
+
+* Added warning about tls-remote option in man page.
+
+2009.12.11 -- Version 2.1.1
+
+* Fixed some breakage in openvpn.spec (which is required to build an
+ RPM distribution) where it was referencing a non-existent
+ subdirectory in the tarball, causing it to fail (patch from
+ David Sommerseth).
+
+2009.12.11 -- Version 2.1.0
+
+* Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
+ (1) Fail gracefully rather than segfault if calloc returns NULL.
+ (2) The openvpn_plugin_abort_v1 function can potentially be called
+ with handle == NULL. Add code to detect this case, and if so, avoid
+ dereferencing pointers derived from handle (Thanks to David
+ Sommerseth for finding this bug).
+
+* Documented "multihome" option in the man page.
+
+2009.11.20 -- Version 2.1_rc22
+
+* Fixed a client-side bug on Windows that occurred when the
+ "dhcp-pre-release" or "dhcp-renew" options were combined with
+ "route-gateway dhcp". The release/renew would not occur
+ because the Windows DHCP renew function is blocking and
+ therefore must be called from another process or thread
+ so as not to stall the tunnel.
+
+* Added a hard failure when peer provides a certificate chain
+ with depth > 16. Previously, a warning was issued.
+
+2009.11.12 -- Version 2.1_rc21
+
+* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
+ CVE-2009-3555. Note that OpenVPN has never relied on the session
+ renegotiation capabilities that are built into the SSL/TLS protocol,
+ therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
+ completely) will not adversely affect OpenVPN mid-session SSL/TLS
+ renegotation or any other OpenVPN capabilities.
+
+* Added additional session renegotiation hardening. OpenVPN has always
+ required that mid-session renegotiations build up a new SSL/TLS
+ session from scratch. While the client certificate common name is
+ already locked against changes in mid-session TLS renegotiations, we
+ now extend this locking to the auth-user-pass username as well as all
+ certificate content in the full client certificate chain.
+
+2009.10.01 -- Version 2.1_rc20
+
+* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
+ redirect-gateway option by itself, without any extra parameters,
+ would cause the option to be ignored.
+
+* Fixed build problem when ./configure --disable-server is used.
+
+* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
+
+* Added --remote-random-hostname option.
+
+* Added "load-stats" management interface command to get global server
+ load statistics.
+
+* Added new ./configure flags:
+
+ --disable-def-auth Disable deferred authentication
+ --disable-pf Disable internal packet filter
+
+* Added "setcon" directive for interoperability with SELinux (Sebastien
+ Raveau).
+
+* Optimized PUSH_REQUEST handshake sequence to shave several seconds
+ off of a typical client connection initiation.
+
+* The maximum number of "route" directives (specified in the config
+ file or pulled from a server) can now be configured via the new
+ "max-routes" directive.
+
+* Eliminated the limitation on the number of options that can be pushed
+ to clients, including routes. Previously, all pushed options needed
+ to fit within a 1024 byte options string.
+
+* Added --server-poll-timeout option : when polling possible remote
+ servers to connect to in a round-robin fashion, spend no more than
+ n seconds waiting for a response before trying the next server.
+
+* Added the ability for the server to provide a custom reason string
+ when an AUTH_FAILED message is returned to the client. This
+ string can be set by the server-side managment interface and read
+ by the client-side management interface.
+
+* client-kill management interface command, when issued on server, will
+ now send a RESTART message to client.
+ This feature is intended to make UDP clients respond the same as TCP
+ clients in the case where the server issues a RESTART message in
+ order to force the client to reconnect and pull a new options/route
+ list.
+
+2009.07.16 -- Version 2.1_rc19
+
+* In Windows TAP driver, refactor DHCP/ARP packet injection code to
+ use a DPC (deferred procedure call) to defer packet injection until
+ IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
+ in the context of AdapterTransmit. This is an attempt to reduce kernel
+ stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
+ observed on Vista. Updated TAP driver version number to 9.6.
+
+* In configure.ac, use datadir instead of datarootdir for compatibility
+ with <autoconf-2.60.
+
+2009.06.07 -- Version 2.1_rc18
+
+* Fixed compile error on ./configure --enable-small
+
+* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
+ does not build on Windows on non-MINGW32.
+
+2009.05.30 -- Version 2.1_rc17
+
+* Reduce the debug level (--verb) at which received management interface
+ commands are echoed from 7 to 3. Passwords will be filtered.
+
+* Fixed race condition in management interface recv code on
+ Windows, where sending a set of several commands to the
+ management interface in quick succession might cause the
+ latter commands in the set to be ignored.
+
+* Increased management interface input command buffer size
+ from 256 to 1024 bytes.
+
+* Minor tweaks to Windows build system.
+
+* Added "redirect-private" option which allows private subnets
+ to be pushed to the client in such a way that they don't accidently
+ obscure critical local addresses such as the DHCP server address and
+ DNS server addresses.
+
+* Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
+ client will examine the routing table and determine whether (a) the
+ OpenVPN server is reachable via a locally connected interface, or (b)
+ traffic to the server must be forwarded through the default router.
+ Only add a special bypass route for the OpenVPN server if (b) is true.
+ If (a) is true, behave as if the 'local' flag is specified, and do not
+ add a bypass route.
+
+ The new 'autolocal' flag depends on the non-portable test_local_addr()
+ function in route.c, which is currently only implemented for Windows.
+ The 'autolocal' flag will act as a no-op on platforms that have not
+ yet defined a test_local_addr() function.
+
+* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
+ more option content to be pushed from server to client).
+
+* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
+ levels <=3) a common and usually innocuous warning.
+
+* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
+ functionality (Alon Bar-Lev).
+
+* Fixed bug where the remote_X environmental variables were not being
+ set correctly when the 'local' option is specifed.
+
+2009.05.17 -- Version 2.1_rc16
+
+* Windows installer changes:
+
+ 1. ifdefed out the check Windows version code which is causing
+ problems on Windows 7
+
+ 2. don't define SF_SELECTED if it is already defined
+
+ 3. Use LZMA instead of BZIP2 compression for better compression
+
+ 4. Upgraded OpenSSL to 0.9.8k
+
+* Added the ability to read the configuration file
+ from stdin, when "stdin" is given as the config
+ file name.
+
+* Allow "management-client" directive to be used
+ with unix domain sockets.
+
+* Added errors-to-stderr option. When enabled, fatal errors
+ that result in the termination of the daemon will be written
+ to stderr.
+
+* Added optional "nogw" (no gateway) flag to --server-bridge
+ to inhibit the pushing of the route-gateway parameter to
+ clients.
+
+* Added new management interface command "pid" to show the
+ process ID of the current OpenVPN process (Angelo Laub).
+
+* Fixed issue where SIGUSR1 restarts would fail if private
+ key was specified as an inline file.
+
+* Added daemon_start_time and daemon_pid environmental variables.
+
+* In management interface, added new ">CLIENT:ESTABLISHED" notification.
+
+* Build fixes:
+
+ 1. Fixed some issues with C++ style comments that leaked into the code.
+
+ 2. Updated configure.ac to work on MinGW64.
+
+ 3. Updated common.h types for _WIN64.
+
+ 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
+ compilers.
+
+ 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
+ OpenVPNCryptAcquireCertificatePrivateKey to work around
+ a symbol conflict in MinGW-5.1.4.
+
+2008.11.19 -- Version 2.1_rc15
+
+* Fixed issue introduced in 2.1_rc14 that may cause a
+ segfault when a --plugin module is used.
+
+* Added server-side --opt-verify option: clients that connect
+ with options that are incompatible with those of the server
+ will be disconnected (without this option, incompatible
+ clients would trigger a warning message in the server log
+ but would not be disconnected).
+
+* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
+ flag on the server as well as pushes it to connecting clients.
+
+* Minor options check fix: --no-name-remapping is a
+ server-only option and should therefore generate an
+ error when used on the client.
+
+* Added --prng option to control PRNG (pseudo-random
+ number generator) parameters. In previous OpenVPN
+ versions, the PRNG was hardcoded to use the SHA1
+ hash. Now any OpenSSL hash may be used. This is
+ part of an effort to remove hardcoded references to
+ a specific cipher or cryptographic hash algorithm.
+
+* Cleaned up man page synopsis.
+
+2008.11.16 -- Version 2.1_rc14
+
+* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
+ with the goal of fixing a build issue on Fedora 9 that was
+ introduced in 2.1_rc13.
+
+* Added additional method parameter to --script-security to preserve
+ backward compatibility with system() call semantics used in OpenVPN
+ 2.1_rc8 and earlier. To preserve backward compatibility use:
+
+ script-security 3 system
+
+* Added additional warning messages about --script-security 2
+ or higher being required to execute user-defined scripts or
+ executables.
+
+* Windows build system changes:
+
+ Modified Windows domake-win build system to write all openvpn.nsi
+ input files to gen, so that gen can be disconnected from
+ the rest of the source tree and makensis openvpn.nsi will
+ still function correctly.
+
+ Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
+ (commented out by default).
+
+ Added optional files SAMPCONF_CONF2 (second sample configuration
+ file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
+ build system, and may be defined in settings.in.
+
+* Extended Management Interface "bytecount" command
+ to work when OpenVPN is running as a server.
+ Documented Management Interface "bytecount" command in
+ management/management-notes.txt.
+
+* Fixed informational message in ssl.c to properly indicate
+ deferred authentication.
+
+* Added server-side --auth-user-pass-optional directive, to allow
+ connections by clients that do not specify a username/password, when a
+ user-defined authentication script/module is in place (via
+ --auth-user-pass-verify, --management-client-auth, or a plugin module).
+
+* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
+
+ Calling scripts can set the KEY_NAME environmental variable to set
+ the "name" X509 subject field in generated certificates.
+
+ Modified pkitool to allow flexibility in separating the Common Name
+ convention from the cert/key filename convention.
+
+ For example:
+
+ KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
+
+ will create a client certificate/key pair of james.crt/james.key
+ having a Common Name of "James's Laptop" and a Name of "james".
+
+* Added --no-name-remapping option to allow Common Name, X509 Subject,
+ and username strings to include any printable character including
+ space, but excluding control characters such as tab, newline, and
+ carriage-return (this is important for compatibility with external
+ authentication systems).
+
+ As a related change, added --status-version 3 format (and "status 3"
+ in the management interface) which uses the version 2 format except
+ that tabs are used as delimiters instead of commas so that there
+ is no ambiguity when parsing a Common Name that contains a comma.
+
+ Also, save X509 Subject fields to environment, using the naming
+ convention:
+
+ X509_{cert_depth}_{name}={value}
+
+ This is to avoid ambiguities when parsing out the X509 subject string
+ since "/" characters could potentially be used in the common name.
+
+* Fixed some ifconfig-pool issues that precluded it from being combined
+ with --server directive.
+
+ Now, for example, we can configure thusly:
+
+ server 10.8.0.0 255.255.255.0 nopool
+ ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
+
+ to have ifconfig-pool manage only a subset
+ of the VPN subnet.
+
+* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
+ config file syntax checking to allow directives for future OpenVPN
+ versions to be ignored.
+
+2008.10.07 -- Version 2.1_rc13
+
+* Bundled OpenSSL 0.9.8i with Windows installer.
+
+* Management interface can now listen on a unix
+ domain socket, for example:
+
+ management /tmp/openvpn unix
+
+ Also added management-client-user and management-client-group
+ directives to control which processes are allowed to connect
+ to the socket.
+
+* Copyright change to OpenVPN Technologies, Inc.
+
+2008.09.23 -- Version 2.1_rc12
+
+* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
+ part of the tarball (Matthias Andree).
+
+* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
+ was incorrectly expecting the lladdr parameter to be an IP address
+ when it is actually a MAC address (HoverHell).
+
+2008.09.14 -- Version 2.1_rc11
+
+* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
+ to fail if UDP packets are dropped.
+
+2008.09.10 -- Version 2.1_rc10
+
+* Added "--server-bridge" (without parameters) to enable
+ DHCP proxy mode: Configure server mode for ethernet
+ bridging using a DHCP-proxy, where clients talk to the
+ OpenVPN server-side DHCP server to receive their IP address
+ allocation and DNS server addresses.
+
+* Added "--route-gateway dhcp", to enable the extraction
+ of the gateway address from a DHCP negotiation with the
+ OpenVPN server-side LAN.
+
+* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
+ on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
+ ignore it.
+
+* Warn when ethernet bridging that the IP address of the bridge adapter
+ is probably not the same address that the LAN adapter was set to
+ previously.
+
+* When running as a server, warn if the LAN network address is
+ the all-popular 192.168.[0|1].x, since this condition commonly
+ leads to subnet conflicts down the road.
+
+* Primarily on the client, check for subnet conflicts between
+ the local LAN and the VPN subnet.
+
+* Added a 'netmask' parameter to get_default_gateway, to return
+ the netmask of the adapter containing the default gateway.
+ Only implemented on Windows so far. Other platforms will
+ return 255.255.255.0. Currently the netmask information is
+ only used to warn about subnet conflicts.
+
+* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
+ and USE_SSL flags are enabled (Alon Bar-Lev).
+
+* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
+ --script-security rules. Also adds retrying if the addresses are in
+ use (Matthias Andree).
+
+* Fixed build issue with ./configure --disable-socks --disable-http.
+
+* Fixed separate compile errors in options.c and ntlm.c that occur
+ on strict C compilers (such as old versions of gcc) that require
+ that C variable declarations occur at the start of a {} block,
+ not in the middle.
+
+* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
+ the new implementation of extract_x509_field_ssl depends on.
+
+* LZO compression buffer overflow errors will now invalidate
+ the packet rather than trigger a fatal assertion.
+
+* Fixed minor compile issue in ntlm.c (mid-block declaration).
+
+* Added --allow-pull-fqdn option which allows client to pull DNS names
+ from server (rather than only IP address) for --ifconfig, --route, and
+ --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
+ for these options to be pulled and translated to IP addresses by default.
+ Now --allow-pull-fqdn will be explicitly required on the client to enable
+ DNS-name-to-IP-address translation of pulled options.
+
+* 2.1_rc8 and earlier did implicit shell expansion on script
+ arguments since all scripts were called by system().
+ The security hardening changes made to 2.1_rc9 no longer
+ use system(), but rather use the safer execve or CreateProcess
+ system calls. The security hardening also introduced a
+ backward incompatibility with 2.1_rc8 and earlier in that
+ script parameters were no longer shell-expanded, so
+ for example:
+
+ client-connect "docc CLIENT-CONNECT"
+
+ would fail to work because execve would try to execute
+ a script called "docc CLIENT-CONNECT" instead of "docc"
+ with "CLIENT-CONNECT" as the first argument.
+
+ This patch fixes the issue, bringing the script argument
+ semantics back to pre 2.1_rc9 behavior in order to preserve
+ backward compatibility while still using execve or CreateProcess
+ to execute the script/executable.
+
+* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
+ to more closely conform to RFC 3696:
+
+ (1) DNS name length must not exceed 255 characters
+
+ (2) DNS name characters must be limited to alphanumeric,
+ dash ('-'), and dot ('.')
+
+* Fixed bug in intra-session TLS key rollover that was introduced with
+ deferred authentication features in 2.1_rc8.
+
+2008.07.31 -- Version 2.1_rc9
+
+* Security Fix -- affects non-Windows OpenVPN clients running
+ OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
+ vulnerable nor are any versions of the OpenVPN server vulnerable).
