2 Copyright (C) 2002-2015 OpenVPN Technologies, Inc. <sales@openvpn.net>
4 2016.01.04 -- Version 2.3.10
6 Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
9 Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
12 Repair IPv6 netsh calls if Win XP is detected
15 Use bob.example.com and alice.example.com to improve clarity of documentation
18 Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
19 Upgrade OpenVPN 2.3 to PolarSSL 1.3
20 Warn user if their certificate has expired
21 Make assert_failed() print the failed condition
22 cleanup: get rid of httpdigest.c type warnings
23 Fix regression in setups without a client certificate
26 polarssl: fix unreachable code
28 2015.12.15 -- Version 2.3.9
30 Show extra-certs in current parameters.
31 Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
32 Do not set the buffer size by default but rely on the operation system default.
33 Remove --enable-password-save option
34 Reflect enable-password-save change in documentation
35 Also remove second instance of enable-password-save in the man page
36 Detect config lines that are too long and give a warning/error
39 Log serial number of revoked certificate
41 Christos Trochalakis (1):
42 Adjust server-ipv6 documentation
45 Avoid partial authentication state when using --disabled in CCD configs
48 Make "block-outside-dns" option platform agnostic
51 Un-break --auth-user-pass on windows
52 Replace unaligned 16bit access to TCP MSS value with bytewise access
53 Repair test_local_addr() on WIN32
54 Fix possible heap overflow on read accessing getaddrinfo() result.
55 Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
56 remove unused gc_arena in FreeBSD close_tun()
57 Fix isatty() check for good.
60 put virtual IPv6 addresses into env
63 Use adapter index instead of name for windows IPv6 interface config
64 Client-side part for server restart notification
65 Use adapter index for add/delete_route_ipv6
66 Pass adapter index to up/down scripts
67 Fix VS2013 compilation
70 Fix privilege drop if first connection attempt fails
73 Support for username-only auth file.
77 Updates to Changes.rst
80 Fix termination when windows suspends/sleeps
81 Do not hard-code windows systemroot in env_block
82 Handle ctrl-C and ctrl-break events on Windows
83 Unbreak read username password from management
86 Replace strdup() calls for string_alloc() calls
87 Check return value of ms_error_text()
88 Increase control channel packet size for faster handshakes
89 hardening: add insurance to exit on a failed ASSERT()
90 Fix memory leak in auth-pam plugin
91 Fix (potential) memory leak in init_route_list()
92 Fix unintialized variable in plugin_vlog()
93 Add macro to ensure we exit on fatal errors
94 Fix memory leak in add_option() by simplifying get_ipv6_addr
95 openssl: properly check return value of RAND_bytes()
96 Fix rand_bytes return value checking
99 Add Windows DNS Leak fix using WFP ('block-outside-dns')
102 Fix "White space before end tags can break the config parser"
105 2015.08.03 -- Version 2.3.8
107 Report missing endtags of inline files as warnings
108 Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
111 Produce a meaningful error message if --daemon gets in the way of asking for passwords.
112 Document --daemon changes and consequences (--askpass, --auth-nocache).
115 Del ipv6 addr on close of linux tun interface
118 Fix --askpass not allowing for password input via stdin
121 write pid file immediately after daemonizing
122 Make __func__ work with Visual Studio too
123 fix regression: query password before becoming daemon
124 Fix using management interface to get passwords.
125 Fix overflow check in openvpn_decrypt()
128 2015.06.02 -- Version 2.3.7
129 Alexander Pyhalov (1):
130 Default gateway can't be determined on illumos/Solaris platforms
133 Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
135 David Sommerseth (6):
136 autotools: Fix wrong ./configure help screen default values
137 down-root plugin: Replaced system() calls with execve()
138 down-root: Improve error messages
139 plugin, down-root: Fix compiler warnings
140 sockets: Remove the limitation of --tcp-nodelay to be server-only
141 plugins, down-root: Code style clean-up
144 pkcs11: Load p11-kit-proxy.so module by default
145 Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
148 Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary
151 New approach to handle peer-id related changes to link-mtu (2.3 version)
152 Fix incorrect use of get_ipv6_addr() for iroute options.
153 Print helpful error message on --mktun/--rmtun if not available.
154 explain effect of --topology subnet on --ifconfig
155 Add note about file permissions and --crl-verify to manpage.
156 repair --dev null breakage caused by db950be85d37
157 assume res_init() is always there.
