2 Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
4 2009.06.07 -- Version 2.1_rc18
6 * Fixed compile error on ./configure --enable-small
8 * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
9 does not build on Windows on non-MINGW32.
11 2009.05.30 -- Version 2.1_rc17
13 * Reduce the debug level (--verb) at which received management interface
14 commands are echoed from 7 to 3. Passwords will be filtered.
16 * Fixed race condition in management interface recv code on
17 Windows, where sending a set of several commands to the
18 management interface in quick succession might cause the
19 latter commands in the set to be ignored.
21 * Increased management interface input command buffer size
22 from 256 to 1024 bytes.
24 * Minor tweaks to Windows build system.
26 * Added "redirect-private" option which allows private subnets
27 to be pushed to the client in such a way that they don't accidently
28 obscure critical local addresses such as the DHCP server address and
31 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
32 client will examine the routing table and determine whether (a) the
33 OpenVPN server is reachable via a locally connected interface, or (b)
34 traffic to the server must be forwarded through the default router.
35 Only add a special bypass route for the OpenVPN server if (b) is true.
36 If (a) is true, behave as if the 'local' flag is specified, and do not
39 The new 'autolocal' flag depends on the non-portable test_local_addr()
40 function in route.c, which is currently only implemented for Windows.
41 The 'autolocal' flag will act as a no-op on platforms that have not
42 yet defined a test_local_addr() function.
44 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
45 more option content to be pushed from server to client).
47 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
48 levels <=3) a common and usually innocuous warning.
50 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
51 functionality (Alon Bar-Lev).
53 * Fixed bug where the remote_X environmental variables were not being
54 set correctly when the 'local' option is specifed.
56 2009.05.17 -- Version 2.1_rc16
58 * Windows installer changes:
60 1. ifdefed out the check Windows version code which is causing
63 2. don't define SF_SELECTED if it is already defined
65 3. Use LZMA instead of BZIP2 compression for better compression
67 4. Upgraded OpenSSL to 0.9.8k
69 * Added the ability to read the configuration file
70 from stdin, when "stdin" is given as the config
73 * Allow "management-client" directive to be used
74 with unix domain sockets.
76 * Added errors-to-stderr option. When enabled, fatal errors
77 that result in the termination of the daemon will be written
80 * Added optional "nogw" (no gateway) flag to --server-bridge
81 to inhibit the pushing of the route-gateway parameter to
84 * Added new management interface command "pid" to show the
85 process ID of the current OpenVPN process (Angelo Laub).
87 * Fixed issue where SIGUSR1 restarts would fail if private
88 key was specified as an inline file.
90 * Added daemon_start_time and daemon_pid environmental variables.
92 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
96 1. Fixed some issues with C++ style comments that leaked into the code.
98 2. Updated configure.ac to work on MinGW64.
100 3. Updated common.h types for _WIN64.
102 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
105 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
106 OpenVPNCryptAcquireCertificatePrivateKey to work around
107 a symbol conflict in MinGW-5.1.4.
109 2008.11.19 -- Version 2.1_rc15
111 * Fixed issue introduced in 2.1_rc14 that may cause a
112 segfault when a --plugin module is used.
114 * Added server-side --opt-verify option: clients that connect
115 with options that are incompatible with those of the server
116 will be disconnected (without this option, incompatible
117 clients would trigger a warning message in the server log
118 but would not be disconnected).
120 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
121 flag on the server as well as pushes it to connecting clients.
123 * Minor options check fix: --no-name-remapping is a
124 server-only option and should therefore generate an
125 error when used on the client.
127 * Added --prng option to control PRNG (pseudo-random
128 number generator) parameters. In previous OpenVPN
129 versions, the PRNG was hardcoded to use the SHA1
130 hash. Now any OpenSSL hash may be used. This is
131 part of an effort to remove hardcoded references to
132 a specific cipher or cryptographic hash algorithm.
134 * Cleaned up man page synopsis.
136 2008.11.16 -- Version 2.1_rc14
138 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
139 with the goal of fixing a build issue on Fedora 9 that was
140 introduced in 2.1_rc13.
142 * Added additional method parameter to --script-security to preserve
143 backward compatibility with system() call semantics used in OpenVPN
144 2.1_rc8 and earlier. To preserve backward compatibility use:
146 script-security 3 system
148 * Added additional warning messages about --script-security 2
149 or higher being required to execute user-defined scripts or
152 * Windows build system changes:
154 Modified Windows domake-win build system to write all openvpn.nsi
155 input files to gen, so that gen can be disconnected from
156 the rest of the source tree and makensis openvpn.nsi will
157 still function correctly.
159 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
160 (commented out by default).
162 Added optional files SAMPCONF_CONF2 (second sample configuration
163 file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
164 build system, and may be defined in settings.in.
166 * Extended Management Interface "bytecount" command
167 to work when OpenVPN is running as a server.
168 Documented Management Interface "bytecount" command in
169 management/management-notes.txt.
171 * Fixed informational message in ssl.c to properly indicate
172 deferred authentication.
174 * Added server-side --auth-user-pass-optional directive, to allow
175 connections by clients that do not specify a username/password, when a
176 user-defined authentication script/module is in place (via
177 --auth-user-pass-verify, --management-client-auth, or a plugin module).
179 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
181 Calling scripts can set the KEY_NAME environmental variable to set
182 the "name" X509 subject field in generated certificates.
184 Modified pkitool to allow flexibility in separating the Common Name
185 convention from the cert/key filename convention.
189 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
191 will create a client certificate/key pair of james.crt/james.key
192 having a Common Name of "James's Laptop" and a Name of "james".
194 * Added --no-name-remapping option to allow Common Name, X509 Subject,
195 and username strings to include any printable character including
196 space, but excluding control characters such as tab, newline, and
197 carriage-return (this is important for compatibility with external
198 authentication systems).
200 As a related change, added --status-version 3 format (and "status 3"
201 in the management interface) which uses the version 2 format except
202 that tabs are used as delimiters instead of commas so that there
203 is no ambiguity when parsing a Common Name that contains a comma.
205 Also, save X509 Subject fields to environment, using the naming
208 X509_{cert_depth}_{name}={value}
210 This is to avoid ambiguities when parsing out the X509 subject string
211 since "/" characters could potentially be used in the common name.
213 * Fixed some ifconfig-pool issues that precluded it from being combined
214 with --server directive.
216 Now, for example, we can configure thusly:
218 server 10.8.0.0 255.255.255.0 nopool
219 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
221 to have ifconfig-pool manage only a subset
224 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
225 config file syntax checking to allow directives for future OpenVPN
226 versions to be ignored.
228 2008.10.07 -- Version 2.1_rc13
230 * Bundled OpenSSL 0.9.8i with Windows installer.
232 * Management interface can now listen on a unix
233 domain socket, for example:
235 management /tmp/openvpn unix
237 Also added management-client-user and management-client-group
238 directives to control which processes are allowed to connect
241 * Copyright change to OpenVPN Technologies, Inc.
243 2008.09.23 -- Version 2.1_rc12
245 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
246 part of the tarball (Matthias Andree).
248 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
249 was incorrectly expecting the lladdr parameter to be an IP address
250 when it is actually a MAC address (HoverHell).
252 2008.09.14 -- Version 2.1_rc11
254 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
255 to fail if UDP packets are dropped.
257 2008.09.10 -- Version 2.1_rc10
259 * Added "--server-bridge" (without parameters) to enable
260 DHCP proxy mode: Configure server mode for ethernet
261 bridging using a DHCP-proxy, where clients talk to the
262 OpenVPN server-side DHCP server to receive their IP address
263 allocation and DNS server addresses.
265 * Added "--route-gateway dhcp", to enable the extraction
266 of the gateway address from a DHCP negotiation with the
267 OpenVPN server-side LAN.
269 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
270 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
273 * Warn when ethernet bridging that the IP address of the bridge adapter
274 is probably not the same address that the LAN adapter was set to
277 * When running as a server, warn if the LAN network address is
278 the all-popular 192.168.[0|1].x, since this condition commonly
279 leads to subnet conflicts down the road.
281 * Primarily on the client, check for subnet conflicts between
282 the local LAN and the VPN subnet.
284 * Added a 'netmask' parameter to get_default_gateway, to return
285 the netmask of the adapter containing the default gateway.
286 Only implemented on Windows so far. Other platforms will
287 return 255.255.255.0. Currently the netmask information is
288 only used to warn about subnet conflicts.
290 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
291 and USE_SSL flags are enabled (Alon Bar-Lev).
293 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
294 --script-security rules. Also adds retrying if the addresses are in
295 use (Matthias Andree).
297 * Fixed build issue with ./configure --disable-socks --disable-http.
299 * Fixed separate compile errors in options.c and ntlm.c that occur
300 on strict C compilers (such as old versions of gcc) that require
301 that C variable declarations occur at the start of a {} block,
304 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
305 the new implementation of extract_x509_field_ssl depends on.
307 * LZO compression buffer overflow errors will now invalidate
308 the packet rather than trigger a fatal assertion.
310 * Fixed minor compile issue in ntlm.c (mid-block declaration).
312 * Added --allow-pull-fqdn option which allows client to pull DNS names
313 from server (rather than only IP address) for --ifconfig, --route, and
314 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
315 for these options to be pulled and translated to IP addresses by default.
316 Now --allow-pull-fqdn will be explicitly required on the client to enable
317 DNS-name-to-IP-address translation of pulled options.
319 * 2.1_rc8 and earlier did implicit shell expansion on script
320 arguments since all scripts were called by system().
321 The security hardening changes made to 2.1_rc9 no longer
322 use system(), but rather use the safer execve or CreateProcess
323 system calls. The security hardening also introduced a
324 backward incompatibility with 2.1_rc8 and earlier in that
325 script parameters were no longer shell-expanded, so
328 client-connect "docc CLIENT-CONNECT"
330 would fail to work because execve would try to execute
331 a script called "docc CLIENT-CONNECT" instead of "docc"
332 with "CLIENT-CONNECT" as the first argument.
334 This patch fixes the issue, bringing the script argument
335 semantics back to pre 2.1_rc9 behavior in order to preserve
336 backward compatibility while still using execve or CreateProcess
337 to execute the script/executable.
339 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
340 to more closely conform to RFC 3696:
342 (1) DNS name length must not exceed 255 characters
344 (2) DNS name characters must be limited to alphanumeric,
345 dash ('-'), and dot ('.')
347 * Fixed bug in intra-session TLS key rollover that was introduced with
348 deferred authentication features in 2.1_rc8.
350 2008.07.31 -- Version 2.1_rc9
352 * Security Fix -- affects non-Windows OpenVPN clients running
353 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
354 vulnerable nor are any versions of the OpenVPN server vulnerable).
355 An OpenVPN client connecting to a malicious or compromised
356 server could potentially receive an "lladdr" or "iproute" configuration
357 directive from the server which could cause arbitrary code execution on
358 the client. A successful attack requires that (a) the client has agreed
359 to allow the server to push configuration directives to it by including
360 "pull" or the macro "client" in its configuration file, (b) the client
361 successfully authenticates the server, (c) the server is malicious or has
362 been compromised and is under the control of the attacker, and (d) the
363 client is running a non-Windows OS. Credit: David Wagner.
366 * Miscellaneous defensive programming changes to multiple
367 areas of the code. In particular, use of the system() call
368 for calling executables such as ifconfig, route, and
369 user-defined scripts has been completely revamped in favor
370 of execve() on unix and CreateProcess() on Windows.
372 * In Windows build, package a statically linked openssl.exe to work around
373 observed instabilities in the dynamic build since the migration to
376 2008.06.11 -- Version 2.1_rc8
378 * Added client authentication and packet filtering capability
379 to management interface. In addition, allow OpenVPN plugins
380 to take advantage of deferred authentication and packet
381 filtering capability.
383 * Added support for client-side connection profiles.
385 * Fixed unbounded memory growth bug in environmental variable
386 code that could have caused long-running OpenVPN sessions
387 with many TLS renegotiations to incrementally
388 increase memory usage over time.
390 * Windows release now packages openssl-0.9.8h.
392 * Build system changes -- allow building on Windows using
393 autoconf/automake scripts (Alon Bar-Lev).
395 * Changes to Windows build system to make it easier to do
396 partial builds, with a reduced set of prerequisites,
397 where only a subset of OpenVPN installer
398 components are built. See ./domake-win comments.
400 * Cleanup IP address for persistence interfaces for tap and also
401 using ifconfig, gentoo#209055 (Alon Bar-Lev).
403 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
405 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
407 * Added new OpenVPN icon and installer graphic.
409 * Minor pkitool changes.
411 * Added --pkcs11-id-management option, which will cause OpenVPN to
412 query the management interface via the new NEED-STR asynchronous
413 notification query to get additional PKCS#11 options (Alon Bar-Lev).
415 * Added NEED-STR management interface asynchronous query and
416 "needstr" management interface command to respond to the query
419 * Added Dragonfly BSD support (Francis-Gudin).
421 * Quote device names before passing to up/down script (Josh Cepek).
423 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
424 prevent structure padding from causing an incorrect length
425 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
428 * On systems that support res_init, always call it
429 before calling gethostbyname to ensure that
430 resolver configuration state is current.
432 * Added NTLMv2 proxy support (Miroslav Zajic).
434 * Fixed an issue in extract_x509_field_ssl where the extraction
435 would fail on the first field of the subject name, such as
436 the common name in: /CN=foo/emailAddress=foo@bar.com
438 * Made "Linux ip addr del failed" error nonfatal.
440 * Amplified --client-cert-not-required warning.
442 * Added #pragma pack to proto.h.
444 2008.01.29 -- Version 2.1_rc7
446 * Added a few extra files that exist in the svn repo but were
447 not being copied into the tarball by make dist.
449 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
451 2008.01.24 -- Version 2.1_rc6
453 * Fixed options checking bug introduced in rc5 where legitimate configuration
454 files might elicit the error: "Options error: Parameter pkcs11_private_mode
455 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
458 2008.01.23 -- Version 2.1_rc5
460 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
461 incremented driver version to 9.4.
463 * Windows build system changes:
465 Incremented included OpenSSL version to openssl-0.9.7m.
467 Updated openssl.patch for openssl-0.9.7m and added some
468 brief usage comments to the head of the patch.
470 Added build-pkcs11-helper.sh for building the pkcs11-helper
473 Integrated inclusion of pkcs11-helper into Windows build
476 Upgraded TAP build scripts to use WDK 6001.17121
477 (Windows 2008 Server pre-RTM).
479 * Windows installer changes:
481 Clean up the start menu folder.
483 Allow for a site-specific sample configuration file and keys
484 to be included in a custom installer (see SAMPCONF macros
487 New icon (temporary).
489 * Added "forget-passwords" command to the management interface
492 * Added --management-signal option to signal SIGUSR1 when the
493 management interface disconnects (Alon Bar-Lev).
