2 Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
4 2009.12.11 -- Version 2.1.1
6 * Fixed some breakage in openvpn.spec (which is required to build an
7 RPM distribution) where it was referencing a non-existent
8 subdirectory in the tarball, causing it to fail (patch from
11 2009.12.11 -- Version 2.1.0
13 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
14 (1) Fail gracefully rather than segfault if calloc returns NULL.
15 (2) The openvpn_plugin_abort_v1 function can potentially be called
16 with handle == NULL. Add code to detect this case, and if so, avoid
17 dereferencing pointers derived from handle (Thanks to David
18 Sommerseth for finding this bug).
20 * Documented "multihome" option in the man page.
22 2009.11.20 -- Version 2.1_rc22
24 * Fixed a client-side bug on Windows that occurred when the
25 "dhcp-pre-release" or "dhcp-renew" options were combined with
26 "route-gateway dhcp". The release/renew would not occur
27 because the Windows DHCP renew function is blocking and
28 therefore must be called from another process or thread
29 so as not to stall the tunnel.
31 * Added a hard failure when peer provides a certificate chain
32 with depth > 16. Previously, a warning was issued.
34 2009.11.12 -- Version 2.1_rc21
36 * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
37 CVE-2009-3555. Note that OpenVPN has never relied on the session
38 renegotiation capabilities that are built into the SSL/TLS protocol,
39 therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
40 completely) will not adversely affect OpenVPN mid-session SSL/TLS
41 renegotation or any other OpenVPN capabilities.
43 * Added additional session renegotiation hardening. OpenVPN has always
44 required that mid-session renegotiations build up a new SSL/TLS
45 session from scratch. While the client certificate common name is
46 already locked against changes in mid-session TLS renegotiations, we
47 now extend this locking to the auth-user-pass username as well as all
48 certificate content in the full client certificate chain.
50 2009.10.01 -- Version 2.1_rc20
52 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
53 redirect-gateway option by itself, without any extra parameters,
54 would cause the option to be ignored.
56 * Fixed build problem when ./configure --disable-server is used.
58 * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
60 * Added --remote-random-hostname option.
62 * Added "load-stats" management interface command to get global server
65 * Added new ./configure flags:
67 --disable-def-auth Disable deferred authentication
68 --disable-pf Disable internal packet filter
70 * Added "setcon" directive for interoperability with SELinux (Sebastien
73 * Optimized PUSH_REQUEST handshake sequence to shave several seconds
74 off of a typical client connection initiation.
76 * The maximum number of "route" directives (specified in the config
77 file or pulled from a server) can now be configured via the new
78 "max-routes" directive.
80 * Eliminated the limitation on the number of options that can be pushed
81 to clients, including routes. Previously, all pushed options needed
82 to fit within a 1024 byte options string.
84 * Added --server-poll-timeout option : when polling possible remote
85 servers to connect to in a round-robin fashion, spend no more than
86 n seconds waiting for a response before trying the next server.
88 * Added the ability for the server to provide a custom reason string
89 when an AUTH_FAILED message is returned to the client. This
90 string can be set by the server-side managment interface and read
91 by the client-side management interface.
93 * client-kill management interface command, when issued on server, will
94 now send a RESTART message to client.
95 This feature is intended to make UDP clients respond the same as TCP
96 clients in the case where the server issues a RESTART message in
97 order to force the client to reconnect and pull a new options/route
100 2009.07.16 -- Version 2.1_rc19
102 * In Windows TAP driver, refactor DHCP/ARP packet injection code to
103 use a DPC (deferred procedure call) to defer packet injection until
104 IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
105 in the context of AdapterTransmit. This is an attempt to reduce kernel
106 stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
107 observed on Vista. Updated TAP driver version number to 9.6.
109 * In configure.ac, use datadir instead of datarootdir for compatibility
112 2009.06.07 -- Version 2.1_rc18
114 * Fixed compile error on ./configure --enable-small
116 * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
117 does not build on Windows on non-MINGW32.
119 2009.05.30 -- Version 2.1_rc17
121 * Reduce the debug level (--verb) at which received management interface
122 commands are echoed from 7 to 3. Passwords will be filtered.
124 * Fixed race condition in management interface recv code on
125 Windows, where sending a set of several commands to the
126 management interface in quick succession might cause the
127 latter commands in the set to be ignored.
129 * Increased management interface input command buffer size
130 from 256 to 1024 bytes.
132 * Minor tweaks to Windows build system.
134 * Added "redirect-private" option which allows private subnets
135 to be pushed to the client in such a way that they don't accidently
136 obscure critical local addresses such as the DHCP server address and
137 DNS server addresses.
139 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
140 client will examine the routing table and determine whether (a) the
141 OpenVPN server is reachable via a locally connected interface, or (b)
142 traffic to the server must be forwarded through the default router.
143 Only add a special bypass route for the OpenVPN server if (b) is true.
144 If (a) is true, behave as if the 'local' flag is specified, and do not
147 The new 'autolocal' flag depends on the non-portable test_local_addr()
148 function in route.c, which is currently only implemented for Windows.
149 The 'autolocal' flag will act as a no-op on platforms that have not
150 yet defined a test_local_addr() function.
152 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
153 more option content to be pushed from server to client).
155 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
156 levels <=3) a common and usually innocuous warning.
158 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
159 functionality (Alon Bar-Lev).
161 * Fixed bug where the remote_X environmental variables were not being
162 set correctly when the 'local' option is specifed.
164 2009.05.17 -- Version 2.1_rc16
166 * Windows installer changes:
168 1. ifdefed out the check Windows version code which is causing
169 problems on Windows 7
171 2. don't define SF_SELECTED if it is already defined
173 3. Use LZMA instead of BZIP2 compression for better compression
175 4. Upgraded OpenSSL to 0.9.8k
177 * Added the ability to read the configuration file
178 from stdin, when "stdin" is given as the config
181 * Allow "management-client" directive to be used
182 with unix domain sockets.
184 * Added errors-to-stderr option. When enabled, fatal errors
185 that result in the termination of the daemon will be written
188 * Added optional "nogw" (no gateway) flag to --server-bridge
189 to inhibit the pushing of the route-gateway parameter to
192 * Added new management interface command "pid" to show the
193 process ID of the current OpenVPN process (Angelo Laub).
195 * Fixed issue where SIGUSR1 restarts would fail if private
196 key was specified as an inline file.
198 * Added daemon_start_time and daemon_pid environmental variables.
200 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
204 1. Fixed some issues with C++ style comments that leaked into the code.
206 2. Updated configure.ac to work on MinGW64.
208 3. Updated common.h types for _WIN64.
210 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
213 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
214 OpenVPNCryptAcquireCertificatePrivateKey to work around
215 a symbol conflict in MinGW-5.1.4.
217 2008.11.19 -- Version 2.1_rc15
219 * Fixed issue introduced in 2.1_rc14 that may cause a
220 segfault when a --plugin module is used.
222 * Added server-side --opt-verify option: clients that connect
223 with options that are incompatible with those of the server
224 will be disconnected (without this option, incompatible
225 clients would trigger a warning message in the server log
226 but would not be disconnected).
228 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
229 flag on the server as well as pushes it to connecting clients.
231 * Minor options check fix: --no-name-remapping is a
232 server-only option and should therefore generate an
233 error when used on the client.
235 * Added --prng option to control PRNG (pseudo-random
236 number generator) parameters. In previous OpenVPN
237 versions, the PRNG was hardcoded to use the SHA1
238 hash. Now any OpenSSL hash may be used. This is
239 part of an effort to remove hardcoded references to
240 a specific cipher or cryptographic hash algorithm.
242 * Cleaned up man page synopsis.
244 2008.11.16 -- Version 2.1_rc14
246 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
247 with the goal of fixing a build issue on Fedora 9 that was
248 introduced in 2.1_rc13.
250 * Added additional method parameter to --script-security to preserve
251 backward compatibility with system() call semantics used in OpenVPN
252 2.1_rc8 and earlier. To preserve backward compatibility use:
254 script-security 3 system
256 * Added additional warning messages about --script-security 2
257 or higher being required to execute user-defined scripts or
260 * Windows build system changes:
262 Modified Windows domake-win build system to write all openvpn.nsi
263 input files to gen, so that gen can be disconnected from
264 the rest of the source tree and makensis openvpn.nsi will
265 still function correctly.
267 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
268 (commented out by default).
270 Added optional files SAMPCONF_CONF2 (second sample configuration
271 file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
272 build system, and may be defined in settings.in.
274 * Extended Management Interface "bytecount" command
275 to work when OpenVPN is running as a server.
276 Documented Management Interface "bytecount" command in
277 management/management-notes.txt.
279 * Fixed informational message in ssl.c to properly indicate
280 deferred authentication.
282 * Added server-side --auth-user-pass-optional directive, to allow
283 connections by clients that do not specify a username/password, when a
284 user-defined authentication script/module is in place (via
285 --auth-user-pass-verify, --management-client-auth, or a plugin module).
287 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
289 Calling scripts can set the KEY_NAME environmental variable to set
290 the "name" X509 subject field in generated certificates.
292 Modified pkitool to allow flexibility in separating the Common Name
293 convention from the cert/key filename convention.
297 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
299 will create a client certificate/key pair of james.crt/james.key
300 having a Common Name of "James's Laptop" and a Name of "james".
302 * Added --no-name-remapping option to allow Common Name, X509 Subject,
303 and username strings to include any printable character including
304 space, but excluding control characters such as tab, newline, and
305 carriage-return (this is important for compatibility with external
306 authentication systems).
308 As a related change, added --status-version 3 format (and "status 3"
309 in the management interface) which uses the version 2 format except
310 that tabs are used as delimiters instead of commas so that there
311 is no ambiguity when parsing a Common Name that contains a comma.
313 Also, save X509 Subject fields to environment, using the naming
316 X509_{cert_depth}_{name}={value}
318 This is to avoid ambiguities when parsing out the X509 subject string
319 since "/" characters could potentially be used in the common name.
321 * Fixed some ifconfig-pool issues that precluded it from being combined
322 with --server directive.
324 Now, for example, we can configure thusly:
326 server 10.8.0.0 255.255.255.0 nopool
327 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
329 to have ifconfig-pool manage only a subset
332 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
333 config file syntax checking to allow directives for future OpenVPN
334 versions to be ignored.
336 2008.10.07 -- Version 2.1_rc13
338 * Bundled OpenSSL 0.9.8i with Windows installer.
340 * Management interface can now listen on a unix
341 domain socket, for example:
343 management /tmp/openvpn unix
345 Also added management-client-user and management-client-group
346 directives to control which processes are allowed to connect
349 * Copyright change to OpenVPN Technologies, Inc.
351 2008.09.23 -- Version 2.1_rc12
353 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
354 part of the tarball (Matthias Andree).
356 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
357 was incorrectly expecting the lladdr parameter to be an IP address
358 when it is actually a MAC address (HoverHell).
360 2008.09.14 -- Version 2.1_rc11
362 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
363 to fail if UDP packets are dropped.
365 2008.09.10 -- Version 2.1_rc10
367 * Added "--server-bridge" (without parameters) to enable
368 DHCP proxy mode: Configure server mode for ethernet
369 bridging using a DHCP-proxy, where clients talk to the
370 OpenVPN server-side DHCP server to receive their IP address
371 allocation and DNS server addresses.
373 * Added "--route-gateway dhcp", to enable the extraction
374 of the gateway address from a DHCP negotiation with the
375 OpenVPN server-side LAN.
377 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
378 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
381 * Warn when ethernet bridging that the IP address of the bridge adapter
382 is probably not the same address that the LAN adapter was set to
385 * When running as a server, warn if the LAN network address is
386 the all-popular 192.168.[0|1].x, since this condition commonly
387 leads to subnet conflicts down the road.
389 * Primarily on the client, check for subnet conflicts between
390 the local LAN and the VPN subnet.
392 * Added a 'netmask' parameter to get_default_gateway, to return
393 the netmask of the adapter containing the default gateway.
394 Only implemented on Windows so far. Other platforms will
395 return 255.255.255.0. Currently the netmask information is
396 only used to warn about subnet conflicts.
398 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
399 and USE_SSL flags are enabled (Alon Bar-Lev).
401 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
402 --script-security rules. Also adds retrying if the addresses are in
403 use (Matthias Andree).
405 * Fixed build issue with ./configure --disable-socks --disable-http.
407 * Fixed separate compile errors in options.c and ntlm.c that occur
408 on strict C compilers (such as old versions of gcc) that require
409 that C variable declarations occur at the start of a {} block,
412 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
413 the new implementation of extract_x509_field_ssl depends on.
415 * LZO compression buffer overflow errors will now invalidate
416 the packet rather than trigger a fatal assertion.
418 * Fixed minor compile issue in ntlm.c (mid-block declaration).
420 * Added --allow-pull-fqdn option which allows client to pull DNS names
421 from server (rather than only IP address) for --ifconfig, --route, and
422 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
423 for these options to be pulled and translated to IP addresses by default.
424 Now --allow-pull-fqdn will be explicitly required on the client to enable
425 DNS-name-to-IP-address translation of pulled options.
427 * 2.1_rc8 and earlier did implicit shell expansion on script
428 arguments since all scripts were called by system().
429 The security hardening changes made to 2.1_rc9 no longer
430 use system(), but rather use the safer execve or CreateProcess
431 system calls. The security hardening also introduced a
432 backward incompatibility with 2.1_rc8 and earlier in that
433 script parameters were no longer shell-expanded, so
436 client-connect "docc CLIENT-CONNECT"
438 would fail to work because execve would try to execute
439 a script called "docc CLIENT-CONNECT" instead of "docc"
440 with "CLIENT-CONNECT" as the first argument.
442 This patch fixes the issue, bringing the script argument
443 semantics back to pre 2.1_rc9 behavior in order to preserve
444 backward compatibility while still using execve or CreateProcess
445 to execute the script/executable.
447 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
448 to more closely conform to RFC 3696:
450 (1) DNS name length must not exceed 255 characters
452 (2) DNS name characters must be limited to alphanumeric,
453 dash ('-'), and dot ('.')
455 * Fixed bug in intra-session TLS key rollover that was introduced with
456 deferred authentication features in 2.1_rc8.
458 2008.07.31 -- Version 2.1_rc9
460 * Security Fix -- affects non-Windows OpenVPN clients running
461 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
462 vulnerable nor are any versions of the OpenVPN server vulnerable).
463 An OpenVPN client connecting to a malicious or compromised
464 server could potentially receive an "lladdr" or "iproute" configuration
465 directive from the server which could cause arbitrary code execution on
466 the client. A successful attack requires that (a) the client has agreed
467 to allow the server to push configuration directives to it by including
468 "pull" or the macro "client" in its configuration file, (b) the client
469 successfully authenticates the server, (c) the server is malicious or has
470 been compromised and is under the control of the attacker, and (d) the
471 client is running a non-Windows OS. Credit: David Wagner.
474 * Miscellaneous defensive programming changes to multiple
475 areas of the code. In particular, use of the system() call
476 for calling executables such as ifconfig, route, and
477 user-defined scripts has been completely revamped in favor
478 of execve() on unix and CreateProcess() on Windows.