158 Correct note about DNS randomization in openvpn.8
159 Disallow usage of --server-poll-timeout in --secret key mode.
160 slightly enhance documentation about --cipher
161 Enforce "serial-tests" behaviour for tests/Makefile
162 Revert "Enforce "serial-tests" behaviour for tests/Makefile"
163 On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
164 Use configure.ac hack to apply serial_test AM option only if supported.
165 Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
166 Move res_init() call to inner openvpn_getaddrinfo() loop
167 Fix FreeBSD ifconfig for topology subnet tunnels.
170 Fix --redirect-private in --dev tap mode.
172 Jan Just Keijser (1):
173 include ifconfig_ environment variables in --up-restart env set
175 Jonathan K. Bullard (1):
176 Fix null pointer dereference in options.c
179 Fix mssfix default value in connection_list context
182 Manual page update for Re-enabled TLS version negotiation.
185 Include systemd units in the source tarball (make dist)
188 Updated manpage for --rport and --lport
191 Properly escape dashes on the man-page
192 Improve documentation in --script-security section of the man-page
195 Really fix '--cipher none' regression
196 Update doxygen (a bit)
197 Set tls-version-max to 1.1 if cryptoapicert is used
198 Account for peer-id in frame size calculation
199 Disable SSL compression
200 Fix frame size calculation for non-CBC modes.
201 Allow for CN/username of 64 characters (fixes off-by-one)
202 Remove unneeded parameter 'first_time' from possibly_become_daemon()
203 Re-enable TLS version negotiation by default
204 Remove size limit for files inlined in config
205 Improve --tls-cipher and --show-tls man page description
206 Re-read auth-user-pass file on (re)connect if required
207 Clarify --capath option in manpage
208 Call daemon() before initializing crypto library
211 2014.11.28 -- Version 2.3.6
212 David Sommerseth (1):
213 systemd: Reworked the systemd unit file to handle server and client configs better