495 * Modified command line and config file parser to allow
496 quoted strings using single quotes ('') (Alon Bar-Lev).
498 * Use pkcs11-helper as external library, can be downloaded from
499 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
501 * Fixed interim memory growth issue in TCP connect loop where
502 "TCP: connect to %s failed, will try again in %d seconds: %s"
505 * Fixed bug in epoll driver in event.c, where the lack of a
506 handler for EPOLLHUP could cause 99% CPU usage.
508 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
509 want to use a CBC cipher for OpenVPN's data channel.
511 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
512 plugin directory to the dlopen search list when the user
513 specifies the basename of the plugin only (Marius Tomaschewski).
515 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
516 to allow forward slash characters ("/") in the X509 common name
519 * Allow OpenVPN to run completely unprivileged under Linux
520 by allowing openvpn --mktun to be used with --user and --group
521 to set the UID/GID of the tun device node. Also added --iproute
522 option to allow an alternative command to be executed in place
523 of the default iproute2 command (Alon Bar-Lev).
525 * Fixed --disable-iproute2 in ./configure to actually disable
526 iproute2 usage (Alon Bar-Lev).
528 * Added --management-forget-disconnect option -- forget
529 passwords when management session disconnects (Alon Bar-Lev).
531 2007.04.25 -- Version 2.1_rc4
533 * Worked out remaining issues with TAP driver signing
534 on Vista x64. OpenVPN will now run on Vista x64
535 with driver signing enforcement enabled.
537 * Fixed 64-bit portability bug in time_string function
540 2007.04.22 -- Version 2.1_rc3
542 * Additional fixes to TAP driver for Windows x64. Driver
543 now runs successfully on Vista x64 if driver signing
544 enforcement is disabled.
546 * The Windows Installer and TAP driver are now signed by
547 OpenVPN Solutions LLC (in addition to the usual GnuPG
550 * Added OpenVPN GUI (Mathias Sundman version) as install
551 option in Windows installer.
553 * Clean up configure on FreeBSD for recent autotool versions
554 that require that all .h files have to be compiled.
555 Also, FreeBSD install does not support GNU long options
556 which the Makefile in easy-rsa/2.0 uses (not checked the
557 others as we don't install those on Gentoo) (Roy Marples).
559 * Added additional scripts to easy-rsa/Windows for working
560 with password-protected keys; also add -extensions server
561 option when generating server cert via
562 build-key-server-pass.bat (Daniel Zauft).
564 2007.02.27 -- Version 2.1_rc2
566 * auth-pam change: link with -lpam rather
567 than dlopen (Roy Marples).
569 * Prevent SIGUSR1 or SIGHUP from causing program
570 exit from initial management hold.
572 * SO_REUSEADDR should not be set on Windows TCP sockets
573 because it will cause bind to succeed on port conflicts.
575 * Added time_ascii, time_duration, and time_unix
576 environmental variables for plugins and callback
579 * Fixed issue where OpenVPN does not apply the --txqueuelen option
580 to persistent interfaces made with --mktun (Roy Marples).
582 * Attempt at rational signal handling when in the
583 management hold state. During management hold, ignore
584 SIGUSR1/SIGHUP signals thrown with the "signal" command.
585 Also, "signal" command will now apply remapping as
586 specified with the --remap-usr1 option.
587 When a signal entered using the "signal" command from a management
588 hold is ignored, output: >HOLD:Waiting for hold release
590 * Fixed issue where struct env_set methods that
591 change the value of an existing name=value pair
592 would delay the freeing of the memory held by
593 the previous name=value pair until the underlying
594 client instance object is closed.
595 This could cause a server that handles long-term
596 client connections, resulting in many periodic calls
597 to verify_callback, to needlessly grow the env_set
598 memory allocation until the underlying client instance
601 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
602 to reflect the fact that Vista has blacklisted the tap0801.sys
603 file name due to previous compatibility issues which have now
604 been resolved. TAP-Win32 major/minor version number is now 9/1.
606 * Windows installer will delete a previously installed
607 tap0801.sys TAP driver before installing tap0901.sys.
609 * Added code to Windows installer to fail gracefully on 64 bit
610 installs until 64-bit TAP driver issues can be resolved.
612 * Added code to Windows installer to fail gracefully on
613 versions of Windows which are not explicitly supported.
615 * The Windows version will now use a default route-delay
616 of 5 seconds to deal with an apparent routing table race
619 * Worked around an incompatibility in the Windows Vista
620 version of CreateIpForwardEntry as described in
621 http://www.nynaeve.net/?p=59
622 This issue would cause route additions using the
623 IP Helper API to fail on Vista.
625 * On Windows, revert to "ip-win32 dynamic" as the default.
627 2006.10.31 -- Version 2.1_rc1
629 * Support recovery (return to hold) from signal at
630 management password prompt.
632 * Added workaround for OpenSC PKCS#11 bug#108
635 2006.10.01 -- Version 2.1-beta16
637 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
638 published vulnerabilities.
640 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
643 * Autodetect 32/64 bit Windows in installer and install
644 appropriate TAP driver (Mathias Sundman, Hypherion).
646 * Fixed bug in loopback self-test introduced
647 in 2.1-beta15 where self test as invoked by
648 "make check" would not properly exit after
649 2 minutes (Paul Howarth).
651 2006.09.12 -- Version 2.1-beta15
653 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
654 RSA Signature Forgery (CVE-2006-4339).
656 * Fixed bug introduced with the --port-share directive
657 (back in 2.1-beta9 which causes TLS soft resets
658 (1 per hour by default) in TCP server mode to force
659 a blockage of tunnel packets and later time-out and
660 restart the connection.
662 * easy-rsa update (Alon Bar-Lev)
663 Makefile (install) is now available so that
664 distribs will be able to install it safely.
666 * PKCS#11 changes: (Alon Bar-Lev)
667 - Modified ssl.c to not FATAL and return to init.c
668 so auth-retry will work.
669 - Modifed pkcs11-helper.c to fix some problem with
671 - Added retry counter to PKCS#11 PIN hook.
672 - Modified PKCS#11 PIN retry loop to return correct error
673 code when PIN is incorrect.
674 - Fix handling (ignoring) zero sized attributes.
676 - Fix openssl 0.9.6 (first version) issues.
678 * Minor fixes of lladdr (Alon Bar-Lev)
679 Updated makefile.w32-vc to include lladdr.*, updated
681 Modified lladdr.c to be compiled under visual C.
683 * Added two new management states:
684 OPENVPN_STATE_RESOLVE -- DNS lookup
685 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
687 * Echo management state change to log.
689 * Minor syshead.h change for NetBSD to allow
690 TCP_NODELAY flag to work.
692 * Modified --port-share code to remove the assumption that
693 CMSG_SPACE always evaluates to a constant, to enable
694 compilation on NetBSD and possibly other BSDs as well.
696 * Eliminated gcc 3.3.3 warnings on NetBSD
697 when ./configure --enable-strict is used.
699 * Added optional minimum-number-of-bytes parameter
700 to --inactive directive.
702 2006.04.13 -- Version 2.1-beta14
704 * Fixed Windows server bug in time backtrack handling code which
705 could cause TLS negotiation failures on legitimate clients.
707 * Rewrote gettimeofday function for Windows to be
708 simpler and more efficient.
710 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
712 * Added --route-metric option to set a default route metric
713 for --route (Roy Marples).
715 * Added --lladdr option to specify the link layer (MAC) address
716 for the tap interface on non-Windows platforms (Roy Marples).
718 2006.04.12 -- Version 2.1-beta13
720 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
721 to 64 bits caused a bug in the Windows version which has now
722 been fixed. The bug could cause intermittent crashes.
724 2006.04.05 -- Version 2.1-beta12
726 * Security Vulnerability -- An OpenVPN client connecting to a
727 malicious or compromised server could potentially receive
728 "setenv" configuration directives from the server which could
729 cause arbitrary code execution on the client via a LD_PRELOAD
730 attack. A successful attack appears to require that (a) the
731 client has agreed to allow the server to push configuration
732 directives to it by including "pull" or the macro "client" in
733 its configuration file, (b) the client configuration file uses
734 a scripting directive such as "up" or "down", (c) the client
735 succesfully authenticates the server, (d) the server is
736 malicious or has been compromised and is under the control of
737 the attacker, and (e) the attacker has at least some level of
738 pre-existing control over files on the client (this might be
739 accomplished by having the server respond to a client web request
740 with a specially crafted file). Credit: Hendrik Weimer.
743 The fix is to disallow "setenv" to be pushed to clients from
744 the server, and to add a new directive "setenv-safe" which is
745 pushable from the server, but which appends "OPENVPN_" to the
746 name of each remotely set environmental variable.
748 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
750 * PKCS11 fixes (Alon Bar-Lev). For full description:
751 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
753 * When deleting routes under Linux, use the route metric
754 as a differentiator to ensure that the route teardown
755 process only deletes the identical route which was originally
756 added via the "route" directive (Roy Marples).
758 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
759 (Matthias Andree, Dirk Meyer, Vasil Dimov).
761 * Extended tun device configure code to support ethernet
762 bridging on NetBSD (Emmanuel Kasper).
764 2006.02.19 -- Version 2.1-beta11
766 * Fixed --port-share bug that caused premature closing
769 2006.02.17 -- Version 2.1-beta10
771 * Fixed --port-share breakage introduced in 2.1-beta9.
773 2006.02.16 -- Version 2.1-beta9
775 * Added --port-share option for allowing OpenVPN and HTTPS
776 server to share the same port number.
777 * Added --management-client option to connect as a client
778 to management GUI app rather than be connected to as a
780 * Added "bytecount" command to management interface.
781 * --remote-cert-tls fixes (Alon Bar-Lev).
783 2006.01.03 -- Version 2.1-beta8
785 * --remap-usr1 will now also remap signals thrown during
787 * Added --connect-timeout option to control the timeout
788 on TCP client connection attempts (doesn't work on all
789 OSes). This patch also makes OpenVPN signalable during
790 TCP connection attempts.
791 * Fixed bug in acinclude.m4 where capability of compiler
792 to handle zero-length arrays in structs is tested
794 * Fixed typo in manage.c where inline function declaration
795 was declared without the "static" keyword (David Stipp).
796 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
797 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
798 proxy settings (currently Windows only).
799 * Removed redundant base64 code.
800 * Better sanity checking of --server and --server-bridge
801 IP pool ranges, so as not to hit the assertion at
803 * Fixed bug where --daemon and --management-query-passwords
804 used together would cause OpenVPN to block prior to
806 * Fixed client/server race condition which could occur
807 when --auth-retry interact is set and the initially
808 provided auth-user-pass credentials are incorrect,
809 forcing a username/password re-query.
810 * Fixed bug where if --daemon and --management-hold are
811 used together, --user or --group options would be ignored.
812 * --ip-win32 adaptive is now the default.
813 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
814 mode) can now set DNS/WINS addresses on the TAP-Win32
816 * Added new option --route-method adaptive (Win32)
817 which tries IP helper API first, then falls back to
819 * Made --route-method adaptive the default.
821 2005.11.12 -- Version 2.1-beta7
823 * Allow blank passwords to be passed via the management
825 * Fixed bug where "make check" inside a FreeBSD "jail"
826 would never complete (Matthias Andree).
827 * Fixed bug where --server directive in --dev tap mode
828 claimed that it would support subnets of /30 or less
829 but actually would only accept /29 or less.
830 * Extend byte counters to 64 bits (M. van Cuijk).
831 * Fixed bug in Linux get_default_gateway function
832 introduced in 2.0.4, which would cause redirect-gateway
833 on Linux clients to fail.
834 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
835 be compatible with 2.0.x distribution.
836 * Documented --route-nopull.
837 * Documented --ip-win32 adaptive.
838 * Windows build now linked with LZO2.
839 * Allow ca, cert, key, and dh files to be specified
840 inline via XML-like syntax without needing to
841 reference an explicit file.
846 * Allow plugin and push directives to have multi-line
847 parameter lists such as:
853 * Added connect-retry-max option (Alon Bar-Lev).
854 * Fixed problems where signals thrown during initialization
855 were not returning to a management-hold state.
856 * Added a backtrack-hardened system time algorithm.
857 * Added --remote-cert-ku, --remote-cert-eku, and
858 --remote-cert-tls options for verifying certificate
859 attributes (Alon Bar-Lev).
860 * For Windows, reverted --ip-win32 default back to "dynamic".
861 To use new adaptive mode, set explicitly.
863 2005.11.01 -- Version 2.1-beta6
865 * Security fix (merged from 2.0.4) -- Affects non-Windows
866 OpenVPN clients of version 2.0 or higher which connect to
867 a malicious or compromised server. A format string
868 vulnerability in the foreign_option function in options.c
869 could potentially allow a malicious or compromised server
870 to execute arbitrary code on the client. Only
871 non-Windows clients are affected. The vulnerability
872 only exists if (a) the client's TLS negotiation with
873 the server succeeds, (b) the server is malicious or
874 has been compromised such that it is configured to
875 push a maliciously crafted options string to the client,
876 and (c) the client indicates its willingness to accept
877 pushed options from the server by having "pull" or
878 "client" in its configuration file (Credit: Vade79).
880 * Security fix -- (merged from 2.0.4) Potential DoS
881 vulnerability on the server in TCP mode. If the TCP
882 server accept() call returns an error status, the resulting
883 exception handler may attempt to indirect through a NULL
884 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
886 * Fix attempt of assertion at multi.c:1586 (note that
887 this precise line number will vary across different
888 versions of OpenVPN).
889 * Windows reliability changes:
890 (a) Added code to make sure that the local PATH environmental
891 variable points to the Windows system32 directory.
892 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
893 and then fails over to 'netsh' if the DHCP negotiation fails.
894 (c) Made --ip-win32 adaptive the default.
895 * More PKCS#11 additions/changes (Alon Bar-Lev).
896 * Added ".PHONY: plugin" to Makefile.am to work around
898 * Fixed double fork issue that occurs when --management-hold
900 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
901 * Warn when multiple clients having the same common name or
902 username usurp each other when --duplicate-cn is not used.
903 * Modified Windows and Linux versions of get_default_gateway
904 to return the route with the smallest metric
905 if multiple 0.0.0.0/0.0.0.0 entries are present.
906 * Added ">NEED-OK" alert and "needok" command to management
907 interface to provide a general interface for sending
908 alerts to the end-user. Used by the PKCS#11 code
909 to send Token Insertion Requests to the user.
910 * Added actual remote address used to the ">STATE" alert
911 in the management interface (Rolf Fokkens).
913 2005.10.17 -- Version 2.1-beta4
915 * Fixed bug introduced in 2.1-beta3 where management
916 socket bind would fail.