+ An OpenVPN client connecting to a malicious or compromised
+ server could potentially receive an "lladdr" or "iproute" configuration
+ directive from the server which could cause arbitrary code execution on
+ the client. A successful attack requires that (a) the client has agreed
+ to allow the server to push configuration directives to it by including
+ "pull" or the macro "client" in its configuration file, (b) the client
+ successfully authenticates the server, (c) the server is malicious or has
+ been compromised and is under the control of the attacker, and (d) the
+ client is running a non-Windows OS. Credit: David Wagner.
+ CVE-2008-3459
+
+* Miscellaneous defensive programming changes to multiple
+ areas of the code. In particular, use of the system() call
+ for calling executables such as ifconfig, route, and
+ user-defined scripts has been completely revamped in favor
+ of execve() on unix and CreateProcess() on Windows.
+
+* In Windows build, package a statically linked openssl.exe to work around
+ observed instabilities in the dynamic build since the migration to
+ OpenSSL 0.9.8h.
+
+2008.06.11 -- Version 2.1_rc8
+
+* Added client authentication and packet filtering capability
+ to management interface. In addition, allow OpenVPN plugins
+ to take advantage of deferred authentication and packet
+ filtering capability.
+
+* Added support for client-side connection profiles.
+
+* Fixed unbounded memory growth bug in environmental variable
+ code that could have caused long-running OpenVPN sessions
+ with many TLS renegotiations to incrementally
+ increase memory usage over time.
+
+* Windows release now packages openssl-0.9.8h.
+
+* Build system changes -- allow building on Windows using
+ autoconf/automake scripts (Alon Bar-Lev).
+
+* Changes to Windows build system to make it easier to do
+ partial builds, with a reduced set of prerequisites,
+ where only a subset of OpenVPN installer
+ components are built. See ./domake-win comments.
+
+* Cleanup IP address for persistence interfaces for tap and also
+ using ifconfig, gentoo#209055 (Alon Bar-Lev).
+
+* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
+
+* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
+
+* Added new OpenVPN icon and installer graphic.
+
+* Minor pkitool changes.
+
+* Added --pkcs11-id-management option, which will cause OpenVPN to
+ query the management interface via the new NEED-STR asynchronous
+ notification query to get additional PKCS#11 options (Alon Bar-Lev).
+
+* Added NEED-STR management interface asynchronous query and
+ "needstr" management interface command to respond to the query
+ (Alon Bar-Lev).
+
+* Added Dragonfly BSD support (Francis-Gudin).
+
+* Quote device names before passing to up/down script (Josh Cepek).
+
+* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
+ prevent structure padding from causing an incorrect length
+ to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
+ platforms.
+
+* On systems that support res_init, always call it
+ before calling gethostbyname to ensure that
+ resolver configuration state is current.
+
+* Added NTLMv2 proxy support (Miroslav Zajic).
+
+* Fixed an issue in extract_x509_field_ssl where the extraction
+ would fail on the first field of the subject name, such as
+ the common name in: /CN=foo/emailAddress=foo@bar.com
+
+* Made "Linux ip addr del failed" error nonfatal.
+
+* Amplified --client-cert-not-required warning.
+
+* Added #pragma pack to proto.h.
+
+2008.01.29 -- Version 2.1_rc7
+
+* Added a few extra files that exist in the svn repo but were
+ not being copied into the tarball by make dist.
+
+* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
+
+2008.01.24 -- Version 2.1_rc6
+
+* Fixed options checking bug introduced in rc5 where legitimate configuration
+ files might elicit the error: "Options error: Parameter pkcs11_private_mode
+ can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
+ is also specified."
+
+2008.01.23 -- Version 2.1_rc5
+
+* Fixed Win2K TAP driver bug that was introduced by Vista fixes,
+ incremented driver version to 9.4.
+
+* Windows build system changes:
+
+ Incremented included OpenSSL version to openssl-0.9.7m.
+
+ Updated openssl.patch for openssl-0.9.7m and added some
+ brief usage comments to the head of the patch.
+
+ Added build-pkcs11-helper.sh for building the pkcs11-helper
+ library.
+
+ Integrated inclusion of pkcs11-helper into Windows build
+ system.
+
+ Upgraded TAP build scripts to use WDK 6001.17121
+ (Windows 2008 Server pre-RTM).
+
+* Windows installer changes:
+
+ Clean up the start menu folder.
+
+ Allow for a site-specific sample configuration file and keys
+ to be included in a custom installer (see SAMPCONF macros
+ in settings.in).
+
+ New icon (temporary).
+
+* Added "forget-passwords" command to the management interface
+ (Alon Bar-Lev).
+
+* Added --management-signal option to signal SIGUSR1 when the
+ management interface disconnects (Alon Bar-Lev).
+
+* Modified command line and config file parser to allow
+ quoted strings using single quotes ('') (Alon Bar-Lev).
+
+* Use pkcs11-helper as external library, can be downloaded from
+ https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
+
+* Fixed interim memory growth issue in TCP connect loop where
+ "TCP: connect to %s failed, will try again in %d seconds: %s"
+ is output.
+
+* Fixed bug in epoll driver in event.c, where the lack of a
+ handler for EPOLLHUP could cause 99% CPU usage.
+
+* Defined ALLOW_NON_CBC_CIPHERS for people who don't
+ want to use a CBC cipher for OpenVPN's data channel.
+
+* Added PLUGIN_LIBDIR preprocessor string to prepend a default
+ plugin directory to the dlopen search list when the user
+ specifies the basename of the plugin only (Marius Tomaschewski).
+
+* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
+ to allow forward slash characters ("/") in the X509 common name
+ (Pavel Shramov).
+
+* Allow OpenVPN to run completely unprivileged under Linux
+ by allowing openvpn --mktun to be used with --user and --group
+ to set the UID/GID of the tun device node. Also added --iproute
+ option to allow an alternative command to be executed in place
+ of the default iproute2 command (Alon Bar-Lev).
+
+* Fixed --disable-iproute2 in ./configure to actually disable
+ iproute2 usage (Alon Bar-Lev).
+
+* Added --management-forget-disconnect option -- forget
+ passwords when management session disconnects (Alon Bar-Lev).
+
+2007.04.25 -- Version 2.1_rc4
+
+* Worked out remaining issues with TAP driver signing
+ on Vista x64. OpenVPN will now run on Vista x64
+ with driver signing enforcement enabled.
+
+* Fixed 64-bit portability bug in time_string function
+ (Thomas Habets).
+
+2007.04.22 -- Version 2.1_rc3
+
+* Additional fixes to TAP driver for Windows x64. Driver
+ now runs successfully on Vista x64 if driver signing
+ enforcement is disabled.
+
+* The Windows Installer and TAP driver are now signed by
+ OpenVPN Solutions LLC (in addition to the usual GnuPG
+ signatures).
+
+* Added OpenVPN GUI (Mathias Sundman version) as install
+ option in Windows installer.
+
+* Clean up configure on FreeBSD for recent autotool versions
+ that require that all .h files have to be compiled.
+ Also, FreeBSD install does not support GNU long options
+ which the Makefile in easy-rsa/2.0 uses (not checked the
+ others as we don't install those on Gentoo) (Roy Marples).
+
+* Added additional scripts to easy-rsa/Windows for working
+ with password-protected keys; also add -extensions server
+ option when generating server cert via
+ build-key-server-pass.bat (Daniel Zauft).
+
+2007.02.27 -- Version 2.1_rc2
+
+* auth-pam change: link with -lpam rather
+ than dlopen (Roy Marples).
+
+* Prevent SIGUSR1 or SIGHUP from causing program
+ exit from initial management hold.
+
+* SO_REUSEADDR should not be set on Windows TCP sockets
+ because it will cause bind to succeed on port conflicts.
+
+* Added time_ascii, time_duration, and time_unix
+ environmental variables for plugins and callback
+ scripts.
+
+* Fixed issue where OpenVPN does not apply the --txqueuelen option
+ to persistent interfaces made with --mktun (Roy Marples).
+
+* Attempt at rational signal handling when in the
+ management hold state. During management hold, ignore
+ SIGUSR1/SIGHUP signals thrown with the "signal" command.
+ Also, "signal" command will now apply remapping as
+ specified with the --remap-usr1 option.
+ When a signal entered using the "signal" command from a management
+ hold is ignored, output: >HOLD:Waiting for hold release
+
+* Fixed issue where struct env_set methods that
+ change the value of an existing name=value pair
+ would delay the freeing of the memory held by
+ the previous name=value pair until the underlying
+ client instance object is closed.
+ This could cause a server that handles long-term
+ client connections, resulting in many periodic calls
+ to verify_callback, to needlessly grow the env_set
+ memory allocation until the underlying client instance
+ object is closed.
+
+* Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
+ to reflect the fact that Vista has blacklisted the tap0801.sys
+ file name due to previous compatibility issues which have now
+ been resolved. TAP-Win32 major/minor version number is now 9/1.
+
+* Windows installer will delete a previously installed
+ tap0801.sys TAP driver before installing tap0901.sys.
+
+* Added code to Windows installer to fail gracefully on 64 bit
+ installs until 64-bit TAP driver issues can be resolved.
+
+* Added code to Windows installer to fail gracefully on
+ versions of Windows which are not explicitly supported.
+
+* The Windows version will now use a default route-delay
+ of 5 seconds to deal with an apparent routing table race
+ condition on Vista.
+
+* Worked around an incompatibility in the Windows Vista
+ version of CreateIpForwardEntry as described in
+ http://www.nynaeve.net/?p=59
+ This issue would cause route additions using the
+ IP Helper API to fail on Vista.
+
+* On Windows, revert to "ip-win32 dynamic" as the default.
+
+2006.10.31 -- Version 2.1_rc1
+
+* Support recovery (return to hold) from signal at
+ management password prompt.
+
+* Added workaround for OpenSC PKCS#11 bug#108
+ (Alon Bar-Lev).
+
+2006.10.01 -- Version 2.1-beta16
+
+* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
+ published vulnerabilities.
+
+* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
+ (Henry Nestler).
+
+* Autodetect 32/64 bit Windows in installer and install
+ appropriate TAP driver (Mathias Sundman, Hypherion).
+
+* Fixed bug in loopback self-test introduced
+ in 2.1-beta15 where self test as invoked by
+ "make check" would not properly exit after
+ 2 minutes (Paul Howarth).
+
+2006.09.12 -- Version 2.1-beta15
+
+* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
+ RSA Signature Forgery (CVE-2006-4339).
+
+* Fixed bug introduced with the --port-share directive
+ (back in 2.1-beta9 which causes TLS soft resets
+ (1 per hour by default) in TCP server mode to force
+ a blockage of tunnel packets and later time-out and
+ restart the connection.
+
+* easy-rsa update (Alon Bar-Lev)
+ Makefile (install) is now available so that
+ distribs will be able to install it safely.
+
+* PKCS#11 changes: (Alon Bar-Lev)
+ - Modified ssl.c to not FATAL and return to init.c
+ so auth-retry will work.
+ - Modifed pkcs11-helper.c to fix some problem with
+ multiple providers.
+ - Added retry counter to PKCS#11 PIN hook.
+ - Modified PKCS#11 PIN retry loop to return correct error
+ code when PIN is incorrect.
+ - Fix handling (ignoring) zero sized attributes.
+ - Fix gcc-2 issues.
+ - Fix openssl 0.9.6 (first version) issues.
+
+* Minor fixes of lladdr (Alon Bar-Lev)
+ Updated makefile.w32-vc to include lladdr.*, updated
+ linkage libraries.
+ Modified lladdr.c to be compiled under visual C.
+
+* Added two new management states:
+ OPENVPN_STATE_RESOLVE -- DNS lookup
+ OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
+
+* Echo management state change to log.
+
+* Minor syshead.h change for NetBSD to allow
+ TCP_NODELAY flag to work.
+
+* Modified --port-share code to remove the assumption that
+ CMSG_SPACE always evaluates to a constant, to enable
+ compilation on NetBSD and possibly other BSDs as well.
+
+* Eliminated gcc 3.3.3 warnings on NetBSD
+ when ./configure --enable-strict is used.
+
+* Added optional minimum-number-of-bytes parameter
+ to --inactive directive.
+
+2006.04.13 -- Version 2.1-beta14
+
+* Fixed Windows server bug in time backtrack handling code which
+ could cause TLS negotiation failures on legitimate clients.
+
+* Rewrote gettimeofday function for Windows to be
+ simpler and more efficient.
+
+* Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
+
+* Added --route-metric option to set a default route metric
+ for --route (Roy Marples).
+
+* Added --lladdr option to specify the link layer (MAC) address
+ for the tap interface on non-Windows platforms (Roy Marples).
+
+2006.04.12 -- Version 2.1-beta13
+
+* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
+ to 64 bits caused a bug in the Windows version which has now
+ been fixed. The bug could cause intermittent crashes.
+
+2006.04.05 -- Version 2.1-beta12
+
+* Security Vulnerability -- An OpenVPN client connecting to a
+ malicious or compromised server could potentially receive
+ "setenv" configuration directives from the server which could
+ cause arbitrary code execution on the client via a LD_PRELOAD
+ attack. A successful attack appears to require that (a) the
+ client has agreed to allow the server to push configuration
+ directives to it by including "pull" or the macro "client" in
+ its configuration file, (b) the client configuration file uses
+ a scripting directive such as "up" or "down", (c) the client
+ succesfully authenticates the server, (d) the server is
+ malicious or has been compromised and is under the control of
+ the attacker, and (e) the attacker has at least some level of
+ pre-existing control over files on the client (this might be
+ accomplished by having the server respond to a client web request
+ with a specially crafted file). Credit: Hendrik Weimer.
+ CVE-2006-1629.
+
+ The fix is to disallow "setenv" to be pushed to clients from
+ the server, and to add a new directive "setenv-safe" which is
+ pushable from the server, but which appends "OPENVPN_" to the
+ name of each remotely set environmental variable.
+
+* "topology subnet" fix for FreeBSD (Benoit Bourdin).
+
+* PKCS11 fixes (Alon Bar-Lev). For full description:
+ svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
+
+* When deleting routes under Linux, use the route metric
+ as a differentiator to ensure that the route teardown
+ process only deletes the identical route which was originally
+ added via the "route" directive (Roy Marples).
+
+* Fix the t_cltsrv.sh file in FreeBSD 4 jails
+ (Matthias Andree, Dirk Meyer, Vasil Dimov).
+
+* Extended tun device configure code to support ethernet
+ bridging on NetBSD (Emmanuel Kasper).
+
+2006.02.19 -- Version 2.1-beta11
+
+* Fixed --port-share bug that caused premature closing
+ of proxied sessions.
+
+2006.02.17 -- Version 2.1-beta10
+
+* Fixed --port-share breakage introduced in 2.1-beta9.
+
+2006.02.16 -- Version 2.1-beta9
+
+* Added --port-share option for allowing OpenVPN and HTTPS
+ server to share the same port number.
+* Added --management-client option to connect as a client
+ to management GUI app rather than be connected to as a
+ server.
+* Added "bytecount" command to management interface.
+* --remote-cert-tls fixes (Alon Bar-Lev).
+
+2006.01.03 -- Version 2.1-beta8
+
+* --remap-usr1 will now also remap signals thrown during
+ initialization.
+* Added --connect-timeout option to control the timeout
+ on TCP client connection attempts (doesn't work on all
+ OSes). This patch also makes OpenVPN signalable during
+ TCP connection attempts.
+* Fixed bug in acinclude.m4 where capability of compiler
+ to handle zero-length arrays in structs is tested
+ (David Stipp).