216 Add client-only support for peer-id.
219 Fix to --shaper documentation on the man-page
222 Fix assertion error when using --cipher none
223 Add --tls-version-max
224 Modernize sample keys and sample configs
225 Drop too-short control channel packets instead of asserting out.
228 2014.10.24 -- Version 2.3.5
229 Andris Kalnozols (2):
230 Fix some typos in the man page.
231 Do not upcase x509-username-field for mixed-case arguments.
234 Fix server routes not working in topology subnet with --server [v3]
236 David Sommerseth (4):
237 Improve error reporting on file access to --client-config-dir and --ccd-exclusive
238 Don't let openvpn_popen() keep zombies around
239 Add systemd unit file for OpenVPN
240 systemd: Use systemd functions to consider systemd availability
243 Drop incoming fe80:: packets silently now.
244 Fix t_lpback.sh platform-dependent failures
245 Call init script helpers with explicit path (./)
248 refine assertion to allow other modes than CBC
251 ocsp_check - signature verification and cert staus results are separate
252 ocsp_check - double check if ocsp didn't report any errors in execution
255 Fix socket-flag/TCP_NODELAY on Mac OS X
258 Fixed several instances of declarations after statements.
259 In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
260 Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
261 MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
262 Define PATH_SEPARATOR for MSVC builds.
263 Fixed some compile issues with show_library_versions()
266 Remove quadratic complexity from openvpn_base64_decode()
269 Add configure check for the path to systemd-ask-password
271 Philipp Hagemeister (2):
272 Add topology in sample server configuration file
273 Implement on-link route adding for iproute2
276 Ensure that client-connect files are always deleted
279 Remove function without effect (cipher_ok() always returned true).
280 Remove unneeded wrapper functions in crypto_openssl.c
281 Fix bug that incorrectly refuses oid representation eku's in polar builds
282 Update README.polarssl
283 Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
284 Add proper check for crypto modes (CBC or OFB/CFB)
285 Improve --show-ciphers to show if a cipher can be used in static key mode
286 Extend t_lpback tests to test all ciphers reported by --show-ciphers
287 Don't exit daemon if opening or parsing the CRL fails.
288 Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
289 Fix regression with password protected private keys (polarssl)
290 ssl_polarssl.c: fix includes and make casts explicit
291 Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
294 Fix "code=995" bug with windows NDIS6 tap driver.
297 2014.04.30 -- Version 2.3.4
299 Fix man page and OSCP script: tls_serial_{n} is decimal
302 Fix is_ipv6 in case of tap interface.
305 IPv6 address/route delete fix for Win8
306 Add SSL library version reporting.
307 Minor t_client.sh cleanups
308 Repair --multihome on FreeBSD for IPv4 sockets.
309 Rewrite manpage section about --multihome
310 More IPv6-related updates to the openvpn man page.
311 Conditionalize calls to print_default_gateway on !ENABLE_SMALL
314 Use native strtoull() with MSVC 2013.
315 When tls-version-min is unspecified, revert to original versioning approach.
318 Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
319 Fix OCSP_check.sh to also use decimal for stdout verification.
320 Fix build system to accept non-system crypto library locations for plugins.
321 Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
324 Fix SOCKSv5 method selection
327 Fix typo in sample build script to use LDFLAGS
330 2014.04.08 -- Version 2.3.3
332 pkcs11: use generic evp key instead of rsa
335 Add support of utun devices under Mac OS X
336 Add support to ignore specific options.
337 Add a note what setenv opt does for OpenVPN < 2.3.3
338 Add reporting of UI version to basic push-peer-info set.
339 Fix compile error in ssl_openssl introduced by polar external-management patch
340 Fix assertion when SIGUSR1 is received while getaddrinfo is successful
341 Add warning for using connection block variables after connection blocks
342 Introduce safety check for http proxy options
344 David Sommerseth (5):
345 man page: Update man page about the tls_digest_{n} environment variable
346 Remove the --disable-eurephia configure option
347 plugin: Extend the plug-in v3 API to identify the SSL implementation used
349 Fix file checks when --chroot is being used
352 Document authfile for socks server
355 Fix IPv6 examples in t_client.rc-sample
356 Fix slow memory drain on each client renegotiation.
357 t_client.sh: ignore fields from "ip -6 route show" output that distort results.
358 Make code and documentation for --remote-random-hostname consistent.
359 Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
360 Document issue with --chroot, /dev/urandom and PolarSSL.
361 Rename 'struct route' to 'struct route_ipv4'
362 Replace copied structure elements with including <net/route.h>
363 Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
365 Heikki Hannikainen (1):
366 Always load intermediate certificates from a PKCS#12 file
369 Support non-ASCII TAP adapter names on Windows
370 Support non-ASCII characters in Windows tmp path
373 TLS version negotiation
374 Added "setenv opt" directive prefix.
375 Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
378 Fix spurious ignoring of pushed config options (trac#349).
380 Joachim Schipper (3):
381 Refactor tls_ctx_use_external_private_key()
382 --management-external-key for PolarSSL
383 external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
386 Correct error text when no Windows TAP device is present
387 Require a 1.2.x PolarSSL version
390 tls_ctx_load_ca: Improve certificate error messages
393 Remove duplicate cipher entries from TLS translation table.
396 Fix configure interaction with static OpenSSL libraries
399 Do not pass struct tls_session* as void* in key_state_ssl_init().
400 Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
401 Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
402 Also update TLSv1_method() calls in support code to SSLv23_method() calls.
403 Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
404 If --tls-cipher is supplied, make --show-tls parse the list.
405 Add openssl-specific common cipher list names to ssl.c.
408 Add support for client-cert-not-required for PolarSSL.
411 Fix "." in description of utun.
414 2013.05.31 -- Version 2.3.2
416 Only print script warnings when a script is used. Remove stray mention of script-security system.
417 Move settings of user script into set_user_script function
418 Move checking of script file access into set_user_script
421 Provide more accurate warning message
424 Fix NULL-pointer crash in route_list_add_vpn_gateway().
425 Fix problem with UDP tunneling due to mishandled pktinfo structures.
428 Always push basic set of peer info values to server.
430 Jan Just Keijser (1):
431 make 'explicit-exit-notify' pullable again
434 Fix proto tcp6 for server & non-P2MP modes
435 Fix Windows script execution when called from script hooks
438 Fixed tls-cipher translation bug in openssl-build
439 Fixed usage of stale define USE_SSL to ENABLE_SSL
442 Fix segfault when enabling pf plug-ins
446 2013.03.29 -- Version 2.3.1
448 Remove dead code path and putenv functionality
449 Remove unused function xor
450 Move static prototype definition from header into c file
451 Remove unused function no_tap_ifconfig
454 fix build with automake 1.13(.1)