917 * --capath fix in ssl.c (Zhuang Yuyao).
918 * Added ".PHONY: plugin" to Makefile.am, reverted
919 location of "plugin" directory (thanks to
920 Matthias Andree for figuring this out).
922 2005.10.16 -- Version 2.1-beta3
924 * Added PKCS#11 support (Alon Bar-Lev).
925 * Enable the use of --ca together with --pkcs12. If --ca is
926 used at the same time as --pkcs12, the CA certificate is loaded
927 from the file specified by --ca regardless if the pkcs12 file
928 contains a CA cert or not (Mathias Sundman).
929 * Merged --capath patch (Thomas Noel).
930 * Merged --multihome patch.
931 * Added --bind option for TCP client connections (Ewan Bhamrah
933 * Moved "plugin" directory to "plugins" to deal with strange
934 automake problem that ended up being also fixable with
935 ".PHONY: plugin" in Makefile.am.
937 2005.10.13 -- Version 2.1-beta2
939 * Made --sndbuf and --rcvbuf pushable.
941 2005.10.01 -- Version 2.1-beta1
943 * Made LZO setting pushable.
944 * Renamed sample-keys/tmp-ca.crt to ca.crt.
945 * Fixed bug where remove_iroutes_from_push_route_list
946 was missing routes if those routes had
947 an implied netmask (by omission) of 255.255.255.255.
948 * Merged with 2.0.3-rc1
949 * easy-rsa/2.0 moved to easy-rsa
950 * old easy-rsa moved to easy-rsa/1.0
952 2005.09.23 -- Version 2.0.2-TO4
954 * Added feature to TAP-Win32 adapter to allow it to be
955 opened from non-administrator mode. This feature
956 is enabled by default, and can be enabled/disabled
957 in the adapter advanced properties dialog.
958 * Added --allow-nonadmin standalone option for Windows to
959 set TAP adapter to allow non-admin access. This
960 is a user-mode version of the code, and duplicates
961 the same feature as the above entry.
962 * Added fix that attempts to solve corner case of tunnel not
963 forwarding packets when system clock is reset to an earlier time.
964 * Added --redirect-gateway bypass-dns option. (Developers:
965 To add bypass-dhcp or bypass-dns support to other OSes,
966 add a get_bypass_addresses function to route.c for
968 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
969 allows a client-connect plugin to return configuration text
970 in memory, rather than via a file.
971 * Fixed a bug where --mode server --proto tcp-server --cipher none
972 operation could cause tunnel packet truncation.
973 * openvpn --version will show [LZO1] or [LZO2], depending on
974 version that was linked.
976 2005.09.07 -- Version 2.0.2-TO1
978 * Added --topology directive. See man page.
979 * Added --redirect-gateway bypass-dhcp option to add a route
980 allowing DHCP packets to bypass the tunnel, when the
981 DHCP server is non-local. Currently only implemented
983 * Modified OpenVPN Service on Windows to declare the DHCP
984 client service as a dependency.
985 * Extended the plugin interface to allow plugins to declare
986 per-client constructor and destructor functions, to make
987 it simpler for plugins to maintain per-client state.
989 2005.09.25 -- Version 2.0.3-rc1
991 * openvpn_plugin_abort_v1 function wasn't being properly
992 registered on Windows.
993 * Fixed a bug where --mode server --proto tcp-server --cipher none
994 operation could cause tunnel packet truncation.
996 2005.08.25 -- Version 2.0.2
998 * No change from 2.0.2-rc1.
1000 2005.08.24 -- Version 2.0.2-rc1
1002 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
1003 which incorrectly set OpenVPN service to autostart.
1004 * Don't package source code zip file in Windows installer
1005 in order to reduce the size of the installer. The source
1006 zip file can always be downloaded separately if needed.
1007 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
1008 version of get_default_gateway. Allocated socket for route
1009 manipulation is never freed so number of mbufs continuously
1010 grow and exhaust system resources after a while (Jaroslav Klaus).
1011 * Fixed bug where "--proto tcp-server --mode p2p --management
1012 host port" would cause the management port to not respond until
1013 the OpenVPN peer connects.
1014 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
1016 2005.08.16 -- Version 2.0.1
1018 * Security Fix -- DoS attack against server when run with "verb 0" and
1019 without "tls-auth". If a client connection to the server fails
1020 certificate verification, the OpenSSL error queue is not properly
1021 flushed, which can result in another unrelated client instance on the
1022 server seeing the error and responding to it, resulting in disconnection
1023 of the unrelated client (CAN-2005-2531).
1024 * Security Fix -- DoS attack against server by authenticated client.
1025 This bug presents a potential DoS attack vector against the server
1026 which can only be initiated by a connected and authenticated client.
1027 If the client sends a packet which fails to decrypt on the server,
1028 the OpenSSL error queue is not properly flushed, which can result in
1029 another unrelated client instance on the server seeing the error and
1030 responding to it, resulting in disconnection of the unrelated client
1031 (CAN-2005-2532). Credit: Mike Ireton.
1032 * Security Fix -- DoS attack against server by authenticated client.
1033 A malicious client in "dev tap" ethernet bridging mode could
1034 theoretically flood the server with packets appearing to come from
1035 hundreds of thousands of different MAC addresses, causing the OpenVPN
1036 process to deplete system virtual memory as it expands its internal
1037 routing table. A --max-routes-per-client directive has been added
1038 (default=256) to limit the maximum number of routes in OpenVPN's
1039 internal routing table which can be associated with a given client
1041 * Security Fix -- DoS attack against server by authenticated client.
1042 If two or more client machines try to connect to the server at the
1043 same time via TCP, using the same client certificate, and when
1044 --duplicate-cn is not enabled on the server, a race condition can
1045 crash the server with "Assertion failed at mtcp.c:411"
1047 * Fixed server bug where under certain circumstances, the client instance
1048 object deletion function would try to delete iroutes which had never been
1049 added in the first place, triggering "Assertion failed at mroute.c:349".
1050 * Added --auth-retry option to prevent auth errors from being fatal
1051 on the client side, and to permit username/password requeries in case
1052 of error. Also controllable via new "auth-retry" management interface
1053 command. See man page for more info.
1054 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
1055 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
1056 would fail to build.
1057 * Implement "make check" to perform loopback tests (Matthias Andree).
1059 2005.07.21 -- Version 2.0.1-rc7
1061 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
1062 * Include linux/types.h before checking for linux/errqueue.h (Matthias
1065 2005.07.15 -- Version 2.0.1-rc6
1067 * Commented out "user nobody" and "group nobody" in sample
1068 client/server config files.
1069 * Allow '@' character to be used in --client-config-dir
1072 2005.07.04 -- Version 2.0.1-rc5
1074 * Windows version will log a for-further-info URL when
1075 initialization sequence is completed with errors.
1076 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
1077 to control whether auth-pam plugin links to PAM via
1078 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
1079 behavior should be preserved. DLOPEN_PAM=0 is the preferred
1080 setting to link via -lpam, but DLOPEN_PAM=1 works around
1081 a bug in SuSE 9.1 (and possibly other distros as well)
1082 where the PAM modules are not linked with -lpam. See
1083 thread on openvpn-devel for more discussion about this
1084 patch (Simon Perreault).
1086 2005.06.15 -- Version 2.0.1-rc4
1088 * Support LZO 2.00, including changes to configure script to
1089 autodetect LZO version.
1091 2005.06.12 -- Version 2.0.1-rc3
1093 * Fixed a bug which caused standard file handles to not be closed
1094 after daemonization when --plugin and --daemon are used together,
1095 and if the plugin initialization function forks (as does auth-pam
1096 and down-root) (Simon Perreault).
1097 * Added client-side up/down scripts in contrib/pull-resolv-conf
1098 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
1099 on Linux/Unix systems (Jesse Adelman).
1100 * Fixed bug where if client-connect scripts/plugins were cascaded,
1101 and one (but not all) of them returned an error status, there might
1102 be cases where for an individual script/plugin, client-connect was
1103 called but not client-disconnect. The goal of this fix is to
1104 ensure that if client-connect is called on a given client instance,
1105 then client-disconnect will definitely be called. A potential
1106 complication of this fix is that when client-connect functions are
1107 cascaded, it's possible that the client-disconnect function would
1108 be called in cases where the related client-connect function returned
1109 an error status. This fix should not alter OpenVPN behavior when
1110 scripts/plugins are not cascaded.
1111 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
1112 fatal error to a warning: "FRAG: outgoing buffer is not empty".
1113 Need more info on how to reproduce this one.
1114 * When --duplicate-cn is used, the --ifconfig-pool allocation
1115 algorithm will now allocate the first available IP address.
1116 * When --daemon and --management-hold are used together,
1117 OpenVPN will daemonize before it enters the management hold state.
1119 2005.05.16 -- Version 2.0.1-rc2
1121 * Modified vendor test in openvpn.spec file to match against
1122 "Mandrakesoft" in addition to "MandrakeSoft".
1123 * Using --iroute in a --client-config-dir file while in --dev tap
1124 mode is not currently supported and will produce a warning
1125 message. Fixed bug where in certain cases, in addition to
1126 generating a warning message, this combination of options
1127 would also produce a fatal assertion in mroute.c.
1128 * Pass --auth-user-pass username to server-side plugin without
1129 performing any string remapping (plugins, unlike scripts,
1130 don't get any security benefit from string remapping).
1131 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
1132 where backslash characters in a username ('\') were being remapped
1133 to underscore ('_').
1134 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
1135 * Documented --explicit-exit-notify in man page.
1136 * --explicit-exit-notify seconds parameter defaults to 1 if
1139 2005.04.30 -- Version 2.0.1-rc1
1141 * Fixed bug where certain kinds of fatal errors after
1142 initialization (such as port in use) would leave plugin
1143 processes (such as openvpn-auth-pam) still running.
1144 * Added optional openvpn_plugin_abort_v1 plugin function for
1145 closing initialized plugin objects in the event of a fatal
1146 error by main OpenVPN process.
1147 * When the --remote list is > 1, and --resolv-retry is not
1148 specified (meaning that it defaults to "infinite"), apply the
1149 infinite timeout to the --remote list as a whole, but try each
1150 list item only once before moving on to the next item.
1151 * Added new --syslog directive which redirects output
1152 to syslog without requiring the use of the --daemon or --inetd
1154 * Added openvpn.spec option to allow RPM to be built with support
1155 for passwords read from a file:
1156 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
1158 2005.04.17 -- Version 2.0
1160 * Fixed minor options string typo in options.c.
1162 2005.04.10 -- Version 2.0-rc21
1164 * Change license description from "GPL Version 2 or (at your
1165 option) any later version" to just "GPL Version 2".
1167 2005.04.04 -- Version 2.0-rc20
1169 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
1170 excellent distro/version coverage for RH/EL/Fedora, though
1171 using his own SPEC. I modified openvpn.spec to follow some of
1172 the same conventions such as putting sample scripts and doc
1173 files in %doc rather than /usr/share/openvpn.
1174 * Minor change to init scripts to run the user-defined script
1175 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
1176 configs are started, and to run /etc/openvpn/openvpn-shutdown
1177 after all OpenVPN configs have been stopped. The
1178 openvpn-startup script can be used for stuff like
1179 insmod tun.o, setting up firewall rules, or starting
1182 2005.03.29 -- Version 2.0-rc19
1184 * Omit additions of routes where the network and
1185 gateway are equal and the netmask is 255.255.255.255.
1186 This can come up if you are using both
1187 server/ifconfig-pool and client-config-dir with
1188 ifconfig-push static addresses for some subset of clients
1189 which directly reference the server IP address as the
1192 2005.03.28 -- Version 2.0-rc18
1194 * Packaged Windows installer with OpenSSL 0.9.7f.
1195 * Built Windows installer with NSIS 2.06.
1197 2005.03.12 -- Version 2.0-rc17
1199 * "MANAGEMENT: CMD" log file output will now only occur
1200 at --verb 7 or greater.
1201 * Added an optional name/value configuration list to
1202 the openvpn-auth-pam plugin module argument list. See
1203 plugin/auth-pam/README for documentation. This is necessary
1204 in order for openvpn-auth-pam to work with queries generated
1205 by arbitrary PAM modules.
1206 * In both auth-pam and down-root plugins, in the forked process,
1207 a read error on the parent process socket is no longer fatal.
1208 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
1209 A conditional test of the vendor has been added to
1210 Require the appropriately named 'lzo' (liblzo1 / lzo).
1211 (Tom Walsh - http://openhardware.net)
1214 2005.02.20 -- Version 2.0-rc16
1216 * Fixed bug introduced in rc13 where Windows service wrapper
1217 would be installed with a startup type of Automatic.
1218 This fix restores the previous behavior of installing
1219 with a startup type of Manual.
1221 2005.02.19 -- Version 2.0-rc15
1223 * Added warning when --keepalive is not used in a server
1225 * Don't include OpenSSL md4.h file if we are not building
1226 NTLM proxy support (Waldemar Brodkorb).
1227 * Added easy-rsa/build-key-pkcs12 and
1228 easy-rsa/Windows/build-key-pkcs12.bat scripts
1231 2005.02.16 -- Version 2.0-rc14
1233 * Fixed small memory leak that occurs when --crl-verify
1235 * Upgraded Windows installer and .nsi script to NSIS 2.05
1237 * Changed #include backslash usage in cryptoapi.c to use
1238 forward slashes instead (Gisle Vanem).
1239 * Created easy-rsa/revoke-full to handle revocations in
1240 a single step: (a) revoke crt, (b) regenerate CRL, and
1241 (c) verify that revocation succeeded.
1242 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
1243 that both *nix and Windows scripts are equivalent.
1245 2005.02.11 -- Version 2.0-rc13
1247 * Improve human-readability of local/remote options
1248 diff, when inconsistencies are present.
1249 * For Windows easy-rsa, distribute vars.bat.sample and
1250 openssl.cnf.sample, then copy them to their normal
1251 filenames (without the .sample) when init-config.bat
1252 is run. This is to prevent OpenVPN upgrades from
1253 wiping out vars.bat and openssl.cnf edits.
1254 * Modified service wrapper (Windows) to use a
1255 case-insensitive search when scanning for .ovpn files
1256 in \Program Files\OpenVPN\config. Prior versions
1257 required an all-lower-case .ovpn file extension.
1258 * Miscellaneous service wrapper code cleanup.
1259 * If --user/--group is used on Windows, treat it
1260 as a no-op with a warning (this makes it easier to
1261 distribute the same client config file to Windows
1263 * Warn if --ifconfig-pool-persist is used with
1266 2005.02.05 -- Version 2.0-rc12
1268 * Removed some debugging code inadvertently included
1269 in rc11 which would print the --auth-user-pass
1270 username/password provided by clients in the server
1272 * Client code for cycling through --remote list will
1273 retry the last address which successfully authenticated
1274 before moving on through the list.