+* Fixed typo in manage.c where inline function declaration
+ was declared without the "static" keyword (David Stipp).
+* Patch to support --topology subnet on Mac OS X (Mathias Sundman).
+* Added --auto-proxy directive to auto-detect HTTP or SOCKS
+ proxy settings (currently Windows only).
+* Removed redundant base64 code.
+* Better sanity checking of --server and --server-bridge
+ IP pool ranges, so as not to hit the assertion at
+ pool.c:119 (2.0.5).
+* Fixed bug where --daemon and --management-query-passwords
+ used together would cause OpenVPN to block prior to
+ daemonization.
+* Fixed client/server race condition which could occur
+ when --auth-retry interact is set and the initially
+ provided auth-user-pass credentials are incorrect,
+ forcing a username/password re-query.
+* Fixed bug where if --daemon and --management-hold are
+ used together, --user or --group options would be ignored.
+* --ip-win32 adaptive is now the default.
+* --ip-win32 netsh (or --ip-win32 adaptive when in netsh
+ mode) can now set DNS/WINS addresses on the TAP-Win32
+ adapter.
+* Added new option --route-method adaptive (Win32)
+ which tries IP helper API first, then falls back to
+ route.exe.
+* Made --route-method adaptive the default.
+
+2005.11.12 -- Version 2.1-beta7
+
+* Allow blank passwords to be passed via the management
+ interface.
+* Fixed bug where "make check" inside a FreeBSD "jail"
+ would never complete (Matthias Andree).
+* Fixed bug where --server directive in --dev tap mode
+ claimed that it would support subnets of /30 or less
+ but actually would only accept /29 or less.
+* Extend byte counters to 64 bits (M. van Cuijk).
+* Fixed bug in Linux get_default_gateway function
+ introduced in 2.0.4, which would cause redirect-gateway
+ on Linux clients to fail.
+* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
+ be compatible with 2.0.x distribution.
+* Documented --route-nopull.
+* Documented --ip-win32 adaptive.
+* Windows build now linked with LZO2.
+* Allow ca, cert, key, and dh files to be specified
+ inline via XML-like syntax without needing to
+ reference an explicit file.
+ For example:
+ <ca>
+ data here...
+ </ca>
+* Allow plugin and push directives to have multi-line
+ parameter lists such as:
+ <plugin>
+ my-plugin.so
+ parm1
+ parm2
+ </plugin>
+* Added connect-retry-max option (Alon Bar-Lev).
+* Fixed problems where signals thrown during initialization
+ were not returning to a management-hold state.
+* Added a backtrack-hardened system time algorithm.
+* Added --remote-cert-ku, --remote-cert-eku, and
+ --remote-cert-tls options for verifying certificate
+ attributes (Alon Bar-Lev).
+* For Windows, reverted --ip-win32 default back to "dynamic".
+ To use new adaptive mode, set explicitly.
+
+2005.11.01 -- Version 2.1-beta6
+
+* Security fix (merged from 2.0.4) -- Affects non-Windows
+ OpenVPN clients of version 2.0 or higher which connect to
+ a malicious or compromised server. A format string
+ vulnerability in the foreign_option function in options.c
+ could potentially allow a malicious or compromised server
+ to execute arbitrary code on the client. Only
+ non-Windows clients are affected. The vulnerability
+ only exists if (a) the client's TLS negotiation with
+ the server succeeds, (b) the server is malicious or
+ has been compromised such that it is configured to
+ push a maliciously crafted options string to the client,
+ and (c) the client indicates its willingness to accept
+ pushed options from the server by having "pull" or
+ "client" in its configuration file (Credit: Vade79).
+ CVE-2005-3393
+* Security fix -- (merged from 2.0.4) Potential DoS
+ vulnerability on the server in TCP mode. If the TCP
+ server accept() call returns an error status, the resulting
+ exception handler may attempt to indirect through a NULL
+ pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
+ CVE-2005-3409
+* Fix attempt of assertion at multi.c:1586 (note that
+ this precise line number will vary across different
+ versions of OpenVPN).
+* Windows reliability changes:
+ (a) Added code to make sure that the local PATH environmental
+ variable points to the Windows system32 directory.
+ (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
+ and then fails over to 'netsh' if the DHCP negotiation fails.
+ (c) Made --ip-win32 adaptive the default.
+* More PKCS#11 additions/changes (Alon Bar-Lev).
+* Added ".PHONY: plugin" to Makefile.am to work around
+ "make dist" issue.
+* Fixed double fork issue that occurs when --management-hold
+ is used.
+* Moved TUN/TAP read/write log messages from --verb 8 to 6.
+* Warn when multiple clients having the same common name or
+ username usurp each other when --duplicate-cn is not used.
+* Modified Windows and Linux versions of get_default_gateway
+ to return the route with the smallest metric
+ if multiple 0.0.0.0/0.0.0.0 entries are present.
+* Added ">NEED-OK" alert and "needok" command to management
+ interface to provide a general interface for sending
+ alerts to the end-user. Used by the PKCS#11 code
+ to send Token Insertion Requests to the user.
+* Added actual remote address used to the ">STATE" alert
+ in the management interface (Rolf Fokkens).
+
+2005.10.17 -- Version 2.1-beta4
+
+* Fixed bug introduced in 2.1-beta3 where management
+ socket bind would fail.
+* --capath fix in ssl.c (Zhuang Yuyao).
+* Added ".PHONY: plugin" to Makefile.am, reverted
+ location of "plugin" directory (thanks to
+ Matthias Andree for figuring this out).
+
+2005.10.16 -- Version 2.1-beta3
+
+* Added PKCS#11 support (Alon Bar-Lev).
+* Enable the use of --ca together with --pkcs12. If --ca is
+ used at the same time as --pkcs12, the CA certificate is loaded
+ from the file specified by --ca regardless if the pkcs12 file
+ contains a CA cert or not (Mathias Sundman).
+* Merged --capath patch (Thomas Noel).
+* Merged --multihome patch.
+* Added --bind option for TCP client connections (Ewan Bhamrah
+ Harley).
+* Moved "plugin" directory to "plugins" to deal with strange
+ automake problem that ended up being also fixable with
+ ".PHONY: plugin" in Makefile.am.
+
+2005.10.13 -- Version 2.1-beta2
+
+* Made --sndbuf and --rcvbuf pushable.
+
+2005.10.01 -- Version 2.1-beta1
+
+* Made LZO setting pushable.
+* Renamed sample-keys/tmp-ca.crt to ca.crt.
+* Fixed bug where remove_iroutes_from_push_route_list
+ was missing routes if those routes had
+ an implied netmask (by omission) of 255.255.255.255.
+* Merged with 2.0.3-rc1
+* easy-rsa/2.0 moved to easy-rsa
+* old easy-rsa moved to easy-rsa/1.0
+
+2005.09.23 -- Version 2.0.2-TO4
+
+* Added feature to TAP-Win32 adapter to allow it to be
+ opened from non-administrator mode. This feature
+ is enabled by default, and can be enabled/disabled
+ in the adapter advanced properties dialog.
+* Added --allow-nonadmin standalone option for Windows to
+ set TAP adapter to allow non-admin access. This
+ is a user-mode version of the code, and duplicates
+ the same feature as the above entry.
+* Added fix that attempts to solve corner case of tunnel not
+ forwarding packets when system clock is reset to an earlier time.
+* Added --redirect-gateway bypass-dns option. (Developers:
+ To add bypass-dhcp or bypass-dns support to other OSes,
+ add a get_bypass_addresses function to route.c for
+ your OS.)
+* Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
+ allows a client-connect plugin to return configuration text
+ in memory, rather than via a file.
+* Fixed a bug where --mode server --proto tcp-server --cipher none
+ operation could cause tunnel packet truncation.
+* openvpn --version will show [LZO1] or [LZO2], depending on
+ version that was linked.
+
+2005.09.07 -- Version 2.0.2-TO1
+
+* Added --topology directive. See man page.
+* Added --redirect-gateway bypass-dhcp option to add a route
+ allowing DHCP packets to bypass the tunnel, when the
+ DHCP server is non-local. Currently only implemented
+ on Windows clients.
+* Modified OpenVPN Service on Windows to declare the DHCP
+ client service as a dependency.
+* Extended the plugin interface to allow plugins to declare
+ per-client constructor and destructor functions, to make
+ it simpler for plugins to maintain per-client state.
+
+2005.09.25 -- Version 2.0.3-rc1
+
+* openvpn_plugin_abort_v1 function wasn't being properly
+ registered on Windows.
+* Fixed a bug where --mode server --proto tcp-server --cipher none
+ operation could cause tunnel packet truncation.
+
+2005.08.25 -- Version 2.0.2
+
+* No change from 2.0.2-rc1.
+
+2005.08.24 -- Version 2.0.2-rc1
+
+* Fixed regression bug in Win32 installer, introduced in 2.0.1,
+ which incorrectly set OpenVPN service to autostart.
+* Don't package source code zip file in Windows installer
+ in order to reduce the size of the installer. The source
+ zip file can always be downloaded separately if needed.
+* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
+ version of get_default_gateway. Allocated socket for route
+ manipulation is never freed so number of mbufs continuously
+ grow and exhaust system resources after a while (Jaroslav Klaus).
+* Fixed bug where "--proto tcp-server --mode p2p --management
+ host port" would cause the management port to not respond until
+ the OpenVPN peer connects.
+* Modified pkitool script to be /bin/sh compatible (Johnny Lam).
+
+2005.08.16 -- Version 2.0.1
+
+* Security Fix -- DoS attack against server when run with "verb 0" and
+ without "tls-auth". If a client connection to the server fails
+ certificate verification, the OpenSSL error queue is not properly
+ flushed, which can result in another unrelated client instance on the
+ server seeing the error and responding to it, resulting in disconnection
+ of the unrelated client (CAN-2005-2531).
+* Security Fix -- DoS attack against server by authenticated client.
+ This bug presents a potential DoS attack vector against the server
+ which can only be initiated by a connected and authenticated client.
+ If the client sends a packet which fails to decrypt on the server,
+ the OpenSSL error queue is not properly flushed, which can result in
+ another unrelated client instance on the server seeing the error and
+ responding to it, resulting in disconnection of the unrelated client
+ (CAN-2005-2532). Credit: Mike Ireton.
+* Security Fix -- DoS attack against server by authenticated client.
+ A malicious client in "dev tap" ethernet bridging mode could
+ theoretically flood the server with packets appearing to come from
+ hundreds of thousands of different MAC addresses, causing the OpenVPN
+ process to deplete system virtual memory as it expands its internal
+ routing table. A --max-routes-per-client directive has been added
+ (default=256) to limit the maximum number of routes in OpenVPN's
+ internal routing table which can be associated with a given client
+ (CAN-2005-2533).
+* Security Fix -- DoS attack against server by authenticated client.
+ If two or more client machines try to connect to the server at the
+ same time via TCP, using the same client certificate, and when
+ --duplicate-cn is not enabled on the server, a race condition can
+ crash the server with "Assertion failed at mtcp.c:411"
+ (CAN-2005-2534).
+* Fixed server bug where under certain circumstances, the client instance
+ object deletion function would try to delete iroutes which had never been
+ added in the first place, triggering "Assertion failed at mroute.c:349".
+* Added --auth-retry option to prevent auth errors from being fatal
+ on the client side, and to permit username/password requeries in case
+ of error. Also controllable via new "auth-retry" management interface
+ command. See man page for more info.
+* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
+* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
+ would fail to build.
+* Implement "make check" to perform loopback tests (Matthias Andree).
+
+2005.07.21 -- Version 2.0.1-rc7
+
+* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
+* Include linux/types.h before checking for linux/errqueue.h (Matthias
+ Andree).
+
+2005.07.15 -- Version 2.0.1-rc6
+
+* Commented out "user nobody" and "group nobody" in sample
+ client/server config files.
+* Allow '@' character to be used in --client-config-dir
+ file names.
+
+2005.07.04 -- Version 2.0.1-rc5
+
+* Windows version will log a for-further-info URL when
+ initialization sequence is completed with errors.
+* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
+ to control whether auth-pam plugin links to PAM via
+ dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
+ behavior should be preserved. DLOPEN_PAM=0 is the preferred
+ setting to link via -lpam, but DLOPEN_PAM=1 works around
+ a bug in SuSE 9.1 (and possibly other distros as well)
+ where the PAM modules are not linked with -lpam. See
+ thread on openvpn-devel for more discussion about this
+ patch (Simon Perreault).
+
+2005.06.15 -- Version 2.0.1-rc4
+
+* Support LZO 2.00, including changes to configure script to
+ autodetect LZO version.
+
+2005.06.12 -- Version 2.0.1-rc3
+
+* Fixed a bug which caused standard file handles to not be closed
+ after daemonization when --plugin and --daemon are used together,
+ and if the plugin initialization function forks (as does auth-pam
+ and down-root) (Simon Perreault).
+* Added client-side up/down scripts in contrib/pull-resolv-conf
+ for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
+ on Linux/Unix systems (Jesse Adelman).
+* Fixed bug where if client-connect scripts/plugins were cascaded,
+ and one (but not all) of them returned an error status, there might
+ be cases where for an individual script/plugin, client-connect was
+ called but not client-disconnect. The goal of this fix is to
+ ensure that if client-connect is called on a given client instance,
+ then client-disconnect will definitely be called. A potential
+ complication of this fix is that when client-connect functions are
+ cascaded, it's possible that the client-disconnect function would
+ be called in cases where the related client-connect function returned
+ an error status. This fix should not alter OpenVPN behavior when
+ scripts/plugins are not cascaded.
+* Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
+ fatal error to a warning: "FRAG: outgoing buffer is not empty".
+ Need more info on how to reproduce this one.
+* When --duplicate-cn is used, the --ifconfig-pool allocation
+ algorithm will now allocate the first available IP address.
+* When --daemon and --management-hold are used together,
+ OpenVPN will daemonize before it enters the management hold state.
+
+2005.05.16 -- Version 2.0.1-rc2
+
+* Modified vendor test in openvpn.spec file to match against
+ "Mandrakesoft" in addition to "MandrakeSoft".
+* Using --iroute in a --client-config-dir file while in --dev tap
+ mode is not currently supported and will produce a warning
+ message. Fixed bug where in certain cases, in addition to
+ generating a warning message, this combination of options
+ would also produce a fatal assertion in mroute.c.
+* Pass --auth-user-pass username to server-side plugin without
+ performing any string remapping (plugins, unlike scripts,
+ don't get any security benefit from string remapping).
+ This is intended to fix an issue with openvpn-auth-pam/pam_winbind
+ where backslash characters in a username ('\') were being remapped
+ to underscore ('_').
+* Updated OpenSSL DLLs in Windows build to 0.9.7g.
+* Documented --explicit-exit-notify in man page.
+* --explicit-exit-notify seconds parameter defaults to 1 if
+ unspecified.
+
+2005.04.30 -- Version 2.0.1-rc1
+
+* Fixed bug where certain kinds of fatal errors after
+ initialization (such as port in use) would leave plugin
+ processes (such as openvpn-auth-pam) still running.
+* Added optional openvpn_plugin_abort_v1 plugin function for
+ closing initialized plugin objects in the event of a fatal
+ error by main OpenVPN process.
+* When the --remote list is > 1, and --resolv-retry is not
+ specified (meaning that it defaults to "infinite"), apply the
+ infinite timeout to the --remote list as a whole, but try each
+ list item only once before moving on to the next item.
+* Added new --syslog directive which redirects output
+ to syslog without requiring the use of the --daemon or --inetd
+ directives.