456 Christian Niessner (1):
457 Fix corner case in NTLM authentication (trac #172)
460 Update README.IPv6 to match what is in 2.3.0
461 Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
462 Permit pool size of /64.../112 for ifconfig-ipv6-pool
463 Add MIN() compatibility macro
464 Fix directly connected routes for "topology subnet" on Solaris.
467 close more file descriptors on exec
468 Ignore UTF-8 byte order mark
469 reintroduce --no-name-remapping option
470 make --tls-remote compatible with pre 2.3 configs
471 add new option for X.509 name verification
473 Jan Just Keijser (1):
474 man page patch for missing options
477 Fix parameter listing in non-debug builds at verb 4
478 (updated) [PATCH] Warn when using verb levels >=7 without debug
481 Enable TCP_NODELAY configuration on FreeBSD.
484 Removed ChangeLog.IPv6
485 Added cross-compilation information INSTALL-win32.txt
487 Cleaned up and updated INSTALL
491 Improve PolarSSL key_state_read_{cipher, plain}text messages
492 Improve verify_callback messages
493 Config compatibility patch. Added translate_cipher_name.
494 Switch to IANA names for TLS ciphers.
495 Fixed autoconf script to properly detect missing pkcs11 with polarssl.
496 Use constant time memcmp when comparing HMACs in openvpn_decrypt.
499 2013.01.07 -- Version 2.3.0
501 Fix parameter type for IP_TOS setsockopt on non-Linux systems.
502 Fix client crash on double PUSH_REPLY.
504 2012.12.17 -- Version 2.3_rc2
506 Fix --show-pkcs11-ids (Bug #239)
509 Error message if max-routes used incorrectly
510 Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
511 Remove dnsflags_to_socktype, it is not used anywhere
512 Fix the proto is used inconsistently warning
514 David Sommerseth (3):
515 Fix double-free issue in pf_destroy_context()
516 The get_default_gateway() function uses warn() instead of msg()
517 Avoid recursion in virtual_output_callback_func()
520 Implement --mssfix handling for IPv6 packets.
521 Fix option inconsistency warnings about "proto" and "tun-ipv6"
523 Joachim Schipper (2):
524 doc/management-notes.txt: fix typo
525 Fix typo in ./configure message
527 2012.10.31 -- Version 2.3_rc1
529 Fixed a bug where PolarSSL gave an error when using an inline file tag.
532 Document man agent-external-key
533 Options parsing demands unnecessary configuration if PKCS11 is used
535 David Sommerseth (2):
536 Make git ignore some more files
537 Remove the support for using system() when executing external programs or scripts
540 Fix display of plugin hook types
541 Support UTF-8 --client-config-dir
544 Fix v3 plugins to support returning values back to OpenVPN.
546 2012.09.12 -- Version 2.3_beta1
548 Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used
549 Merge almost identical create_socket_tcp and create_socket_tcp6
550 Document the inlining of files in openvpn and document key-direction
551 Merge getaddr_multi and getaddr6 into one function
552 Document --management-client and --management-signal a bit better
553 Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen.
554 Add checks for external-key-managements
556 David Sommerseth (1):
557 Fix reconnect issues when --push and UDP is used on the server
560 Reduce --version string detail about IPv6 to just "[IPv6]".
561 Put actual OpenVPN command line on top of corresponding log file.
562 Keep pre-existing tun/tap devices around on *BSD
563 make "ipv6 ifconfig" on linux compatible with busybox ifconfig
566 fix regression with --http-proxy[-*] options
567 add x_msg_va() log function
568 add API for plug-ins to write to openvpn log
569 remove stale _openssl_get_subject() prototype
570 remove unused flag SSLF_NO_NAME_REMAPPING
571 Add --compat-names option
573 2012.07.20 -- Version 2.3_alpha3
575 Fix compiling with --disable-management
578 Repair "tap server" mode brokenness caused by <stdbool.h> fallout
581 make non-blocking connect work on Windows
582 don't treat socket related errors special anymore
583 remove unused show_connection_list debug function
584 add option --management-query-proxy
586 2012.06.29 -- Version 2.3_alpha2
587 Adriaan de Jong (11):
588 Fixed off-by-one in serial length calculation
589 Migrated x509_get_subject to use of the garbage collector
590 Migrated x509_get_serial to use the garbage collector
591 Migrated x509_get_sha1_hash to use the garbage collector
592 Ensure sys/un.h autoconf detection includes sys/socket.h
593 Added support for new PolarSSL 1.1 RNG
594 Added a configuration option to enable prediction resistance in the PolarSSL random number generator.
595 Use POLARSSL_CFLAGS instead of POLARSSL_CRYPTO_CFLAGS in configure.ac
596 Removed support for PolarSSL < 1.1
597 Updated README.polarssl with build system changes.
598 Removed stray "Fox-IT hardening" string.
601 build: version should not contain '-'
602 package: rpm: strip should be handled by package management
603 cleanup: options.c: remove redundant include
604 cleanup: remove C++ warnings
605 cleanup: win32.c: wrong printf format
606 cleanup: remove redundant ';'