1275 * Windows installer will now install sample configuration
1276 files in \Program Files\OpenVPN\sample-configs as well
1277 as generate a start menu shortcut to this directory.
1278 * Minor type change in buffer.[ch] to work around char-type
1279 ambiguity bug. Caused management interface lock-ups on
1280 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
1282 2005.02.03 -- Version 2.0-rc11
1284 * Windows installer will now install easy-rsa directory
1285 in \Program Files\OpenVPN
1286 * Allow syslog facility to be controlled at compile time,
1287 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
1288 * Changed certain shell scripts in distribution to use
1289 #!/bin/sh rather than #!/bin/bash for better portability.
1290 * If --ifconfig-pool-persist seconds parameter is 0, treat
1291 persist file as an allocation of fixed IP addresses
1292 (previous versions took IP-to-common-name associations
1293 from this list as hints, not mandatory static allocations).
1294 * Fixed bug on *nix where if --auth-user-pass and --log
1295 were used together, the username prompt would be sent to
1296 the log file rather than /dev/tty.
1297 * Spurious text in openvpn.8 detected by doclifter
1299 * Call closelog later on daemon kill so that process
1300 exit message is written to syslog.
1302 2005.01.27 -- Version 2.0-rc10
1304 * When ./configure is run with plugins enabled (the default),
1305 check whether or not dlopen exists in libc before testing
1306 for libdl. This is to fix an issue on FreeBSD and possibly
1307 other OSes which bundle libdl functions in libc.
1308 * On Windows, filter initial WSAEINVAL warning which occurs
1309 on the initial read attempt of an unbound socket.
1310 * The easy-rsa scripts build-key, build-key-pass, and
1311 build-key-server will now chmod the .key file
1312 to 0600. This is in addition to the fact the generated
1313 keys directory has always been similarly protected
1316 2005.01.23 -- Version 2.0-rc9
1318 * Fixed error "ROUTE: route addition failed using
1319 CreateIpForwardEntry ..." on Windows when --redirect-gateway
1320 is used over a RRAS internet link.
1321 * When using --route-method exe on Windows, include the
1322 gateway parameter on route delete commands (Mathias Sundman).
1323 * Try not to do a hard reset (i.e. SIGHUP) when two
1324 SIGUSR1 signals are received in close succession.
1325 * If the push list tries to grow beyond its buffer capacity,
1326 the resulting error will be non-fatal.
1327 * To increase the push list capacity (must be done on both
1328 client and server), increase TLS_CHANNEL_BUF_SIZE in
1329 common.h (default=1024).
1331 2005.01.15 -- Version 2.0-rc8
1333 * Fixed bug introduced in rc7 where options error
1334 "--auth-user-pass requires --pull" might occur even
1335 if --pull was correctly specified.
1336 * Changed management interface code to bind once
1337 to TCP socket, rather than rebinding after every
1339 * Added "disable" directive for client-config-dir
1341 * Windows binary install is now distributed with
1343 * Query the management interface for --http-proxy
1344 username/password if authfile is set to "stdin".
1345 * Added current OpenVPN version number to "Unrecognized
1346 option or missing parameter" error message.
1347 * Added "-extensions server" to "openssl req" command
1348 in easy-rsa/build-key-server (Nir Yeffet).
1350 2005.01.10 -- Version 2.0-rc7
1352 * Fixed bug in management interface which could cause
1353 100% CPU utilization in --proto tcp-server mode
1354 on all *nix OSes except for Linux 2.6.
1355 * --ifconfig-push now accepts DNS names as well as
1357 * Added sanity check errors when --pull or
1358 --auth-user-pass is used in an incorrect mode.
1359 * Updated man page entries for --client-connect and
1361 * Added "String Types and Remapping" section to man
1362 page to consisely document the way which OpenVPN
1363 may convert certain types of characters in strings
1365 * Modified bridging description in HOWTO to emphasize
1366 the fact that bridging allows Windows file and print
1367 sharing without a WINS server (Charles Duffy).
1369 2004.12.20 -- Version 2.0-rc6
1371 * Improved checking for epoll support in ./configure
1372 to fix false positive on RH9 (Jan Just Keijser).
1373 * Made the "MULTI TCP: I/O wait required blocking in
1374 multi_tcp_action, action=7" error nonfatal and replaced
1375 with "MULTI: Outgoing TUN queue full, dropped packet".
1376 So far the issue only seems to occur on Linux 2.2
1377 in --mode server --proto tcp mode. It occurs when
1378 the TUN/TAP driver locks up and refuses to accept
1379 new packet writes for a second or more.
1380 * Fixed bug where if a --client-config-dir file tried
1381 to include another file using "config", and if that
1382 include failed, OpenVPN would abort with a fatal
1383 error. Now such inclusion failures will be logged
1384 but are no longer fatal.
1385 * Global changes to the way that packet buffer alignment
1386 is handled. Previously we didn't care about alignment
1387 and took care, when handling 16 and 32 bit words
1388 in buffers, to always use alignment-safe transfers.
1389 This approach appears to be inadequate on some
1390 architectures such as alpha. The new approach is
1391 to initialize packet buffers in a way that anticipates
1392 how component structures will be allocated within
1393 them, to maintain correct alignment.
1394 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
1395 over TCP (Jan Just Keijser).
1396 * Added --http-proxy-option directive for controlling
1397 miscellaneous HTTP proxy options.
1398 * Management state will no longer transition to "WAIT"
1399 during TLS renegotiations.
1401 2004.12.16 -- Version 2.0-rc5
1403 * The --client-config-dir option will now try to open
1404 a default file called "DEFAULT" if no file matching
1405 the common name of the incoming client was found.
1406 * The --client-connect script/plugin can now veto client
1407 authentication by returning a failure code.
1408 * The --learn-address script/plugin can now prevent a
1409 client-instance/address association from being learned
1410 by returning a failure code.
1411 * Changed RPM group in .spec file to Applications/Internet.
1413 2004.12.14 -- Version 2.0-rc4
1415 * SuSE only -- Fixed interaction between openvpn.spec and
1416 suse/openvpn.init where the .spec file was writing the
1417 OpenVPN binary to a different location than where the
1418 .init script was referencing it (Stefan Engel).
1419 * Solaris only -- Split Solaris ifconfig command into two
1420 parts (Jan Just Keijser).
1421 * Some cleanup in add_option().
1422 * Better error checking on input dotted quad IP addresses.
1423 * Verify that --push argument is quoted, if there is
1425 * More miscellaneous option sanity checks.
1427 2004.12.13 -- Version 2.0-rc3
1429 * On Windows, when --log or --log-append is used,
1430 save the original stderr for username and password
1432 * Fixed a bug introduced in the late 2.0 betas where
1433 if a "verb" parameter >= 16 was used, it would be
1434 ignored and the actual verb level would remain at 1.
1435 * Fixed a bug mostly seen on OS X where --management-hold
1436 or --management-query-passwords would cause the management
1437 interface to be unresponsive to incoming client connections.
1438 * Trigger an options error if one of the management-modifying
1439 options is used without "management" itself.
1441 2004.12.12 -- Version 2.0-rc2
1443 * Amplified warnings in documentation about possible
1444 man-in-the-middle attack when clients do not properly
1445 verify server certificate. Changes to easy-rsa README,
1446 FAQ, HOWTO, man page, and sample client config file.
1447 * Added a warning message if --tls-client or --client
1448 is used without also specifying one of either
1449 --ns-cert-type, --tls-remote, or --tls-verify.
1450 * status_open() fixes for MSVC builds (Blaine Fleming).
1451 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
1452 compiler error which has been reported on some platforms.
1453 * The openvpn.spec file for rpmbuild has several
1454 new build-time options. See comments in the file.
1455 * Plugins are now built and packaged in the RPM and
1456 will be saved in /usr/share/openvpn/plugin/lib.
1457 * Added --management-hold directive to start OpenVPN
1458 in a hibernating state until released by the
1459 management interface. Also added "hold" command
1460 to the management interface.
1462 2004.12.07 -- Version 2.0-rc1
1464 * openvpn.spec workaround for SuSE confusion regarding
1465 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
1467 2004.12.05 -- Version 2.0-beta20
1469 * The ability to read --askpass and --auth-user-pass
1470 passwords from a file has been disabled by default.
1471 To re-enable, use ./configure --enable-password-save.
1472 * Added additional pre-connected states to management
1473 interface. See management/management-notes.txt
1475 * State history is now recorded by the management
1476 interface, and the "state" command now works like
1477 the log or echo commands.
1478 * State history and real-time state change notifications
1479 are now prepended with an integer unix timestamp.
1480 * Added --http-proxy-timeout option, previously
1481 the timeout was hardcoded to 5 seconds.
1483 2004.12.02 -- Version 2.0-beta19
1485 * Fixed bug in management interface line termination
1486 where output lines incorrectly contained a \00 char
1487 after the customary \0d \0a.
1488 * Fixed bug introduced in beta18 where Windows version
1489 would segfault on options errors.
1490 * Fixed bug in management interface where an empty
1491 quoted string ("") entered as a parameter would cause
1493 * Fixed bug where --resolv-retry was not working
1494 properly with multiple --remote hosts.
1495 * Added additional ./configure options to reduce
1496 executable size for embedded applications.
1497 See ./configure --help.
1499 2004.11.28 -- Version 2.0-beta18
1501 * Added management interface. See new --management-*
1502 options or the full management interface documentation
1503 in management/management-notes.txt in the tarball.
1504 Management interface inclusion can be disabled by
1505 ./configure --disable-management.
1506 * Added two new plugin modules: auth-pam and down-root.
1507 Auth-pam supports pam-based authentication using a
1508 split privilege execution model, while down-root enables
1509 a down script to be executed with root privileges, even
1510 when --user/--group is used to drop root privileges.
1511 See the plugin directory in the tarball for READMEs,
1512 source code, and Makefiles.
1513 * Plugin developers should note that some changes were
1514 made to the plugin interface since beta17. See
1515 openvpn-plugin.h for details.
1516 Plugin interface inclusion can be disabled with
1517 ./configure --disable-plugins
1518 * Added easy-rsa/build-key-server script which will
1519 build a certificate with with nsCertType=server.
1520 * Added --ns-cert-type option for verification
1521 of nsCertType field in peer certificate.
1522 * If --fragment n is specified and --mssfix is specified
1523 without a parameter, default --mssfix to n. This restores
1524 the 1.6 behavior when using --mssfix without a parameter.
1525 * Fixed SSL context initialization bug introduced in beta14
1526 where this error might occur on restarts: "Cannot load
1527 certificate chain ... PEM_read_bio:no start line".
1529 2004.11.11 -- Version 2.0-beta17
1531 * Changed default port number to 1194 per IANA official
1532 port number assignment.
1533 * Added --plugin directive which allows compiled
1534 modules to intercept script callbacks. See
1535 plugin folder in tarball for more info.
1536 * Fixed bug introduced in beta12 where --key-method 1
1537 authentications which should have succeeded would fail.
1538 * Ignore SIGUSR1 during DNS resolution.
1539 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
1540 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
1543 2004.11.07 -- Version 2.0-beta16
1545 * Modified sample-scripts/auth-pam.pl to get username
1546 and password from OpenVPN via a file rather than
1547 via environmental variables.
1548 * Added bytes_sent and bytes_received environmental
1549 variables to be set prior to client-disconnect script.
1550 * Changed client virtual IP derivation precedence:
1551 (1) use --ifconfig-push directive from --client-connect
1552 script, (2) use --ifconfig-push directive from
1553 --client-config-dir, and (3) use --ifconfig-pool
1555 * If a --client-config-dir file specifies --ifconfig-push,
1556 it will be visible to the --client-connect-script in
1557 the ifconfig_pool_remote_ip environmental variable.
1558 * For tun-style tunnels, the ifconfig_pool_local_ip
1559 environmental variable will be set, while for
1560 tap-style tunnels, the ifconfig_pool_netmask variable
1562 * Added intelligence to autoconf script to test
1563 compiler for the accepted form of zero-length arrays.
1564 * Fixed a bug introduced in beta12 where --ip-win32
1565 netsh would fail if --dev-node was not explicitly
1567 * --ip-win32 netsh will now work on hidden adapters.
1568 * Fix attempt of "Assertion failed at crypto.c:149".
1569 This assertion has also been reported on 1.x with a
1570 slightly different line number. The fix is twofold:
1571 (1) In previous releases, --mtu-test may trigger this
1572 assertion -- this bug has been fixed. (2) If something
1573 else causes the assertion to be thrown, don't panic,
1574 just output a nonfatal warning to the log and drop
1575 the packet which generated the error.
1576 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
1577 * Added --echo directive.
1578 * Added --auth-nocache directive.
1580 2004.10.28 -- Version 2.0-beta15
1582 * Changed environmental variable character classes
1583 so that names must consist of alphanumeric or
1584 underbar chars and values must consist of printable
1585 characters. Illegal chars will be deleted.
1586 Versions prior to 2.0-beta12 were more restrictive
1587 and would map spaces to '.'.
1588 * On Windows, when the TAP adapter fails to
1589 initialize with the correct IP address, output
1590 "Initialization Sequence Completed with Errors"
1591 to the console or log file.
1592 * Added a warning when user/group/chroot is used
1593 without persist-tun and persist-key.
1594 * Added cryptoapi.[ch] to tarball and source zip.
1595 * --tls-remote option now works with common name
1596 prefixes as well as with the full X509 subject
1597 string. This is a useful alternative to using
1598 a CRL on the client.
1599 * common names associated with a static
1600 --ifconfig-push setting will no longer leave
1601 any state in the --ifconfig-pool-persist file.
1602 * Hard TLS errors (TLS handshake failed) will now
1603 trigger either a SIGUSR1 signal by default
1604 or SIGTERM (if --tls-exit is specified). In TCP
1605 mode, all TLS errors are considered to be hard.
1606 In server mode, the signal will be local to the
1608 * Added method parameter to --auth-user-pass-verify
1609 directive to select whether username/password
1610 is passed to script via environment or a temporary
1612 * Added --status-version option to control format
1613 of --status file. The --mode server
1614 --status-version 2 format now includes a line
1615 type token, the virtual IP address is shown
1616 in the client list (even in --dev tap mode),
1617 and the integer time_t value is shown anywhere
1618 an ascii-formatted time/date is also shown.
1619 * Added --remap-usr1 directive which can be used
1620 to control whether internally or externally
1621 generated SIGUSR1 signals are remapped to
1622 SIGHUP (restart without persisting state) or
1624 * When running as a Windows service (using
1625 --service option), check the exit event before
1626 and after reading one line of input from
1627 stdin, when reading username/password info.