480 * In Windows build, package a statically linked openssl.exe to work around
481 observed instabilities in the dynamic build since the migration to
484 2008.06.11 -- Version 2.1_rc8
486 * Added client authentication and packet filtering capability
487 to management interface. In addition, allow OpenVPN plugins
488 to take advantage of deferred authentication and packet
489 filtering capability.
491 * Added support for client-side connection profiles.
493 * Fixed unbounded memory growth bug in environmental variable
494 code that could have caused long-running OpenVPN sessions
495 with many TLS renegotiations to incrementally
496 increase memory usage over time.
498 * Windows release now packages openssl-0.9.8h.
500 * Build system changes -- allow building on Windows using
501 autoconf/automake scripts (Alon Bar-Lev).
503 * Changes to Windows build system to make it easier to do
504 partial builds, with a reduced set of prerequisites,
505 where only a subset of OpenVPN installer
506 components are built. See ./domake-win comments.
508 * Cleanup IP address for persistence interfaces for tap and also
509 using ifconfig, gentoo#209055 (Alon Bar-Lev).
511 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
513 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
515 * Added new OpenVPN icon and installer graphic.
517 * Minor pkitool changes.
519 * Added --pkcs11-id-management option, which will cause OpenVPN to
520 query the management interface via the new NEED-STR asynchronous
521 notification query to get additional PKCS#11 options (Alon Bar-Lev).
523 * Added NEED-STR management interface asynchronous query and
524 "needstr" management interface command to respond to the query
527 * Added Dragonfly BSD support (Francis-Gudin).
529 * Quote device names before passing to up/down script (Josh Cepek).
531 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
532 prevent structure padding from causing an incorrect length
533 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
536 * On systems that support res_init, always call it
537 before calling gethostbyname to ensure that
538 resolver configuration state is current.
540 * Added NTLMv2 proxy support (Miroslav Zajic).
542 * Fixed an issue in extract_x509_field_ssl where the extraction
543 would fail on the first field of the subject name, such as
544 the common name in: /CN=foo/emailAddress=foo@bar.com
546 * Made "Linux ip addr del failed" error nonfatal.
548 * Amplified --client-cert-not-required warning.
550 * Added #pragma pack to proto.h.
552 2008.01.29 -- Version 2.1_rc7
554 * Added a few extra files that exist in the svn repo but were
555 not being copied into the tarball by make dist.
557 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
559 2008.01.24 -- Version 2.1_rc6
561 * Fixed options checking bug introduced in rc5 where legitimate configuration
562 files might elicit the error: "Options error: Parameter pkcs11_private_mode
563 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
566 2008.01.23 -- Version 2.1_rc5
568 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
569 incremented driver version to 9.4.
571 * Windows build system changes:
573 Incremented included OpenSSL version to openssl-0.9.7m.
575 Updated openssl.patch for openssl-0.9.7m and added some
576 brief usage comments to the head of the patch.
578 Added build-pkcs11-helper.sh for building the pkcs11-helper
581 Integrated inclusion of pkcs11-helper into Windows build
584 Upgraded TAP build scripts to use WDK 6001.17121
585 (Windows 2008 Server pre-RTM).
587 * Windows installer changes:
589 Clean up the start menu folder.
591 Allow for a site-specific sample configuration file and keys
592 to be included in a custom installer (see SAMPCONF macros
595 New icon (temporary).
597 * Added "forget-passwords" command to the management interface
600 * Added --management-signal option to signal SIGUSR1 when the
601 management interface disconnects (Alon Bar-Lev).
603 * Modified command line and config file parser to allow
604 quoted strings using single quotes ('') (Alon Bar-Lev).
606 * Use pkcs11-helper as external library, can be downloaded from
607 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
609 * Fixed interim memory growth issue in TCP connect loop where
610 "TCP: connect to %s failed, will try again in %d seconds: %s"
613 * Fixed bug in epoll driver in event.c, where the lack of a
614 handler for EPOLLHUP could cause 99% CPU usage.
616 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
617 want to use a CBC cipher for OpenVPN's data channel.
619 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
620 plugin directory to the dlopen search list when the user
621 specifies the basename of the plugin only (Marius Tomaschewski).
623 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
624 to allow forward slash characters ("/") in the X509 common name
627 * Allow OpenVPN to run completely unprivileged under Linux
628 by allowing openvpn --mktun to be used with --user and --group
629 to set the UID/GID of the tun device node. Also added --iproute
630 option to allow an alternative command to be executed in place
631 of the default iproute2 command (Alon Bar-Lev).
633 * Fixed --disable-iproute2 in ./configure to actually disable
634 iproute2 usage (Alon Bar-Lev).
636 * Added --management-forget-disconnect option -- forget
637 passwords when management session disconnects (Alon Bar-Lev).
639 2007.04.25 -- Version 2.1_rc4
641 * Worked out remaining issues with TAP driver signing
642 on Vista x64. OpenVPN will now run on Vista x64
643 with driver signing enforcement enabled.
645 * Fixed 64-bit portability bug in time_string function
648 2007.04.22 -- Version 2.1_rc3
650 * Additional fixes to TAP driver for Windows x64. Driver
651 now runs successfully on Vista x64 if driver signing
652 enforcement is disabled.
654 * The Windows Installer and TAP driver are now signed by
655 OpenVPN Solutions LLC (in addition to the usual GnuPG
658 * Added OpenVPN GUI (Mathias Sundman version) as install
659 option in Windows installer.
661 * Clean up configure on FreeBSD for recent autotool versions
662 that require that all .h files have to be compiled.
663 Also, FreeBSD install does not support GNU long options
664 which the Makefile in easy-rsa/2.0 uses (not checked the
665 others as we don't install those on Gentoo) (Roy Marples).
667 * Added additional scripts to easy-rsa/Windows for working
668 with password-protected keys; also add -extensions server
669 option when generating server cert via
670 build-key-server-pass.bat (Daniel Zauft).
672 2007.02.27 -- Version 2.1_rc2
674 * auth-pam change: link with -lpam rather
675 than dlopen (Roy Marples).
677 * Prevent SIGUSR1 or SIGHUP from causing program
678 exit from initial management hold.
680 * SO_REUSEADDR should not be set on Windows TCP sockets
681 because it will cause bind to succeed on port conflicts.
683 * Added time_ascii, time_duration, and time_unix
684 environmental variables for plugins and callback
687 * Fixed issue where OpenVPN does not apply the --txqueuelen option
688 to persistent interfaces made with --mktun (Roy Marples).
690 * Attempt at rational signal handling when in the
691 management hold state. During management hold, ignore
692 SIGUSR1/SIGHUP signals thrown with the "signal" command.
693 Also, "signal" command will now apply remapping as
694 specified with the --remap-usr1 option.
695 When a signal entered using the "signal" command from a management
696 hold is ignored, output: >HOLD:Waiting for hold release
698 * Fixed issue where struct env_set methods that
699 change the value of an existing name=value pair
700 would delay the freeing of the memory held by
701 the previous name=value pair until the underlying
702 client instance object is closed.
703 This could cause a server that handles long-term
704 client connections, resulting in many periodic calls
705 to verify_callback, to needlessly grow the env_set
706 memory allocation until the underlying client instance
709 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
710 to reflect the fact that Vista has blacklisted the tap0801.sys
711 file name due to previous compatibility issues which have now
712 been resolved. TAP-Win32 major/minor version number is now 9/1.
714 * Windows installer will delete a previously installed
715 tap0801.sys TAP driver before installing tap0901.sys.
717 * Added code to Windows installer to fail gracefully on 64 bit
718 installs until 64-bit TAP driver issues can be resolved.
720 * Added code to Windows installer to fail gracefully on
721 versions of Windows which are not explicitly supported.
723 * The Windows version will now use a default route-delay
724 of 5 seconds to deal with an apparent routing table race
727 * Worked around an incompatibility in the Windows Vista
728 version of CreateIpForwardEntry as described in
729 http://www.nynaeve.net/?p=59
730 This issue would cause route additions using the
731 IP Helper API to fail on Vista.
733 * On Windows, revert to "ip-win32 dynamic" as the default.
735 2006.10.31 -- Version 2.1_rc1
737 * Support recovery (return to hold) from signal at
738 management password prompt.
740 * Added workaround for OpenSC PKCS#11 bug#108
743 2006.10.01 -- Version 2.1-beta16
745 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
746 published vulnerabilities.
748 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
751 * Autodetect 32/64 bit Windows in installer and install
752 appropriate TAP driver (Mathias Sundman, Hypherion).
754 * Fixed bug in loopback self-test introduced
755 in 2.1-beta15 where self test as invoked by
756 "make check" would not properly exit after
757 2 minutes (Paul Howarth).
759 2006.09.12 -- Version 2.1-beta15
761 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
762 RSA Signature Forgery (CVE-2006-4339).
764 * Fixed bug introduced with the --port-share directive
765 (back in 2.1-beta9 which causes TLS soft resets
766 (1 per hour by default) in TCP server mode to force
767 a blockage of tunnel packets and later time-out and
768 restart the connection.
770 * easy-rsa update (Alon Bar-Lev)
771 Makefile (install) is now available so that
772 distribs will be able to install it safely.
774 * PKCS#11 changes: (Alon Bar-Lev)
775 - Modified ssl.c to not FATAL and return to init.c
776 so auth-retry will work.
777 - Modifed pkcs11-helper.c to fix some problem with
779 - Added retry counter to PKCS#11 PIN hook.
780 - Modified PKCS#11 PIN retry loop to return correct error
781 code when PIN is incorrect.
782 - Fix handling (ignoring) zero sized attributes.
784 - Fix openssl 0.9.6 (first version) issues.
786 * Minor fixes of lladdr (Alon Bar-Lev)
787 Updated makefile.w32-vc to include lladdr.*, updated
789 Modified lladdr.c to be compiled under visual C.
791 * Added two new management states:
792 OPENVPN_STATE_RESOLVE -- DNS lookup
793 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
795 * Echo management state change to log.
797 * Minor syshead.h change for NetBSD to allow
798 TCP_NODELAY flag to work.
800 * Modified --port-share code to remove the assumption that
801 CMSG_SPACE always evaluates to a constant, to enable
802 compilation on NetBSD and possibly other BSDs as well.
804 * Eliminated gcc 3.3.3 warnings on NetBSD
805 when ./configure --enable-strict is used.
807 * Added optional minimum-number-of-bytes parameter
808 to --inactive directive.
810 2006.04.13 -- Version 2.1-beta14
812 * Fixed Windows server bug in time backtrack handling code which
813 could cause TLS negotiation failures on legitimate clients.
815 * Rewrote gettimeofday function for Windows to be
816 simpler and more efficient.
818 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
820 * Added --route-metric option to set a default route metric
821 for --route (Roy Marples).
823 * Added --lladdr option to specify the link layer (MAC) address
824 for the tap interface on non-Windows platforms (Roy Marples).
826 2006.04.12 -- Version 2.1-beta13
828 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
829 to 64 bits caused a bug in the Windows version which has now
830 been fixed. The bug could cause intermittent crashes.
832 2006.04.05 -- Version 2.1-beta12
834 * Security Vulnerability -- An OpenVPN client connecting to a
835 malicious or compromised server could potentially receive
836 "setenv" configuration directives from the server which could
837 cause arbitrary code execution on the client via a LD_PRELOAD
838 attack. A successful attack appears to require that (a) the
839 client has agreed to allow the server to push configuration
840 directives to it by including "pull" or the macro "client" in
841 its configuration file, (b) the client configuration file uses
842 a scripting directive such as "up" or "down", (c) the client
843 succesfully authenticates the server, (d) the server is
844 malicious or has been compromised and is under the control of
845 the attacker, and (e) the attacker has at least some level of
846 pre-existing control over files on the client (this might be
847 accomplished by having the server respond to a client web request
848 with a specially crafted file). Credit: Hendrik Weimer.
851 The fix is to disallow "setenv" to be pushed to clients from
852 the server, and to add a new directive "setenv-safe" which is
853 pushable from the server, but which appends "OPENVPN_" to the
854 name of each remotely set environmental variable.
856 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
858 * PKCS11 fixes (Alon Bar-Lev). For full description:
859 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
861 * When deleting routes under Linux, use the route metric
862 as a differentiator to ensure that the route teardown
863 process only deletes the identical route which was originally
864 added via the "route" directive (Roy Marples).
866 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
867 (Matthias Andree, Dirk Meyer, Vasil Dimov).
869 * Extended tun device configure code to support ethernet
870 bridging on NetBSD (Emmanuel Kasper).
872 2006.02.19 -- Version 2.1-beta11
874 * Fixed --port-share bug that caused premature closing
877 2006.02.17 -- Version 2.1-beta10
879 * Fixed --port-share breakage introduced in 2.1-beta9.
881 2006.02.16 -- Version 2.1-beta9
883 * Added --port-share option for allowing OpenVPN and HTTPS
884 server to share the same port number.
885 * Added --management-client option to connect as a client
886 to management GUI app rather than be connected to as a
888 * Added "bytecount" command to management interface.
889 * --remote-cert-tls fixes (Alon Bar-Lev).
891 2006.01.03 -- Version 2.1-beta8
893 * --remap-usr1 will now also remap signals thrown during
895 * Added --connect-timeout option to control the timeout
896 on TCP client connection attempts (doesn't work on all
897 OSes). This patch also makes OpenVPN signalable during
898 TCP connection attempts.
899 * Fixed bug in acinclude.m4 where capability of compiler
900 to handle zero-length arrays in structs is tested
902 * Fixed typo in manage.c where inline function declaration
903 was declared without the "static" keyword (David Stipp).
904 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
905 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
906 proxy settings (currently Windows only).
907 * Removed redundant base64 code.
908 * Better sanity checking of --server and --server-bridge
909 IP pool ranges, so as not to hit the assertion at
911 * Fixed bug where --daemon and --management-query-passwords
912 used together would cause OpenVPN to block prior to
914 * Fixed client/server race condition which could occur
915 when --auth-retry interact is set and the initially
916 provided auth-user-pass credentials are incorrect,
917 forcing a username/password re-query.
918 * Fixed bug where if --daemon and --management-hold are
919 used together, --user or --group options would be ignored.
920 * --ip-win32 adaptive is now the default.
921 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
922 mode) can now set DNS/WINS addresses on the TAP-Win32
924 * Added new option --route-method adaptive (Win32)
925 which tries IP helper API first, then falls back to
927 * Made --route-method adaptive the default.
929 2005.11.12 -- Version 2.1-beta7
931 * Allow blank passwords to be passed via the management
933 * Fixed bug where "make check" inside a FreeBSD "jail"
934 would never complete (Matthias Andree).
935 * Fixed bug where --server directive in --dev tap mode
936 claimed that it would support subnets of /30 or less
937 but actually would only accept /29 or less.
938 * Extend byte counters to 64 bits (M. van Cuijk).
939 * Fixed bug in Linux get_default_gateway function
940 introduced in 2.0.4, which would cause redirect-gateway
941 on Linux clients to fail.
942 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
943 be compatible with 2.0.x distribution.
944 * Documented --route-nopull.
945 * Documented --ip-win32 adaptive.
946 * Windows build now linked with LZO2.
947 * Allow ca, cert, key, and dh files to be specified
948 inline via XML-like syntax without needing to
949 reference an explicit file.
954 * Allow plugin and push directives to have multi-line
955 parameter lists such as:
961 * Added connect-retry-max option (Alon Bar-Lev).