607 cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
608 cleanup: tun.c: fix incorrect option in message (ip-win32)
609 cleanup: memcmp.c: remove unused source
610 fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
611 build: correct place to alter WINVER is at build system
613 build: handle printf style format in mingw
614 build: rename plugin directory to plugins
615 build: plugins: properly use CC, CFLAGS and LDFLAGS
616 build: we need the sample.ovpn in future
620 cleanup: rename tap-windows function from win32 to win
621 build: remove windows specific build system
622 build: split acinclude.m4 into m4/*
623 build: m4/ax_varargs.m4: cleanup
624 build: m4/ax_emptyarray.m4: cleanup
625 build: m4/ax_socklen_t.m4: cleanup
626 build: autotools: first pass of trivial autotools changes
627 build: autoconf: remove OPENVPN_ADD_LIBS useless macro
628 build: remove awk and non-standard autoconf output processing
629 build: standard directory layout
630 build: add libtool + windows resources for executables
631 build: autoconf: commands as environment
633 build: properly detect and use socket libs
634 build: autoconf: minor cleanups
635 build: proper selinux detection and usage
636 build: distribute pkg.m4
637 build: proper pkcs11-helper detection and usage
638 build: properly process lzo-stub
639 build: proper lzo detection and usage
640 build: proper crypto detection and usage
641 build: autoconf: update defaults for options
642 build: win-msvc: msbuild format
643 build: move out config.h include from syshead
644 build: split out compat
645 build: move gettimeofday() emulation to compat
646 build: move daemon() emulation into compat
647 build: move inet_ntop(), inet_pton() emulation into compat
648 cleanup: move console related function into its own module
649 build: move wrappers into platform module
650 build: windows: install version.sh to allow installer read version
651 build: distribute samples in windows
652 build: use tap-windows.h as external dependency
653 build: ax_varargs.m4: fixups
654 build: autoconf: misc sockets fixups
655 build: enable lzo by default
656 build: windows: set vendor to openvpn project + cleanups
657 build: assume dlfcn is available on all supported platforms
658 build: openbsd: detect netinet/ip.h correctly
659 build: tap: search for tap header
660 build: msvc: upgrade to Visual Studio 2010 + fixups
661 Enable pedantic in windows compilation
662 cleanup: flags should not be bool
663 cleanup: avoid using ~0 - generic
664 cleanup: avoid using ~0 - ipv6
665 cleanup: avoid using ~0 - netmask
666 cleanup: avoid using ~0 - windows
668 build: fix some statement left from conversion
669 build: properly detect netinet/ip.h structs
670 build: properly detect TUNSETPERSIST
671 cleanup: plugin: support C++ plugin
672 cleanup: remove C++ comments
673 cleanup: add .gitattributes to control eol style explicitly
674 crash: packet_id_debug_print: sl may be null
675 build: use stdbool.h if available
676 build: fix typo in --enable-save-password
677 build: windows: convert resources to UTF-8
678 build: check minimum polarssl version
679 cleanup: update .gitignore
680 cleanup: spec: make space/tab consistent
681 build: spec: we support openssl >= 0.9.7
682 build: insall README* document using build system
683 build: detect sys/wait.h required for *bsd
684 build: add git revision to --version output if build from git repository
685 build: cleanup: yet another forgotten brackets
686 build: update INSTALL to recent changes
687 build: support platforms that does not need explicit tun headers
688 build: do not support <polarssl-1.1.0
689 build: add --with-special-build to provide special build string
690 cleanup: pkcs11.c: resolve wanings
691 build: integrate plugins build into core build
692 build: plugins: set defaults based on platform
693 cleanup: windows: convert argv (UCS-2 to UTF-8) at earliest
694 build: msvc: chdir with change drive to script location
697 Add the query to the error message.
698 Explain that route-nopull also causes the client to ignore dhcp options.
699 Add the name of the context where option is not allowed to the error message.
700 Only use tmpdir if tmp_dir is really used.
701 Completely remove ancient IANA port warning.
702 Remove ENABLE_INLINE_FILES conditionals
703 Remove ENABLE_CONNECTIONS ifdefs
705 David Sommerseth (5):
706 Clean-up: Presume that Linux is always IPv6 capable at build time
707 Simplify check_cmd_access() function
708 Change version to indicate the master branch is not a version
709 Some filesystems don't like ':', which is a path 'make dist' would use
710 Remove two unused functions
712 Frank de Brabander (1):
713 Fix reported compile issues on OSX 10.6.8
716 repair t_client.sh test after build system revolution
717 t_client.sh iproute2 script fixes
718 t_client.sh - fix for iproute2, print summary line
719 Implement search for "first free" tun/tap device on Solaris
720 cleanup and redefine metric handling for IPv6 routes
721 remove "*option" element in "struct route_ipv6"