1628 * For developers: Extended the --gremlin function
1629 to better stress-test the new 2.0 features,
1630 added Valgrind support on Linux and Dmalloc
1633 2004.10.19 -- Version 2.0-beta14
1635 * Fixed a bug introduced in Beta12 that would occur
1636 if you use a --client-connect script without also
1638 * Fixed a bug introduced in Beta12 where a learn-address
1639 script might segfault on the delete method.
1640 * Added Crypto API support in Windows version via
1641 the --cryptoapicert option (Peter 'Luna' Runestig).
1643 2004.10.18 -- Version 2.0-beta13
1645 * Fixed an issue introduced in Beta12 where the private
1646 key password would not be prompted for unless --askpass
1647 was explicitly specified in the config.
1649 2004.10.17 -- Version 2.0-beta12
1651 * Added support for username/password-based authentication.
1652 Clients can now authentication themselves with the server
1653 using either a certificate, a username/password, or both.
1654 New directives: --auth-user-pass, --auth-user-pass-verify,
1655 --client-cert-not-required, and --username-as-common-name.
1656 * Added NTLM proxy patch (William Preston).
1657 * Added --ifconfig-pool-linear server flag to allocate
1658 individual tun addresses for clients rather than /30
1659 subnets (won't work with Windows clients).
1660 * Modified --http-proxy code to cache username/password
1662 * Modified --http-proxy code to read username/password
1663 from the console when the auth file is given as "stdin".
1664 * Modified --askpass to take an optional filename argument.
1665 * --persist-tun and --persist-key now work in client mode
1666 and can be pushed to clients as well.
1667 * Added --ifconfig-pool-persist directive, to maintain
1668 ifconfig-pool info in a file which is persistent across
1669 daemon instantiations.
1670 * --user and --group privilege downgrades as well as
1671 --chroot now also work in client mode (the
1672 dowgrade/chroot will be delayed until the initialization
1673 sequence is completed).
1674 * Added --show-engines standalone directive to show
1675 available OpenSSL crypto accelerator engine support.
1676 * --engine directive now accepts an optional engine-ID
1677 parameter to control which engine is used.
1678 * "Connection reset, restarting" log message now shows
1679 which client is being reset.
1680 * Added --dhcp-pre-release directive in Windows version.
1681 * Second parm to --ip-win32 can be "default", e.g.
1682 --ip-win32 dynamic default 60.
1683 * Fixed documentation bug regarding environmental
1684 variable settings for --ifconfig-pool IP addresses.
1685 The correct environmental variable names are:
1686 ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
1687 * ifconfig_pool_local_ip and ifconfig_pool_remote_ip
1688 environmental variables are now passed to the
1689 client-disconnect script.
1690 * In server mode, environmental variables are now scoped
1691 according to the client they are associated with,
1692 to solve the problem of "crosstalk" between different
1693 client's environmental variable sets.
1694 * Added --down-pre flag to cause --down script to be
1695 called before TUN/TAP close (rather than after).
1696 * Added --tls-exit flag which will cause OpenVPN
1697 to exit on any TLS errors.
1698 * Don't push a route to a client if it exactly
1699 matches an iroute (this lets you push routes to
1700 all clients, and OpenVPN will automatically remove
1701 the route from the route push list only for that client
1702 which the route actually belongs to).
1703 * Made '--resolv-retry infinite' the default.
1704 --resolv-retry can be disabled by using a parameter of 0.
1705 * For clients which plan to pull config info from server,
1706 set an initial default ping-restart of 60 seconds.
1707 * Optimized mute code to lessen the load on the processor
1708 when messages are being muted at a higher frequency.
1709 * Made route log messages non-mutable.
1710 * Silence the Linux "No buffer space available" message.
1711 * Added miscellaneous additional option sanity checks.
1712 * Added Windows version of easy-rsa scripts in
1713 easy-rsa/Windows directory (Andrew J. Richardson).
1714 * Added NetBSD route patch (Ed Ravin).
1715 * Added OpenBSD patch for TAP + --redirect-gateway
1716 (Waldemar Brodkorb).
1717 * Directives which prompt for a username and/or password
1718 will now work with --daemon (OpenVPN will prompt
1720 * Warn if CRL is from a different issuer than the
1721 issuer of the peer certificate (Bernhard Weisshuhn).
1722 * Changed init script chkconfig parameters to start
1723 OpenVPN daemon(s) before NFS.
1724 * Bug fix attempt of "too many I/O wait events" which occurs
1725 on OSes which prefer select() over poll() such as Mac OS X.
1726 * Added --ccd-exclusive flag. This flag will require, as a
1727 condition of authentication, that a connecting client has
1728 a --client-config-dir file.
1729 * TAP-Win32 open code will attempt to open a free adapter
1730 if --dev-node is not specified (Mathias Sundman).
1731 * Resequenced --nice and --chroot ordering so that --nice
1733 * Added --suppress-timestamps flag (Charles Duffy).
1734 * Source code changes to allow compilation by MSVC
1735 (Peter 'Luna' Runestig).
1736 * Added experimental --fast-io flag which optimizes
1737 TUN/TAP/UDP writes on non-Windows systems.
1739 2004.08.18 -- Version 2.0-beta11
1741 * Added --server, --server-bridge, --client, and
1742 --keepalive helper directives. See client.conf
1743 and server.conf in sample-config-files for sample
1744 configurations which use the new directives.
1745 * On Windows, added --route-method to control
1746 whether IP Helper API or route.exe is used
1747 to add/delete routes.
1748 * On Windows, added a second parameter to
1749 --route-delay to control the maximum time period
1750 to wait for the TAP-Win32 adapter to come up
1751 before adding routes.
1752 * Fixed bug in Windows version where configurations
1753 which omit --ifconfig might fail to recognize when
1754 the TAP adapter is up.
1755 * Proxy connection failures will now retry according
1756 to the --connect-retry parameter.
1757 * Fixed --dev null handling on Windows so that TLS
1758 loopback test described in INSTALL file works
1759 correctly on Windows.
1760 * Added "Initialization Sequence Completed" message
1761 after all initialization steps have been completed
1762 and the VPN can be considered "up".
1763 * Better sanity-checking on --ifconfig-pool parameters.
1764 * Added --tcp-queue-limit option to control
1765 TUN/TAP -> TCP socket overflow.
1766 * --ifconfig-nowarn flag will now silence general
1767 warnings about possible --ifconfig address
1768 conflicts, including the warning about --ifconfig
1769 and --remote addresses being in same /24 subnet.
1770 * Fixed case where server mode did not correctly
1771 identify certain types of ethernet multicast packets
1773 * Added --explicit-exit-notify option (experimental).
1775 2004.08.02 -- Version 2.0-beta10
1777 * Fixed possible reference after free of option strings
1778 after a restart, bug was introduced in beta8.
1779 * Fixed segfault at route.c:919 in the beta9
1780 Windows version that was being caused by indirection
1781 through a NULL pointer.
1782 * Mistakenly built debug version of TAP-Win32 driver
1783 for beta9. Beta10 has correct release build.
1785 2004.07.30 -- Version 2.0-beta9
1787 * Fixed --route issue on Windows that was introduced with
1788 the new beta8 route implementation based on the
1791 2004.07.27 -- Version 2.0-beta8
1793 * Added TCP support in server mode.
1794 * Added PKCS #12 support (Mathias Sundman).
1795 * Added patch to make revoke-crt and make-crl work
1796 seamlessly within the easy-rsa environment (Jan Kiszka).
1797 * Modified --mode server ethernet bridge code to forward
1798 special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
1799 * Added --dhcp-renew and --dhcp-release flags to Windows
1800 version. Normally DHCP renewal and release on the TAP
1801 adapter occurs automatically under Windows, however
1802 if you set the TAP-Win32 adapter Media Status property
1803 to "Always Connected", you may need these flags.
1804 * Added --show-net standalone flag to Windows version to
1805 show OpenVPN's view of the system adapter and routing
1807 * Added --show-net-up flag to Windows version to output
1808 the system routing table and network adapter list to
1809 the log file after the TAP-Win32 adapter has been brought
1810 up and any routes have been added.
1811 * Modified Windows version to add routes using the IP Helper
1812 API rather than by calling route.exe.
1813 * Fixed bug where --route-up script was not being called
1814 if no --route options were specified.
1815 * Added --mute-replay-warnings to suppress packet replay
1816 warnings. This is a common false alarm on WiFi nets.
1817 * Added "def1" flag to --redirect-gateway option to override
1818 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
1819 rather than 0.0.0.0/0. This has the benefit of overriding
1820 but not wiping out the original default gateway.
1821 (Thanks to Jim Carter for pointing out this idea).
1822 * You can now run OpenVPN with a single config file argument.
1823 For example, you can now say "openvpn config.conf"
1824 rather than "openvpn --config config.conf".
1825 * On Windows, made --route and --route-delay more adaptive
1826 with respect to waiting for interfaces referenced by the
1827 route destination to come up. Routes added by --route
1828 should now be added as soon as the interface comes up,
1829 rather than after an obligatory 10 second delay. The
1830 way this works internally is that --route-delay now
1831 defaults to 0 on Windows. Previous versions would
1832 wait for --route-delay seconds then add the routes.
1833 This version will wait --route-delay seconds and then
1834 test the routing table at one second intervals for the
1835 next 30 seconds and will not add the routes until they
1836 can be added without errors.
1837 * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
1838 default on TCP/UDP socket in light of reports that this
1839 action can have undesirable global side effects on the
1840 MTU settings of other adapters. These parameters can
1841 still be set, but you need to explicitly specify
1842 --sndbuf and/or --rcvbuf.
1843 * Added --max-clients option to limit the maximum number
1844 of simultaneously connected clients in server mode.
1845 * Added error message to illuminate shell escape gotcha when
1846 single backslashes are used in Windows path names.
1847 * Added optional netmask parm to --ifconfig-pool.
1848 * Fixed bug where http-proxy connect retry attempts were
1849 incorrectly going to the remote OpenVPN server,
1850 not to the HTTP proxy server.
1852 2004.06.29 -- Version 2.0-beta7
1854 * Fixed bug in link_socket_verify_incoming_addr() which
1855 under certain circumstances could have caused --float
1856 behavior even if --float was not specified.
1857 * --tls-auth option now works with --mode server.
1858 All clients and the server should use the same
1859 --tls-auth key when operating in client/server mode.
1860 * Added --engine option to make use of OpenSSL-supported
1861 crypto acceleration hardware.
1862 * Fixed some high verbosity print format size issues
1863 in event.c for 64 bit platforms (Janne Johansson).
1864 * Made failure to open --log or --log-append file
1867 2004.06.23 -- Version 2.0-beta6
1869 * Fixed Windows installer to intelligently put
1870 up a reboot dialog only if tapinstall tells
1871 us that it's really necessary.
1872 * Fixed "Assertion failed at fragment.c:309"
1873 bug when --mode server and --fragment are used
1875 * Ignore HUP, USR1, and USR2 signals during
1876 initialization. Prior versions would abort.
1877 * Fixed bug on OS X: "Assertion failed at event.c:406".
1878 * Added --service option to Windows version, for use
1879 when OpenVPN is being programmatically instantiated
1880 by another process (see man page for info).
1881 * --log and --log-append options now work on Windows.
1882 * Update OpenBSD INSTALL notes (Janne Johansson).
1883 * Enable multicast on tun interface when running on
1884 OpenBSD (Pavlin Radoslavov).
1885 * Fixed recent --test-crypto breakage, where options
1886 such as --cipher were not being parsed correctly.
1887 * Modified options compatibility string by removing
1888 ifconfig substring if it is empty. Incremented
1889 options compatibility string version number to 4.
1890 * Fixed typo in --tls-timeout option parsing
1893 2004.06.13 -- Version 2.0-beta5
1895 * Fixed rare --mode server crash that could occur
1896 if data was being routed to a client at
1897 high bandwidth at the precise moment that the
1898 client instance object on the server was being
1900 * Fixed issue on machines which have epoll.h and
1901 the epoll_create glibc call defined, but which
1902 don't actually implement epoll in the kernel.
1903 OpenVPN will now gracefully fall back to the
1904 poll API in this case.
1905 * Fixed Windows bug which would cause the following
1906 error in a --mode server --dev tap configuration:
1907 "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
1909 * Added CRL (certificate revocation list) management
1910 scripts to easy-rsa directory (Jon Bendtsen).
1911 * Do a better job of getting the ifconfig component
1912 of the options consistency check to work correctly
1913 when --up-delay is used.
1914 * De-inlined some functions which were too complex
1915 to be inlined anyway with gcc.
1916 * If a --dhcp-option option is pushed to a non-windows
1917 client, the option will be saved in the client's
1918 environment before the --up script is called, under
1919 the name "foreign_option_{n}".
1920 * Added --learn-address script (see man page) which
1921 allows for firewall access through the VPN to be
1922 controlled based on the client common name.
1923 * In mode --server mode, when a client connects to
1924 the server, the server will disconnect any
1925 still-active clients which use the same common
1926 name. Use --duplicate-cn flag to revert to
1927 previous behavior of allowing multiple clients
1928 to concurrently connect with the same common name.
1930 2004.06.08 -- Version 2.0-beta4
1932 * Fixed issue with beta3 where Win32 service wrapper
1933 was keying off of old TAP HWID as a dependency. To
1934 ensure that the new service wrapper is correctly
1935 installed, the Windows install script will uninstall
1936 the old wrapper before installing the new one,
1937 causing a reset of service properties.
1938 * Fixed permissions issue on --status output file,
1939 with default access permissions of owner read/write
1940 only (default permissions can be changed of course with
1943 2004.06.05 -- Version 2.0-beta3
1945 * More changes to TAP-Win32 driver's INF file which
1946 affects the placement of the driver in the Windows
1947 device namespace. This is done to work around an
1948 apparent bug in Windows when short HWIDs are used,
1949 and will also ease the upgrade from 1.x to 2.0 by
1950 reducing the chances that a reboot will be needed
1951 on upgrade. Like beta2, this upgrade will
1952 delete existing TAP-Win32 interfaces, and reinstall
1953 a single new interface with default properties.
1954 * Major rewrite of I/O event wait layer in the style
1955 of libevent. This is a precursor to TCP support
1957 * New feature: --status. Outputs a SIGUSR2-like
1958 status summary to a given file, updated once
1959 per n seconds. The status file is comma delimited
1960 for easy machine parsing.
1961 * --ifconfig-pool now remembers common names and
1962 will try to assign a consistent IP to a given
1963 common name. Still to do: persist --ifconfig-pool
1964 memory across restarts by saving state in file.
1965 * Fixed bug in event timer queue which could cause
1966 recurring timer events such as --ping to not
1967 correctly schedule again after firing. This in
1968 turn would cause spurrious ping restarts and possible
1969 connection outages. Thanks to Denis Vlasenko for
1971 * Possible fix to reported bug where --daemon argument
1972 was not printing to syslog correctly after restart.