962 * Fixed problems where signals thrown during initialization
963 were not returning to a management-hold state.
964 * Added a backtrack-hardened system time algorithm.
965 * Added --remote-cert-ku, --remote-cert-eku, and
966 --remote-cert-tls options for verifying certificate
967 attributes (Alon Bar-Lev).
968 * For Windows, reverted --ip-win32 default back to "dynamic".
969 To use new adaptive mode, set explicitly.
971 2005.11.01 -- Version 2.1-beta6
973 * Security fix (merged from 2.0.4) -- Affects non-Windows
974 OpenVPN clients of version 2.0 or higher which connect to
975 a malicious or compromised server. A format string
976 vulnerability in the foreign_option function in options.c
977 could potentially allow a malicious or compromised server
978 to execute arbitrary code on the client. Only
979 non-Windows clients are affected. The vulnerability
980 only exists if (a) the client's TLS negotiation with
981 the server succeeds, (b) the server is malicious or
982 has been compromised such that it is configured to
983 push a maliciously crafted options string to the client,
984 and (c) the client indicates its willingness to accept
985 pushed options from the server by having "pull" or
986 "client" in its configuration file (Credit: Vade79).
988 * Security fix -- (merged from 2.0.4) Potential DoS
989 vulnerability on the server in TCP mode. If the TCP
990 server accept() call returns an error status, the resulting
991 exception handler may attempt to indirect through a NULL
992 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
994 * Fix attempt of assertion at multi.c:1586 (note that
995 this precise line number will vary across different
996 versions of OpenVPN).
997 * Windows reliability changes:
998 (a) Added code to make sure that the local PATH environmental
999 variable points to the Windows system32 directory.
1000 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
1001 and then fails over to 'netsh' if the DHCP negotiation fails.
1002 (c) Made --ip-win32 adaptive the default.
1003 * More PKCS#11 additions/changes (Alon Bar-Lev).
1004 * Added ".PHONY: plugin" to Makefile.am to work around
1006 * Fixed double fork issue that occurs when --management-hold
1008 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
1009 * Warn when multiple clients having the same common name or
1010 username usurp each other when --duplicate-cn is not used.
1011 * Modified Windows and Linux versions of get_default_gateway
1012 to return the route with the smallest metric
1013 if multiple 0.0.0.0/0.0.0.0 entries are present.
1014 * Added ">NEED-OK" alert and "needok" command to management
1015 interface to provide a general interface for sending
1016 alerts to the end-user. Used by the PKCS#11 code
1017 to send Token Insertion Requests to the user.
1018 * Added actual remote address used to the ">STATE" alert
1019 in the management interface (Rolf Fokkens).
1021 2005.10.17 -- Version 2.1-beta4
1023 * Fixed bug introduced in 2.1-beta3 where management
1024 socket bind would fail.
1025 * --capath fix in ssl.c (Zhuang Yuyao).
1026 * Added ".PHONY: plugin" to Makefile.am, reverted
1027 location of "plugin" directory (thanks to
1028 Matthias Andree for figuring this out).
1030 2005.10.16 -- Version 2.1-beta3
1032 * Added PKCS#11 support (Alon Bar-Lev).
1033 * Enable the use of --ca together with --pkcs12. If --ca is
1034 used at the same time as --pkcs12, the CA certificate is loaded
1035 from the file specified by --ca regardless if the pkcs12 file
1036 contains a CA cert or not (Mathias Sundman).
1037 * Merged --capath patch (Thomas Noel).
1038 * Merged --multihome patch.
1039 * Added --bind option for TCP client connections (Ewan Bhamrah
1041 * Moved "plugin" directory to "plugins" to deal with strange
1042 automake problem that ended up being also fixable with
1043 ".PHONY: plugin" in Makefile.am.
1045 2005.10.13 -- Version 2.1-beta2
1047 * Made --sndbuf and --rcvbuf pushable.
1049 2005.10.01 -- Version 2.1-beta1
1051 * Made LZO setting pushable.
1052 * Renamed sample-keys/tmp-ca.crt to ca.crt.
1053 * Fixed bug where remove_iroutes_from_push_route_list
1054 was missing routes if those routes had
1055 an implied netmask (by omission) of 255.255.255.255.
1056 * Merged with 2.0.3-rc1
1057 * easy-rsa/2.0 moved to easy-rsa
1058 * old easy-rsa moved to easy-rsa/1.0
1060 2005.09.23 -- Version 2.0.2-TO4
1062 * Added feature to TAP-Win32 adapter to allow it to be
1063 opened from non-administrator mode. This feature
1064 is enabled by default, and can be enabled/disabled
1065 in the adapter advanced properties dialog.
1066 * Added --allow-nonadmin standalone option for Windows to
1067 set TAP adapter to allow non-admin access. This
1068 is a user-mode version of the code, and duplicates
1069 the same feature as the above entry.
1070 * Added fix that attempts to solve corner case of tunnel not
1071 forwarding packets when system clock is reset to an earlier time.
1072 * Added --redirect-gateway bypass-dns option. (Developers:
1073 To add bypass-dhcp or bypass-dns support to other OSes,
1074 add a get_bypass_addresses function to route.c for
1076 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
1077 allows a client-connect plugin to return configuration text
1078 in memory, rather than via a file.
1079 * Fixed a bug where --mode server --proto tcp-server --cipher none
1080 operation could cause tunnel packet truncation.
1081 * openvpn --version will show [LZO1] or [LZO2], depending on
1082 version that was linked.
1084 2005.09.07 -- Version 2.0.2-TO1
1086 * Added --topology directive. See man page.
1087 * Added --redirect-gateway bypass-dhcp option to add a route
1088 allowing DHCP packets to bypass the tunnel, when the
1089 DHCP server is non-local. Currently only implemented
1091 * Modified OpenVPN Service on Windows to declare the DHCP
1092 client service as a dependency.
1093 * Extended the plugin interface to allow plugins to declare
1094 per-client constructor and destructor functions, to make
1095 it simpler for plugins to maintain per-client state.
1097 2005.09.25 -- Version 2.0.3-rc1
1099 * openvpn_plugin_abort_v1 function wasn't being properly
1100 registered on Windows.
1101 * Fixed a bug where --mode server --proto tcp-server --cipher none
1102 operation could cause tunnel packet truncation.
1104 2005.08.25 -- Version 2.0.2
1106 * No change from 2.0.2-rc1.
1108 2005.08.24 -- Version 2.0.2-rc1
1110 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
1111 which incorrectly set OpenVPN service to autostart.
1112 * Don't package source code zip file in Windows installer
1113 in order to reduce the size of the installer. The source
1114 zip file can always be downloaded separately if needed.
1115 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
1116 version of get_default_gateway. Allocated socket for route
1117 manipulation is never freed so number of mbufs continuously
1118 grow and exhaust system resources after a while (Jaroslav Klaus).
1119 * Fixed bug where "--proto tcp-server --mode p2p --management
1120 host port" would cause the management port to not respond until
1121 the OpenVPN peer connects.
1122 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
1124 2005.08.16 -- Version 2.0.1
1126 * Security Fix -- DoS attack against server when run with "verb 0" and
1127 without "tls-auth". If a client connection to the server fails
1128 certificate verification, the OpenSSL error queue is not properly
1129 flushed, which can result in another unrelated client instance on the
1130 server seeing the error and responding to it, resulting in disconnection
1131 of the unrelated client (CAN-2005-2531).
1132 * Security Fix -- DoS attack against server by authenticated client.
1133 This bug presents a potential DoS attack vector against the server
1134 which can only be initiated by a connected and authenticated client.
1135 If the client sends a packet which fails to decrypt on the server,
1136 the OpenSSL error queue is not properly flushed, which can result in
1137 another unrelated client instance on the server seeing the error and
1138 responding to it, resulting in disconnection of the unrelated client
1139 (CAN-2005-2532). Credit: Mike Ireton.
1140 * Security Fix -- DoS attack against server by authenticated client.
1141 A malicious client in "dev tap" ethernet bridging mode could
1142 theoretically flood the server with packets appearing to come from
1143 hundreds of thousands of different MAC addresses, causing the OpenVPN
1144 process to deplete system virtual memory as it expands its internal
1145 routing table. A --max-routes-per-client directive has been added
1146 (default=256) to limit the maximum number of routes in OpenVPN's
1147 internal routing table which can be associated with a given client
1149 * Security Fix -- DoS attack against server by authenticated client.
1150 If two or more client machines try to connect to the server at the
1151 same time via TCP, using the same client certificate, and when
1152 --duplicate-cn is not enabled on the server, a race condition can
1153 crash the server with "Assertion failed at mtcp.c:411"
1155 * Fixed server bug where under certain circumstances, the client instance
1156 object deletion function would try to delete iroutes which had never been
1157 added in the first place, triggering "Assertion failed at mroute.c:349".
1158 * Added --auth-retry option to prevent auth errors from being fatal
1159 on the client side, and to permit username/password requeries in case
1160 of error. Also controllable via new "auth-retry" management interface
1161 command. See man page for more info.
1162 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
1163 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
1164 would fail to build.
1165 * Implement "make check" to perform loopback tests (Matthias Andree).
1167 2005.07.21 -- Version 2.0.1-rc7
1169 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
1170 * Include linux/types.h before checking for linux/errqueue.h (Matthias
1173 2005.07.15 -- Version 2.0.1-rc6
1175 * Commented out "user nobody" and "group nobody" in sample
1176 client/server config files.
1177 * Allow '@' character to be used in --client-config-dir
1180 2005.07.04 -- Version 2.0.1-rc5
1182 * Windows version will log a for-further-info URL when
1183 initialization sequence is completed with errors.
1184 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
1185 to control whether auth-pam plugin links to PAM via
1186 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
1187 behavior should be preserved. DLOPEN_PAM=0 is the preferred
1188 setting to link via -lpam, but DLOPEN_PAM=1 works around
1189 a bug in SuSE 9.1 (and possibly other distros as well)
1190 where the PAM modules are not linked with -lpam. See
1191 thread on openvpn-devel for more discussion about this
1192 patch (Simon Perreault).
1194 2005.06.15 -- Version 2.0.1-rc4
1196 * Support LZO 2.00, including changes to configure script to
1197 autodetect LZO version.
1199 2005.06.12 -- Version 2.0.1-rc3
1201 * Fixed a bug which caused standard file handles to not be closed
1202 after daemonization when --plugin and --daemon are used together,
1203 and if the plugin initialization function forks (as does auth-pam
1204 and down-root) (Simon Perreault).
1205 * Added client-side up/down scripts in contrib/pull-resolv-conf
1206 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
1207 on Linux/Unix systems (Jesse Adelman).
1208 * Fixed bug where if client-connect scripts/plugins were cascaded,
1209 and one (but not all) of them returned an error status, there might
1210 be cases where for an individual script/plugin, client-connect was
1211 called but not client-disconnect. The goal of this fix is to
1212 ensure that if client-connect is called on a given client instance,
1213 then client-disconnect will definitely be called. A potential
1214 complication of this fix is that when client-connect functions are
1215 cascaded, it's possible that the client-disconnect function would
1216 be called in cases where the related client-connect function returned
1217 an error status. This fix should not alter OpenVPN behavior when
1218 scripts/plugins are not cascaded.
1219 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
1220 fatal error to a warning: "FRAG: outgoing buffer is not empty".
1221 Need more info on how to reproduce this one.
1222 * When --duplicate-cn is used, the --ifconfig-pool allocation
1223 algorithm will now allocate the first available IP address.
1224 * When --daemon and --management-hold are used together,
1225 OpenVPN will daemonize before it enters the management hold state.
1227 2005.05.16 -- Version 2.0.1-rc2
1229 * Modified vendor test in openvpn.spec file to match against
1230 "Mandrakesoft" in addition to "MandrakeSoft".
1231 * Using --iroute in a --client-config-dir file while in --dev tap
1232 mode is not currently supported and will produce a warning
1233 message. Fixed bug where in certain cases, in addition to
1234 generating a warning message, this combination of options
1235 would also produce a fatal assertion in mroute.c.
1236 * Pass --auth-user-pass username to server-side plugin without
1237 performing any string remapping (plugins, unlike scripts,
1238 don't get any security benefit from string remapping).
1239 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
1240 where backslash characters in a username ('\') were being remapped
1241 to underscore ('_').
1242 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
1243 * Documented --explicit-exit-notify in man page.
1244 * --explicit-exit-notify seconds parameter defaults to 1 if
1247 2005.04.30 -- Version 2.0.1-rc1
1249 * Fixed bug where certain kinds of fatal errors after
1250 initialization (such as port in use) would leave plugin
1251 processes (such as openvpn-auth-pam) still running.
1252 * Added optional openvpn_plugin_abort_v1 plugin function for
1253 closing initialized plugin objects in the event of a fatal
1254 error by main OpenVPN process.
1255 * When the --remote list is > 1, and --resolv-retry is not
1256 specified (meaning that it defaults to "infinite"), apply the
1257 infinite timeout to the --remote list as a whole, but try each
1258 list item only once before moving on to the next item.
1259 * Added new --syslog directive which redirects output
1260 to syslog without requiring the use of the --daemon or --inetd
1262 * Added openvpn.spec option to allow RPM to be built with support
1263 for passwords read from a file:
1264 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
1266 2005.04.17 -- Version 2.0
1268 * Fixed minor options string typo in options.c.
1270 2005.04.10 -- Version 2.0-rc21
1272 * Change license description from "GPL Version 2 or (at your
1273 option) any later version" to just "GPL Version 2".
1275 2005.04.04 -- Version 2.0-rc20
1277 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
1278 excellent distro/version coverage for RH/EL/Fedora, though
1279 using his own SPEC. I modified openvpn.spec to follow some of
1280 the same conventions such as putting sample scripts and doc
1281 files in %doc rather than /usr/share/openvpn.
1282 * Minor change to init scripts to run the user-defined script
1283 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
1284 configs are started, and to run /etc/openvpn/openvpn-shutdown
1285 after all OpenVPN configs have been stopped. The
1286 openvpn-startup script can be used for stuff like
1287 insmod tun.o, setting up firewall rules, or starting
1290 2005.03.29 -- Version 2.0-rc19
1292 * Omit additions of routes where the network and
1293 gateway are equal and the netmask is 255.255.255.255.
1294 This can come up if you are using both
1295 server/ifconfig-pool and client-config-dir with
1296 ifconfig-push static addresses for some subset of clients
1297 which directly reference the server IP address as the
1300 2005.03.28 -- Version 2.0-rc18
1302 * Packaged Windows installer with OpenSSL 0.9.7f.
1303 * Built Windows installer with NSIS 2.06.
1305 2005.03.12 -- Version 2.0-rc17
1307 * "MANAGEMENT: CMD" log file output will now only occur
1308 at --verb 7 or greater.
1309 * Added an optional name/value configuration list to
1310 the openvpn-auth-pam plugin module argument list. See
1311 plugin/auth-pam/README for documentation. This is necessary
1312 in order for openvpn-auth-pam to work with queries generated
1313 by arbitrary PAM modules.
1314 * In both auth-pam and down-root plugins, in the forked process,
1315 a read error on the parent process socket is no longer fatal.