722 Remove warning about explicit support for IPv6 support not provided MacOS X
723 Add missing pieces to IPv6 route gateway handling.
724 Update TODO.IPv6 list
725 Remove #include "config.h" from ssl_polarssl.h
728 remove wrapper code for Windows CryptoAPI function
729 fix warnings in event.c when building for win32-64
730 remove the --auto-proxy option from openvpn
733 Remove calls to OpenSSL when building with --disable-ssl
735 Jonathan K. Bullard (2):
736 Fix file access checks on commands
737 Clarified the docs and help screen about what a 'cmd' is
740 Added notes about upgrading from 2.3-alpha1 and earlier to INSTALL-win32.txt
742 2012.02.21 -- Version 2.3-alpha1
743 Adriaan de Jong (127):
744 Added Doxygen doxyfile
745 Changed configure to accept --with-ssl-type=openssl
746 Refactored to rand_bytes for OpenSSL-independency
747 Refactored OpenSSL-specific constants
748 Refactored maximum cipher and hmac length constants
749 Refactored show_available_* functions
750 Refactored SSL_clear_error()
751 Refactored crypto initialisation functions
752 Refactored DES key manipulation functions
753 Refactored NTLM DES key generation
754 Refactored message digest type functions
755 Refactored message digest functions
756 Refactored HMAC functions
757 Refactored cipher key types
758 Refactored cipher functions
760 Refactored: Moved crypto.h inline functions to end of file
761 Removed stale OpenSSL defines from crypto.h
762 Added a check for Openssl or PolarSSL defines
763 Refactored: Added stubs for new files
764 Refactored SSL initialisation functions
765 Refactored TLS_PRF to new hmac and md primitives
766 Refactored tls_show_available_ciphers
767 Refactored get_highest_preference_tls_cipher
768 Refactored root SSL context initialisation
769 Refactored new external key code
770 Refactored DH paramater loading
771 Refactored root TLS option settings
772 Refactored PKCS#12 key loading
773 Refactored PKCS#11 loading
774 Refactored windows cert loading
775 Refactored load certificate functions
776 Refactored private key loading code
777 Refactored external key loading from management
778 Refactored CA and extra certs code
779 Refactored cipher restriction code
780 Refactored tls_options, key_state, and key_source data structures
781 Refactored initalisation of key_states
782 Refactored key_state free code
783 Refactored print_details
784 Refactored key_state read code (including bio_read())
785 Refactored key_state write functions
786 Refactored: Moved BIO debug functions to OpenSSL backend
787 Refactored: removed ks and ks_lame macro for clarity
788 Refactored: moved write_empty_string function back
789 Refactored Doxygen for tls_multi functions
790 Migrated data structures needed by verification functions to ssl_common.h
791 Refactored client_config_dir_exclusive function
792 Refactored certificate hash lock checks
793 Refactored common name locking functions
794 Refactored username and password authentication code
795 Add some extra comments
796 Refactored: split verify_callback into two parts
797 Added function to extract and verify the subject from a certificate
798 Added function to verify and extract the username
799 Refactored: removed global x509_username_field
800 Refactored: separated environment setup during verification
801 Refactored: Netscape certificate type verification
802 Refactored key usage verification code
803 Refactored EKU verification
804 Refactored tls-remote checking
805 Refactored tls-verify-plugin code
806 Refactored tls-verify script code
807 Refactored CRL checks
808 Minor cleanup in verify_cert:
809 Refactored: Moved verify_cert to ssl_verify
811 Refactored: made M_SSL dependent on USE_OPENSSL
812 Refactored: renamed X509 functions from verify_*
813 Separated OpenSSL-specific parts of the PKCS#11 driver
814 Modified base64 code in preparation for PolarSSL merge
815 Final cleanup before PolarSSL addition:
816 Refactored X509 track feature to be contained within the openssl backend
817 Added PolarSSL support:
818 Fixed a missing include in ssl_backend.h
819 Fixed a bug in the hash generation in ssl_verify_openssl.c
820 Added SHA_DIGEST_SIZE definition
821 Changed PolarSSL crypto backend to support v0.99-pre5
822 Updated ssl_polarssl.c to work with 0.99-pre5
823 Fixed a compilation warning for size_t key sizes
824 Added a warning that the PolarSSL library does not support pkcs12 files.
825 Added warning that --capath is not available with PolarSSL
826 Disable CryptoAPI when not using OpenSSL, and document that fact.
827 Removed support for management external keys in PolarSSL
828 Removed stray X509_free from ssl.c
829 Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
830 Added an extra define to allow building without PKCS#11
831 Added SSL library to title string
832 Disabled X.509 track and username selection for PolarSSL
833 Hardening: periodically reset the PRNG's nonce value
834 Fixes for the plugin system:
835 Further improvements to plugin support:
836 Fixed an unintentional change in the options calculated key size.
837 Moved print messages back to generic crypto.c from cipher backends
838 Moved HMAC prints back to main crypto module
839 Added back checks for ks->authenticated in verify_user_pass
840 Moved gc_new and gc_free to begin end of function
841 Fixed a bug in the return value of ssl_verify when pre_verify failed
842 Unified verification function return values:
843 Removed a stray Fox-IT tag
844 Fixed a typo: print the subject instead of the serial for verification errors
845 Made SSL_CIPHER const in print_details, to fix warning
846 Moved to PolarSSL 1.0.0:
847 Added missing #ifdef to allow --disable-managent to work again
848 Fixed disabling crypto and SSL
849 Got rid of a few magic numbers in ntlm.c
850 Removed obsolete des_cblock and des_keyschedule
851 Further removal of des_old.h based calls
852 Fixed missing comma in plugin.h
853 Moved prng_uninit out of crypto_uninit_lib
854 Moved CryptoAPI header include to the ssl_openssl.c
855 Reordered functions to ensure warning-free Windows build