+* Added openvpn.spec option to allow RPM to be built with support
+ for passwords read from a file:
+ rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
+
+2005.04.17 -- Version 2.0
+
+* Fixed minor options string typo in options.c.
+
+2005.04.10 -- Version 2.0-rc21
+
+* Change license description from "GPL Version 2 or (at your
+ option) any later version" to just "GPL Version 2".
+
+2005.04.04 -- Version 2.0-rc20
+
+* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
+ excellent distro/version coverage for RH/EL/Fedora, though
+ using his own SPEC. I modified openvpn.spec to follow some of
+ the same conventions such as putting sample scripts and doc
+ files in %doc rather than /usr/share/openvpn.
+* Minor change to init scripts to run the user-defined script
+ /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
+ configs are started, and to run /etc/openvpn/openvpn-shutdown
+ after all OpenVPN configs have been stopped. The
+ openvpn-startup script can be used for stuff like
+ insmod tun.o, setting up firewall rules, or starting
+ ethernet bridges.
+
+2005.03.29 -- Version 2.0-rc19
+
+* Omit additions of routes where the network and
+ gateway are equal and the netmask is 255.255.255.255.
+ This can come up if you are using both
+ server/ifconfig-pool and client-config-dir with
+ ifconfig-push static addresses for some subset of clients
+ which directly reference the server IP address as the
+ remote endpoint.
+
+2005.03.28 -- Version 2.0-rc18
+
+* Packaged Windows installer with OpenSSL 0.9.7f.
+* Built Windows installer with NSIS 2.06.
+
+2005.03.12 -- Version 2.0-rc17
+
+* "MANAGEMENT: CMD" log file output will now only occur
+ at --verb 7 or greater.
+* Added an optional name/value configuration list to
+ the openvpn-auth-pam plugin module argument list. See
+ plugin/auth-pam/README for documentation. This is necessary
+ in order for openvpn-auth-pam to work with queries generated
+ by arbitrary PAM modules.
+* In both auth-pam and down-root plugins, in the forked process,
+ a read error on the parent process socket is no longer fatal.
+* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
+ A conditional test of the vendor has been added to
+ Require the appropriately named 'lzo' (liblzo1 / lzo).
+ (Tom Walsh - http://openhardware.net)
+
+
+2005.02.20 -- Version 2.0-rc16
+
+* Fixed bug introduced in rc13 where Windows service wrapper
+ would be installed with a startup type of Automatic.
+ This fix restores the previous behavior of installing
+ with a startup type of Manual.
+
+2005.02.19 -- Version 2.0-rc15
+
+* Added warning when --keepalive is not used in a server
+ configuration.
+* Don't include OpenSSL md4.h file if we are not building
+ NTLM proxy support (Waldemar Brodkorb).
+* Added easy-rsa/build-key-pkcs12 and
+ easy-rsa/Windows/build-key-pkcs12.bat scripts
+ (Mathias Sundman).
+
+2005.02.16 -- Version 2.0-rc14
+
+* Fixed small memory leak that occurs when --crl-verify
+ is used.
+* Upgraded Windows installer and .nsi script to NSIS 2.05
+ (Mathias Sundman).
+* Changed #include backslash usage in cryptoapi.c to use
+ forward slashes instead (Gisle Vanem).
+* Created easy-rsa/revoke-full to handle revocations in
+ a single step: (a) revoke crt, (b) regenerate CRL, and
+ (c) verify that revocation succeeded.
+* Renamed easy-rsa/Windows/revoke-key to revoke-full so
+ that both *nix and Windows scripts are equivalent.
+
+2005.02.11 -- Version 2.0-rc13
+
+* Improve human-readability of local/remote options
+ diff, when inconsistencies are present.
+* For Windows easy-rsa, distribute vars.bat.sample and
+ openssl.cnf.sample, then copy them to their normal
+ filenames (without the .sample) when init-config.bat
+ is run. This is to prevent OpenVPN upgrades from
+ wiping out vars.bat and openssl.cnf edits.
+* Modified service wrapper (Windows) to use a
+ case-insensitive search when scanning for .ovpn files
+ in \Program Files\OpenVPN\config. Prior versions
+ required an all-lower-case .ovpn file extension.
+* Miscellaneous service wrapper code cleanup.
+* If --user/--group is used on Windows, treat it
+ as a no-op with a warning (this makes it easier to
+ distribute the same client config file to Windows
+ and *nix users).
+* Warn if --ifconfig-pool-persist is used with
+ --duplicate-cn.
+
+2005.02.05 -- Version 2.0-rc12
+
+* Removed some debugging code inadvertently included
+ in rc11 which would print the --auth-user-pass
+ username/password provided by clients in the server
+ logfile.
+* Client code for cycling through --remote list will
+ retry the last address which successfully authenticated
+ before moving on through the list.
+* Windows installer will now install sample configuration
+ files in \Program Files\OpenVPN\sample-configs as well
+ as generate a start menu shortcut to this directory.
+* Minor type change in buffer.[ch] to work around char-type
+ ambiguity bug. Caused management interface lock-ups on
+ ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
+
+2005.02.03 -- Version 2.0-rc11
+
+* Windows installer will now install easy-rsa directory
+ in \Program Files\OpenVPN
+* Allow syslog facility to be controlled at compile time,
+ e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
+* Changed certain shell scripts in distribution to use
+ #!/bin/sh rather than #!/bin/bash for better portability.
+* If --ifconfig-pool-persist seconds parameter is 0, treat
+ persist file as an allocation of fixed IP addresses
+ (previous versions took IP-to-common-name associations
+ from this list as hints, not mandatory static allocations).
+* Fixed bug on *nix where if --auth-user-pass and --log
+ were used together, the username prompt would be sent to
+ the log file rather than /dev/tty.
+* Spurious text in openvpn.8 detected by doclifter
+ (Eric S. Raymond).
+* Call closelog later on daemon kill so that process
+ exit message is written to syslog.
+
+2005.01.27 -- Version 2.0-rc10
+
+* When ./configure is run with plugins enabled (the default),
+ check whether or not dlopen exists in libc before testing
+ for libdl. This is to fix an issue on FreeBSD and possibly
+ other OSes which bundle libdl functions in libc.
+* On Windows, filter initial WSAEINVAL warning which occurs
+ on the initial read attempt of an unbound socket.
+* The easy-rsa scripts build-key, build-key-pass, and
+ build-key-server will now chmod the .key file
+ to 0600. This is in addition to the fact the generated
+ keys directory has always been similarly protected
+ (Pete Harlan).
+
+2005.01.23 -- Version 2.0-rc9
+
+* Fixed error "ROUTE: route addition failed using
+ CreateIpForwardEntry ..." on Windows when --redirect-gateway
+ is used over a RRAS internet link.
+* When using --route-method exe on Windows, include the
+ gateway parameter on route delete commands (Mathias Sundman).
+* Try not to do a hard reset (i.e. SIGHUP) when two
+ SIGUSR1 signals are received in close succession.
+* If the push list tries to grow beyond its buffer capacity,
+ the resulting error will be non-fatal.
+* To increase the push list capacity (must be done on both
+ client and server), increase TLS_CHANNEL_BUF_SIZE in
+ common.h (default=1024).
+
+2005.01.15 -- Version 2.0-rc8
+
+* Fixed bug introduced in rc7 where options error
+ "--auth-user-pass requires --pull" might occur even
+ if --pull was correctly specified.
+* Changed management interface code to bind once
+ to TCP socket, rather than rebinding after every
+ client disconnect.
+* Added "disable" directive for client-config-dir
+ files.
+* Windows binary install is now distributed with
+ OpenSSL 0.9.7e.
+* Query the management interface for --http-proxy
+ username/password if authfile is set to "stdin".
+* Added current OpenVPN version number to "Unrecognized
+ option or missing parameter" error message.
+* Added "-extensions server" to "openssl req" command
+ in easy-rsa/build-key-server (Nir Yeffet).
+
+2005.01.10 -- Version 2.0-rc7
+
+* Fixed bug in management interface which could cause
+ 100% CPU utilization in --proto tcp-server mode
+ on all *nix OSes except for Linux 2.6.
+* --ifconfig-push now accepts DNS names as well as
+ IP addresses.
+* Added sanity check errors when --pull or
+ --auth-user-pass is used in an incorrect mode.
+* Updated man page entries for --client-connect and
+ --ifconfig-push.
+* Added "String Types and Remapping" section to man
+ page to consisely document the way which OpenVPN
+ may convert certain types of characters in strings
+ to ('_').
+* Modified bridging description in HOWTO to emphasize
+ the fact that bridging allows Windows file and print
+ sharing without a WINS server (Charles Duffy).
+
+2004.12.20 -- Version 2.0-rc6
+
+* Improved checking for epoll support in ./configure
+ to fix false positive on RH9 (Jan Just Keijser).
+* Made the "MULTI TCP: I/O wait required blocking in
+ multi_tcp_action, action=7" error nonfatal and replaced
+ with "MULTI: Outgoing TUN queue full, dropped packet".
+ So far the issue only seems to occur on Linux 2.2
+ in --mode server --proto tcp mode. It occurs when
+ the TUN/TAP driver locks up and refuses to accept
+ new packet writes for a second or more.
+* Fixed bug where if a --client-config-dir file tried
+ to include another file using "config", and if that
+ include failed, OpenVPN would abort with a fatal
+ error. Now such inclusion failures will be logged
+ but are no longer fatal.
+* Global changes to the way that packet buffer alignment
+ is handled. Previously we didn't care about alignment
+ and took care, when handling 16 and 32 bit words
+ in buffers, to always use alignment-safe transfers.
+ This approach appears to be inadequate on some
+ architectures such as alpha. The new approach is
+ to initialize packet buffers in a way that anticipates
+ how component structures will be allocated within
+ them, to maintain correct alignment.
+* Added --dhcp-option DISABLE-NBT to disable NetBIOS
+ over TCP (Jan Just Keijser).
+* Added --http-proxy-option directive for controlling
+ miscellaneous HTTP proxy options.
+* Management state will no longer transition to "WAIT"
+ during TLS renegotiations.
+
+2004.12.16 -- Version 2.0-rc5
+
+* The --client-config-dir option will now try to open
+ a default file called "DEFAULT" if no file matching
+ the common name of the incoming client was found.
+* The --client-connect script/plugin can now veto client
+ authentication by returning a failure code.
+* The --learn-address script/plugin can now prevent a
+ client-instance/address association from being learned
+ by returning a failure code.
+* Changed RPM group in .spec file to Applications/Internet.
+
+2004.12.14 -- Version 2.0-rc4
+
+* SuSE only -- Fixed interaction between openvpn.spec and
+ suse/openvpn.init where the .spec file was writing the
+ OpenVPN binary to a different location than where the
+ .init script was referencing it (Stefan Engel).
+* Solaris only -- Split Solaris ifconfig command into two
+ parts (Jan Just Keijser).
+* Some cleanup in add_option().
+* Better error checking on input dotted quad IP addresses.
+* Verify that --push argument is quoted, if there is
+ more than one.
+* More miscellaneous option sanity checks.
+
+2004.12.13 -- Version 2.0-rc3
+
+* On Windows, when --log or --log-append is used,
+ save the original stderr for username and password
+ prompts.
+* Fixed a bug introduced in the late 2.0 betas where
+ if a "verb" parameter >= 16 was used, it would be
+ ignored and the actual verb level would remain at 1.
+* Fixed a bug mostly seen on OS X where --management-hold
+ or --management-query-passwords would cause the management
+ interface to be unresponsive to incoming client connections.
+* Trigger an options error if one of the management-modifying
+ options is used without "management" itself.
+
+2004.12.12 -- Version 2.0-rc2
+
+* Amplified warnings in documentation about possible
+ man-in-the-middle attack when clients do not properly
+ verify server certificate. Changes to easy-rsa README,
+ FAQ, HOWTO, man page, and sample client config file.
+* Added a warning message if --tls-client or --client
+ is used without also specifying one of either
+ --ns-cert-type, --tls-remote, or --tls-verify.
+* status_open() fixes for MSVC builds (Blaine Fleming).
+* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
+ compiler error which has been reported on some platforms.
+* The openvpn.spec file for rpmbuild has several
+ new build-time options. See comments in the file.
+* Plugins are now built and packaged in the RPM and
+ will be saved in /usr/share/openvpn/plugin/lib.
+* Added --management-hold directive to start OpenVPN
+ in a hibernating state until released by the
+ management interface. Also added "hold" command
+ to the management interface.
+
+2004.12.07 -- Version 2.0-rc1
+
+* openvpn.spec workaround for SuSE confusion regarding
+ /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
+
+2004.12.05 -- Version 2.0-beta20
+
+* The ability to read --askpass and --auth-user-pass
+ passwords from a file has been disabled by default.
+ To re-enable, use ./configure --enable-password-save.
+* Added additional pre-connected states to management
+ interface. See management/management-notes.txt
+ for more info.
+* State history is now recorded by the management
+ interface, and the "state" command now works like
+ the log or echo commands.
+* State history and real-time state change notifications
+ are now prepended with an integer unix timestamp.
+* Added --http-proxy-timeout option, previously
+ the timeout was hardcoded to 5 seconds.
+
+2004.12.02 -- Version 2.0-beta19
+
+* Fixed bug in management interface line termination
+ where output lines incorrectly contained a \00 char
+ after the customary \0d \0a.
+* Fixed bug introduced in beta18 where Windows version
+ would segfault on options errors.
+* Fixed bug in management interface where an empty
+ quoted string ("") entered as a parameter would cause
+ a segfault.
+* Fixed bug where --resolv-retry was not working
+ properly with multiple --remote hosts.
+* Added additional ./configure options to reduce
+ executable size for embedded applications.
+ See ./configure --help.
+
+2004.11.28 -- Version 2.0-beta18
+
+* Added management interface. See new --management-*
+ options or the full management interface documentation
+ in management/management-notes.txt in the tarball.
+ Management interface inclusion can be disabled by
+ ./configure --disable-management.
+* Added two new plugin modules: auth-pam and down-root.
+ Auth-pam supports pam-based authentication using a
+ split privilege execution model, while down-root enables
+ a down script to be executed with root privileges, even
+ when --user/--group is used to drop root privileges.
+ See the plugin directory in the tarball for READMEs,
+ source code, and Makefiles.
+* Plugin developers should note that some changes were
+ made to the plugin interface since beta17. See
+ openvpn-plugin.h for details.
+ Plugin interface inclusion can be disabled with
+ ./configure --disable-plugins
+* Added easy-rsa/build-key-server script which will
+ build a certificate with with nsCertType=server.
+* Added --ns-cert-type option for verification
+ of nsCertType field in peer certificate.
+* If --fragment n is specified and --mssfix is specified
+ without a parameter, default --mssfix to n. This restores
+ the 1.6 behavior when using --mssfix without a parameter.
+* Fixed SSL context initialization bug introduced in beta14
+ where this error might occur on restarts: "Cannot load
+ certificate chain ... PEM_read_bio:no start line".
+
+2004.11.11 -- Version 2.0-beta17
+
+* Changed default port number to 1194 per IANA official
+ port number assignment.
+* Added --plugin directive which allows compiled
+ modules to intercept script callbacks. See
+ plugin folder in tarball for more info.
+* Fixed bug introduced in beta12 where --key-method 1
+ authentications which should have succeeded would fail.
+* Ignore SIGUSR1 during DNS resolution.
+* Added SuSE support to openvpn.spec (Umberto Nicoletti).
+* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
+ Runestig).