1316 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
1317 A conditional test of the vendor has been added to
1318 Require the appropriately named 'lzo' (liblzo1 / lzo).
1319 (Tom Walsh - http://openhardware.net)
1322 2005.02.20 -- Version 2.0-rc16
1324 * Fixed bug introduced in rc13 where Windows service wrapper
1325 would be installed with a startup type of Automatic.
1326 This fix restores the previous behavior of installing
1327 with a startup type of Manual.
1329 2005.02.19 -- Version 2.0-rc15
1331 * Added warning when --keepalive is not used in a server
1333 * Don't include OpenSSL md4.h file if we are not building
1334 NTLM proxy support (Waldemar Brodkorb).
1335 * Added easy-rsa/build-key-pkcs12 and
1336 easy-rsa/Windows/build-key-pkcs12.bat scripts
1339 2005.02.16 -- Version 2.0-rc14
1341 * Fixed small memory leak that occurs when --crl-verify
1343 * Upgraded Windows installer and .nsi script to NSIS 2.05
1345 * Changed #include backslash usage in cryptoapi.c to use
1346 forward slashes instead (Gisle Vanem).
1347 * Created easy-rsa/revoke-full to handle revocations in
1348 a single step: (a) revoke crt, (b) regenerate CRL, and
1349 (c) verify that revocation succeeded.
1350 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
1351 that both *nix and Windows scripts are equivalent.
1353 2005.02.11 -- Version 2.0-rc13
1355 * Improve human-readability of local/remote options
1356 diff, when inconsistencies are present.
1357 * For Windows easy-rsa, distribute vars.bat.sample and
1358 openssl.cnf.sample, then copy them to their normal
1359 filenames (without the .sample) when init-config.bat
1360 is run. This is to prevent OpenVPN upgrades from
1361 wiping out vars.bat and openssl.cnf edits.
1362 * Modified service wrapper (Windows) to use a
1363 case-insensitive search when scanning for .ovpn files
1364 in \Program Files\OpenVPN\config. Prior versions
1365 required an all-lower-case .ovpn file extension.
1366 * Miscellaneous service wrapper code cleanup.
1367 * If --user/--group is used on Windows, treat it
1368 as a no-op with a warning (this makes it easier to
1369 distribute the same client config file to Windows
1371 * Warn if --ifconfig-pool-persist is used with
1374 2005.02.05 -- Version 2.0-rc12
1376 * Removed some debugging code inadvertently included
1377 in rc11 which would print the --auth-user-pass
1378 username/password provided by clients in the server
1380 * Client code for cycling through --remote list will
1381 retry the last address which successfully authenticated
1382 before moving on through the list.
1383 * Windows installer will now install sample configuration
1384 files in \Program Files\OpenVPN\sample-configs as well
1385 as generate a start menu shortcut to this directory.
1386 * Minor type change in buffer.[ch] to work around char-type
1387 ambiguity bug. Caused management interface lock-ups on
1388 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
1390 2005.02.03 -- Version 2.0-rc11
1392 * Windows installer will now install easy-rsa directory
1393 in \Program Files\OpenVPN
1394 * Allow syslog facility to be controlled at compile time,
1395 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
1396 * Changed certain shell scripts in distribution to use
1397 #!/bin/sh rather than #!/bin/bash for better portability.
1398 * If --ifconfig-pool-persist seconds parameter is 0, treat
1399 persist file as an allocation of fixed IP addresses
1400 (previous versions took IP-to-common-name associations
1401 from this list as hints, not mandatory static allocations).
1402 * Fixed bug on *nix where if --auth-user-pass and --log
1403 were used together, the username prompt would be sent to
1404 the log file rather than /dev/tty.
1405 * Spurious text in openvpn.8 detected by doclifter
1407 * Call closelog later on daemon kill so that process
1408 exit message is written to syslog.
1410 2005.01.27 -- Version 2.0-rc10
1412 * When ./configure is run with plugins enabled (the default),
1413 check whether or not dlopen exists in libc before testing
1414 for libdl. This is to fix an issue on FreeBSD and possibly
1415 other OSes which bundle libdl functions in libc.
1416 * On Windows, filter initial WSAEINVAL warning which occurs
1417 on the initial read attempt of an unbound socket.
1418 * The easy-rsa scripts build-key, build-key-pass, and
1419 build-key-server will now chmod the .key file
1420 to 0600. This is in addition to the fact the generated
1421 keys directory has always been similarly protected
1424 2005.01.23 -- Version 2.0-rc9
1426 * Fixed error "ROUTE: route addition failed using
1427 CreateIpForwardEntry ..." on Windows when --redirect-gateway
1428 is used over a RRAS internet link.
1429 * When using --route-method exe on Windows, include the
1430 gateway parameter on route delete commands (Mathias Sundman).
1431 * Try not to do a hard reset (i.e. SIGHUP) when two
1432 SIGUSR1 signals are received in close succession.
1433 * If the push list tries to grow beyond its buffer capacity,
1434 the resulting error will be non-fatal.
1435 * To increase the push list capacity (must be done on both
1436 client and server), increase TLS_CHANNEL_BUF_SIZE in
1437 common.h (default=1024).
1439 2005.01.15 -- Version 2.0-rc8
1441 * Fixed bug introduced in rc7 where options error
1442 "--auth-user-pass requires --pull" might occur even
1443 if --pull was correctly specified.
1444 * Changed management interface code to bind once
1445 to TCP socket, rather than rebinding after every
1447 * Added "disable" directive for client-config-dir
1449 * Windows binary install is now distributed with
1451 * Query the management interface for --http-proxy
1452 username/password if authfile is set to "stdin".
1453 * Added current OpenVPN version number to "Unrecognized
1454 option or missing parameter" error message.
1455 * Added "-extensions server" to "openssl req" command
1456 in easy-rsa/build-key-server (Nir Yeffet).
1458 2005.01.10 -- Version 2.0-rc7
1460 * Fixed bug in management interface which could cause
1461 100% CPU utilization in --proto tcp-server mode
1462 on all *nix OSes except for Linux 2.6.
1463 * --ifconfig-push now accepts DNS names as well as
1465 * Added sanity check errors when --pull or
1466 --auth-user-pass is used in an incorrect mode.
1467 * Updated man page entries for --client-connect and
1469 * Added "String Types and Remapping" section to man
1470 page to consisely document the way which OpenVPN
1471 may convert certain types of characters in strings
1473 * Modified bridging description in HOWTO to emphasize
1474 the fact that bridging allows Windows file and print
1475 sharing without a WINS server (Charles Duffy).
1477 2004.12.20 -- Version 2.0-rc6
1479 * Improved checking for epoll support in ./configure
1480 to fix false positive on RH9 (Jan Just Keijser).
1481 * Made the "MULTI TCP: I/O wait required blocking in
1482 multi_tcp_action, action=7" error nonfatal and replaced
1483 with "MULTI: Outgoing TUN queue full, dropped packet".
1484 So far the issue only seems to occur on Linux 2.2
1485 in --mode server --proto tcp mode. It occurs when
1486 the TUN/TAP driver locks up and refuses to accept
1487 new packet writes for a second or more.
1488 * Fixed bug where if a --client-config-dir file tried
1489 to include another file using "config", and if that
1490 include failed, OpenVPN would abort with a fatal
1491 error. Now such inclusion failures will be logged
1492 but are no longer fatal.
1493 * Global changes to the way that packet buffer alignment
1494 is handled. Previously we didn't care about alignment
1495 and took care, when handling 16 and 32 bit words
1496 in buffers, to always use alignment-safe transfers.
1497 This approach appears to be inadequate on some
1498 architectures such as alpha. The new approach is
1499 to initialize packet buffers in a way that anticipates
1500 how component structures will be allocated within
1501 them, to maintain correct alignment.
1502 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
1503 over TCP (Jan Just Keijser).
1504 * Added --http-proxy-option directive for controlling
1505 miscellaneous HTTP proxy options.
1506 * Management state will no longer transition to "WAIT"
1507 during TLS renegotiations.
1509 2004.12.16 -- Version 2.0-rc5
1511 * The --client-config-dir option will now try to open
1512 a default file called "DEFAULT" if no file matching
1513 the common name of the incoming client was found.
1514 * The --client-connect script/plugin can now veto client
1515 authentication by returning a failure code.
1516 * The --learn-address script/plugin can now prevent a
1517 client-instance/address association from being learned
1518 by returning a failure code.
1519 * Changed RPM group in .spec file to Applications/Internet.
1521 2004.12.14 -- Version 2.0-rc4
1523 * SuSE only -- Fixed interaction between openvpn.spec and
1524 suse/openvpn.init where the .spec file was writing the
1525 OpenVPN binary to a different location than where the
1526 .init script was referencing it (Stefan Engel).
1527 * Solaris only -- Split Solaris ifconfig command into two
1528 parts (Jan Just Keijser).
1529 * Some cleanup in add_option().
1530 * Better error checking on input dotted quad IP addresses.
1531 * Verify that --push argument is quoted, if there is
1533 * More miscellaneous option sanity checks.
1535 2004.12.13 -- Version 2.0-rc3
1537 * On Windows, when --log or --log-append is used,
1538 save the original stderr for username and password
1540 * Fixed a bug introduced in the late 2.0 betas where
1541 if a "verb" parameter >= 16 was used, it would be
1542 ignored and the actual verb level would remain at 1.
1543 * Fixed a bug mostly seen on OS X where --management-hold
1544 or --management-query-passwords would cause the management
1545 interface to be unresponsive to incoming client connections.
1546 * Trigger an options error if one of the management-modifying
1547 options is used without "management" itself.
1549 2004.12.12 -- Version 2.0-rc2
1551 * Amplified warnings in documentation about possible
1552 man-in-the-middle attack when clients do not properly
1553 verify server certificate. Changes to easy-rsa README,
1554 FAQ, HOWTO, man page, and sample client config file.
1555 * Added a warning message if --tls-client or --client
1556 is used without also specifying one of either
1557 --ns-cert-type, --tls-remote, or --tls-verify.
1558 * status_open() fixes for MSVC builds (Blaine Fleming).
1559 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
1560 compiler error which has been reported on some platforms.
1561 * The openvpn.spec file for rpmbuild has several
1562 new build-time options. See comments in the file.
1563 * Plugins are now built and packaged in the RPM and
1564 will be saved in /usr/share/openvpn/plugin/lib.
1565 * Added --management-hold directive to start OpenVPN
1566 in a hibernating state until released by the
1567 management interface. Also added "hold" command
1568 to the management interface.
1570 2004.12.07 -- Version 2.0-rc1
1572 * openvpn.spec workaround for SuSE confusion regarding
1573 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
1575 2004.12.05 -- Version 2.0-beta20
1577 * The ability to read --askpass and --auth-user-pass
1578 passwords from a file has been disabled by default.
1579 To re-enable, use ./configure --enable-password-save.
1580 * Added additional pre-connected states to management
1581 interface. See management/management-notes.txt
1583 * State history is now recorded by the management
1584 interface, and the "state" command now works like
1585 the log or echo commands.
1586 * State history and real-time state change notifications
1587 are now prepended with an integer unix timestamp.
1588 * Added --http-proxy-timeout option, previously
1589 the timeout was hardcoded to 5 seconds.
1591 2004.12.02 -- Version 2.0-beta19
1593 * Fixed bug in management interface line termination
1594 where output lines incorrectly contained a \00 char
1595 after the customary \0d \0a.
1596 * Fixed bug introduced in beta18 where Windows version
1597 would segfault on options errors.
1598 * Fixed bug in management interface where an empty
1599 quoted string ("") entered as a parameter would cause
1601 * Fixed bug where --resolv-retry was not working
1602 properly with multiple --remote hosts.
1603 * Added additional ./configure options to reduce
1604 executable size for embedded applications.
1605 See ./configure --help.
1607 2004.11.28 -- Version 2.0-beta18
1609 * Added management interface. See new --management-*
1610 options or the full management interface documentation
1611 in management/management-notes.txt in the tarball.
1612 Management interface inclusion can be disabled by
1613 ./configure --disable-management.
1614 * Added two new plugin modules: auth-pam and down-root.
1615 Auth-pam supports pam-based authentication using a
1616 split privilege execution model, while down-root enables
1617 a down script to be executed with root privileges, even
1618 when --user/--group is used to drop root privileges.
1619 See the plugin directory in the tarball for READMEs,
1620 source code, and Makefiles.
1621 * Plugin developers should note that some changes were
1622 made to the plugin interface since beta17. See
1623 openvpn-plugin.h for details.
1624 Plugin interface inclusion can be disabled with
1625 ./configure --disable-plugins
1626 * Added easy-rsa/build-key-server script which will
1627 build a certificate with with nsCertType=server.
1628 * Added --ns-cert-type option for verification
1629 of nsCertType field in peer certificate.
1630 * If --fragment n is specified and --mssfix is specified
1631 without a parameter, default --mssfix to n. This restores
1632 the 1.6 behavior when using --mssfix without a parameter.
1633 * Fixed SSL context initialization bug introduced in beta14
1634 where this error might occur on restarts: "Cannot load
1635 certificate chain ... PEM_read_bio:no start line".
1637 2004.11.11 -- Version 2.0-beta17
1639 * Changed default port number to 1194 per IANA official
1640 port number assignment.
1641 * Added --plugin directive which allows compiled
1642 modules to intercept script callbacks. See
1643 plugin folder in tarball for more info.
1644 * Fixed bug introduced in beta12 where --key-method 1
1645 authentications which should have succeeded would fail.
1646 * Ignore SIGUSR1 during DNS resolution.
1647 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
1648 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
1651 2004.11.07 -- Version 2.0-beta16
1653 * Modified sample-scripts/auth-pam.pl to get username
1654 and password from OpenVPN via a file rather than
1655 via environmental variables.
1656 * Added bytes_sent and bytes_received environmental
1657 variables to be set prior to client-disconnect script.
1658 * Changed client virtual IP derivation precedence:
1659 (1) use --ifconfig-push directive from --client-connect
1660 script, (2) use --ifconfig-push directive from
1661 --client-config-dir, and (3) use --ifconfig-pool
1663 * If a --client-config-dir file specifies --ifconfig-push,
1664 it will be visible to the --client-connect-script in
1665 the ifconfig_pool_remote_ip environmental variable.
1666 * For tun-style tunnels, the ifconfig_pool_local_ip
1667 environmental variable will be set, while for
1668 tap-style tunnels, the ifconfig_pool_netmask variable
1670 * Added intelligence to autoconf script to test
1671 compiler for the accepted form of zero-length arrays.
1672 * Fixed a bug introduced in beta12 where --ip-win32
1673 netsh would fail if --dev-node was not explicitly
1675 * --ip-win32 netsh will now work on hidden adapters.
1676 * Fix attempt of "Assertion failed at crypto.c:149".
1677 This assertion has also been reported on 1.x with a
1678 slightly different line number. The fix is twofold:
1679 (1) In previous releases, --mtu-test may trigger this
1680 assertion -- this bug has been fixed. (2) If something
1681 else causes the assertion to be thrown, don't panic,
1682 just output a nonfatal warning to the log and drop
1683 the packet which generated the error.
1684 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
1685 * Added --echo directive.
1686 * Added --auth-nocache directive.