856 Added options to switch between OpenSSL and PolarSSL and PKCS11...
857 Moved from strsep to strtok, for Windows compatibility
858 Minor cleanup to enable warning-free Windows build:
859 Fixed a typo when initialising cryptoapi certs
860 Minor code cleanup: cleaned up error handling in verify_cert.
861 Moved out of memory prototype to error.h, as the definition is in error.c
862 Removed support for calling gc_malloc with a NULL gc_arena struct
864 (The follwing patches from Adriaan was mistakenly merged with
865 the wrong commit author in the git tree)
866 Doxygen: Added data channel crypto docs
867 Added control channel crypto docs
868 Added compression docs
869 Added reliability layer documentation
870 Added memory management documentation
871 Added data channel fragmentation docs
872 Added main/control docs
873 Moved doxygen-specific files to a separate directory
876 autoconf fixes for building on OSX
878 David Sommerseth (50):
879 Provide 'dev_type' environment variable to plug-ins and script hooks
880 Define the new openvpn_plugin_{open,func}_v3() API
881 Implement the core v3 plug-in function calls.
882 Extend the v3 plug-in API to send over X509 certificates
883 Added a simple plug-in demonstrating the v3 plug-in API.
884 Separate the general plug-in version constant and v3 plug-in structs version
885 Use a version-less version identifier on the master branch
886 Fix the --client-cert-not-required feature
887 Change the default --tmp-dir path to a more suitable path
888 Improve the mysprintf() issue in openvpnserv.c
889 Add a simple comment regarding openvpn_snprintf() is duplicated
890 Merge branch 'feat_ipv6_transport'
891 Merge branch 'feat_ipv6_payload'
892 Merge branch 'svn-branch-2.1' into merge
893 Solved hidden merge conflicts between master and svn-branch-2.1
894 Fix const declarations in plug-in v3 structs
895 Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
896 Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
897 Fix compiling issues with pkcs11 when --disable-management is configured
898 Remove support for Linux 2.2 configuration fallback
899 Revert "Add new openssl.cnf to easy-rsa/Windows"
900 Merge remote branch SVN 2.1 into the git tree
901 Merge branch 'svn-merger'
902 Fix Microsoft Visual Studio incompatibility in plugin.c
903 Fixed compile issues on FreeBSD and Solaris
904 Fix PolarSSL and --pkcs12 option issues
905 Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
906 Make '--win-sys env' default
907 Do some file/directory tests before really starting openvpn
908 Fix bug after removing Linux 2.2 support
909 Don't look for 'stdin' file when using --auth-user-pass
910 Fix compiling with --disable-crypto and/or --disable-ssl
911 Fix a couple of issues in openvpn_execve()
912 Move away from openvpn_basename() over to platform provided basename()
913 Enable access() when building in Visual Studio
914 New Windows build fixes
915 Fix compilation errors on Linux platforms without SO_MARK
916 autotools ./configure don't like compat.h
917 Fix pool logging when IPv6 is not enabled
918 Don't check for file presence on inline files
919 Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
920 Enhance the error handling in _openssl_get_subject()
921 Fix assert() situations where gc_malloc() is called without a gc_arena object
922 Fix compile issues when plug-ins are disabled.
923 Remove --show-gateway if debug info is not enabled (--disable-debug)
924 Fix compile issues with status.c
925 Connection entry {tun,link}_mtu_defined not set correctly
926 Makefile.am referenced a now non-existing config-win32.h
927 Makefile.am was missing ssl_common.h
928 Revamp check_file_access() checks in stdin scenarios
931 New feauture: Add --stale-routes-check
933 Frank de Brabander (1):
934 Fixed wrong return type of cipher_kt_mode
937 Add support to forward console query to systemd
940 Add more detailed explanation regarding the function of "--rdns-internal"
941 Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release.
942 remove NOTES file from commit - private scribbling
943 NetBSD fixes - on 4.0 and up, use multi-af mode.
944 new feature: "ifconfig-ipv6-push" (from ccd/ config)
945 add some TODOs to TODO.IPv6
946 undo accidential duplication of existing "--iroute" line in the help text
947 basic documentation of IPv6 related options and their syntax
948 Enable IPv6 Payload in OpenVPN p2mp tun server mode.
949 remove NOTES file from commit - private scribbling
950 env_block(): if PATH is not set, add standard PATH setting to env
951 add IPv6 route add / route delete code for windows (using "netsh")
952 - Win32 IPv6 ifconfig support, using "netsh" calls
953 drop "book ipv6" from open_tun() and tuncfg() prototypes
954 document recent changes and open TODOs, adapt --version info, tag release
955 Win32: set next-hop for IPv6 routes according to TUN/TAP mode
956 when deleting a route on win32, also add gateway address
957 WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
958 revert unconditionally-enabling of setenv_es() logging
959 implement IPv6 ifconfig + route setup/deletion on OpenBSD
960 full "VPN client connect" test framework for OpenVPN t_client.rc-sample
961 renamed t_client.sh to t_client.sh.in
962 2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
963 correct URL for "more information about IPv6 patch is *here*"
964 bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
965 bump IPv6 version number (openvpn --version) to 20100922-1
966 Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
967 rebased to 2.2RC2 (beta 2.2 branch)
968 Windows IPv6 cleanup - properly remove IPv6 routes and interface config
969 For all accesses to "struct route_list * rl", check first that rl is non-NULL
970 Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
971 Platform cleanup for NetBSD
972 Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
973 add missing break between "case IPv4" and "case IPv6"
974 bump tap driver version from 9.8 to 9.9
975 log error message and exit for "win32, tun mode, tap driver version 9.8"