+
+2004.11.07 -- Version 2.0-beta16
+
+* Modified sample-scripts/auth-pam.pl to get username
+ and password from OpenVPN via a file rather than
+ via environmental variables.
+* Added bytes_sent and bytes_received environmental
+ variables to be set prior to client-disconnect script.
+* Changed client virtual IP derivation precedence:
+ (1) use --ifconfig-push directive from --client-connect
+ script, (2) use --ifconfig-push directive from
+ --client-config-dir, and (3) use --ifconfig-pool
+ address.
+* If a --client-config-dir file specifies --ifconfig-push,
+ it will be visible to the --client-connect-script in
+ the ifconfig_pool_remote_ip environmental variable.
+* For tun-style tunnels, the ifconfig_pool_local_ip
+ environmental variable will be set, while for
+ tap-style tunnels, the ifconfig_pool_netmask variable
+ will be set.
+* Added intelligence to autoconf script to test
+ compiler for the accepted form of zero-length arrays.
+* Fixed a bug introduced in beta12 where --ip-win32
+ netsh would fail if --dev-node was not explicitly
+ specified.
+* --ip-win32 netsh will now work on hidden adapters.
+* Fix attempt of "Assertion failed at crypto.c:149".
+ This assertion has also been reported on 1.x with a
+ slightly different line number. The fix is twofold:
+ (1) In previous releases, --mtu-test may trigger this
+ assertion -- this bug has been fixed. (2) If something
+ else causes the assertion to be thrown, don't panic,
+ just output a nonfatal warning to the log and drop
+ the packet which generated the error.
+* Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
+* Added --echo directive.
+* Added --auth-nocache directive.
+
+2004.10.28 -- Version 2.0-beta15
+
+* Changed environmental variable character classes
+ so that names must consist of alphanumeric or
+ underbar chars and values must consist of printable
+ characters. Illegal chars will be deleted.
+ Versions prior to 2.0-beta12 were more restrictive
+ and would map spaces to '.'.
+* On Windows, when the TAP adapter fails to
+ initialize with the correct IP address, output
+ "Initialization Sequence Completed with Errors"
+ to the console or log file.
+* Added a warning when user/group/chroot is used
+ without persist-tun and persist-key.
+* Added cryptoapi.[ch] to tarball and source zip.
+* --tls-remote option now works with common name
+ prefixes as well as with the full X509 subject
+ string. This is a useful alternative to using
+ a CRL on the client.
+* common names associated with a static
+ --ifconfig-push setting will no longer leave
+ any state in the --ifconfig-pool-persist file.
+* Hard TLS errors (TLS handshake failed) will now
+ trigger either a SIGUSR1 signal by default
+ or SIGTERM (if --tls-exit is specified). In TCP
+ mode, all TLS errors are considered to be hard.
+ In server mode, the signal will be local to the
+ client instance.
+* Added method parameter to --auth-user-pass-verify
+ directive to select whether username/password
+ is passed to script via environment or a temporary
+ file.
+* Added --status-version option to control format
+ of --status file. The --mode server
+ --status-version 2 format now includes a line
+ type token, the virtual IP address is shown
+ in the client list (even in --dev tap mode),
+ and the integer time_t value is shown anywhere
+ an ascii-formatted time/date is also shown.
+* Added --remap-usr1 directive which can be used
+ to control whether internally or externally
+ generated SIGUSR1 signals are remapped to
+ SIGHUP (restart without persisting state) or
+ SIGTERM (exit).
+* When running as a Windows service (using
+ --service option), check the exit event before
+ and after reading one line of input from
+ stdin, when reading username/password info.
+* For developers: Extended the --gremlin function
+ to better stress-test the new 2.0 features,
+ added Valgrind support on Linux and Dmalloc
+ support on Windows.
+
+2004.10.19 -- Version 2.0-beta14
+
+* Fixed a bug introduced in Beta12 that would occur
+ if you use a --client-connect script without also
+ defining --tmp-dir.
+* Fixed a bug introduced in Beta12 where a learn-address
+ script might segfault on the delete method.
+* Added Crypto API support in Windows version via
+ the --cryptoapicert option (Peter 'Luna' Runestig).
+
+2004.10.18 -- Version 2.0-beta13
+
+* Fixed an issue introduced in Beta12 where the private
+ key password would not be prompted for unless --askpass
+ was explicitly specified in the config.
+
+2004.10.17 -- Version 2.0-beta12
+
+* Added support for username/password-based authentication.
+ Clients can now authentication themselves with the server
+ using either a certificate, a username/password, or both.
+ New directives: --auth-user-pass, --auth-user-pass-verify,
+ --client-cert-not-required, and --username-as-common-name.
+* Added NTLM proxy patch (William Preston).
+* Added --ifconfig-pool-linear server flag to allocate
+ individual tun addresses for clients rather than /30
+ subnets (won't work with Windows clients).
+* Modified --http-proxy code to cache username/password
+ across restarts.
+* Modified --http-proxy code to read username/password
+ from the console when the auth file is given as "stdin".
+* Modified --askpass to take an optional filename argument.
+* --persist-tun and --persist-key now work in client mode
+ and can be pushed to clients as well.
+* Added --ifconfig-pool-persist directive, to maintain
+ ifconfig-pool info in a file which is persistent across
+ daemon instantiations.
+* --user and --group privilege downgrades as well as
+ --chroot now also work in client mode (the
+ dowgrade/chroot will be delayed until the initialization
+ sequence is completed).
+* Added --show-engines standalone directive to show
+ available OpenSSL crypto accelerator engine support.
+* --engine directive now accepts an optional engine-ID
+ parameter to control which engine is used.
+* "Connection reset, restarting" log message now shows
+ which client is being reset.
+* Added --dhcp-pre-release directive in Windows version.
+* Second parm to --ip-win32 can be "default", e.g.
+ --ip-win32 dynamic default 60.
+* Fixed documentation bug regarding environmental
+ variable settings for --ifconfig-pool IP addresses.
+ The correct environmental variable names are:
+ ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
+* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
+ environmental variables are now passed to the
+ client-disconnect script.
+* In server mode, environmental variables are now scoped
+ according to the client they are associated with,
+ to solve the problem of "crosstalk" between different
+ client's environmental variable sets.
+* Added --down-pre flag to cause --down script to be
+ called before TUN/TAP close (rather than after).
+* Added --tls-exit flag which will cause OpenVPN
+ to exit on any TLS errors.
+* Don't push a route to a client if it exactly
+ matches an iroute (this lets you push routes to
+ all clients, and OpenVPN will automatically remove
+ the route from the route push list only for that client
+ which the route actually belongs to).
+* Made '--resolv-retry infinite' the default.
+ --resolv-retry can be disabled by using a parameter of 0.
+* For clients which plan to pull config info from server,
+ set an initial default ping-restart of 60 seconds.
+* Optimized mute code to lessen the load on the processor
+ when messages are being muted at a higher frequency.
+* Made route log messages non-mutable.
+* Silence the Linux "No buffer space available" message.
+* Added miscellaneous additional option sanity checks.
+* Added Windows version of easy-rsa scripts in
+ easy-rsa/Windows directory (Andrew J. Richardson).
+* Added NetBSD route patch (Ed Ravin).
+* Added OpenBSD patch for TAP + --redirect-gateway
+ (Waldemar Brodkorb).
+* Directives which prompt for a username and/or password
+ will now work with --daemon (OpenVPN will prompt
+ before forking).
+* Warn if CRL is from a different issuer than the
+ issuer of the peer certificate (Bernhard Weisshuhn).
+* Changed init script chkconfig parameters to start
+ OpenVPN daemon(s) before NFS.
+* Bug fix attempt of "too many I/O wait events" which occurs
+ on OSes which prefer select() over poll() such as Mac OS X.
+* Added --ccd-exclusive flag. This flag will require, as a
+ condition of authentication, that a connecting client has
+ a --client-config-dir file.
+* TAP-Win32 open code will attempt to open a free adapter
+ if --dev-node is not specified (Mathias Sundman).
+* Resequenced --nice and --chroot ordering so that --nice
+ occurs first.
+* Added --suppress-timestamps flag (Charles Duffy).
+* Source code changes to allow compilation by MSVC
+ (Peter 'Luna' Runestig).
+* Added experimental --fast-io flag which optimizes
+ TUN/TAP/UDP writes on non-Windows systems.
+
+2004.08.18 -- Version 2.0-beta11
+
+* Added --server, --server-bridge, --client, and
+ --keepalive helper directives. See client.conf
+ and server.conf in sample-config-files for sample
+ configurations which use the new directives.
+* On Windows, added --route-method to control
+ whether IP Helper API or route.exe is used
+ to add/delete routes.
+* On Windows, added a second parameter to
+ --route-delay to control the maximum time period
+ to wait for the TAP-Win32 adapter to come up
+ before adding routes.
+* Fixed bug in Windows version where configurations
+ which omit --ifconfig might fail to recognize when
+ the TAP adapter is up.
+* Proxy connection failures will now retry according
+ to the --connect-retry parameter.
+* Fixed --dev null handling on Windows so that TLS
+ loopback test described in INSTALL file works
+ correctly on Windows.
+* Added "Initialization Sequence Completed" message
+ after all initialization steps have been completed
+ and the VPN can be considered "up".
+* Better sanity-checking on --ifconfig-pool parameters.
+* Added --tcp-queue-limit option to control
+ TUN/TAP -> TCP socket overflow.
+* --ifconfig-nowarn flag will now silence general
+ warnings about possible --ifconfig address
+ conflicts, including the warning about --ifconfig
+ and --remote addresses being in same /24 subnet.
+* Fixed case where server mode did not correctly
+ identify certain types of ethernet multicast packets
+ (Marcel de Kogel).
+* Added --explicit-exit-notify option (experimental).
+
+2004.08.02 -- Version 2.0-beta10
+
+* Fixed possible reference after free of option strings
+ after a restart, bug was introduced in beta8.
+* Fixed segfault at route.c:919 in the beta9
+ Windows version that was being caused by indirection
+ through a NULL pointer.
+* Mistakenly built debug version of TAP-Win32 driver
+ for beta9. Beta10 has correct release build.
+
+2004.07.30 -- Version 2.0-beta9
+
+* Fixed --route issue on Windows that was introduced with
+ the new beta8 route implementation based on the
+ IP Helper API.
+
+2004.07.27 -- Version 2.0-beta8
+
+* Added TCP support in server mode.
+* Added PKCS #12 support (Mathias Sundman).
+* Added patch to make revoke-crt and make-crl work
+ seamlessly within the easy-rsa environment (Jan Kiszka).
+* Modified --mode server ethernet bridge code to forward
+ special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
+* Added --dhcp-renew and --dhcp-release flags to Windows
+ version. Normally DHCP renewal and release on the TAP
+ adapter occurs automatically under Windows, however
+ if you set the TAP-Win32 adapter Media Status property
+ to "Always Connected", you may need these flags.
+* Added --show-net standalone flag to Windows version to
+ show OpenVPN's view of the system adapter and routing
+ tables.
+* Added --show-net-up flag to Windows version to output
+ the system routing table and network adapter list to
+ the log file after the TAP-Win32 adapter has been brought
+ up and any routes have been added.
+* Modified Windows version to add routes using the IP Helper
+ API rather than by calling route.exe.
+* Fixed bug where --route-up script was not being called
+ if no --route options were specified.
+* Added --mute-replay-warnings to suppress packet replay
+ warnings. This is a common false alarm on WiFi nets.
+* Added "def1" flag to --redirect-gateway option to override
+ the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
+ rather than 0.0.0.0/0. This has the benefit of overriding
+ but not wiping out the original default gateway.
+ (Thanks to Jim Carter for pointing out this idea).
+* You can now run OpenVPN with a single config file argument.
+ For example, you can now say "openvpn config.conf"
+ rather than "openvpn --config config.conf".
+* On Windows, made --route and --route-delay more adaptive
+ with respect to waiting for interfaces referenced by the
+ route destination to come up. Routes added by --route
+ should now be added as soon as the interface comes up,
+ rather than after an obligatory 10 second delay. The
+ way this works internally is that --route-delay now
+ defaults to 0 on Windows. Previous versions would
+ wait for --route-delay seconds then add the routes.
+ This version will wait --route-delay seconds and then
+ test the routing table at one second intervals for the
+ next 30 seconds and will not add the routes until they
+ can be added without errors.
+* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
+ default on TCP/UDP socket in light of reports that this
+ action can have undesirable global side effects on the
+ MTU settings of other adapters. These parameters can
+ still be set, but you need to explicitly specify
+ --sndbuf and/or --rcvbuf.
+* Added --max-clients option to limit the maximum number
+ of simultaneously connected clients in server mode.
+* Added error message to illuminate shell escape gotcha when
+ single backslashes are used in Windows path names.
+* Added optional netmask parm to --ifconfig-pool.
+* Fixed bug where http-proxy connect retry attempts were
+ incorrectly going to the remote OpenVPN server,
+ not to the HTTP proxy server.
+
+2004.06.29 -- Version 2.0-beta7
+
+* Fixed bug in link_socket_verify_incoming_addr() which
+ under certain circumstances could have caused --float
+ behavior even if --float was not specified.
+* --tls-auth option now works with --mode server.
+ All clients and the server should use the same
+ --tls-auth key when operating in client/server mode.
+* Added --engine option to make use of OpenSSL-supported
+ crypto acceleration hardware.
+* Fixed some high verbosity print format size issues
+ in event.c for 64 bit platforms (Janne Johansson).
+* Made failure to open --log or --log-append file
+ a non-fatal error.
+
+2004.06.23 -- Version 2.0-beta6
+
+* Fixed Windows installer to intelligently put
+ up a reboot dialog only if tapinstall tells
+ us that it's really necessary.
+* Fixed "Assertion failed at fragment.c:309"
+ bug when --mode server and --fragment are used
+ together.
+* Ignore HUP, USR1, and USR2 signals during
+ initialization. Prior versions would abort.
+* Fixed bug on OS X: "Assertion failed at event.c:406".
+* Added --service option to Windows version, for use
+ when OpenVPN is being programmatically instantiated
+ by another process (see man page for info).
+* --log and --log-append options now work on Windows.
+* Update OpenBSD INSTALL notes (Janne Johansson).
+* Enable multicast on tun interface when running on
+ OpenBSD (Pavlin Radoslavov).
+* Fixed recent --test-crypto breakage, where options
+ such as --cipher were not being parsed correctly.
+* Modified options compatibility string by removing
+ ifconfig substring if it is empty. Incremented
+ options compatibility string version number to 4.
+* Fixed typo in --tls-timeout option parsing
+ (Mikael Lonnroth).
+
+2004.06.13 -- Version 2.0-beta5
+
+* Fixed rare --mode server crash that could occur
+ if data was being routed to a client at
+ high bandwidth at the precise moment that the
+ client instance object on the server was being
+ deleted.
+* Fixed issue on machines which have epoll.h and
+ the epoll_create glibc call defined, but which
+ don't actually implement epoll in the kernel.
+ OpenVPN will now gracefully fall back to the
+ poll API in this case.
+* Fixed Windows bug which would cause the following
+ error in a --mode server --dev tap configuration:
+ "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
+ exceeded".
+* Added CRL (certificate revocation list) management
+ scripts to easy-rsa directory (Jon Bendtsen).
+* Do a better job of getting the ifconfig component
+ of the options consistency check to work correctly
+ when --up-delay is used.
+* De-inlined some functions which were too complex
+ to be inlined anyway with gcc.