1688 2004.10.28 -- Version 2.0-beta15
1690 * Changed environmental variable character classes
1691 so that names must consist of alphanumeric or
1692 underbar chars and values must consist of printable
1693 characters. Illegal chars will be deleted.
1694 Versions prior to 2.0-beta12 were more restrictive
1695 and would map spaces to '.'.
1696 * On Windows, when the TAP adapter fails to
1697 initialize with the correct IP address, output
1698 "Initialization Sequence Completed with Errors"
1699 to the console or log file.
1700 * Added a warning when user/group/chroot is used
1701 without persist-tun and persist-key.
1702 * Added cryptoapi.[ch] to tarball and source zip.
1703 * --tls-remote option now works with common name
1704 prefixes as well as with the full X509 subject
1705 string. This is a useful alternative to using
1706 a CRL on the client.
1707 * common names associated with a static
1708 --ifconfig-push setting will no longer leave
1709 any state in the --ifconfig-pool-persist file.
1710 * Hard TLS errors (TLS handshake failed) will now
1711 trigger either a SIGUSR1 signal by default
1712 or SIGTERM (if --tls-exit is specified). In TCP
1713 mode, all TLS errors are considered to be hard.
1714 In server mode, the signal will be local to the
1716 * Added method parameter to --auth-user-pass-verify
1717 directive to select whether username/password
1718 is passed to script via environment or a temporary
1720 * Added --status-version option to control format
1721 of --status file. The --mode server
1722 --status-version 2 format now includes a line
1723 type token, the virtual IP address is shown
1724 in the client list (even in --dev tap mode),
1725 and the integer time_t value is shown anywhere
1726 an ascii-formatted time/date is also shown.
1727 * Added --remap-usr1 directive which can be used
1728 to control whether internally or externally
1729 generated SIGUSR1 signals are remapped to
1730 SIGHUP (restart without persisting state) or
1732 * When running as a Windows service (using
1733 --service option), check the exit event before
1734 and after reading one line of input from
1735 stdin, when reading username/password info.
1736 * For developers: Extended the --gremlin function
1737 to better stress-test the new 2.0 features,
1738 added Valgrind support on Linux and Dmalloc
1741 2004.10.19 -- Version 2.0-beta14
1743 * Fixed a bug introduced in Beta12 that would occur
1744 if you use a --client-connect script without also
1746 * Fixed a bug introduced in Beta12 where a learn-address
1747 script might segfault on the delete method.
1748 * Added Crypto API support in Windows version via
1749 the --cryptoapicert option (Peter 'Luna' Runestig).
1751 2004.10.18 -- Version 2.0-beta13
1753 * Fixed an issue introduced in Beta12 where the private
1754 key password would not be prompted for unless --askpass
1755 was explicitly specified in the config.
1757 2004.10.17 -- Version 2.0-beta12
1759 * Added support for username/password-based authentication.
1760 Clients can now authentication themselves with the server
1761 using either a certificate, a username/password, or both.
1762 New directives: --auth-user-pass, --auth-user-pass-verify,
1763 --client-cert-not-required, and --username-as-common-name.
1764 * Added NTLM proxy patch (William Preston).
1765 * Added --ifconfig-pool-linear server flag to allocate
1766 individual tun addresses for clients rather than /30
1767 subnets (won't work with Windows clients).
1768 * Modified --http-proxy code to cache username/password
1770 * Modified --http-proxy code to read username/password
1771 from the console when the auth file is given as "stdin".
1772 * Modified --askpass to take an optional filename argument.
1773 * --persist-tun and --persist-key now work in client mode
1774 and can be pushed to clients as well.
1775 * Added --ifconfig-pool-persist directive, to maintain
1776 ifconfig-pool info in a file which is persistent across
1777 daemon instantiations.
1778 * --user and --group privilege downgrades as well as
1779 --chroot now also work in client mode (the
1780 dowgrade/chroot will be delayed until the initialization
1781 sequence is completed).
1782 * Added --show-engines standalone directive to show
1783 available OpenSSL crypto accelerator engine support.
1784 * --engine directive now accepts an optional engine-ID
1785 parameter to control which engine is used.
1786 * "Connection reset, restarting" log message now shows
1787 which client is being reset.
1788 * Added --dhcp-pre-release directive in Windows version.
1789 * Second parm to --ip-win32 can be "default", e.g.
1790 --ip-win32 dynamic default 60.
1791 * Fixed documentation bug regarding environmental
1792 variable settings for --ifconfig-pool IP addresses.
1793 The correct environmental variable names are:
1794 ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
1795 * ifconfig_pool_local_ip and ifconfig_pool_remote_ip
1796 environmental variables are now passed to the
1797 client-disconnect script.
1798 * In server mode, environmental variables are now scoped
1799 according to the client they are associated with,
1800 to solve the problem of "crosstalk" between different
1801 client's environmental variable sets.
1802 * Added --down-pre flag to cause --down script to be
1803 called before TUN/TAP close (rather than after).
1804 * Added --tls-exit flag which will cause OpenVPN
1805 to exit on any TLS errors.
1806 * Don't push a route to a client if it exactly
1807 matches an iroute (this lets you push routes to
1808 all clients, and OpenVPN will automatically remove
1809 the route from the route push list only for that client
1810 which the route actually belongs to).
1811 * Made '--resolv-retry infinite' the default.
1812 --resolv-retry can be disabled by using a parameter of 0.
1813 * For clients which plan to pull config info from server,
1814 set an initial default ping-restart of 60 seconds.
1815 * Optimized mute code to lessen the load on the processor
1816 when messages are being muted at a higher frequency.
1817 * Made route log messages non-mutable.
1818 * Silence the Linux "No buffer space available" message.
1819 * Added miscellaneous additional option sanity checks.
1820 * Added Windows version of easy-rsa scripts in
1821 easy-rsa/Windows directory (Andrew J. Richardson).
1822 * Added NetBSD route patch (Ed Ravin).
1823 * Added OpenBSD patch for TAP + --redirect-gateway
1824 (Waldemar Brodkorb).
1825 * Directives which prompt for a username and/or password
1826 will now work with --daemon (OpenVPN will prompt
1828 * Warn if CRL is from a different issuer than the
1829 issuer of the peer certificate (Bernhard Weisshuhn).
1830 * Changed init script chkconfig parameters to start
1831 OpenVPN daemon(s) before NFS.
1832 * Bug fix attempt of "too many I/O wait events" which occurs
1833 on OSes which prefer select() over poll() such as Mac OS X.
1834 * Added --ccd-exclusive flag. This flag will require, as a
1835 condition of authentication, that a connecting client has
1836 a --client-config-dir file.
1837 * TAP-Win32 open code will attempt to open a free adapter
1838 if --dev-node is not specified (Mathias Sundman).
1839 * Resequenced --nice and --chroot ordering so that --nice
1841 * Added --suppress-timestamps flag (Charles Duffy).
1842 * Source code changes to allow compilation by MSVC
1843 (Peter 'Luna' Runestig).
1844 * Added experimental --fast-io flag which optimizes
1845 TUN/TAP/UDP writes on non-Windows systems.
1847 2004.08.18 -- Version 2.0-beta11
1849 * Added --server, --server-bridge, --client, and
1850 --keepalive helper directives. See client.conf
1851 and server.conf in sample-config-files for sample
1852 configurations which use the new directives.
1853 * On Windows, added --route-method to control
1854 whether IP Helper API or route.exe is used
1855 to add/delete routes.
1856 * On Windows, added a second parameter to
1857 --route-delay to control the maximum time period
1858 to wait for the TAP-Win32 adapter to come up
1859 before adding routes.
1860 * Fixed bug in Windows version where configurations
1861 which omit --ifconfig might fail to recognize when
1862 the TAP adapter is up.
1863 * Proxy connection failures will now retry according
1864 to the --connect-retry parameter.
1865 * Fixed --dev null handling on Windows so that TLS
1866 loopback test described in INSTALL file works
1867 correctly on Windows.
1868 * Added "Initialization Sequence Completed" message
1869 after all initialization steps have been completed
1870 and the VPN can be considered "up".
1871 * Better sanity-checking on --ifconfig-pool parameters.
1872 * Added --tcp-queue-limit option to control
1873 TUN/TAP -> TCP socket overflow.
1874 * --ifconfig-nowarn flag will now silence general
1875 warnings about possible --ifconfig address
1876 conflicts, including the warning about --ifconfig
1877 and --remote addresses being in same /24 subnet.
1878 * Fixed case where server mode did not correctly
1879 identify certain types of ethernet multicast packets
1881 * Added --explicit-exit-notify option (experimental).
1883 2004.08.02 -- Version 2.0-beta10
1885 * Fixed possible reference after free of option strings
1886 after a restart, bug was introduced in beta8.
1887 * Fixed segfault at route.c:919 in the beta9
1888 Windows version that was being caused by indirection
1889 through a NULL pointer.
1890 * Mistakenly built debug version of TAP-Win32 driver
1891 for beta9. Beta10 has correct release build.
1893 2004.07.30 -- Version 2.0-beta9
1895 * Fixed --route issue on Windows that was introduced with
1896 the new beta8 route implementation based on the
1899 2004.07.27 -- Version 2.0-beta8
1901 * Added TCP support in server mode.
1902 * Added PKCS #12 support (Mathias Sundman).
1903 * Added patch to make revoke-crt and make-crl work
1904 seamlessly within the easy-rsa environment (Jan Kiszka).
1905 * Modified --mode server ethernet bridge code to forward
1906 special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
1907 * Added --dhcp-renew and --dhcp-release flags to Windows
1908 version. Normally DHCP renewal and release on the TAP
1909 adapter occurs automatically under Windows, however
1910 if you set the TAP-Win32 adapter Media Status property
1911 to "Always Connected", you may need these flags.
1912 * Added --show-net standalone flag to Windows version to
1913 show OpenVPN's view of the system adapter and routing
1915 * Added --show-net-up flag to Windows version to output
1916 the system routing table and network adapter list to
1917 the log file after the TAP-Win32 adapter has been brought
1918 up and any routes have been added.
1919 * Modified Windows version to add routes using the IP Helper
1920 API rather than by calling route.exe.
1921 * Fixed bug where --route-up script was not being called
1922 if no --route options were specified.
1923 * Added --mute-replay-warnings to suppress packet replay
1924 warnings. This is a common false alarm on WiFi nets.
1925 * Added "def1" flag to --redirect-gateway option to override
1926 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
1927 rather than 0.0.0.0/0. This has the benefit of overriding
1928 but not wiping out the original default gateway.
1929 (Thanks to Jim Carter for pointing out this idea).
1930 * You can now run OpenVPN with a single config file argument.
1931 For example, you can now say "openvpn config.conf"
1932 rather than "openvpn --config config.conf".
1933 * On Windows, made --route and --route-delay more adaptive
1934 with respect to waiting for interfaces referenced by the
1935 route destination to come up. Routes added by --route
1936 should now be added as soon as the interface comes up,
1937 rather than after an obligatory 10 second delay. The
1938 way this works internally is that --route-delay now
1939 defaults to 0 on Windows. Previous versions would
1940 wait for --route-delay seconds then add the routes.
1941 This version will wait --route-delay seconds and then
1942 test the routing table at one second intervals for the
1943 next 30 seconds and will not add the routes until they
1944 can be added without errors.
1945 * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
1946 default on TCP/UDP socket in light of reports that this
1947 action can have undesirable global side effects on the
1948 MTU settings of other adapters. These parameters can
1949 still be set, but you need to explicitly specify
1950 --sndbuf and/or --rcvbuf.
1951 * Added --max-clients option to limit the maximum number
1952 of simultaneously connected clients in server mode.
1953 * Added error message to illuminate shell escape gotcha when
1954 single backslashes are used in Windows path names.
1955 * Added optional netmask parm to --ifconfig-pool.
1956 * Fixed bug where http-proxy connect retry attempts were
1957 incorrectly going to the remote OpenVPN server,
1958 not to the HTTP proxy server.
1960 2004.06.29 -- Version 2.0-beta7
1962 * Fixed bug in link_socket_verify_incoming_addr() which
1963 under certain circumstances could have caused --float
1964 behavior even if --float was not specified.
1965 * --tls-auth option now works with --mode server.
1966 All clients and the server should use the same
1967 --tls-auth key when operating in client/server mode.
1968 * Added --engine option to make use of OpenSSL-supported
1969 crypto acceleration hardware.
1970 * Fixed some high verbosity print format size issues
1971 in event.c for 64 bit platforms (Janne Johansson).
1972 * Made failure to open --log or --log-append file
1975 2004.06.23 -- Version 2.0-beta6
1977 * Fixed Windows installer to intelligently put
1978 up a reboot dialog only if tapinstall tells
1979 us that it's really necessary.
1980 * Fixed "Assertion failed at fragment.c:309"
1981 bug when --mode server and --fragment are used
1983 * Ignore HUP, USR1, and USR2 signals during
1984 initialization. Prior versions would abort.
1985 * Fixed bug on OS X: "Assertion failed at event.c:406".
1986 * Added --service option to Windows version, for use
1987 when OpenVPN is being programmatically instantiated
1988 by another process (see man page for info).
1989 * --log and --log-append options now work on Windows.
1990 * Update OpenBSD INSTALL notes (Janne Johansson).
1991 * Enable multicast on tun interface when running on
1992 OpenBSD (Pavlin Radoslavov).
1993 * Fixed recent --test-crypto breakage, where options
1994 such as --cipher were not being parsed correctly.
1995 * Modified options compatibility string by removing
1996 ifconfig substring if it is empty. Incremented
1997 options compatibility string version number to 4.
1998 * Fixed typo in --tls-timeout option parsing
2001 2004.06.13 -- Version 2.0-beta5
2003 * Fixed rare --mode server crash that could occur
2004 if data was being routed to a client at
2005 high bandwidth at the precise moment that the
2006 client instance object on the server was being
2008 * Fixed issue on machines which have epoll.h and
2009 the epoll_create glibc call defined, but which
2010 don't actually implement epoll in the kernel.
2011 OpenVPN will now gracefully fall back to the
2012 poll API in this case.
2013 * Fixed Windows bug which would cause the following
2014 error in a --mode server --dev tap configuration:
2015 "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
2017 * Added CRL (certificate revocation list) management
2018 scripts to easy-rsa directory (Jon Bendtsen).
2019 * Do a better job of getting the ifconfig component
2020 of the options consistency check to work correctly
2021 when --up-delay is used.
2022 * De-inlined some functions which were too complex
2023 to be inlined anyway with gcc.
2024 * If a --dhcp-option option is pushed to a non-windows
2025 client, the option will be saved in the client's
2026 environment before the --up script is called, under
2027 the name "foreign_option_{n}".
2028 * Added --learn-address script (see man page) which
2029 allows for firewall access through the VPN to be
2030 controlled based on the client common name.
2031 * In mode --server mode, when a client connects to
2032 the server, the server will disconnect any
2033 still-active clients which use the same common
2034 name. Use --duplicate-cn flag to revert to
2035 previous behavior of allowing multiple clients
2036 to concurrently connect with the same common name.
2038 2004.06.08 -- Version 2.0-beta4
2040 * Fixed issue with beta3 where Win32 service wrapper
2041 was keying off of old TAP HWID as a dependency. To
2042 ensure that the new service wrapper is correctly
2043 installed, the Windows install script will uninstall
2044 the old wrapper before installing the new one,
2045 causing a reset of service properties.