1973 * Fixed bug where pulling --route or --dhcp-option
1974 directives from a server would problematically
1975 interact with --persist-tun on the client.
1976 * Updated contrib/multilevel-init.patch (Farkas Levente).
1977 * Added RPM build option to .spec and .spec.in files
1978 to optionally disable LZO inclusion (Ian Pilcher).
1979 * The latest MingW runtime and headers define
1980 'ssize_t', so a patch is needed (Gisle Vanem).
1982 2004.05.14 -- Version 2.0-beta2
1984 * Fixed signal handling bug in --mode server, where
1985 SIGHUP and SIGUSR1 were treated as SIGTERM.
1986 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
1987 Apparently the larger string may work around
1988 a problem where the TAP adapter is sometimes missing
1989 from the network connections panel, especially under
1990 XP SP2. Also note that installing this upgrade will
1991 uninstall any pre-existing TAP-Win32 adapters, and then
1992 install a single new adapter, meaning that old adapter
1993 properties will be lost. Thanks to Md5Chap for solving
1995 * For --mode server --dev tap, the options --ifconfig and
1996 --ifconfig-pool are now optional. This allows address
1997 assignment via DHCP or use of a TAP VPN without
1998 IP support, as has always been possible with 1.x.
1999 * Fixed bug where --ifconfig may not work correctly on
2001 * Added 'local' flag to --redirect-gateway for use on
2002 networks where both OpenVPN daemons are connected
2003 to a shared subnet, such as wireless.
2005 2004.05.09 -- Version 2.0-beta1
2007 * Unchanged from test29 except for version number
2010 2004.05.08 -- Version 2.0-test29
2012 * Modified --dev-node on Windows to accept a TAP-Win32
2013 GUID name. In addition, --show-adapters will now
2014 display the high-level name and GUID of each adapter.
2015 This is an attempt to work around an issue in Windows
2016 where sometimes the TAP-Win32 adapter installs correctly
2017 but has no icon in the network connections control
2018 panel. In such cases, being able to specify
2019 --dev-node {TAP-GUID} can work around the missing icon.
2021 2004.05.07 -- Version 2.0-test28
2023 * Fixed bug which could cause segfault on program
2024 shutdown if --route and --persist-tun are used
2027 2004.05.06 -- Version 2.0-test27
2029 * Fixed bug in close_instance() which might cause
2030 memory to be accessed after it had already been freed.
2031 * Fixed bug in verify_callback() that might have
2032 caused uninitialized data to be referenced.
2033 * --iroute now allows full CIDR subnet routing.
2034 * In "--mode server --dev tun" usage, source addresses
2035 on VPN packets coming from a particular client must
2036 be associated with that client in the OpenVPN internal
2039 2004.04.28 -- Version 2.0-test26
2041 * Optimized broadcast path in multi-client mode.
2042 * Added socket buffer size options --rcvbuf & --sndbuf.
2043 * Configure Linux tun/tap driver to use a more sensible
2044 txqueuelen default. Also allow explicit setting
2045 via --txqueuelen option (Harald Roelle).
2046 * The --remote option now allows the port number
2047 to be specified as the second parameter. If
2048 unspecified, the port number defaults to the
2050 * Multiple --remote options on the client can now be
2051 specified for load balancing and failover. The
2052 --remote-random flag can be used to initially randomize
2053 the --remote list for basic load balancing.
2054 * If a remote DNS name resolves to multiple DNS addresses,
2055 one will be chosen by random as a kind of basic
2056 load-balancing feature if --remote-random is used.
2057 * Added --connect-freq option to control maximum
2058 new connection frequency in multi-client mode.
2059 * In multi-client mode, all syslog messages associated
2060 with a specific client now include a client-ID prefix.
2061 * For Windows, use a gettimeofday() function based
2062 on QueryPerformanceCounter (Derek Burdick).
2063 * Fixed bug in interaction between --key-method 2
2064 and DES ciphers, where dynamic keys would be generated
2065 with bad parity and then be rejected.
2067 2004.04.17 -- Version 2.0-test24
2069 * Reworked multi-client broadcast handling.
2071 2004.04.13 -- Version 2.0-test23
2073 * Fixed bug in --dev tun --client-to-client routing.
2074 * Fixed a potential deadlock in --pull.
2075 * Fixed a problem with select() usage which could
2076 cause a repeating sequence of "select : Invalid
2079 2004.04.11 -- Version 2.0-test22
2081 * Fixed bug where --mode server + --daemon was
2082 prematurely closing syslog connection.
2083 * Added support for --redirect-gateway on Mac OS X
2085 * Minor changes to TAP-Win32 driver based on feedback
2086 from the NDISTest tool.
2088 2004.04.11 -- Version 2.0-test21
2090 * Optimizations in multi-client server event loop.
2092 2004.04.10 -- Version 2.0-test20
2094 * --mode server capability now works with either tun
2095 or tap interfaces. When used with tap interfaces,
2096 OpenVPN will internally bridge all client tap
2097 interfaces with the server tap interface.
2098 * Connecting clients can now have a client-specific
2099 configuration on the server, based on the client
2100 common name embedded in the client certificate.
2101 See --client-config-dir and --client-connect.
2102 These options can be used to configure client-specific
2104 * Added an option --client-to-client that enables
2105 internal client-to-client routing or bridging.
2106 Otherwise, clients will only "see" the server,
2107 not other connected clients.
2108 * Fixed bug in route scheduling which would have caused
2109 --mode server to not work on Windows in test18
2110 and test19 with the sample config file.
2111 * Man page is up to date with all new options.
2112 * OpenVPN 2.0 release notes on web site updated
2113 with tap-style tunnel examples.
2115 2004.04.02 -- Version 2.0-test19
2117 * Fixed bug where routes pushed from server were
2118 not working correctly on Windows clients.
2119 * Added Mac OS X route patch (Jeremy Apple).
2121 2004.03.30 -- Version 2.0-test18
2123 * Minor fixes + Windows self-install modified
2124 to use OpenSSL 0.9.7d.
2126 2004.03.29 -- Version 2.0-test17
2128 * Fixed some bugs related to instance timeout and deletion.
2129 * Extended --push/--pull option to support additional
2132 2004.03.28 -- Version 2.0-test16
2134 * Successful test of --mode udp-server, --push,
2135 --pull, and --ifconfig-pool with server on
2136 Linux 2.4 and clients on Linux and Windows.
2138 2004.03.25 -- Version 2.0-test15
2140 * Implemented hash-table lookup of client instances
2141 based either on remote UDP address/port or remote
2143 * Implemented a randomized binary tree based
2144 scheduler for scalably scheduling a large number
2145 of client instance events. Uses the treap
2146 data structure and node rotation algorithm
2147 to keep the tree balanced.
2148 * Initial implementation of ifconfig-pool.
2149 * Made --key-method 2 the default.
2151 2004.03.20 -- Version 2.0-test14
2153 * Implemented --push and --pull.
2155 2004.03.20 -- Version 2.0-test13
2157 * Reduced struct tls_multi and --single-session
2159 * Modified --single-session flag to be used
2160 in multi-client UDP server client instances.
2162 2004.03.19 -- Version 2.0-test12
2164 * Added the key multi-client UDP server options,
2165 --mode, --push, --pull, and --ifconfig-pool.
2166 * Revamped GC (garbage collection) code to not rely
2168 * Modifications to thread.[ch] to allow a more
2169 flexible thread model.
2171 2004.03.16 -- Version 2.0-test11
2173 * Moved all timer code to interval.h, added new file
2175 * Fixed missing include.
2177 2004.03.16 -- Version 2.0-test10
2179 * More TAP-Win32 fixes.
2180 * Initial debugging and testing of multi.[ch].
2182 2004.03.14 -- Version 2.0-test9
2184 * Branch merge with 1.6-rc3
2185 * More point-to-multipoint work in multi.[ch].
2186 * Major TAP-Win32 driver restructuring to use
2187 NdisMRegisterDevice instead of
2188 IoCreateDevice/IoCreateSymbolicLink.
2189 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
2191 * In the majority of cases, TAP-Win32 should now be
2192 able to install and uninstall on Win2K without requiring
2194 * TAP-Win32 MAC address can now be explicitly set in the
2195 adapter advanced properties page.
2197 2004.03.04 -- Version 2.0-test8
2199 * Branch merge with 1.6-rc2.
2201 2004.03.03 -- Version 2.0-test7
2203 * Branch merge with 1.6-rc1.2.
2205 2004.03.02 -- Version 2.0-test6
2207 * Branch merge with 1.6-rc1.
2209 2004.03.02 -- Version 2.0-test5
2211 * Move Socks5 UDP header append/remove to socks.c, and is
2212 called from forward.c.
2213 * Moved verify statics from ssl.c into struct tls_session.
2214 * Wrote multi.[ch] to handle top level of point-to-multipoint
2216 * Wrote some code to allow a struct link_socket in a child context
2217 to be slaved to the parent context.
2218 * Broke up packet read and process functions in forward.c
2219 (from socket or tuntap) into separate functions for read
2220 and process, so that point-to-point and point-to-multipoint can
2221 share the same code.
2222 * Expand TLS control channel to allow the passing of configuration
2224 * Wrote mroute.[ch] to handle internal packet routing for
2225 point-to-multipoint mode.
2227 2004.02.22 -- Version 2.0-test3
2229 * Initial work on UDP multi-client server.
2230 * Branch merge of 1.6-beta7
2232 2004.02.14 -- Version 2.0-test2
2234 * Refactorization of openvpn.c into openvpn.[ch]
2235 init.[ch] forward.[ch] forward-inline.h
2236 occ.[ch] occ-inline.h ping.[ch] ping-inline.h
2237 sig.[ch]. Created a master per-tunnel
2238 struct context in openvpn.h.
2239 * Branch merge of 1.6-beta6.2
2241 2003.11.06 -- Version 2.0-test1
2243 * Initial testbed for 2.0.
2245 2004.05.09 -- Version 1.6.0
2247 * Unchanged from 1.6-rc4 except for version number
2250 2004.04.01 -- Version 1.6-rc4
2252 * Made minor customizations to devcon and
2253 renamed as tapinstall.exe for Windows version.
2254 * Fixed "storage size of `iv' isn't known" build
2256 * OpenSSL 0.9.7d bundled with Windows self-install.
2258 2004.03.13 -- Version 1.6-rc3
2260 * Minor Windows fixes for --ip-win32 dynamic, relating to
2261 the way the TAP-Win32 driver responds to a DHCP request
2262 from the Windows DHCP client.
2263 * The net_gateway environmental variable wasn't being
2264 set correctly for called scripts (Paul Zuber).
2265 * Added code to determine the default gateway on FreeBSD,
2266 allowing the --redirect-gateway option to work
2267 (Juan Rodriguez Hervella).
2269 2004.03.04 -- Version 1.6-rc2
2271 * Fixed bug in Windows version where the NetBIOS node-type
2272 DHCP option might have been passed even if it was not
2274 * Fixed bug in Windows version introduced in 1.6-rc1, where
2275 DHCP timeout would be set to 0 seconds if --ifconfig option
2276 was used and --ip-win32 option was not explicitly specified.
2277 * Added some new --dhcp-option types for Windows version.
2279 2004.03.02 -- Version 1.6-rc1
2281 * For Windows, make "--ip-win32 dynamic" the default.
2282 * For Windows, make "--route-delay 10" the default
2283 unless --ip-win32 dynamic is not used or --route-delay
2284 is explicitly specified.
2285 * L_TLS mutex could have been left in a locked state
2286 for certain kinds of TLS errors.
2288 2004.02.22 -- Version 1.6-beta7
2290 * Allow scheduling priority increase (--nice) together
2291 with UID/GID downgrade (--user/--group).
2292 * Code that causes SIGUSR1 restart on TLS errors in TCP
2293 mode was not activated in pthread builds.
2294 * Save the certificate serial number in an environmental
2295 variable called tls_serial_{n} prior to calling the
2296 --tls-verify script. n is the current cert chain level.
2297 * Added NetBSD IPv6 tunnel capability (also requires
2298 a kernel patch) (Horst Laschinsky).
2299 * Fixed bug in checking the return value of the nice()
2300 function (Ian Pilcher).
2301 * Bug fix in new FreeBSD IPv6 over TUN code which was
2302 originally added in 1.6-beta5 (Nathanael Rensen).
2303 * More Socks5 fixes -- extended the struct frame
2304 infrastructure to accomodate proxy-based encapsulation
2306 * Added --dhcp-option to Windows version for setting
2307 adapter properties such as WINS & DNS servers.
2308 * Use a default route-delay of 5 seconds when
2309 --ip-win32 dynamic is specified (only applicable when
2310 --route-delay is not explicitly specified).
2311 * Added "log_append" registry variable to control
2312 whether the OpenVPN service wrapper on Windows
2313 opens log files in append (log_append="1") or
2314 truncate (log_append="0") mode. The default
2317 2004.02.05 -- Version 1.6-beta6
2319 * UDP over Socks5 fix to accomodate Socks5 encapsulation
2320 overhead (Christof Meerwald).
2321 * Minor --ip-win32 dynamic tweaks (use long lease time,
2322 invalidate existing lease with DHCPNAK).
2324 2004.02.01 -- Version 1.6-beta5
2326 * Added Socks5 proxy support (Christof Meerwald).
2327 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
2328 * Special TAP-Win32 debug mode for Windows self-install that was
2329 enabled in beta4 is now turned off.
2330 * Added some new Solaris notes to INSTALL (Koen Maris).
2331 * More work on --ip-win32 dynamic.
2333 2004.01.27 -- Version 1.6-beta4
2335 * For this beta, the Windows self-install is a debug version
2336 and will run slower -- use only for testing.
2337 * Reverted the --ip-win32 default back to 'ipapi'
2339 * Added the offset parameter to '--ip-win32 dynamic' which
2340 can be used to control the address of the masqueraded
2341 DHCP server which replies to Windows DHCP requests.
2342 * Added a wait/nowait option to --inetd (nowait can only
2343 be used with TCP sockets, TLS authentication, and over
2344 a bridged configuration -- see FAQ for more info)
2345 (Stefan `Sec` Zehl).
2346 * Added a build-time capability where TAP-Win32 driver
2347 debug messages can be output by OpenVPN at --verb 6
2350 2004.01.20 -- Version 1.6-beta2
2352 * Added ./configure --enable-iproute2 flag which
2353 uses iproute2 instead of route + ifconfig --
2354 this is necessary for the LEAF Linux distro
2356 * Added renewal-time and rebind-time to set of
2357 DHCP options returned by the TAP-Win32 driver when
2358 "--ip-win32 dynamic" is used.
2360 2004.01.14 -- Version 1.6-beta1
2362 * Fixed --proxy bug that sometimes caused plaintext
2363 control info generated by the proxy prior to http
2364 CONNECT method establishment to be incorrectly
2365 parsed as OpenVPN data.