+* If a --dhcp-option option is pushed to a non-windows
+ client, the option will be saved in the client's
+ environment before the --up script is called, under
+ the name "foreign_option_{n}".
+* Added --learn-address script (see man page) which
+ allows for firewall access through the VPN to be
+ controlled based on the client common name.
+* In mode --server mode, when a client connects to
+ the server, the server will disconnect any
+ still-active clients which use the same common
+ name. Use --duplicate-cn flag to revert to
+ previous behavior of allowing multiple clients
+ to concurrently connect with the same common name.
+
+2004.06.08 -- Version 2.0-beta4
+
+* Fixed issue with beta3 where Win32 service wrapper
+ was keying off of old TAP HWID as a dependency. To
+ ensure that the new service wrapper is correctly
+ installed, the Windows install script will uninstall
+ the old wrapper before installing the new one,
+ causing a reset of service properties.
+* Fixed permissions issue on --status output file,
+ with default access permissions of owner read/write
+ only (default permissions can be changed of course with
+ chmod).
+
+2004.06.05 -- Version 2.0-beta3
+
+* More changes to TAP-Win32 driver's INF file which
+ affects the placement of the driver in the Windows
+ device namespace. This is done to work around an
+ apparent bug in Windows when short HWIDs are used,
+ and will also ease the upgrade from 1.x to 2.0 by
+ reducing the chances that a reboot will be needed
+ on upgrade. Like beta2, this upgrade will
+ delete existing TAP-Win32 interfaces, and reinstall
+ a single new interface with default properties.
+* Major rewrite of I/O event wait layer in the style
+ of libevent. This is a precursor to TCP support
+ in --mode server.
+* New feature: --status. Outputs a SIGUSR2-like
+ status summary to a given file, updated once
+ per n seconds. The status file is comma delimited
+ for easy machine parsing.
+* --ifconfig-pool now remembers common names and
+ will try to assign a consistent IP to a given
+ common name. Still to do: persist --ifconfig-pool
+ memory across restarts by saving state in file.
+* Fixed bug in event timer queue which could cause
+ recurring timer events such as --ping to not
+ correctly schedule again after firing. This in
+ turn would cause spurrious ping restarts and possible
+ connection outages. Thanks to Denis Vlasenko for
+ tracking this down.
+* Possible fix to reported bug where --daemon argument
+ was not printing to syslog correctly after restart.
+* Fixed bug where pulling --route or --dhcp-option
+ directives from a server would problematically
+ interact with --persist-tun on the client.
+* Updated contrib/multilevel-init.patch (Farkas Levente).
+* Added RPM build option to .spec and .spec.in files
+ to optionally disable LZO inclusion (Ian Pilcher).
+* The latest MingW runtime and headers define
+ 'ssize_t', so a patch is needed (Gisle Vanem).
+
+2004.05.14 -- Version 2.0-beta2
+
+* Fixed signal handling bug in --mode server, where
+ SIGHUP and SIGUSR1 were treated as SIGTERM.
+* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
+ Apparently the larger string may work around
+ a problem where the TAP adapter is sometimes missing
+ from the network connections panel, especially under
+ XP SP2. Also note that installing this upgrade will
+ uninstall any pre-existing TAP-Win32 adapters, and then
+ install a single new adapter, meaning that old adapter
+ properties will be lost. Thanks to Md5Chap for solving
+ this one.
+* For --mode server --dev tap, the options --ifconfig and
+ --ifconfig-pool are now optional. This allows address
+ assignment via DHCP or use of a TAP VPN without
+ IP support, as has always been possible with 1.x.
+* Fixed bug where --ifconfig may not work correctly on
+ Linux 2.2.
+* Added 'local' flag to --redirect-gateway for use on
+ networks where both OpenVPN daemons are connected
+ to a shared subnet, such as wireless.
+
+2004.05.09 -- Version 2.0-beta1
+
+* Unchanged from test29 except for version number
+ upgrade.
+
+2004.05.08 -- Version 2.0-test29
+
+* Modified --dev-node on Windows to accept a TAP-Win32
+ GUID name. In addition, --show-adapters will now
+ display the high-level name and GUID of each adapter.
+ This is an attempt to work around an issue in Windows
+ where sometimes the TAP-Win32 adapter installs correctly
+ but has no icon in the network connections control
+ panel. In such cases, being able to specify
+ --dev-node {TAP-GUID} can work around the missing icon.
+
+2004.05.07 -- Version 2.0-test28
+
+* Fixed bug which could cause segfault on program
+ shutdown if --route and --persist-tun are used
+ together.
+
+2004.05.06 -- Version 2.0-test27
+
+* Fixed bug in close_instance() which might cause
+ memory to be accessed after it had already been freed.
+* Fixed bug in verify_callback() that might have
+ caused uninitialized data to be referenced.
+* --iroute now allows full CIDR subnet routing.
+* In "--mode server --dev tun" usage, source addresses
+ on VPN packets coming from a particular client must
+ be associated with that client in the OpenVPN internal
+ routing table.
+
+2004.04.28 -- Version 2.0-test26
+
+* Optimized broadcast path in multi-client mode.
+* Added socket buffer size options --rcvbuf & --sndbuf.
+* Configure Linux tun/tap driver to use a more sensible
+ txqueuelen default. Also allow explicit setting
+ via --txqueuelen option (Harald Roelle).
+* The --remote option now allows the port number
+ to be specified as the second parameter. If
+ unspecified, the port number defaults to the
+ --rport value.
+* Multiple --remote options on the client can now be
+ specified for load balancing and failover. The
+ --remote-random flag can be used to initially randomize
+ the --remote list for basic load balancing.
+* If a remote DNS name resolves to multiple DNS addresses,
+ one will be chosen by random as a kind of basic
+ load-balancing feature if --remote-random is used.
+* Added --connect-freq option to control maximum
+ new connection frequency in multi-client mode.
+* In multi-client mode, all syslog messages associated
+ with a specific client now include a client-ID prefix.
+* For Windows, use a gettimeofday() function based
+ on QueryPerformanceCounter (Derek Burdick).
+* Fixed bug in interaction between --key-method 2
+ and DES ciphers, where dynamic keys would be generated
+ with bad parity and then be rejected.
+
+2004.04.17 -- Version 2.0-test24
+
+* Reworked multi-client broadcast handling.
+
+2004.04.13 -- Version 2.0-test23
+
+* Fixed bug in --dev tun --client-to-client routing.
+* Fixed a potential deadlock in --pull.
+* Fixed a problem with select() usage which could
+ cause a repeating sequence of "select : Invalid
+ argument (code=22)"
+
+2004.04.11 -- Version 2.0-test22
+
+* Fixed bug where --mode server + --daemon was
+ prematurely closing syslog connection.
+* Added support for --redirect-gateway on Mac OS X
+ (Jeremy Apple).
+* Minor changes to TAP-Win32 driver based on feedback
+ from the NDISTest tool.
+
+2004.04.11 -- Version 2.0-test21
+
+* Optimizations in multi-client server event loop.
+
+2004.04.10 -- Version 2.0-test20
+
+* --mode server capability now works with either tun
+ or tap interfaces. When used with tap interfaces,
+ OpenVPN will internally bridge all client tap
+ interfaces with the server tap interface.
+* Connecting clients can now have a client-specific
+ configuration on the server, based on the client
+ common name embedded in the client certificate.
+ See --client-config-dir and --client-connect.
+ These options can be used to configure client-specific
+ routes.
+* Added an option --client-to-client that enables
+ internal client-to-client routing or bridging.
+ Otherwise, clients will only "see" the server,
+ not other connected clients.
+* Fixed bug in route scheduling which would have caused
+ --mode server to not work on Windows in test18
+ and test19 with the sample config file.
+* Man page is up to date with all new options.
+* OpenVPN 2.0 release notes on web site updated
+ with tap-style tunnel examples.
+
+2004.04.02 -- Version 2.0-test19
+
+* Fixed bug where routes pushed from server were
+ not working correctly on Windows clients.
+* Added Mac OS X route patch (Jeremy Apple).
+
+2004.03.30 -- Version 2.0-test18
+
+* Minor fixes + Windows self-install modified
+ to use OpenSSL 0.9.7d.
+
+2004.03.29 -- Version 2.0-test17
+
+* Fixed some bugs related to instance timeout and deletion.
+* Extended --push/--pull option to support additional
+ option classes.
+
+2004.03.28 -- Version 2.0-test16
+
+* Successful test of --mode udp-server, --push,
+ --pull, and --ifconfig-pool with server on
+ Linux 2.4 and clients on Linux and Windows.
+
+2004.03.25 -- Version 2.0-test15
+
+* Implemented hash-table lookup of client instances
+ based either on remote UDP address/port or remote
+ ifconfig endpoint.
+* Implemented a randomized binary tree based
+ scheduler for scalably scheduling a large number
+ of client instance events. Uses the treap
+ data structure and node rotation algorithm
+ to keep the tree balanced.
+* Initial implementation of ifconfig-pool.
+* Made --key-method 2 the default.
+
+2004.03.20 -- Version 2.0-test14
+
+* Implemented --push and --pull.
+
+2004.03.20 -- Version 2.0-test13
+
+* Reduced struct tls_multi and --single-session
+ memory footprint.
+* Modified --single-session flag to be used
+ in multi-client UDP server client instances.
+
+2004.03.19 -- Version 2.0-test12
+
+* Added the key multi-client UDP server options,
+ --mode, --push, --pull, and --ifconfig-pool.
+* Revamped GC (garbage collection) code to not rely
+ on any global data.
+* Modifications to thread.[ch] to allow a more
+ flexible thread model.
+
+2004.03.16 -- Version 2.0-test11
+
+* Moved all timer code to interval.h, added new file
+ interval.c.
+* Fixed missing include.
+
+2004.03.16 -- Version 2.0-test10
+
+* More TAP-Win32 fixes.
+* Initial debugging and testing of multi.[ch].
+
+2004.03.14 -- Version 2.0-test9
+
+* Branch merge with 1.6-rc3
+* More point-to-multipoint work in multi.[ch].
+* Major TAP-Win32 driver restructuring to use
+ NdisMRegisterDevice instead of
+ IoCreateDevice/IoCreateSymbolicLink.
+* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
+ pathname prefix.
+* In the majority of cases, TAP-Win32 should now be
+ able to install and uninstall on Win2K without requiring
+ a reboot.
+* TAP-Win32 MAC address can now be explicitly set in the
+ adapter advanced properties page.
+
+2004.03.04 -- Version 2.0-test8
+
+* Branch merge with 1.6-rc2.
+
+2004.03.03 -- Version 2.0-test7
+
+* Branch merge with 1.6-rc1.2.
+
+2004.03.02 -- Version 2.0-test6
+
+* Branch merge with 1.6-rc1.
+
+2004.03.02 -- Version 2.0-test5
+
+* Move Socks5 UDP header append/remove to socks.c, and is
+ called from forward.c.
+* Moved verify statics from ssl.c into struct tls_session.
+* Wrote multi.[ch] to handle top level of point-to-multipoint
+ mode.
+* Wrote some code to allow a struct link_socket in a child context
+ to be slaved to the parent context.
+* Broke up packet read and process functions in forward.c
+ (from socket or tuntap) into separate functions for read
+ and process, so that point-to-point and point-to-multipoint can
+ share the same code.
+* Expand TLS control channel to allow the passing of configuration
+ commands.
+* Wrote mroute.[ch] to handle internal packet routing for
+ point-to-multipoint mode.
+
+2004.02.22 -- Version 2.0-test3
+
+* Initial work on UDP multi-client server.
+* Branch merge of 1.6-beta7
+
+2004.02.14 -- Version 2.0-test2
+
+* Refactorization of openvpn.c into openvpn.[ch]
+ init.[ch] forward.[ch] forward-inline.h
+ occ.[ch] occ-inline.h ping.[ch] ping-inline.h
+ sig.[ch]. Created a master per-tunnel
+ struct context in openvpn.h.
+* Branch merge of 1.6-beta6.2
+
+2003.11.06 -- Version 2.0-test1
+
+* Initial testbed for 2.0.
+
+2004.05.09 -- Version 1.6.0
+
+* Unchanged from 1.6-rc4 except for version number
+ upgrade.
+
+2004.04.01 -- Version 1.6-rc4
+
+* Made minor customizations to devcon and
+ renamed as tapinstall.exe for Windows version.
+* Fixed "storage size of `iv' isn't known" build
+ problem on FreeBSD.
+* OpenSSL 0.9.7d bundled with Windows self-install.
+
+2004.03.13 -- Version 1.6-rc3
+
+* Minor Windows fixes for --ip-win32 dynamic, relating to
+ the way the TAP-Win32 driver responds to a DHCP request
+ from the Windows DHCP client.
+* The net_gateway environmental variable wasn't being
+ set correctly for called scripts (Paul Zuber).
+* Added code to determine the default gateway on FreeBSD,
+ allowing the --redirect-gateway option to work
+ (Juan Rodriguez Hervella).
+
+2004.03.04 -- Version 1.6-rc2
+
+* Fixed bug in Windows version where the NetBIOS node-type
+ DHCP option might have been passed even if it was not
+ specified.
+* Fixed bug in Windows version introduced in 1.6-rc1, where
+ DHCP timeout would be set to 0 seconds if --ifconfig option
+ was used and --ip-win32 option was not explicitly specified.
+* Added some new --dhcp-option types for Windows version.
+
+2004.03.02 -- Version 1.6-rc1
+
+* For Windows, make "--ip-win32 dynamic" the default.
+* For Windows, make "--route-delay 10" the default
+ unless --ip-win32 dynamic is not used or --route-delay
+ is explicitly specified.
+* L_TLS mutex could have been left in a locked state
+ for certain kinds of TLS errors.
+
+2004.02.22 -- Version 1.6-beta7
+
+* Allow scheduling priority increase (--nice) together
+ with UID/GID downgrade (--user/--group).
+* Code that causes SIGUSR1 restart on TLS errors in TCP
+ mode was not activated in pthread builds.
+* Save the certificate serial number in an environmental
+ variable called tls_serial_{n} prior to calling the
+ --tls-verify script. n is the current cert chain level.
+* Added NetBSD IPv6 tunnel capability (also requires
+ a kernel patch) (Horst Laschinsky).
+* Fixed bug in checking the return value of the nice()
+ function (Ian Pilcher).
+* Bug fix in new FreeBSD IPv6 over TUN code which was
+ originally added in 1.6-beta5 (Nathanael Rensen).
+* More Socks5 fixes -- extended the struct frame
+ infrastructure to accomodate proxy-based encapsulation
+ overhead.
+* Added --dhcp-option to Windows version for setting
+ adapter properties such as WINS & DNS servers.
+* Use a default route-delay of 5 seconds when
+ --ip-win32 dynamic is specified (only applicable when
+ --route-delay is not explicitly specified).
+* Added "log_append" registry variable to control
+ whether the OpenVPN service wrapper on Windows
+ opens log files in append (log_append="1") or
+ truncate (log_append="0") mode. The default
+ is truncate.
+
+2004.02.05 -- Version 1.6-beta6
+
+* UDP over Socks5 fix to accomodate Socks5 encapsulation
+ overhead (Christof Meerwald).
+* Minor --ip-win32 dynamic tweaks (use long lease time,
+ invalidate existing lease with DHCPNAK).
+
+2004.02.01 -- Version 1.6-beta5
+
+* Added Socks5 proxy support (Christof Meerwald).
+* IPv6 tun support for FreeBSD (Thomas Glanzmann).
+* Special TAP-Win32 debug mode for Windows self-install that was
+ enabled in beta4 is now turned off.