2046 * Fixed permissions issue on --status output file,
2047 with default access permissions of owner read/write
2048 only (default permissions can be changed of course with
2051 2004.06.05 -- Version 2.0-beta3
2053 * More changes to TAP-Win32 driver's INF file which
2054 affects the placement of the driver in the Windows
2055 device namespace. This is done to work around an
2056 apparent bug in Windows when short HWIDs are used,
2057 and will also ease the upgrade from 1.x to 2.0 by
2058 reducing the chances that a reboot will be needed
2059 on upgrade. Like beta2, this upgrade will
2060 delete existing TAP-Win32 interfaces, and reinstall
2061 a single new interface with default properties.
2062 * Major rewrite of I/O event wait layer in the style
2063 of libevent. This is a precursor to TCP support
2065 * New feature: --status. Outputs a SIGUSR2-like
2066 status summary to a given file, updated once
2067 per n seconds. The status file is comma delimited
2068 for easy machine parsing.
2069 * --ifconfig-pool now remembers common names and
2070 will try to assign a consistent IP to a given
2071 common name. Still to do: persist --ifconfig-pool
2072 memory across restarts by saving state in file.
2073 * Fixed bug in event timer queue which could cause
2074 recurring timer events such as --ping to not
2075 correctly schedule again after firing. This in
2076 turn would cause spurrious ping restarts and possible
2077 connection outages. Thanks to Denis Vlasenko for
2079 * Possible fix to reported bug where --daemon argument
2080 was not printing to syslog correctly after restart.
2081 * Fixed bug where pulling --route or --dhcp-option
2082 directives from a server would problematically
2083 interact with --persist-tun on the client.
2084 * Updated contrib/multilevel-init.patch (Farkas Levente).
2085 * Added RPM build option to .spec and .spec.in files
2086 to optionally disable LZO inclusion (Ian Pilcher).
2087 * The latest MingW runtime and headers define
2088 'ssize_t', so a patch is needed (Gisle Vanem).
2090 2004.05.14 -- Version 2.0-beta2
2092 * Fixed signal handling bug in --mode server, where
2093 SIGHUP and SIGUSR1 were treated as SIGTERM.
2094 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
2095 Apparently the larger string may work around
2096 a problem where the TAP adapter is sometimes missing
2097 from the network connections panel, especially under
2098 XP SP2. Also note that installing this upgrade will
2099 uninstall any pre-existing TAP-Win32 adapters, and then
2100 install a single new adapter, meaning that old adapter
2101 properties will be lost. Thanks to Md5Chap for solving
2103 * For --mode server --dev tap, the options --ifconfig and
2104 --ifconfig-pool are now optional. This allows address
2105 assignment via DHCP or use of a TAP VPN without
2106 IP support, as has always been possible with 1.x.
2107 * Fixed bug where --ifconfig may not work correctly on
2109 * Added 'local' flag to --redirect-gateway for use on
2110 networks where both OpenVPN daemons are connected
2111 to a shared subnet, such as wireless.
2113 2004.05.09 -- Version 2.0-beta1
2115 * Unchanged from test29 except for version number
2118 2004.05.08 -- Version 2.0-test29
2120 * Modified --dev-node on Windows to accept a TAP-Win32
2121 GUID name. In addition, --show-adapters will now
2122 display the high-level name and GUID of each adapter.
2123 This is an attempt to work around an issue in Windows
2124 where sometimes the TAP-Win32 adapter installs correctly
2125 but has no icon in the network connections control
2126 panel. In such cases, being able to specify
2127 --dev-node {TAP-GUID} can work around the missing icon.
2129 2004.05.07 -- Version 2.0-test28
2131 * Fixed bug which could cause segfault on program
2132 shutdown if --route and --persist-tun are used
2135 2004.05.06 -- Version 2.0-test27
2137 * Fixed bug in close_instance() which might cause
2138 memory to be accessed after it had already been freed.
2139 * Fixed bug in verify_callback() that might have
2140 caused uninitialized data to be referenced.
2141 * --iroute now allows full CIDR subnet routing.
2142 * In "--mode server --dev tun" usage, source addresses
2143 on VPN packets coming from a particular client must
2144 be associated with that client in the OpenVPN internal
2147 2004.04.28 -- Version 2.0-test26
2149 * Optimized broadcast path in multi-client mode.
2150 * Added socket buffer size options --rcvbuf & --sndbuf.
2151 * Configure Linux tun/tap driver to use a more sensible
2152 txqueuelen default. Also allow explicit setting
2153 via --txqueuelen option (Harald Roelle).
2154 * The --remote option now allows the port number
2155 to be specified as the second parameter. If
2156 unspecified, the port number defaults to the
2158 * Multiple --remote options on the client can now be
2159 specified for load balancing and failover. The
2160 --remote-random flag can be used to initially randomize
2161 the --remote list for basic load balancing.
2162 * If a remote DNS name resolves to multiple DNS addresses,
2163 one will be chosen by random as a kind of basic
2164 load-balancing feature if --remote-random is used.
2165 * Added --connect-freq option to control maximum
2166 new connection frequency in multi-client mode.
2167 * In multi-client mode, all syslog messages associated
2168 with a specific client now include a client-ID prefix.
2169 * For Windows, use a gettimeofday() function based
2170 on QueryPerformanceCounter (Derek Burdick).
2171 * Fixed bug in interaction between --key-method 2
2172 and DES ciphers, where dynamic keys would be generated
2173 with bad parity and then be rejected.
2175 2004.04.17 -- Version 2.0-test24
2177 * Reworked multi-client broadcast handling.
2179 2004.04.13 -- Version 2.0-test23
2181 * Fixed bug in --dev tun --client-to-client routing.
2182 * Fixed a potential deadlock in --pull.
2183 * Fixed a problem with select() usage which could
2184 cause a repeating sequence of "select : Invalid
2187 2004.04.11 -- Version 2.0-test22
2189 * Fixed bug where --mode server + --daemon was
2190 prematurely closing syslog connection.
2191 * Added support for --redirect-gateway on Mac OS X
2193 * Minor changes to TAP-Win32 driver based on feedback
2194 from the NDISTest tool.
2196 2004.04.11 -- Version 2.0-test21
2198 * Optimizations in multi-client server event loop.
2200 2004.04.10 -- Version 2.0-test20
2202 * --mode server capability now works with either tun
2203 or tap interfaces. When used with tap interfaces,
2204 OpenVPN will internally bridge all client tap
2205 interfaces with the server tap interface.
2206 * Connecting clients can now have a client-specific
2207 configuration on the server, based on the client
2208 common name embedded in the client certificate.
2209 See --client-config-dir and --client-connect.
2210 These options can be used to configure client-specific
2212 * Added an option --client-to-client that enables
2213 internal client-to-client routing or bridging.
2214 Otherwise, clients will only "see" the server,
2215 not other connected clients.
2216 * Fixed bug in route scheduling which would have caused
2217 --mode server to not work on Windows in test18
2218 and test19 with the sample config file.
2219 * Man page is up to date with all new options.
2220 * OpenVPN 2.0 release notes on web site updated
2221 with tap-style tunnel examples.
2223 2004.04.02 -- Version 2.0-test19
2225 * Fixed bug where routes pushed from server were
2226 not working correctly on Windows clients.
2227 * Added Mac OS X route patch (Jeremy Apple).
2229 2004.03.30 -- Version 2.0-test18
2231 * Minor fixes + Windows self-install modified
2232 to use OpenSSL 0.9.7d.
2234 2004.03.29 -- Version 2.0-test17
2236 * Fixed some bugs related to instance timeout and deletion.
2237 * Extended --push/--pull option to support additional
2240 2004.03.28 -- Version 2.0-test16
2242 * Successful test of --mode udp-server, --push,
2243 --pull, and --ifconfig-pool with server on
2244 Linux 2.4 and clients on Linux and Windows.
2246 2004.03.25 -- Version 2.0-test15
2248 * Implemented hash-table lookup of client instances
2249 based either on remote UDP address/port or remote
2251 * Implemented a randomized binary tree based
2252 scheduler for scalably scheduling a large number
2253 of client instance events. Uses the treap
2254 data structure and node rotation algorithm
2255 to keep the tree balanced.
2256 * Initial implementation of ifconfig-pool.
2257 * Made --key-method 2 the default.
2259 2004.03.20 -- Version 2.0-test14
2261 * Implemented --push and --pull.
2263 2004.03.20 -- Version 2.0-test13
2265 * Reduced struct tls_multi and --single-session
2267 * Modified --single-session flag to be used
2268 in multi-client UDP server client instances.
2270 2004.03.19 -- Version 2.0-test12
2272 * Added the key multi-client UDP server options,
2273 --mode, --push, --pull, and --ifconfig-pool.
2274 * Revamped GC (garbage collection) code to not rely
2276 * Modifications to thread.[ch] to allow a more
2277 flexible thread model.
2279 2004.03.16 -- Version 2.0-test11
2281 * Moved all timer code to interval.h, added new file
2283 * Fixed missing include.
2285 2004.03.16 -- Version 2.0-test10
2287 * More TAP-Win32 fixes.
2288 * Initial debugging and testing of multi.[ch].
2290 2004.03.14 -- Version 2.0-test9
2292 * Branch merge with 1.6-rc3
2293 * More point-to-multipoint work in multi.[ch].
2294 * Major TAP-Win32 driver restructuring to use
2295 NdisMRegisterDevice instead of
2296 IoCreateDevice/IoCreateSymbolicLink.
2297 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
2299 * In the majority of cases, TAP-Win32 should now be
2300 able to install and uninstall on Win2K without requiring
2302 * TAP-Win32 MAC address can now be explicitly set in the
2303 adapter advanced properties page.
2305 2004.03.04 -- Version 2.0-test8
2307 * Branch merge with 1.6-rc2.
2309 2004.03.03 -- Version 2.0-test7
2311 * Branch merge with 1.6-rc1.2.
2313 2004.03.02 -- Version 2.0-test6
2315 * Branch merge with 1.6-rc1.
2317 2004.03.02 -- Version 2.0-test5
2319 * Move Socks5 UDP header append/remove to socks.c, and is
2320 called from forward.c.
2321 * Moved verify statics from ssl.c into struct tls_session.
2322 * Wrote multi.[ch] to handle top level of point-to-multipoint
2324 * Wrote some code to allow a struct link_socket in a child context
2325 to be slaved to the parent context.
2326 * Broke up packet read and process functions in forward.c
2327 (from socket or tuntap) into separate functions for read
2328 and process, so that point-to-point and point-to-multipoint can
2329 share the same code.
2330 * Expand TLS control channel to allow the passing of configuration
2332 * Wrote mroute.[ch] to handle internal packet routing for
2333 point-to-multipoint mode.
2335 2004.02.22 -- Version 2.0-test3
2337 * Initial work on UDP multi-client server.
2338 * Branch merge of 1.6-beta7
2340 2004.02.14 -- Version 2.0-test2
2342 * Refactorization of openvpn.c into openvpn.[ch]
2343 init.[ch] forward.[ch] forward-inline.h
2344 occ.[ch] occ-inline.h ping.[ch] ping-inline.h
2345 sig.[ch]. Created a master per-tunnel
2346 struct context in openvpn.h.
2347 * Branch merge of 1.6-beta6.2
2349 2003.11.06 -- Version 2.0-test1
2351 * Initial testbed for 2.0.
2353 2004.05.09 -- Version 1.6.0
2355 * Unchanged from 1.6-rc4 except for version number
2358 2004.04.01 -- Version 1.6-rc4
2360 * Made minor customizations to devcon and
2361 renamed as tapinstall.exe for Windows version.
2362 * Fixed "storage size of `iv' isn't known" build
2364 * OpenSSL 0.9.7d bundled with Windows self-install.
2366 2004.03.13 -- Version 1.6-rc3
2368 * Minor Windows fixes for --ip-win32 dynamic, relating to
2369 the way the TAP-Win32 driver responds to a DHCP request
2370 from the Windows DHCP client.
2371 * The net_gateway environmental variable wasn't being
2372 set correctly for called scripts (Paul Zuber).
2373 * Added code to determine the default gateway on FreeBSD,
2374 allowing the --redirect-gateway option to work
2375 (Juan Rodriguez Hervella).
2377 2004.03.04 -- Version 1.6-rc2
2379 * Fixed bug in Windows version where the NetBIOS node-type
2380 DHCP option might have been passed even if it was not
2382 * Fixed bug in Windows version introduced in 1.6-rc1, where
2383 DHCP timeout would be set to 0 seconds if --ifconfig option
2384 was used and --ip-win32 option was not explicitly specified.
2385 * Added some new --dhcp-option types for Windows version.
2387 2004.03.02 -- Version 1.6-rc1
2389 * For Windows, make "--ip-win32 dynamic" the default.
2390 * For Windows, make "--route-delay 10" the default
2391 unless --ip-win32 dynamic is not used or --route-delay
2392 is explicitly specified.
2393 * L_TLS mutex could have been left in a locked state
2394 for certain kinds of TLS errors.
2396 2004.02.22 -- Version 1.6-beta7
2398 * Allow scheduling priority increase (--nice) together
2399 with UID/GID downgrade (--user/--group).
2400 * Code that causes SIGUSR1 restart on TLS errors in TCP
2401 mode was not activated in pthread builds.
2402 * Save the certificate serial number in an environmental
2403 variable called tls_serial_{n} prior to calling the
2404 --tls-verify script. n is the current cert chain level.
2405 * Added NetBSD IPv6 tunnel capability (also requires
2406 a kernel patch) (Horst Laschinsky).
2407 * Fixed bug in checking the return value of the nice()
2408 function (Ian Pilcher).
2409 * Bug fix in new FreeBSD IPv6 over TUN code which was
2410 originally added in 1.6-beta5 (Nathanael Rensen).
2411 * More Socks5 fixes -- extended the struct frame
2412 infrastructure to accomodate proxy-based encapsulation
2414 * Added --dhcp-option to Windows version for setting
2415 adapter properties such as WINS & DNS servers.
2416 * Use a default route-delay of 5 seconds when
2417 --ip-win32 dynamic is specified (only applicable when
2418 --route-delay is not explicitly specified).
2419 * Added "log_append" registry variable to control
2420 whether the OpenVPN service wrapper on Windows
2421 opens log files in append (log_append="1") or
2422 truncate (log_append="0") mode. The default
2425 2004.02.05 -- Version 1.6-beta6
2427 * UDP over Socks5 fix to accomodate Socks5 encapsulation
2428 overhead (Christof Meerwald).
2429 * Minor --ip-win32 dynamic tweaks (use long lease time,
2430 invalidate existing lease with DHCPNAK).
2432 2004.02.01 -- Version 1.6-beta5
2434 * Added Socks5 proxy support (Christof Meerwald).
2435 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
2436 * Special TAP-Win32 debug mode for Windows self-install that was
2437 enabled in beta4 is now turned off.
2438 * Added some new Solaris notes to INSTALL (Koen Maris).
2439 * More work on --ip-win32 dynamic.
2441 2004.01.27 -- Version 1.6-beta4
2443 * For this beta, the Windows self-install is a debug version
2444 and will run slower -- use only for testing.