2366 * For Windows version, implemented the
2367 "--ip-win32 dynamic" method and made it the default.
2368 This method sets the TAP-Win32 adapter IP address
2369 and netmask by replying to the kernel's DHCP queries.
2370 See the man page for more detailed info.
2371 * Added --connect-retry parameter which controls
2372 the time interval (in seconds) between connect()
2373 retries when --proto tcp-client is used. Previously,
2374 this value was hardcoded to 5 seconds, and still
2376 * --resolv-retry can now be used with a parameter
2377 of "infinite" to retry indefinitely.
2378 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
2379 for support of multi-level certificate chains
2381 * Fixed --tls-auth incompatibility with 1.4.x and earlier
2382 versions of OpenVPN when the passphrase file is an
2383 OpenVPN static key file (as generated by --genkey).
2384 * Added shell-escape support in config files using
2385 the backslash character ("\") so that (for example)
2386 double quotes can be passed to the shell.
2387 * Added "contrib" subdirectory on tarball, source zip,
2388 and CVS containing user-submitted contributions.
2389 * Added an optional patch to the Redhat init script to
2390 allow the configuration file directory to be a
2391 multi-level directory hierarchy (Farkas Levente).
2392 See contrib/multilevel-init.patch
2393 * Added some scripts and documentation on using
2394 Linux "fwmark" iptables rules to enable
2395 fine-grained routing control over the VPN
2396 (Sean Reifschneider, <jafo@tummy.com>).
2397 See contrib/openvpn-fwmarkroute-1.00
2399 2003.11.20 -- Version 1.5.0
2401 * Minor documentation changes.
2403 2003.11.04 -- Version 1.5-beta14
2405 * Fixed build problem with ./configure --disable-ssl
2406 that was reported on Debian woody.
2407 * Fixed bug where --redirect-gateway could not be used
2408 together with --resolv-retry.
2410 2003.11.03 -- Version 1.5-beta13
2412 * Added CRL (certificate revocation list) capability using
2413 --crl-verify option (Stefano Bracalenti).
2414 * Added --replay-window option for variable replay-protection
2416 * Fixed --fragment bug which might have caused certain large
2417 packets to be sent unfragmented.
2418 * Modified --secret and --tls-auth to permit different cipher and
2419 HMAC keys to be used for each data flow direction. Also
2420 increased static key file size generated by --genkey from
2421 1024 to 2048 bits, where 512 bits each are reserved for
2422 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
2423 and backward compatibility is maintained. See --secret option
2424 documentation on the man page for more info.
2425 * Added --tls-remote option (Teemu Kiviniemi).
2426 * Fixed --tls-cipher documention regarding correct delimiter
2427 usage (Teemu Kiviniemi).
2428 * Added --key-method option for selecting alternative data
2429 channel key negotiation methods. Method 1 is the default.
2430 Method 2 has been added (see man page for more info).
2431 * Added French translation of HOWTO to web site
2432 (Guillaume Lehmann).
2433 * Fixed problem caused by late resolver library load on
2434 certain platforms when --resolv-retry and --chroot are
2435 used together (Teemu Kiviniemi).
2436 * In TCP mode, all decryption or TLS errors will abort the current
2437 connection (this is not done in UDP mode because UDP is
2439 * Fixed a TCP client reconnect bug that only occurs on the
2440 BSDs, where connect() fails with an invalid argument. This
2441 bug was partially (but not completely) fixed in beta7.
2442 * Added "route_net_gateway" environmental variable which contains
2443 the pre-existing default gateway address from the routing table
2444 (there's no standard API for getting the default gateway, so
2445 right now this feature only works on Windows or Linux).
2446 * Renamed the "route_default_gateway" enviromental variable to
2447 "route_vpn_gateway" -- this is the remote VPN endpoint.
2448 * The special keywords vpn_gateway, net_gateway, and remote_host
2449 can now be used for the network or gateway components of the
2450 --route option. See the man page for more info.
2451 * Added the --redirect-gateway option to configure the VPN
2452 as the default gateway (implemented on Linux and Windows only).
2453 * Added the --http-proxy option with basic authentication
2454 support for use in TCP client mode. Successfully tested
2455 using Squid as the HTTP proxy, with and without authentication.
2457 2003.10.12 -- Version 1.5-beta12
2459 * Fixed Linux-only bug in --mktun and --rmtun which was
2460 introduced around beta8 or so, which would cause
2461 an error such as "I don't recognize device tun0 as a
2462 tun or tap device1".
2463 * Added --ifconfig-nowarn option to disable options
2464 consistency warnings about --ifconfig parameters.
2465 * Don't allow any kind of sequence number backtracking or
2466 message reordering when in TCP mode.
2467 * Changed beta naming convention to use '_' (underscore)
2468 rather than '-' (dash) to pacify rpmbuild.
2470 2003.10.08 -- Version 1.5-beta11
2472 * Modified code in the Windows version which sets the IP address
2473 and netmask of the TAP-Win32 adapter using the IP Helper API.
2474 Most of the changes involve better error recovery when
2475 the IP Helper API returns an error status. See the
2476 manual page entry on --ip-win32 for more info.
2478 2003.10.08 -- Version 1.5-beta10
2480 * Added getpass() function for Windows version so that --askpass
2481 option works correctly (Stefano Bracalenti).
2482 * Added reboot advisory to end of Win32 install script.
2483 * Changed crypto code to use pseudo-random IVs rather than
2484 carrying forward the IV state from the previous packet.
2485 This is in response to item 2 in the following document:
2486 http://www.openssl.org/~bodo/tls-cbc.txt which points
2487 out weaknesses in TLS's use of the same IV carryforward
2488 approach. This change does not break protocol compatibility
2489 with previous versions of OpenVPN.
2490 * Made a change to the crypto replay protection code to also
2491 protect against certain kinds of packet reordering attacks.
2492 This change does not break protocol compatibility with
2493 previous versions of OpenVPN.
2494 * Added --ip-win32 option to provide several choices for
2495 setting the IP address on the TAP-Win32 adapter.
2496 * #ifdefed out non-CBC crypto modes by default.
2497 * Added --up-delay option to delay TUN/TAP open and --up script
2498 execution until after connection establishment. This option
2499 replaces the earlier windows-only option --tap-delay.
2501 2003.10.01 -- Version 1.5-beta9
2503 * Fixed --route-noexec bug where option was not parsed correctly.
2504 * Complain if --dev tun is specified without --ifconfig on Windows.
2505 * Fixed bug where TCP connections on windows would sometimes cause
2506 an assertion failure.
2507 * Added a new flag to TAP-Win32 advanced properties that allows one
2508 to set the adapter to be always "connected" even when an OpenVPN
2509 process doesn't have it open. The default behavior is to report
2510 a media status of connected only when an OpenVPN process has the
2512 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
2513 DLLs in response to an OpenSSL security advisory.
2515 2003.09.30 -- Version 1.5-beta8
2517 * Extended the --ifconfig option to work on tap devices as well
2519 * Implemented the --ifconfig option for Windows, by calling the
2521 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
2522 refresh the MAC cache. This behaviour can be disabled with
2524 * On Windows, allow the --dev-node parameter (which specifies
2525 the name of the TAP-Win32 adapter) to be omitted in cases where
2526 there is a single TAP-Win32 adapter on the system which can be
2527 assumed to be the default.
2528 * Modified the diagnostic --verb 5 debugging level to print 'R'
2529 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
2530 and 'w' for TUN/TAP write.
2531 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
2533 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
2534 * Make the --enable-mtu-dynamic ./configure option enabled by
2536 * Deprecated the --mtu-dynamic run-time option, in favor of
2538 * DNS names can now be used as --ifconfig parameters.
2539 * Significant work on TAP-Win32 driver to bring up to SMP standards.
2540 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
2541 unloaded or disabled, while a user-space process has it open.
2542 * On Windows, if --tun-mtu is not specified, it will be read from
2543 the TAP-Win32 driver via ioctl.
2544 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
2545 signal (only when run from a console window).
2546 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
2547 * Renamed --mtu-dynamic option to --fragment to more accurately
2548 reflect its function. Fragment accepts a single parameter which
2549 is the upper limit on acceptable UDP packet size.
2550 * Changed default --tun-mtu-extra parameter to 32 from 64.
2551 * Eliminated reference to malloc.o in configure.ac.
2552 * Added tun device emulation to the TAP-Win32 driver.
2553 * Added --route and related options.
2554 * Added init script for SuSE Linux (Frank Plohmann).
2555 * Extended option consistency check between peers to function
2556 in all crypto modes, including static-key and cleartext modes.
2557 Previously only TLS mode was supported. Disable with
2559 * Overall, increased the amount of configuration option sanity
2560 checking, especially of networking parameters.
2561 * Added --mtu-test option for empirical MTU measurement.
2562 * Added Windows-only option --tap-delay to not set the TAP-Win32
2563 adapter media state to 'connected' until TCP/UDP connection
2564 establishment with peer.
2565 * Slightly modified --route/--route-delay semantics so that when
2566 --route is given without --route-delay, routes are added
2567 immediately after tun/tap device open. When --route-delay is
2568 specified, routes will be added n seconds after connection
2569 initiation, where n is the --route-delay parameter (which
2571 * Made TCP framing error into a non-fatal error that triggers a
2574 2003.08.28 -- Version 1.5-beta7
2576 * Fixed bug that caused OpenVPN not to respond to exit/restart
2577 signals when --resolv-retry is used and a local or remote DNS
2578 name cannot be resolved.
2579 * Exported a series of environmental variables with useful
2580 info for scripts. See man page for more info. Based
2581 on a suggestion by Anthony Ciaravalo.
2582 * Moved TCP/UDP socket bind to a point in the initialization
2583 before the --up script gets called. This is desirable
2584 because (a) a socket bind failure will happen before
2585 daemonization, allowing an error status code to be returned
2586 to the shell and (b) the possibility is eliminated of a
2587 socket bind failure causing the --up script to be run
2588 but not the --down script. This change has a side effect
2589 that --resolv-retry will no longer work with --local.
2590 * Fixed bug where if an OpenVPN TCP server went down and back
2591 up again, Solaris or FreeBSD clients would fail to reconnect
2593 * Fixed bug that prevented OpenVPN from being run by
2594 inetd/xinetd in TCP mode.
2595 * Added --log and --log-append options for logging messages to
2597 * On Windows, check that the current user is a member of the
2598 Administrator group before attempting install or uninstall.
2600 2003.08.16 -- Version 1.5-beta6
2602 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
2604 2003.08.14 -- Version 1.5-beta5
2606 * Added user-configurability of the TAP-Win32 adapter MTU
2607 through the adapter advanced properties page.
2608 * Added Windows Service support.
2609 * On Windows, added file association and right-clickability
2610 for .ovpn files (OpenVPN config files).
2612 2003.08.05 -- Version 1.5-beta4
2614 * Extra refinements and error checking added to Windows
2615 NSIS install script.
2617 2003.08.05 -- Version 1.5-beta3
2619 * Added md5.h include to crypto.c to fix build problem on
2621 * Created a Win32 installer using NSIS.
2622 * Removed DelService command from TAP-Win32 INF file. It appears
2623 to be not necessary and it interfered with the ability to
2624 uninstall and reinstall the driver without needing to reboot.
2625 * On Windows version, added "addtap" and "deltapall" batch
2626 files to add and delete TAP-Win32 adapter instances.
2628 2003.07.31 -- Version 1.5-beta2
2630 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
2631 in Windows ASCII so it's easier to click and view.
2632 * Added postscript and PDF versions of the HOWTO to the web
2634 * Merged Michael Clarke's stability patch into TAP-Win32
2635 driver which appears to fix the suspend/resume driver bug
2636 and significantly improve driver stability.
2637 * Added Christof Meerwald's Media Status patch to the
2638 TAP-Win32 driver which shows the TAP adapter to be
2639 disconnected when OpenVPN is not running.
2640 * Moved socket connect and TCP server listen code to a later
2641 point in openvpn() function so that the TCP server listen
2642 state is entered after daemonization.
2643 * Added keyboard shortcuts to simulate signals in the Windows
2644 version, see the window title bar for descriptions.
2646 2003.07.24 -- Version 1.5-beta1
2648 * Added TCP support via the new --proto option.
2649 * Renamed udp-centric options such as --udp-mtu to
2650 --link-mtu (old option names preserved for compatibility).
2651 * Ported to Windows 2000 + XP using mingw and a TAP driver
2652 derived from the Cipe-Win32 project by Damion K. Wilson.
2653 * Added --show-adapters flag for windows version.
2654 * Reworked the SSL/TLS packet acknowledge code to better
2655 handle certain corner cases.
2656 * Turned off the default enabling of IP forwarding in the
2657 sample-scripts/openvpn.init script for Redhat.
2658 Forwarding can be enabled by users in their --up scripts
2660 * Added --up-restart option based on suggestion from Sean
2662 * If --dev tap or --dev-type tap is specified, --tun-mtu
2663 defaults to 1500 and --tun-mtu-extra defaults to 64.
2664 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
2665 for each packet read or write on the TCP/UDP socket.
2667 2003.08.04 -- Version 1.4.3
2669 * Added md5.h include to crypto.c
2670 to fix build problem on OpenBSD.
2672 2003.07.15 -- Version 1.4.2
2674 * Removed adaptive bandwidth from
2675 --mtu-dynamic -- its absence appears
2676 to work better than its existence (1.4.1.2).
2677 * Minor changes to --shaper to fix long
2678 retransmit timeouts at low bandwidth
2680 * Added LOG_RW flag to openvpn.h for
2681 debugging (1.4.1.2).
2682 * Silenced spurious configure warnings (1.4.1.2).
2683 * Backed out --dev-name patch, modified --dev
2684 to offer equivalent functionality (1.4.1.4).
2685 * Added an optional parameter to --daemon and
2686 --inetd to support the passing of a custom
2687 program name to the system logger (1.4.1.5).
2688 * Add compiled-in options to the program title
2690 * Coded the beginnings of a WIN32 port (1.4.1.5).
2691 * Succeeded in porting to Win32 Mingw environment
2692 and running loopback tests (1.4.1.6). Still
2693 need a kernel driver for full Win32
2695 * Fixed a bug in error.h where
2696 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
2697 This would have caused a significant slowdown
2698 of OpenVPN when built by compilers that
2699 lack ISO C99 vararg macros (1.4.1.6).
2700 * Created an init script for Gentoo Linux
2701 in ./gentoo directory (1.4.1.6).
2703 2003.05.15 -- Version 1.4.1
2705 * Modified the Linux 2.4 TUN/TAP open code to
2706 fall back to the 2.2 TUN/TAP interface if the
2707 open or ioctl fails.