+* Added some new Solaris notes to INSTALL (Koen Maris).
+* More work on --ip-win32 dynamic.
+
+2004.01.27 -- Version 1.6-beta4
+
+* For this beta, the Windows self-install is a debug version
+ and will run slower -- use only for testing.
+* Reverted the --ip-win32 default back to 'ipapi'
+ from 'dynamic'.
+* Added the offset parameter to '--ip-win32 dynamic' which
+ can be used to control the address of the masqueraded
+ DHCP server which replies to Windows DHCP requests.
+* Added a wait/nowait option to --inetd (nowait can only
+ be used with TCP sockets, TLS authentication, and over
+ a bridged configuration -- see FAQ for more info)
+ (Stefan `Sec` Zehl).
+* Added a build-time capability where TAP-Win32 driver
+ debug messages can be output by OpenVPN at --verb 6
+ or higher.
+
+2004.01.20 -- Version 1.6-beta2
+
+* Added ./configure --enable-iproute2 flag which
+ uses iproute2 instead of route + ifconfig --
+ this is necessary for the LEAF Linux distro
+ (Martin Hejl).
+* Added renewal-time and rebind-time to set of
+ DHCP options returned by the TAP-Win32 driver when
+ "--ip-win32 dynamic" is used.
+
+2004.01.14 -- Version 1.6-beta1
+
+* Fixed --proxy bug that sometimes caused plaintext
+ control info generated by the proxy prior to http
+ CONNECT method establishment to be incorrectly
+ parsed as OpenVPN data.
+* For Windows version, implemented the
+ "--ip-win32 dynamic" method and made it the default.
+ This method sets the TAP-Win32 adapter IP address
+ and netmask by replying to the kernel's DHCP queries.
+ See the man page for more detailed info.
+* Added --connect-retry parameter which controls
+ the time interval (in seconds) between connect()
+ retries when --proto tcp-client is used. Previously,
+ this value was hardcoded to 5 seconds, and still
+ defaults as such.
+* --resolv-retry can now be used with a parameter
+ of "infinite" to retry indefinitely.
+* Added SSL_CTX_use_certificate_chain_file() to ssl.c
+ for support of multi-level certificate chains
+ (Sten Kalenda).
+* Fixed --tls-auth incompatibility with 1.4.x and earlier
+ versions of OpenVPN when the passphrase file is an
+ OpenVPN static key file (as generated by --genkey).
+* Added shell-escape support in config files using
+ the backslash character ("\") so that (for example)
+ double quotes can be passed to the shell.
+* Added "contrib" subdirectory on tarball, source zip,
+ and CVS containing user-submitted contributions.
+* Added an optional patch to the Redhat init script to
+ allow the configuration file directory to be a
+ multi-level directory hierarchy (Farkas Levente).
+ See contrib/multilevel-init.patch
+* Added some scripts and documentation on using
+ Linux "fwmark" iptables rules to enable
+ fine-grained routing control over the VPN
+ (Sean Reifschneider, <jafo@tummy.com>).
+ See contrib/openvpn-fwmarkroute-1.00
+
+2003.11.20 -- Version 1.5.0
+
+* Minor documentation changes.
+
+2003.11.04 -- Version 1.5-beta14
+
+* Fixed build problem with ./configure --disable-ssl
+ that was reported on Debian woody.
+* Fixed bug where --redirect-gateway could not be used
+ together with --resolv-retry.
+
+2003.11.03 -- Version 1.5-beta13
+
+* Added CRL (certificate revocation list) capability using
+ --crl-verify option (Stefano Bracalenti).
+* Added --replay-window option for variable replay-protection
+ window sizes.
+* Fixed --fragment bug which might have caused certain large
+ packets to be sent unfragmented.
+* Modified --secret and --tls-auth to permit different cipher and
+ HMAC keys to be used for each data flow direction. Also
+ increased static key file size generated by --genkey from
+ 1024 to 2048 bits, where 512 bits each are reserved for
+ send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
+ and backward compatibility is maintained. See --secret option
+ documentation on the man page for more info.
+* Added --tls-remote option (Teemu Kiviniemi).
+* Fixed --tls-cipher documention regarding correct delimiter
+ usage (Teemu Kiviniemi).
+* Added --key-method option for selecting alternative data
+ channel key negotiation methods. Method 1 is the default.
+ Method 2 has been added (see man page for more info).
+* Added French translation of HOWTO to web site
+ (Guillaume Lehmann).
+* Fixed problem caused by late resolver library load on
+ certain platforms when --resolv-retry and --chroot are
+ used together (Teemu Kiviniemi).
+* In TCP mode, all decryption or TLS errors will abort the current
+ connection (this is not done in UDP mode because UDP is
+ "connectionless").
+* Fixed a TCP client reconnect bug that only occurs on the
+ BSDs, where connect() fails with an invalid argument. This
+ bug was partially (but not completely) fixed in beta7.
+* Added "route_net_gateway" environmental variable which contains
+ the pre-existing default gateway address from the routing table
+ (there's no standard API for getting the default gateway, so
+ right now this feature only works on Windows or Linux).
+* Renamed the "route_default_gateway" enviromental variable to
+ "route_vpn_gateway" -- this is the remote VPN endpoint.
+* The special keywords vpn_gateway, net_gateway, and remote_host
+ can now be used for the network or gateway components of the
+ --route option. See the man page for more info.
+* Added the --redirect-gateway option to configure the VPN
+ as the default gateway (implemented on Linux and Windows only).
+* Added the --http-proxy option with basic authentication
+ support for use in TCP client mode. Successfully tested
+ using Squid as the HTTP proxy, with and without authentication.
+
+2003.10.12 -- Version 1.5-beta12
+
+* Fixed Linux-only bug in --mktun and --rmtun which was
+ introduced around beta8 or so, which would cause
+ an error such as "I don't recognize device tun0 as a
+ tun or tap device1".
+* Added --ifconfig-nowarn option to disable options
+ consistency warnings about --ifconfig parameters.
+* Don't allow any kind of sequence number backtracking or
+ message reordering when in TCP mode.
+* Changed beta naming convention to use '_' (underscore)
+ rather than '-' (dash) to pacify rpmbuild.
+
+2003.10.08 -- Version 1.5-beta11
+
+* Modified code in the Windows version which sets the IP address
+ and netmask of the TAP-Win32 adapter using the IP Helper API.
+ Most of the changes involve better error recovery when
+ the IP Helper API returns an error status. See the
+ manual page entry on --ip-win32 for more info.
+
+2003.10.08 -- Version 1.5-beta10
+
+* Added getpass() function for Windows version so that --askpass
+ option works correctly (Stefano Bracalenti).
+* Added reboot advisory to end of Win32 install script.
+* Changed crypto code to use pseudo-random IVs rather than
+ carrying forward the IV state from the previous packet.
+ This is in response to item 2 in the following document:
+ http://www.openssl.org/~bodo/tls-cbc.txt which points
+ out weaknesses in TLS's use of the same IV carryforward
+ approach. This change does not break protocol compatibility
+ with previous versions of OpenVPN.
+* Made a change to the crypto replay protection code to also
+ protect against certain kinds of packet reordering attacks.
+ This change does not break protocol compatibility with
+ previous versions of OpenVPN.
+* Added --ip-win32 option to provide several choices for
+ setting the IP address on the TAP-Win32 adapter.
+* #ifdefed out non-CBC crypto modes by default.
+* Added --up-delay option to delay TUN/TAP open and --up script
+ execution until after connection establishment. This option
+ replaces the earlier windows-only option --tap-delay.
+
+2003.10.01 -- Version 1.5-beta9
+
+* Fixed --route-noexec bug where option was not parsed correctly.
+* Complain if --dev tun is specified without --ifconfig on Windows.
+* Fixed bug where TCP connections on windows would sometimes cause
+ an assertion failure.
+* Added a new flag to TAP-Win32 advanced properties that allows one
+ to set the adapter to be always "connected" even when an OpenVPN
+ process doesn't have it open. The default behavior is to report
+ a media status of connected only when an OpenVPN process has the
+ adapter open.
+* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
+ DLLs in response to an OpenSSL security advisory.
+
+2003.09.30 -- Version 1.5-beta8
+
+* Extended the --ifconfig option to work on tap devices as well
+ as tun devices.
+* Implemented the --ifconfig option for Windows, by calling the
+ netsh tool.
+* By default, do an "arp -d *" on Windows after TAP-Win32 open to
+ refresh the MAC cache. This behaviour can be disabled with
+ --no-arp-del.
+* On Windows, allow the --dev-node parameter (which specifies
+ the name of the TAP-Win32 adapter) to be omitted in cases where
+ there is a single TAP-Win32 adapter on the system which can be
+ assumed to be the default.
+* Modified the diagnostic --verb 5 debugging level to print 'R'
+ for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
+ and 'w' for TUN/TAP write.
+* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
+ mode.
+* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
+* Make the --enable-mtu-dynamic ./configure option enabled by
+ default.
+* Deprecated the --mtu-dynamic run-time option, in favor of
+ --fragment.
+* DNS names can now be used as --ifconfig parameters.
+* Significant work on TAP-Win32 driver to bring up to SMP standards.
+* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
+ unloaded or disabled, while a user-space process has it open.
+* On Windows, if --tun-mtu is not specified, it will be read from
+ the TAP-Win32 driver via ioctl.
+* On Windows, added TAP-Win32 driver status info to "F2" keyboard
+ signal (only when run from a console window).
+* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
+* Renamed --mtu-dynamic option to --fragment to more accurately
+ reflect its function. Fragment accepts a single parameter which
+ is the upper limit on acceptable UDP packet size.
+* Changed default --tun-mtu-extra parameter to 32 from 64.
+* Eliminated reference to malloc.o in configure.ac.
+* Added tun device emulation to the TAP-Win32 driver.
+* Added --route and related options.
+* Added init script for SuSE Linux (Frank Plohmann).
+* Extended option consistency check between peers to function
+ in all crypto modes, including static-key and cleartext modes.
+ Previously only TLS mode was supported. Disable with
+ --disable-occ.
+* Overall, increased the amount of configuration option sanity
+ checking, especially of networking parameters.
+* Added --mtu-test option for empirical MTU measurement.
+* Added Windows-only option --tap-delay to not set the TAP-Win32
+ adapter media state to 'connected' until TCP/UDP connection
+ establishment with peer.
+* Slightly modified --route/--route-delay semantics so that when
+ --route is given without --route-delay, routes are added
+ immediately after tun/tap device open. When --route-delay is
+ specified, routes will be added n seconds after connection
+ initiation, where n is the --route-delay parameter (which
+ can be set to 0).
+* Made TCP framing error into a non-fatal error that triggers a
+ connection reset.
+
+2003.08.28 -- Version 1.5-beta7
+
+* Fixed bug that caused OpenVPN not to respond to exit/restart
+ signals when --resolv-retry is used and a local or remote DNS
+ name cannot be resolved.
+* Exported a series of environmental variables with useful
+ info for scripts. See man page for more info. Based
+ on a suggestion by Anthony Ciaravalo.
+* Moved TCP/UDP socket bind to a point in the initialization
+ before the --up script gets called. This is desirable
+ because (a) a socket bind failure will happen before
+ daemonization, allowing an error status code to be returned
+ to the shell and (b) the possibility is eliminated of a
+ socket bind failure causing the --up script to be run
+ but not the --down script. This change has a side effect
+ that --resolv-retry will no longer work with --local.
+* Fixed bug where if an OpenVPN TCP server went down and back
+ up again, Solaris or FreeBSD clients would fail to reconnect
+ to it.
+* Fixed bug that prevented OpenVPN from being run by
+ inetd/xinetd in TCP mode.
+* Added --log and --log-append options for logging messages to
+ a file.
+* On Windows, check that the current user is a member of the
+ Administrator group before attempting install or uninstall.
+
+2003.08.16 -- Version 1.5-beta6
+
+* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
+
+2003.08.14 -- Version 1.5-beta5
+
+* Added user-configurability of the TAP-Win32 adapter MTU
+ through the adapter advanced properties page.
+* Added Windows Service support.
+* On Windows, added file association and right-clickability
+ for .ovpn files (OpenVPN config files).
+
+2003.08.05 -- Version 1.5-beta4
+
+* Extra refinements and error checking added to Windows
+ NSIS install script.
+
+2003.08.05 -- Version 1.5-beta3
+
+* Added md5.h include to crypto.c to fix build problem on
+ OpenBSD.
+* Created a Win32 installer using NSIS.
+* Removed DelService command from TAP-Win32 INF file. It appears
+ to be not necessary and it interfered with the ability to
+ uninstall and reinstall the driver without needing to reboot.
+* On Windows version, added "addtap" and "deltapall" batch
+ files to add and delete TAP-Win32 adapter instances.
+
+2003.07.31 -- Version 1.5-beta2
+
+* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
+ in Windows ASCII so it's easier to click and view.
+* Added postscript and PDF versions of the HOWTO to the web
+ site (C R Zamana).
+* Merged Michael Clarke's stability patch into TAP-Win32
+ driver which appears to fix the suspend/resume driver bug
+ and significantly improve driver stability.
+* Added Christof Meerwald's Media Status patch to the
+ TAP-Win32 driver which shows the TAP adapter to be
+ disconnected when OpenVPN is not running.
+* Moved socket connect and TCP server listen code to a later
+ point in openvpn() function so that the TCP server listen
+ state is entered after daemonization.
+* Added keyboard shortcuts to simulate signals in the Windows
+ version, see the window title bar for descriptions.
+
+2003.07.24 -- Version 1.5-beta1
+
+* Added TCP support via the new --proto option.
+* Renamed udp-centric options such as --udp-mtu to
+ --link-mtu (old option names preserved for compatibility).
+* Ported to Windows 2000 + XP using mingw and a TAP driver
+ derived from the Cipe-Win32 project by Damion K. Wilson.
+* Added --show-adapters flag for windows version.
+* Reworked the SSL/TLS packet acknowledge code to better
+ handle certain corner cases.
+* Turned off the default enabling of IP forwarding in the
+ sample-scripts/openvpn.init script for Redhat.
+ Forwarding can be enabled by users in their --up scripts
+ or firewall config.
+* Added --up-restart option based on suggestion from Sean
+ Reifschneider.
+* If --dev tap or --dev-type tap is specified, --tun-mtu
+ defaults to 1500 and --tun-mtu-extra defaults to 64.
+* Enabled --verb 5 debugging mode that prints 'R' and 'W'
+ for each packet read or write on the TCP/UDP socket.
+
+2003.08.04 -- Version 1.4.3
+
+* Added md5.h include to crypto.c
+ to fix build problem on OpenBSD.
+
+2003.07.15 -- Version 1.4.2
+
+* Removed adaptive bandwidth from
+ --mtu-dynamic -- its absence appears
+ to work better than its existence (1.4.1.2).
+* Minor changes to --shaper to fix long
+ retransmit timeouts at low bandwidth
+ (1.4.1.2).
+* Added LOG_RW flag to openvpn.h for
+ debugging (1.4.1.2).
+* Silenced spurious configure warnings (1.4.1.2).
+* Backed out --dev-name patch, modified --dev
+ to offer equivalent functionality (1.4.1.4).
+* Added an optional parameter to --daemon and
+ --inetd to support the passing of a custom
+ program name to the system logger (1.4.1.5).
+* Add compiled-in options to the program title
+ (1.4.1.5).
+* Coded the beginnings of a WIN32 port (1.4.1.5).