2445 * Reverted the --ip-win32 default back to 'ipapi'
2447 * Added the offset parameter to '--ip-win32 dynamic' which
2448 can be used to control the address of the masqueraded
2449 DHCP server which replies to Windows DHCP requests.
2450 * Added a wait/nowait option to --inetd (nowait can only
2451 be used with TCP sockets, TLS authentication, and over
2452 a bridged configuration -- see FAQ for more info)
2453 (Stefan `Sec` Zehl).
2454 * Added a build-time capability where TAP-Win32 driver
2455 debug messages can be output by OpenVPN at --verb 6
2458 2004.01.20 -- Version 1.6-beta2
2460 * Added ./configure --enable-iproute2 flag which
2461 uses iproute2 instead of route + ifconfig --
2462 this is necessary for the LEAF Linux distro
2464 * Added renewal-time and rebind-time to set of
2465 DHCP options returned by the TAP-Win32 driver when
2466 "--ip-win32 dynamic" is used.
2468 2004.01.14 -- Version 1.6-beta1
2470 * Fixed --proxy bug that sometimes caused plaintext
2471 control info generated by the proxy prior to http
2472 CONNECT method establishment to be incorrectly
2473 parsed as OpenVPN data.
2474 * For Windows version, implemented the
2475 "--ip-win32 dynamic" method and made it the default.
2476 This method sets the TAP-Win32 adapter IP address
2477 and netmask by replying to the kernel's DHCP queries.
2478 See the man page for more detailed info.
2479 * Added --connect-retry parameter which controls
2480 the time interval (in seconds) between connect()
2481 retries when --proto tcp-client is used. Previously,
2482 this value was hardcoded to 5 seconds, and still
2484 * --resolv-retry can now be used with a parameter
2485 of "infinite" to retry indefinitely.
2486 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
2487 for support of multi-level certificate chains
2489 * Fixed --tls-auth incompatibility with 1.4.x and earlier
2490 versions of OpenVPN when the passphrase file is an
2491 OpenVPN static key file (as generated by --genkey).
2492 * Added shell-escape support in config files using
2493 the backslash character ("\") so that (for example)
2494 double quotes can be passed to the shell.
2495 * Added "contrib" subdirectory on tarball, source zip,
2496 and CVS containing user-submitted contributions.
2497 * Added an optional patch to the Redhat init script to
2498 allow the configuration file directory to be a
2499 multi-level directory hierarchy (Farkas Levente).
2500 See contrib/multilevel-init.patch
2501 * Added some scripts and documentation on using
2502 Linux "fwmark" iptables rules to enable
2503 fine-grained routing control over the VPN
2504 (Sean Reifschneider, <jafo@tummy.com>).
2505 See contrib/openvpn-fwmarkroute-1.00
2507 2003.11.20 -- Version 1.5.0
2509 * Minor documentation changes.
2511 2003.11.04 -- Version 1.5-beta14
2513 * Fixed build problem with ./configure --disable-ssl
2514 that was reported on Debian woody.
2515 * Fixed bug where --redirect-gateway could not be used
2516 together with --resolv-retry.
2518 2003.11.03 -- Version 1.5-beta13
2520 * Added CRL (certificate revocation list) capability using
2521 --crl-verify option (Stefano Bracalenti).
2522 * Added --replay-window option for variable replay-protection
2524 * Fixed --fragment bug which might have caused certain large
2525 packets to be sent unfragmented.
2526 * Modified --secret and --tls-auth to permit different cipher and
2527 HMAC keys to be used for each data flow direction. Also
2528 increased static key file size generated by --genkey from
2529 1024 to 2048 bits, where 512 bits each are reserved for
2530 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
2531 and backward compatibility is maintained. See --secret option
2532 documentation on the man page for more info.
2533 * Added --tls-remote option (Teemu Kiviniemi).
2534 * Fixed --tls-cipher documention regarding correct delimiter
2535 usage (Teemu Kiviniemi).
2536 * Added --key-method option for selecting alternative data
2537 channel key negotiation methods. Method 1 is the default.
2538 Method 2 has been added (see man page for more info).
2539 * Added French translation of HOWTO to web site
2540 (Guillaume Lehmann).
2541 * Fixed problem caused by late resolver library load on
2542 certain platforms when --resolv-retry and --chroot are
2543 used together (Teemu Kiviniemi).
2544 * In TCP mode, all decryption or TLS errors will abort the current
2545 connection (this is not done in UDP mode because UDP is
2547 * Fixed a TCP client reconnect bug that only occurs on the
2548 BSDs, where connect() fails with an invalid argument. This
2549 bug was partially (but not completely) fixed in beta7.
2550 * Added "route_net_gateway" environmental variable which contains
2551 the pre-existing default gateway address from the routing table
2552 (there's no standard API for getting the default gateway, so
2553 right now this feature only works on Windows or Linux).
2554 * Renamed the "route_default_gateway" enviromental variable to
2555 "route_vpn_gateway" -- this is the remote VPN endpoint.
2556 * The special keywords vpn_gateway, net_gateway, and remote_host
2557 can now be used for the network or gateway components of the
2558 --route option. See the man page for more info.
2559 * Added the --redirect-gateway option to configure the VPN
2560 as the default gateway (implemented on Linux and Windows only).
2561 * Added the --http-proxy option with basic authentication
2562 support for use in TCP client mode. Successfully tested
2563 using Squid as the HTTP proxy, with and without authentication.
2565 2003.10.12 -- Version 1.5-beta12
2567 * Fixed Linux-only bug in --mktun and --rmtun which was
2568 introduced around beta8 or so, which would cause
2569 an error such as "I don't recognize device tun0 as a
2570 tun or tap device1".
2571 * Added --ifconfig-nowarn option to disable options
2572 consistency warnings about --ifconfig parameters.
2573 * Don't allow any kind of sequence number backtracking or
2574 message reordering when in TCP mode.
2575 * Changed beta naming convention to use '_' (underscore)
2576 rather than '-' (dash) to pacify rpmbuild.
2578 2003.10.08 -- Version 1.5-beta11
2580 * Modified code in the Windows version which sets the IP address
2581 and netmask of the TAP-Win32 adapter using the IP Helper API.
2582 Most of the changes involve better error recovery when
2583 the IP Helper API returns an error status. See the
2584 manual page entry on --ip-win32 for more info.
2586 2003.10.08 -- Version 1.5-beta10
2588 * Added getpass() function for Windows version so that --askpass
2589 option works correctly (Stefano Bracalenti).
2590 * Added reboot advisory to end of Win32 install script.
2591 * Changed crypto code to use pseudo-random IVs rather than
2592 carrying forward the IV state from the previous packet.
2593 This is in response to item 2 in the following document:
2594 http://www.openssl.org/~bodo/tls-cbc.txt which points
2595 out weaknesses in TLS's use of the same IV carryforward
2596 approach. This change does not break protocol compatibility
2597 with previous versions of OpenVPN.
2598 * Made a change to the crypto replay protection code to also
2599 protect against certain kinds of packet reordering attacks.
2600 This change does not break protocol compatibility with
2601 previous versions of OpenVPN.
2602 * Added --ip-win32 option to provide several choices for
2603 setting the IP address on the TAP-Win32 adapter.
2604 * #ifdefed out non-CBC crypto modes by default.
2605 * Added --up-delay option to delay TUN/TAP open and --up script
2606 execution until after connection establishment. This option
2607 replaces the earlier windows-only option --tap-delay.
2609 2003.10.01 -- Version 1.5-beta9
2611 * Fixed --route-noexec bug where option was not parsed correctly.
2612 * Complain if --dev tun is specified without --ifconfig on Windows.
2613 * Fixed bug where TCP connections on windows would sometimes cause
2614 an assertion failure.
2615 * Added a new flag to TAP-Win32 advanced properties that allows one
2616 to set the adapter to be always "connected" even when an OpenVPN
2617 process doesn't have it open. The default behavior is to report
2618 a media status of connected only when an OpenVPN process has the
2620 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
2621 DLLs in response to an OpenSSL security advisory.
2623 2003.09.30 -- Version 1.5-beta8
2625 * Extended the --ifconfig option to work on tap devices as well
2627 * Implemented the --ifconfig option for Windows, by calling the
2629 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
2630 refresh the MAC cache. This behaviour can be disabled with
2632 * On Windows, allow the --dev-node parameter (which specifies
2633 the name of the TAP-Win32 adapter) to be omitted in cases where
2634 there is a single TAP-Win32 adapter on the system which can be
2635 assumed to be the default.
2636 * Modified the diagnostic --verb 5 debugging level to print 'R'
2637 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
2638 and 'w' for TUN/TAP write.
2639 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
2641 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
2642 * Make the --enable-mtu-dynamic ./configure option enabled by
2644 * Deprecated the --mtu-dynamic run-time option, in favor of
2646 * DNS names can now be used as --ifconfig parameters.
2647 * Significant work on TAP-Win32 driver to bring up to SMP standards.
2648 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
2649 unloaded or disabled, while a user-space process has it open.
2650 * On Windows, if --tun-mtu is not specified, it will be read from
2651 the TAP-Win32 driver via ioctl.
2652 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
2653 signal (only when run from a console window).
2654 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
2655 * Renamed --mtu-dynamic option to --fragment to more accurately
2656 reflect its function. Fragment accepts a single parameter which
2657 is the upper limit on acceptable UDP packet size.
2658 * Changed default --tun-mtu-extra parameter to 32 from 64.
2659 * Eliminated reference to malloc.o in configure.ac.
2660 * Added tun device emulation to the TAP-Win32 driver.
2661 * Added --route and related options.
2662 * Added init script for SuSE Linux (Frank Plohmann).
2663 * Extended option consistency check between peers to function
2664 in all crypto modes, including static-key and cleartext modes.
2665 Previously only TLS mode was supported. Disable with
2667 * Overall, increased the amount of configuration option sanity
2668 checking, especially of networking parameters.
2669 * Added --mtu-test option for empirical MTU measurement.
2670 * Added Windows-only option --tap-delay to not set the TAP-Win32
2671 adapter media state to 'connected' until TCP/UDP connection
2672 establishment with peer.
2673 * Slightly modified --route/--route-delay semantics so that when
2674 --route is given without --route-delay, routes are added
2675 immediately after tun/tap device open. When --route-delay is
2676 specified, routes will be added n seconds after connection
2677 initiation, where n is the --route-delay parameter (which
2679 * Made TCP framing error into a non-fatal error that triggers a
2682 2003.08.28 -- Version 1.5-beta7
2684 * Fixed bug that caused OpenVPN not to respond to exit/restart
2685 signals when --resolv-retry is used and a local or remote DNS
2686 name cannot be resolved.
2687 * Exported a series of environmental variables with useful
2688 info for scripts. See man page for more info. Based
2689 on a suggestion by Anthony Ciaravalo.
2690 * Moved TCP/UDP socket bind to a point in the initialization
2691 before the --up script gets called. This is desirable
2692 because (a) a socket bind failure will happen before
2693 daemonization, allowing an error status code to be returned
2694 to the shell and (b) the possibility is eliminated of a
2695 socket bind failure causing the --up script to be run
2696 but not the --down script. This change has a side effect
2697 that --resolv-retry will no longer work with --local.
2698 * Fixed bug where if an OpenVPN TCP server went down and back
2699 up again, Solaris or FreeBSD clients would fail to reconnect
2701 * Fixed bug that prevented OpenVPN from being run by
2702 inetd/xinetd in TCP mode.
2703 * Added --log and --log-append options for logging messages to
2705 * On Windows, check that the current user is a member of the
2706 Administrator group before attempting install or uninstall.
2708 2003.08.16 -- Version 1.5-beta6
2710 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
2712 2003.08.14 -- Version 1.5-beta5
2714 * Added user-configurability of the TAP-Win32 adapter MTU
2715 through the adapter advanced properties page.
2716 * Added Windows Service support.
2717 * On Windows, added file association and right-clickability
2718 for .ovpn files (OpenVPN config files).
2720 2003.08.05 -- Version 1.5-beta4
2722 * Extra refinements and error checking added to Windows
2723 NSIS install script.
2725 2003.08.05 -- Version 1.5-beta3
2727 * Added md5.h include to crypto.c to fix build problem on
2729 * Created a Win32 installer using NSIS.
2730 * Removed DelService command from TAP-Win32 INF file. It appears
2731 to be not necessary and it interfered with the ability to
2732 uninstall and reinstall the driver without needing to reboot.
2733 * On Windows version, added "addtap" and "deltapall" batch
2734 files to add and delete TAP-Win32 adapter instances.
2736 2003.07.31 -- Version 1.5-beta2
2738 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
2739 in Windows ASCII so it's easier to click and view.
2740 * Added postscript and PDF versions of the HOWTO to the web
2742 * Merged Michael Clarke's stability patch into TAP-Win32
2743 driver which appears to fix the suspend/resume driver bug
2744 and significantly improve driver stability.
2745 * Added Christof Meerwald's Media Status patch to the
2746 TAP-Win32 driver which shows the TAP adapter to be
2747 disconnected when OpenVPN is not running.
2748 * Moved socket connect and TCP server listen code to a later
2749 point in openvpn() function so that the TCP server listen
2750 state is entered after daemonization.
2751 * Added keyboard shortcuts to simulate signals in the Windows
2752 version, see the window title bar for descriptions.
2754 2003.07.24 -- Version 1.5-beta1
2756 * Added TCP support via the new --proto option.
2757 * Renamed udp-centric options such as --udp-mtu to
2758 --link-mtu (old option names preserved for compatibility).
2759 * Ported to Windows 2000 + XP using mingw and a TAP driver
2760 derived from the Cipe-Win32 project by Damion K. Wilson.
2761 * Added --show-adapters flag for windows version.
2762 * Reworked the SSL/TLS packet acknowledge code to better
2763 handle certain corner cases.
2764 * Turned off the default enabling of IP forwarding in the
2765 sample-scripts/openvpn.init script for Redhat.
2766 Forwarding can be enabled by users in their --up scripts
2768 * Added --up-restart option based on suggestion from Sean
2770 * If --dev tap or --dev-type tap is specified, --tun-mtu
2771 defaults to 1500 and --tun-mtu-extra defaults to 64.
2772 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
2773 for each packet read or write on the TCP/UDP socket.
2775 2003.08.04 -- Version 1.4.3
2777 * Added md5.h include to crypto.c
2778 to fix build problem on OpenBSD.
2780 2003.07.15 -- Version 1.4.2
2782 * Removed adaptive bandwidth from
2783 --mtu-dynamic -- its absence appears
2784 to work better than its existence (1.4.1.2).
2785 * Minor changes to --shaper to fix long
2786 retransmit timeouts at low bandwidth
2788 * Added LOG_RW flag to openvpn.h for
2789 debugging (1.4.1.2).
2790 * Silenced spurious configure warnings (1.4.1.2).
2791 * Backed out --dev-name patch, modified --dev
2792 to offer equivalent functionality (1.4.1.4).
2793 * Added an optional parameter to --daemon and
2794 --inetd to support the passing of a custom
2795 program name to the system logger (1.4.1.5).
2796 * Add compiled-in options to the program title
2798 * Coded the beginnings of a WIN32 port (1.4.1.5).