2708 * Fixed bug when --verb is set to 0 and non-fatal
2709 socket errors occur, causing 100% CPU utilization.
2710 Occurs on platorms where
2711 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
2713 * Fixed typo in tun.c that was preventing
2715 * Added --enable-mtu-dynamic configure option
2716 to enable --mtu-dynamic experimental option.
2718 2003.05.07 -- Version 1.4.0
2720 * Added --replay-persist feature to allow replay
2721 protection across sessions.
2722 * Fixed bug where --ifconfig could not be used
2724 * Added --tun-mtu-extra parameter to deal with
2725 the situation where a read on a TUN/TAP device
2726 returns more data than the device's MTU size.
2727 * Fixed bug where some IPv6 support code for
2728 Linux was not being properly ifdefed out for
2729 Linux 2.2, causing compile errors.
2730 * Added OPENVPN_EXIT_STATUS_x codes to
2731 openvpn.h to control which status value
2732 openvpn returns to its caller (such as
2733 a shell or inetd/xinetd) for various conditions.
2734 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
2735 openvpn.h to allow debugging in situations
2736 where stdout, stderr, and syslog cannot be used
2737 for message output, such as when OpenVPN is
2738 instantiated by inetd/xinetd.
2739 * Removed owner-execute permission from file
2740 created by static key generator (Herbert Xu
2741 and Alberto Gonzalez Iniesta).
2742 * Added --passtos option to allow IPv4 TOS bits
2743 to be passed from TUN/TAP input packets to
2744 the outgoing UDP socket (Craig Knox).
2745 * Added code to prevent open socket file descriptors
2746 from being accessible to called scripts.
2747 * Added --dev-name option (Christian Lademann).
2748 * Added --mtu-disc option for manual control
2750 * Show OS MTU value on UDP socket write failures
2752 * Numerous build system and portability
2753 fixes (Matthias Andree).
2754 * Added better sensing of compiler support for
2755 variable argument macros, including (a) gcc
2756 style, (b) ISO C 1999 style, and (c) no support.
2757 * Removed generated files from CVS. Note INSTALL
2758 file for new CVS build commands.
2759 * Changed certain internal symbol names
2760 for C standards compliance.
2761 * Added TUN/TAP open code to cycle dynamically
2762 through unit numbers until it finds a free
2763 unit (based on code from Thomas Gielfeldt
2765 * Added dynamic MTU and fragmenting infrastructure
2766 (Experimental). Rebuild with FRAGMENT_ENABLE
2768 * Minor changes to SSL/TLS negotiation, use
2769 exponential backoff on retransmits, and use
2770 a smaller MTU size (note that no protocol
2771 changes have been made which would break
2772 compatibility with 1.3.x).
2773 * Added --enable-strict-options flag
2774 to ./configure. This option will cause
2775 a more strict check for options compatibility
2776 between peers when SSL/TLS negotiation is used,
2777 but should only be used when both OpenVPN peers
2778 are of the same version.
2779 * Reorganization of debugging levels.
2780 * Added a workaround in configure.ac for
2781 default SSL header location on Linux
2782 to fix RH9 build problem.
2783 * Fixed potential deadlock when pthread support
2784 is used on OSes that allocate a small socketpair()
2786 * Fixed openvpn.init to be sh compliant
2788 * Changed --daemon to wait until all
2789 initialization is finished before becoming a
2790 daemon, for the benefit of initialization
2791 scripts that want a useful return status from
2792 the openvpn command.
2793 * Made openvpn.init script more robust, including
2794 positive indication of initialization errors
2795 in the openvpn daemon and better sanity checks.
2796 * Changed --chroot to wait until initialization
2797 is finished before calling chroot(), and allow
2798 the use of --user and --group with --chroot.
2799 * When syslog logging is enabled (--daemon or
2800 --inetd), set stdin/stdout/stderr to point
2802 * For inetd instantiations, dup socket descriptor
2804 * Fixed bug in verify-cn script, where test would
2805 incorrectly fail if CN=x was the last component
2806 of the X509 composite string (Anonymous).
2807 * Added Markus F.X.J. Oberhumer's special
2808 license exception to COPYING.
2810 2002.10.23 -- Version 1.3.2
2812 * Added SSL_CTX_set_client_CA_list call
2813 to follow the canonical form for TLS initialization
2814 recommended by the OpenSSL docs. This change allows
2815 better support for intermediate CAs and has no impact
2817 * Added build-inter script to easy-rsa package, to
2818 facilitate the generation of intermediate CAs.
2819 * Ported to NetBSD (Dimitri Goldin).
2820 * Fixed minor bug in easy-rsa/sign-req. It refers to
2821 openssl.cnf file, instead of $KEY_CONFIG, like all
2822 other scripts (Ernesto Baschny).
2823 * Added --days 3650 to the root CA generation command
2824 in the HOWTO to override the woefully small 30 day
2825 default (Dominik 'Aeneas' Schnitzer).
2826 * Fixed bug where --ping-restart would sometimes
2827 not re-resolve remote DNS hostname.
2828 * Added --tun-ipv6 option and related infrastructure
2829 support for IPv6 over tun.
2830 * Added IPv6 over tun support for Linux (Aaron Sethman).
2831 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
2832 INSTALL (Matthias Andree).
2833 * Added inetd/xinetd support (--inetd) including
2834 documentation in the HOWTO.
2835 * Added "Important Note on the use of commercial certificate
2836 authorities (CAs) with OpenVPN" to HOWTO based on
2837 issues raised on the openvpn-users list.
2839 2002.07.10 -- Version 1.3.1
2841 * Fixed bug in openvpn.spec and openvpn.init
2842 which caused RPM upgrade to fail.
2844 2002.07.10 -- Version 1.3.0
2846 * Added --dev-node option to allow explicit selection of
2847 tun/tap device node.
2848 * Removed mlockall call from child thread, as it doesn't
2849 appear to be necessary (child thread inherits mlockall
2851 * Added --ping-timer-rem which causes timer for --ping-exit
2852 and --ping-restart not to run unless we have a remote IP
2854 * Added condrestart to openvpn.init and openvpn.spec
2856 * Added --ifconfig case for FreeBSD (Matthias Andree).
2857 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
2858 * Changed LOG_INFO messages to LOG_NOTICE.
2859 * Added warning when key files are group/others accessible.
2860 * Added --single-session flag for TLS mode.
2861 * Fixed bug where --writepid would segfault if used with
2862 an invalid filename.
2863 * Fixed bug where --ipchange status message was formatted
2865 * Print more concise error message when system() call
2867 * Added --disable-occ option.
2868 * Added --local, --remote, and --ifconfig options sanity
2870 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
2872 * Successfully tested with OpenSSL 0.9.7 Beta 2.
2873 * Broke out debug level definitions to errlevel.h
2874 * Minor documentation and web site changes.
2875 * All changes maintain protocol compatibility
2876 with OpenVPN versions since 1.1.0, however default
2877 MTU changes will require setting the MTU explicitly
2878 by command line option, if you want 1.3.0 to
2879 communicate with previous versions.
2881 2002.06.12 -- Version 1.2.1
2883 * Added --ping-restart option to restart
2884 connection on ping timeout using SIGUSR1
2885 logic (Matthias Andree).
2886 * Added --persist-tun, --persist-key,
2887 --persist-local-ip, and --persist-remote-ip
2888 options for finer-grained control over SIGUSR1
2889 and --ping-restart restarts. To
2890 replicate previous SIGUSR1 functionality,
2891 use --persist-remote-ip.
2892 * Changed residual IV fetching code to take
2893 IV from tail of ciphertext.
2894 * Added check to make sure that CFB or OFB
2895 cipher modes are only used with SSL/TLS
2896 authentication mode, and added a caveat
2898 * Changed signal handling during initialization
2899 (including re-initialization during restarts)
2900 to exit on SIGTERM or SIGINT and ignore other
2901 signals which would ordinarily be caught.
2902 * Added --resolv-retry option to allow
2903 retries on hostname resolution.
2904 * Expanded the --float option to also
2905 allow dynamic changes in source port number
2906 on incoming datagrams.
2907 * Added --mute option to limit repetitive
2908 logging of similar message types.
2909 * Added --group option to downgrade GID
2910 after initialization.
2911 * Try to set ifconfig path automatically
2913 * Added --ifconfig code for Mac OS X
2914 (Christoph Pfisterer).
2915 * Moved "Peer Connection Initiated" message
2917 * Successfully tested with
2918 OpenSSL 0.9.7 Beta 1 and AES cipher.
2919 * Added RPM notes to INSTALL.
2920 * Added ACX_PTHREAD (from the autoconf
2921 macro archive) to configure.ac
2922 to figure out the right pthread
2923 options for a given platform.
2924 * Broke out macro definitions from
2925 configure.ac to acinclude.m4.
2926 * Minor changes to docs and HOWTO.
2927 * All changes maintain protocol compatibility
2928 with OpenVPN versions since 1.1.0.
2930 2002.05.22 -- Version 1.2.0
2932 * Added configuration file support via
2933 the --config option.
2934 * Added pthread support to improve latency.
2935 With pthread support, OpenVPN
2936 will offload CPU-intensive tasks such as RSA
2937 key number crunching to a background thread
2938 to improve tunnel packet forwarding
2939 latency. pthread support can be enabled
2940 with the --enable-pthread configure option.
2941 Pthread support is currently available
2942 only for Linux and Solaris.
2943 * Added --dev-type option so that tun/tap
2944 device names don't need to begin with
2946 * Added --writepid option to write main
2947 process ID to a file.
2948 * Numerous portability fixes to ease
2949 porting to other OSes including changing
2950 all network types to uint8_t and uint32_t,
2951 and not assuming that time_t is 32 bits.
2952 * Backported to OpenSSL 0.9.5.
2953 * Ported to Solaris.
2954 * Finished OpenBSD port except for
2956 * Added initialization script:
2957 sample-scripts/openvpn.init
2959 * Ported to Mac OS X (Christoph Pfisterer).
2960 * Improved resilience to DoS attacks when
2961 TLS mode is used without --remote or
2962 --tls-auth, or when --float is used
2963 with --remote. Note however that the best
2964 defense against DoS attacks in TLS mode
2965 is to use --tls-auth.
2966 * Eliminated automake/autoconf dependency
2968 * Ported configure.in to configure.ac
2970 * SIGHUP signal now causes OpenVPN to restart
2971 and re-read command line and or config file,
2972 in conformance with canonical daemon behaviour.
2973 * SIGUSR1 now does what SIGHUP did in
2974 version 1.1.1 and earlier -- close and reopen
2975 the UDP socket for use when DHCP changes
2976 host's IP address and preserve most recently
2977 authenticated peer address without rereading
2979 * SIGUSR2 added -- outputs current statistics,
2980 including compression statistics.
2981 * All changes maintain protocol compatibility
2982 with 1.1.1 and 1.1.0.
2984 2002.04.22 -- Version 1.1.1
2986 * Added --ifconfig option to automatically configure
2988 * Added inactivity disconnect (--inactive
2989 and --ping-exit options).
2990 * Added --ping option to keep stateful firewalls
2992 * Added sanity check to command line parser to
2993 err if any TLS options are used in non-TLS mode.
2994 * Fixed build problem with compiler environments that
2995 define printf as a macro.
2996 * Fixed build problem on linux systems that have
2997 an integrated TUN/TAP driver but lack the persistent
2998 tunnel feature (TUNSETPERSIST). Some linux kernels
2999 >= 2.4.0 and < 2.4.7 fall into this category.
3000 * Changed all calls to EVP_CipherInit to use explicit
3001 encrypt/decrypt mode in order to fix problem with
3002 IDEA-CBC and AES-256-CBC ciphers.
3003 * Minor changes to control channel transmit limiter
3004 algorithm to fix problem where TLS control channel
3005 might not renegotiate within the default 60 second window.
3006 * Simplified man page examples by taking advantage
3007 of the new --ifconfig option.
3008 * Minor changes to configure.in to check more
3009 rigourously for OpenSSL 0.9.6 or greater.
3010 * Put back openvpn.spec, eliminated
3012 * Modified openvpn.spec to reflect new automake-based
3013 build environment (Bishop Clark).
3014 * Other documentation changes.
3015 * Added --test-crypto option for debugging.
3016 * Added "missing" and "mkinstalldirs" automake
3020 2002.04.09 -- Version 1.1.0
3022 * Strengthened replay protection and IV handling,
3023 extending it fully to both static key and
3024 TLS dynamic key exchange modes.
3025 * Added --mlock option to disable paging and ensure that key
3026 material and tunnel data is never paged to disk.
3027 * Added optional traffic shaping feature to cap the maximum
3028 data rate of the tunnel.
3029 * Converted to automake (The Platypus Brothers 2002-04-01).
3030 * Ported to OpenBSD by Janne Johansson.
3031 * Added --tun-af-inet option to work around an incompatibility
3032 between Linux and BSD tun drivers.
3033 * Sequence number-based replay protection using the
3034 IPSec sliding window model is now the default,
3035 disable with --no-replay.
3036 * Explicit IV is now the default, disable with --no-iv.
3037 * Disabled all cipher modes except CBC, CFB, and OFB.
3038 * In CBC mode, use explicit IV and carry forward residuals,
3040 * In CFB/OFB mode, IV is timestamp, sequence number.
3041 * Eliminated --packet-id, --timestamp, and max-delta parameter to
3042 the --tls-auth option as they are now supplanted by improved
3043 replay code which is enabled by default.
3044 * Eliminated --rand-iv as it is now obsolete with improved
3046 * Eliminated --reneg-err option as it increases vulnerability
3048 * Added weak key check for DES ciphers.
3049 * --tls-freq option is no longer specified on the command line,
3050 instead it now inherits its parameter from the
3051 --tls-timeout option.
3052 * Fixed bug that would try to free memory on exit that was
3053 never malloced if --comp-lzo was not specified.
3054 * Errata fixed in the man page examples: "test-ca" should be
3056 * Updated manual page.
3057 * Preliminary work in porting to OpenSSL 0.9.7.
3058 * Changed license to allowing linking with OpenSSL.
3060 2002.03.29 -- Version 1.0.3
3062 * Fixed a problem in configure with library ordering on the
3065 2002.03.28 -- Version 1.0.2
3067 * Improved the efficiency of the inner event loop.
3068 * Fixed a minor bug with timeout handling.
3069 * Improved the build system to build on RH 6.2 through 7.2.
3070 * Added an openvpn.spec file for RPM builders (Bishop Clark).
3072 2002.03.23 -- Version 1.0
3074 * Added TLS-based authentication and key exchange.
3075 * Added gremlin mode to stress test.
3078 2001.12.26 -- Version 0.91
3080 * Added any choice of cipher or HMAC digest.
3082 2001.5.13 -- Version 0.90
3085 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.