+* Succeeded in porting to Win32 Mingw environment
+ and running loopback tests (1.4.1.6). Still
+ need a kernel driver for full Win32
+ functionality.
+* Fixed a bug in error.h where
+ HAVE_CPP_VARARG_MACRO_GCC was misspelled.
+ This would have caused a significant slowdown
+ of OpenVPN when built by compilers that
+ lack ISO C99 vararg macros (1.4.1.6).
+* Created an init script for Gentoo Linux
+ in ./gentoo directory (1.4.1.6).
+
+2003.05.15 -- Version 1.4.1
+
+* Modified the Linux 2.4 TUN/TAP open code to
+ fall back to the 2.2 TUN/TAP interface if the
+ open or ioctl fails.
+* Fixed bug when --verb is set to 0 and non-fatal
+ socket errors occur, causing 100% CPU utilization.
+ Occurs on platorms where
+ EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
+ such as Linux 2.4.
+* Fixed typo in tun.c that was preventing
+ OpenBSD build.
+* Added --enable-mtu-dynamic configure option
+ to enable --mtu-dynamic experimental option.
+
+2003.05.07 -- Version 1.4.0
+
+* Added --replay-persist feature to allow replay
+ protection across sessions.
+* Fixed bug where --ifconfig could not be used
+ with --tun-mtu.
+* Added --tun-mtu-extra parameter to deal with
+ the situation where a read on a TUN/TAP device
+ returns more data than the device's MTU size.
+* Fixed bug where some IPv6 support code for
+ Linux was not being properly ifdefed out for
+ Linux 2.2, causing compile errors.
+* Added OPENVPN_EXIT_STATUS_x codes to
+ openvpn.h to control which status value
+ openvpn returns to its caller (such as
+ a shell or inetd/xinetd) for various conditions.
+* Added OPENVPN_DEBUG_COMMAND_LINE flag to
+ openvpn.h to allow debugging in situations
+ where stdout, stderr, and syslog cannot be used
+ for message output, such as when OpenVPN is
+ instantiated by inetd/xinetd.
+* Removed owner-execute permission from file
+ created by static key generator (Herbert Xu
+ and Alberto Gonzalez Iniesta).
+* Added --passtos option to allow IPv4 TOS bits
+ to be passed from TUN/TAP input packets to
+ the outgoing UDP socket (Craig Knox).
+* Added code to prevent open socket file descriptors
+ from being accessible to called scripts.
+* Added --dev-name option (Christian Lademann).
+* Added --mtu-disc option for manual control
+ over MTU options.
+* Show OS MTU value on UDP socket write failures
+ (linux only).
+* Numerous build system and portability
+ fixes (Matthias Andree).
+* Added better sensing of compiler support for
+ variable argument macros, including (a) gcc
+ style, (b) ISO C 1999 style, and (c) no support.
+* Removed generated files from CVS. Note INSTALL
+ file for new CVS build commands.
+* Changed certain internal symbol names
+ for C standards compliance.
+* Added TUN/TAP open code to cycle dynamically
+ through unit numbers until it finds a free
+ unit (based on code from Thomas Gielfeldt
+ and VTun).
+* Added dynamic MTU and fragmenting infrastructure
+ (Experimental). Rebuild with FRAGMENT_ENABLE
+ defined to enable.
+* Minor changes to SSL/TLS negotiation, use
+ exponential backoff on retransmits, and use
+ a smaller MTU size (note that no protocol
+ changes have been made which would break
+ compatibility with 1.3.x).
+* Added --enable-strict-options flag
+ to ./configure. This option will cause
+ a more strict check for options compatibility
+ between peers when SSL/TLS negotiation is used,
+ but should only be used when both OpenVPN peers
+ are of the same version.
+* Reorganization of debugging levels.
+* Added a workaround in configure.ac for
+ default SSL header location on Linux
+ to fix RH9 build problem.
+* Fixed potential deadlock when pthread support
+ is used on OSes that allocate a small socketpair()
+ message buffer.
+* Fixed openvpn.init to be sh compliant
+ (Bishop Clark).
+* Changed --daemon to wait until all
+ initialization is finished before becoming a
+ daemon, for the benefit of initialization
+ scripts that want a useful return status from
+ the openvpn command.
+* Made openvpn.init script more robust, including
+ positive indication of initialization errors
+ in the openvpn daemon and better sanity checks.
+* Changed --chroot to wait until initialization
+ is finished before calling chroot(), and allow
+ the use of --user and --group with --chroot.
+* When syslog logging is enabled (--daemon or
+ --inetd), set stdin/stdout/stderr to point
+ to /dev/null.
+* For inetd instantiations, dup socket descriptor
+ to a >2 value.
+* Fixed bug in verify-cn script, where test would
+ incorrectly fail if CN=x was the last component
+ of the X509 composite string (Anonymous).
+* Added Markus F.X.J. Oberhumer's special
+ license exception to COPYING.
+
+2002.10.23 -- Version 1.3.2
+
+* Added SSL_CTX_set_client_CA_list call
+ to follow the canonical form for TLS initialization
+ recommended by the OpenSSL docs. This change allows
+ better support for intermediate CAs and has no impact
+ on security.
+* Added build-inter script to easy-rsa package, to
+ facilitate the generation of intermediate CAs.
+* Ported to NetBSD (Dimitri Goldin).
+* Fixed minor bug in easy-rsa/sign-req. It refers to
+ openssl.cnf file, instead of $KEY_CONFIG, like all
+ other scripts (Ernesto Baschny).
+* Added --days 3650 to the root CA generation command
+ in the HOWTO to override the woefully small 30 day
+ default (Dominik 'Aeneas' Schnitzer).
+* Fixed bug where --ping-restart would sometimes
+ not re-resolve remote DNS hostname.
+* Added --tun-ipv6 option and related infrastructure
+ support for IPv6 over tun.
+* Added IPv6 over tun support for Linux (Aaron Sethman).
+* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
+ INSTALL (Matthias Andree).
+* Added inetd/xinetd support (--inetd) including
+ documentation in the HOWTO.
+* Added "Important Note on the use of commercial certificate
+ authorities (CAs) with OpenVPN" to HOWTO based on
+ issues raised on the openvpn-users list.
+
+2002.07.10 -- Version 1.3.1
+
+* Fixed bug in openvpn.spec and openvpn.init
+ which caused RPM upgrade to fail.
+
+2002.07.10 -- Version 1.3.0
+
+* Added --dev-node option to allow explicit selection of
+ tun/tap device node.
+* Removed mlockall call from child thread, as it doesn't
+ appear to be necessary (child thread inherits mlockall
+ state from parent).
+* Added --ping-timer-rem which causes timer for --ping-exit
+ and --ping-restart not to run unless we have a remote IP
+ address.
+* Added condrestart to openvpn.init and openvpn.spec
+ (Bishop Clark).
+* Added --ifconfig case for FreeBSD (Matthias Andree).
+* Call openlog with facility=LOG_DAEMON (Matthias Andree).
+* Changed LOG_INFO messages to LOG_NOTICE.
+* Added warning when key files are group/others accessible.
+* Added --single-session flag for TLS mode.
+* Fixed bug where --writepid would segfault if used with
+ an invalid filename.
+* Fixed bug where --ipchange status message was formatted
+ incorrectly.
+* Print more concise error message when system() call
+ fails.
+* Added --disable-occ option.
+* Added --local, --remote, and --ifconfig options sanity
+ check.
+* Changed default UDP MTU to 1300 and TUN/TAP MTU to
+ 1300.
+* Successfully tested with OpenSSL 0.9.7 Beta 2.
+* Broke out debug level definitions to errlevel.h
+* Minor documentation and web site changes.
+* All changes maintain protocol compatibility
+ with OpenVPN versions since 1.1.0, however default
+ MTU changes will require setting the MTU explicitly
+ by command line option, if you want 1.3.0 to
+ communicate with previous versions.
+
+2002.06.12 -- Version 1.2.1
+
+* Added --ping-restart option to restart
+ connection on ping timeout using SIGUSR1
+ logic (Matthias Andree).
+* Added --persist-tun, --persist-key,
+ --persist-local-ip, and --persist-remote-ip
+ options for finer-grained control over SIGUSR1
+ and --ping-restart restarts. To
+ replicate previous SIGUSR1 functionality,
+ use --persist-remote-ip.
+* Changed residual IV fetching code to take
+ IV from tail of ciphertext.
+* Added check to make sure that CFB or OFB
+ cipher modes are only used with SSL/TLS
+ authentication mode, and added a caveat
+ to INSTALL.
+* Changed signal handling during initialization
+ (including re-initialization during restarts)
+ to exit on SIGTERM or SIGINT and ignore other
+ signals which would ordinarily be caught.
+* Added --resolv-retry option to allow
+ retries on hostname resolution.
+* Expanded the --float option to also
+ allow dynamic changes in source port number
+ on incoming datagrams.
+* Added --mute option to limit repetitive
+ logging of similar message types.
+* Added --group option to downgrade GID
+ after initialization.
+* Try to set ifconfig path automatically
+ in configure.
+* Added --ifconfig code for Mac OS X
+ (Christoph Pfisterer).
+* Moved "Peer Connection Initiated" message
+ to --verb level 1.
+* Successfully tested with
+ OpenSSL 0.9.7 Beta 1 and AES cipher.
+* Added RPM notes to INSTALL.
+* Added ACX_PTHREAD (from the autoconf
+ macro archive) to configure.ac
+ to figure out the right pthread
+ options for a given platform.
+* Broke out macro definitions from
+ configure.ac to acinclude.m4.
+* Minor changes to docs and HOWTO.
+* All changes maintain protocol compatibility
+ with OpenVPN versions since 1.1.0.
+
+2002.05.22 -- Version 1.2.0
+
+* Added configuration file support via
+ the --config option.
+* Added pthread support to improve latency.
+ With pthread support, OpenVPN
+ will offload CPU-intensive tasks such as RSA
+ key number crunching to a background thread
+ to improve tunnel packet forwarding
+ latency. pthread support can be enabled
+ with the --enable-pthread configure option.
+ Pthread support is currently available
+ only for Linux and Solaris.
+* Added --dev-type option so that tun/tap
+ device names don't need to begin with
+ "tun" or "tap".
+* Added --writepid option to write main
+ process ID to a file.
+* Numerous portability fixes to ease
+ porting to other OSes including changing
+ all network types to uint8_t and uint32_t,
+ and not assuming that time_t is 32 bits.
+* Backported to OpenSSL 0.9.5.
+* Ported to Solaris.
+* Finished OpenBSD port except for
+ pthread support.
+* Added initialization script:
+ sample-scripts/openvpn.init
+ (Douglas Keller)
+* Ported to Mac OS X (Christoph Pfisterer).
+* Improved resilience to DoS attacks when
+ TLS mode is used without --remote or
+ --tls-auth, or when --float is used
+ with --remote. Note however that the best
+ defense against DoS attacks in TLS mode
+ is to use --tls-auth.
+* Eliminated automake/autoconf dependency
+ for non-developers.
+* Ported configure.in to configure.ac
+ and autoconf 2.50+.
+* SIGHUP signal now causes OpenVPN to restart
+ and re-read command line and or config file,
+ in conformance with canonical daemon behaviour.
+* SIGUSR1 now does what SIGHUP did in
+ version 1.1.1 and earlier -- close and reopen
+ the UDP socket for use when DHCP changes
+ host's IP address and preserve most recently
+ authenticated peer address without rereading
+ config file.
+* SIGUSR2 added -- outputs current statistics,
+ including compression statistics.
+* All changes maintain protocol compatibility
+ with 1.1.1 and 1.1.0.
+
+2002.04.22 -- Version 1.1.1
+
+* Added --ifconfig option to automatically configure
+ TUN device.
+* Added inactivity disconnect (--inactive
+ and --ping-exit options).
+* Added --ping option to keep stateful firewalls
+ from timing out.
+* Added sanity check to command line parser to
+ err if any TLS options are used in non-TLS mode.
+* Fixed build problem with compiler environments that
+ define printf as a macro.
+* Fixed build problem on linux systems that have
+ an integrated TUN/TAP driver but lack the persistent
+ tunnel feature (TUNSETPERSIST). Some linux kernels
+ >= 2.4.0 and < 2.4.7 fall into this category.
+* Changed all calls to EVP_CipherInit to use explicit
+ encrypt/decrypt mode in order to fix problem with
+ IDEA-CBC and AES-256-CBC ciphers.
+* Minor changes to control channel transmit limiter
+ algorithm to fix problem where TLS control channel
+ might not renegotiate within the default 60 second window.
+* Simplified man page examples by taking advantage
+ of the new --ifconfig option.
+* Minor changes to configure.in to check more
+ rigourously for OpenSSL 0.9.6 or greater.
+* Put back openvpn.spec, eliminated
+ openvpn.spec.in.
+* Modified openvpn.spec to reflect new automake-based
+ build environment (Bishop Clark).
+* Other documentation changes.
+* Added --test-crypto option for debugging.
+* Added "missing" and "mkinstalldirs" automake
+ support files.
+
+
+2002.04.09 -- Version 1.1.0
+
+* Strengthened replay protection and IV handling,
+ extending it fully to both static key and
+ TLS dynamic key exchange modes.
+* Added --mlock option to disable paging and ensure that key
+ material and tunnel data is never paged to disk.
+* Added optional traffic shaping feature to cap the maximum
+ data rate of the tunnel.
+* Converted to automake (The Platypus Brothers 2002-04-01).
+* Ported to OpenBSD by Janne Johansson.
+* Added --tun-af-inet option to work around an incompatibility
+ between Linux and BSD tun drivers.
+* Sequence number-based replay protection using the
+ IPSec sliding window model is now the default,
+ disable with --no-replay.
+* Explicit IV is now the default, disable with --no-iv.
+* Disabled all cipher modes except CBC, CFB, and OFB.
+* In CBC mode, use explicit IV and carry forward residuals,
+ using IPSec model.
+* In CFB/OFB mode, IV is timestamp, sequence number.
+* Eliminated --packet-id, --timestamp, and max-delta parameter to
+ the --tls-auth option as they are now supplanted by improved
+ replay code which is enabled by default.
+* Eliminated --rand-iv as it is now obsolete with improved
+ IV code.
+* Eliminated --reneg-err option as it increases vulnerability
+ to DoS attacks.
+* Added weak key check for DES ciphers.
+* --tls-freq option is no longer specified on the command line,
+ instead it now inherits its parameter from the
+ --tls-timeout option.
+* Fixed bug that would try to free memory on exit that was
+ never malloced if --comp-lzo was not specified.
+* Errata fixed in the man page examples: "test-ca" should be
+ "tmp-ca".
+* Updated manual page.
+* Preliminary work in porting to OpenSSL 0.9.7.
+* Changed license to allowing linking with OpenSSL.
+
+2002.03.29 -- Version 1.0.3
+
+* Fixed a problem in configure with library ordering on the
+ command line.
+
+2002.03.28 -- Version 1.0.2
+
+* Improved the efficiency of the inner event loop.
+* Fixed a minor bug with timeout handling.
+* Improved the build system to build on RH 6.2 through 7.2.
+* Added an openvpn.spec file for RPM builders (Bishop Clark).
+
+2002.03.23 -- Version 1.0
+
+* Added TLS-based authentication and key exchange.
+* Added gremlin mode to stress test.
+* Wrote man page.
+
+2001.12.26 -- Version 0.91
+
+* Added any choice of cipher or HMAC digest.
+
+2001.5.13 -- Version 0.90
+
+* Initial release.
+* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.