2799 * Succeeded in porting to Win32 Mingw environment
2800 and running loopback tests (1.4.1.6). Still
2801 need a kernel driver for full Win32
2803 * Fixed a bug in error.h where
2804 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
2805 This would have caused a significant slowdown
2806 of OpenVPN when built by compilers that
2807 lack ISO C99 vararg macros (1.4.1.6).
2808 * Created an init script for Gentoo Linux
2809 in ./gentoo directory (1.4.1.6).
2811 2003.05.15 -- Version 1.4.1
2813 * Modified the Linux 2.4 TUN/TAP open code to
2814 fall back to the 2.2 TUN/TAP interface if the
2815 open or ioctl fails.
2816 * Fixed bug when --verb is set to 0 and non-fatal
2817 socket errors occur, causing 100% CPU utilization.
2818 Occurs on platorms where
2819 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
2821 * Fixed typo in tun.c that was preventing
2823 * Added --enable-mtu-dynamic configure option
2824 to enable --mtu-dynamic experimental option.
2826 2003.05.07 -- Version 1.4.0
2828 * Added --replay-persist feature to allow replay
2829 protection across sessions.
2830 * Fixed bug where --ifconfig could not be used
2832 * Added --tun-mtu-extra parameter to deal with
2833 the situation where a read on a TUN/TAP device
2834 returns more data than the device's MTU size.
2835 * Fixed bug where some IPv6 support code for
2836 Linux was not being properly ifdefed out for
2837 Linux 2.2, causing compile errors.
2838 * Added OPENVPN_EXIT_STATUS_x codes to
2839 openvpn.h to control which status value
2840 openvpn returns to its caller (such as
2841 a shell or inetd/xinetd) for various conditions.
2842 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
2843 openvpn.h to allow debugging in situations
2844 where stdout, stderr, and syslog cannot be used
2845 for message output, such as when OpenVPN is
2846 instantiated by inetd/xinetd.
2847 * Removed owner-execute permission from file
2848 created by static key generator (Herbert Xu
2849 and Alberto Gonzalez Iniesta).
2850 * Added --passtos option to allow IPv4 TOS bits
2851 to be passed from TUN/TAP input packets to
2852 the outgoing UDP socket (Craig Knox).
2853 * Added code to prevent open socket file descriptors
2854 from being accessible to called scripts.
2855 * Added --dev-name option (Christian Lademann).
2856 * Added --mtu-disc option for manual control
2858 * Show OS MTU value on UDP socket write failures
2860 * Numerous build system and portability
2861 fixes (Matthias Andree).
2862 * Added better sensing of compiler support for
2863 variable argument macros, including (a) gcc
2864 style, (b) ISO C 1999 style, and (c) no support.
2865 * Removed generated files from CVS. Note INSTALL
2866 file for new CVS build commands.
2867 * Changed certain internal symbol names
2868 for C standards compliance.
2869 * Added TUN/TAP open code to cycle dynamically
2870 through unit numbers until it finds a free
2871 unit (based on code from Thomas Gielfeldt
2873 * Added dynamic MTU and fragmenting infrastructure
2874 (Experimental). Rebuild with FRAGMENT_ENABLE
2876 * Minor changes to SSL/TLS negotiation, use
2877 exponential backoff on retransmits, and use
2878 a smaller MTU size (note that no protocol
2879 changes have been made which would break
2880 compatibility with 1.3.x).
2881 * Added --enable-strict-options flag
2882 to ./configure. This option will cause
2883 a more strict check for options compatibility
2884 between peers when SSL/TLS negotiation is used,
2885 but should only be used when both OpenVPN peers
2886 are of the same version.
2887 * Reorganization of debugging levels.
2888 * Added a workaround in configure.ac for
2889 default SSL header location on Linux
2890 to fix RH9 build problem.
2891 * Fixed potential deadlock when pthread support
2892 is used on OSes that allocate a small socketpair()
2894 * Fixed openvpn.init to be sh compliant
2896 * Changed --daemon to wait until all
2897 initialization is finished before becoming a
2898 daemon, for the benefit of initialization
2899 scripts that want a useful return status from
2900 the openvpn command.
2901 * Made openvpn.init script more robust, including
2902 positive indication of initialization errors
2903 in the openvpn daemon and better sanity checks.
2904 * Changed --chroot to wait until initialization
2905 is finished before calling chroot(), and allow
2906 the use of --user and --group with --chroot.
2907 * When syslog logging is enabled (--daemon or
2908 --inetd), set stdin/stdout/stderr to point
2910 * For inetd instantiations, dup socket descriptor
2912 * Fixed bug in verify-cn script, where test would
2913 incorrectly fail if CN=x was the last component
2914 of the X509 composite string (Anonymous).
2915 * Added Markus F.X.J. Oberhumer's special
2916 license exception to COPYING.
2918 2002.10.23 -- Version 1.3.2
2920 * Added SSL_CTX_set_client_CA_list call
2921 to follow the canonical form for TLS initialization
2922 recommended by the OpenSSL docs. This change allows
2923 better support for intermediate CAs and has no impact
2925 * Added build-inter script to easy-rsa package, to
2926 facilitate the generation of intermediate CAs.
2927 * Ported to NetBSD (Dimitri Goldin).
2928 * Fixed minor bug in easy-rsa/sign-req. It refers to
2929 openssl.cnf file, instead of $KEY_CONFIG, like all
2930 other scripts (Ernesto Baschny).
2931 * Added --days 3650 to the root CA generation command
2932 in the HOWTO to override the woefully small 30 day
2933 default (Dominik 'Aeneas' Schnitzer).
2934 * Fixed bug where --ping-restart would sometimes
2935 not re-resolve remote DNS hostname.
2936 * Added --tun-ipv6 option and related infrastructure
2937 support for IPv6 over tun.
2938 * Added IPv6 over tun support for Linux (Aaron Sethman).
2939 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
2940 INSTALL (Matthias Andree).
2941 * Added inetd/xinetd support (--inetd) including
2942 documentation in the HOWTO.
2943 * Added "Important Note on the use of commercial certificate
2944 authorities (CAs) with OpenVPN" to HOWTO based on
2945 issues raised on the openvpn-users list.
2947 2002.07.10 -- Version 1.3.1
2949 * Fixed bug in openvpn.spec and openvpn.init
2950 which caused RPM upgrade to fail.
2952 2002.07.10 -- Version 1.3.0
2954 * Added --dev-node option to allow explicit selection of
2955 tun/tap device node.
2956 * Removed mlockall call from child thread, as it doesn't
2957 appear to be necessary (child thread inherits mlockall
2959 * Added --ping-timer-rem which causes timer for --ping-exit
2960 and --ping-restart not to run unless we have a remote IP
2962 * Added condrestart to openvpn.init and openvpn.spec
2964 * Added --ifconfig case for FreeBSD (Matthias Andree).
2965 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
2966 * Changed LOG_INFO messages to LOG_NOTICE.
2967 * Added warning when key files are group/others accessible.
2968 * Added --single-session flag for TLS mode.
2969 * Fixed bug where --writepid would segfault if used with
2970 an invalid filename.
2971 * Fixed bug where --ipchange status message was formatted
2973 * Print more concise error message when system() call
2975 * Added --disable-occ option.
2976 * Added --local, --remote, and --ifconfig options sanity
2978 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
2980 * Successfully tested with OpenSSL 0.9.7 Beta 2.
2981 * Broke out debug level definitions to errlevel.h
2982 * Minor documentation and web site changes.
2983 * All changes maintain protocol compatibility
2984 with OpenVPN versions since 1.1.0, however default
2985 MTU changes will require setting the MTU explicitly
2986 by command line option, if you want 1.3.0 to
2987 communicate with previous versions.
2989 2002.06.12 -- Version 1.2.1
2991 * Added --ping-restart option to restart
2992 connection on ping timeout using SIGUSR1
2993 logic (Matthias Andree).
2994 * Added --persist-tun, --persist-key,
2995 --persist-local-ip, and --persist-remote-ip
2996 options for finer-grained control over SIGUSR1
2997 and --ping-restart restarts. To
2998 replicate previous SIGUSR1 functionality,
2999 use --persist-remote-ip.
3000 * Changed residual IV fetching code to take
3001 IV from tail of ciphertext.
3002 * Added check to make sure that CFB or OFB
3003 cipher modes are only used with SSL/TLS
3004 authentication mode, and added a caveat
3006 * Changed signal handling during initialization
3007 (including re-initialization during restarts)
3008 to exit on SIGTERM or SIGINT and ignore other
3009 signals which would ordinarily be caught.
3010 * Added --resolv-retry option to allow
3011 retries on hostname resolution.
3012 * Expanded the --float option to also
3013 allow dynamic changes in source port number
3014 on incoming datagrams.
3015 * Added --mute option to limit repetitive
3016 logging of similar message types.
3017 * Added --group option to downgrade GID
3018 after initialization.
3019 * Try to set ifconfig path automatically
3021 * Added --ifconfig code for Mac OS X
3022 (Christoph Pfisterer).
3023 * Moved "Peer Connection Initiated" message
3025 * Successfully tested with
3026 OpenSSL 0.9.7 Beta 1 and AES cipher.
3027 * Added RPM notes to INSTALL.
3028 * Added ACX_PTHREAD (from the autoconf
3029 macro archive) to configure.ac
3030 to figure out the right pthread
3031 options for a given platform.
3032 * Broke out macro definitions from
3033 configure.ac to acinclude.m4.
3034 * Minor changes to docs and HOWTO.
3035 * All changes maintain protocol compatibility
3036 with OpenVPN versions since 1.1.0.
3038 2002.05.22 -- Version 1.2.0
3040 * Added configuration file support via
3041 the --config option.
3042 * Added pthread support to improve latency.
3043 With pthread support, OpenVPN
3044 will offload CPU-intensive tasks such as RSA
3045 key number crunching to a background thread
3046 to improve tunnel packet forwarding
3047 latency. pthread support can be enabled
3048 with the --enable-pthread configure option.
3049 Pthread support is currently available
3050 only for Linux and Solaris.
3051 * Added --dev-type option so that tun/tap
3052 device names don't need to begin with
3054 * Added --writepid option to write main
3055 process ID to a file.
3056 * Numerous portability fixes to ease
3057 porting to other OSes including changing
3058 all network types to uint8_t and uint32_t,
3059 and not assuming that time_t is 32 bits.
3060 * Backported to OpenSSL 0.9.5.
3061 * Ported to Solaris.
3062 * Finished OpenBSD port except for
3064 * Added initialization script:
3065 sample-scripts/openvpn.init
3067 * Ported to Mac OS X (Christoph Pfisterer).
3068 * Improved resilience to DoS attacks when
3069 TLS mode is used without --remote or
3070 --tls-auth, or when --float is used
3071 with --remote. Note however that the best
3072 defense against DoS attacks in TLS mode
3073 is to use --tls-auth.
3074 * Eliminated automake/autoconf dependency
3076 * Ported configure.in to configure.ac
3078 * SIGHUP signal now causes OpenVPN to restart
3079 and re-read command line and or config file,
3080 in conformance with canonical daemon behaviour.
3081 * SIGUSR1 now does what SIGHUP did in
3082 version 1.1.1 and earlier -- close and reopen
3083 the UDP socket for use when DHCP changes
3084 host's IP address and preserve most recently
3085 authenticated peer address without rereading
3087 * SIGUSR2 added -- outputs current statistics,
3088 including compression statistics.
3089 * All changes maintain protocol compatibility
3090 with 1.1.1 and 1.1.0.
3092 2002.04.22 -- Version 1.1.1
3094 * Added --ifconfig option to automatically configure
3096 * Added inactivity disconnect (--inactive
3097 and --ping-exit options).
3098 * Added --ping option to keep stateful firewalls
3100 * Added sanity check to command line parser to
3101 err if any TLS options are used in non-TLS mode.
3102 * Fixed build problem with compiler environments that
3103 define printf as a macro.
3104 * Fixed build problem on linux systems that have
3105 an integrated TUN/TAP driver but lack the persistent
3106 tunnel feature (TUNSETPERSIST). Some linux kernels
3107 >= 2.4.0 and < 2.4.7 fall into this category.
3108 * Changed all calls to EVP_CipherInit to use explicit
3109 encrypt/decrypt mode in order to fix problem with
3110 IDEA-CBC and AES-256-CBC ciphers.
3111 * Minor changes to control channel transmit limiter
3112 algorithm to fix problem where TLS control channel
3113 might not renegotiate within the default 60 second window.
3114 * Simplified man page examples by taking advantage
3115 of the new --ifconfig option.
3116 * Minor changes to configure.in to check more
3117 rigourously for OpenSSL 0.9.6 or greater.
3118 * Put back openvpn.spec, eliminated
3120 * Modified openvpn.spec to reflect new automake-based
3121 build environment (Bishop Clark).
3122 * Other documentation changes.
3123 * Added --test-crypto option for debugging.
3124 * Added "missing" and "mkinstalldirs" automake
3128 2002.04.09 -- Version 1.1.0
3130 * Strengthened replay protection and IV handling,
3131 extending it fully to both static key and
3132 TLS dynamic key exchange modes.
3133 * Added --mlock option to disable paging and ensure that key
3134 material and tunnel data is never paged to disk.
3135 * Added optional traffic shaping feature to cap the maximum
3136 data rate of the tunnel.
3137 * Converted to automake (The Platypus Brothers 2002-04-01).
3138 * Ported to OpenBSD by Janne Johansson.
3139 * Added --tun-af-inet option to work around an incompatibility
3140 between Linux and BSD tun drivers.
3141 * Sequence number-based replay protection using the
3142 IPSec sliding window model is now the default,
3143 disable with --no-replay.
3144 * Explicit IV is now the default, disable with --no-iv.
3145 * Disabled all cipher modes except CBC, CFB, and OFB.
3146 * In CBC mode, use explicit IV and carry forward residuals,
3148 * In CFB/OFB mode, IV is timestamp, sequence number.
3149 * Eliminated --packet-id, --timestamp, and max-delta parameter to
3150 the --tls-auth option as they are now supplanted by improved
3151 replay code which is enabled by default.
3152 * Eliminated --rand-iv as it is now obsolete with improved
3154 * Eliminated --reneg-err option as it increases vulnerability
3156 * Added weak key check for DES ciphers.
3157 * --tls-freq option is no longer specified on the command line,
3158 instead it now inherits its parameter from the
3159 --tls-timeout option.
3160 * Fixed bug that would try to free memory on exit that was
3161 never malloced if --comp-lzo was not specified.
3162 * Errata fixed in the man page examples: "test-ca" should be
3164 * Updated manual page.
3165 * Preliminary work in porting to OpenSSL 0.9.7.
3166 * Changed license to allowing linking with OpenSSL.
3168 2002.03.29 -- Version 1.0.3
3170 * Fixed a problem in configure with library ordering on the
3173 2002.03.28 -- Version 1.0.2
3175 * Improved the efficiency of the inner event loop.
3176 * Fixed a minor bug with timeout handling.
3177 * Improved the build system to build on RH 6.2 through 7.2.
3178 * Added an openvpn.spec file for RPM builders (Bishop Clark).
3180 2002.03.23 -- Version 1.0
3182 * Added TLS-based authentication and key exchange.
3183 * Added gremlin mode to stress test.
3186 2001.12.26 -- Version 0.91
3188 * Added any choice of cipher or HMAC digest.
3190 2001.5.13 -- Version 0.90
3193 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.