976 work around inet_ntop/inet_pton problems for MSVC builds on WinXP
977 Fix build-up of duplicate IPv6 routes on reconnect.
978 Fix list-overrun checks in copy_route_[ipv6_]option_list()
979 add "print test titles" and "use sudo" functionality to t_client.rc
980 Platform cleanup for FreeBSD
981 Implement IPv6 interface config with non-/64 prefix lengths.
982 Fix RUN_SUDO functionality for t_client.sh
983 Document IPv6-related environment variables.
984 Platform cleanup for OpenBSD
987 Avoid re-defining uint32_t when using mingw compiler
989 Gustavo Zacarias (1):
990 Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto
993 add .gitignore to official repository
994 remove function is_proto_tcp()
995 remove legacy code to query IE proxy information
996 lowercase include header name in syshead.h
997 define IN6_ARE_ADDR_EQUAL macro for WIN32
998 add --mark option to set SO_MARK sockopt
999 Windows UTF-8 input/output
1000 UTF-8 X.509 distinguished names
1001 set Windows environment variables as UCS-2
1002 handle Windows unicode paths
1003 replace check for TARGET_WIN32 with WIN32
1004 do not use mode_t on Windows
1005 use the underscore version of stat on Windows
1006 make MSVC link against shell32 as well
1007 move variable declaration to top of function
1008 define access mode flag X_OK as 0 on Windows
1010 Igor Novgorodov (1):
1011 The code blocks enabled by ENABLE_CLIENT_CR depends on management
1014 Added "management-external-key" option.
1015 Minor addition of logging info before and after execution of Windows net commands.
1016 Misc fixes to r6708.
1017 Added --x509-track option.
1018 * added --management-up-down option to allow management interface to be notified of tunnel up/down events.
1019 Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
1020 Implemented get_default_gateway_mac_addr for Mac OS X
1022 Properly handle certificate serial numbers > 32 bits.
1023 Added "client-nat" option for stateless, one-to-one NAT on the client side.
1024 Renamed branch to reflect that it is no longer beta.
1025 env_filter_match now includes the serial number of all certs
1026 Fixed issue where a client might receive multiple push replies from a server
1027 Fixed bug introduced in r7031 that might cause this error message:
1028 Extended "client-kill" management interface command (server-side)
1029 Client will now try to reconnect if no push reply received within handshake-window seconds.
1031 Fixed compiling issues when using --disable-crypto
1032 Added "management-external-key" option.
1033 Misc fixes to r6708.
1034 win/sign.py now accepts an optional tap-dir argument.
1035 Added "auth-token" client directive
1036 Added ./configure --enable-osxipconfig option for Mac OS X
1037 Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
1038 Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
1039 Fixed bug in port-share that could cause port share process to crash
1040 For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure
1042 Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
1043 Added 'dir' flag to "crl-verify" (see man page for info).
1044 Added new "extra-certs" and "verify-hash" options
1045 Fixed compile issues on Windows.
1046 Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
1047 Added optional journal directory argument to "port-share" directive
1048 Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
1049 env_filter_match now includes the serial number of all certs in chain
1050 Added support for static challenge/response protocol.
1052 Added redirect-gateway block-local flag, with support for Linux, Mac OS X
1053 Extended x509-track to allow SHA1 certificate hash to be extracted
1054 Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.
1056 Fixed MSVC compile error related to r7408.
1057 Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
1058 Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
1059 Changed CC_PRINT character class to allow UTF-8 chars.
1060 Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
1061 Fixed issue where redirect-gateway block-local code was not correctly calculating...
1062 CC_PRINT character class now allows any 8-bit character value >= 32.
1063 "status" management interface command (version >= 2) will now include the username for each connected user.
1064 Minor fix to CC_PRINT char class
1065 Fixed management interface bug where >FATAL notifications were not being output properly
1066 Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
1067 Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
1068 Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
1069 Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
1070 Added support for "on-link" routes on Linux client
1072 Jan Just Keijser (1):
1073 Made some options connection-entry specific
1076 common_name passing in auth_pam plugin
1078 JuanJo Ciarlante (40):
1079 * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
1080 * created getaddr6(), use it from resolve_remote()
1081 * migrated all getaddrinfo() to getaddr6
1082 * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
1083 * support --disable-ipv6 build properly:
1084 * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
1085 * added README.ipv6.txt
1086 * fixed win32 non-ipv6 build
1087 * ipv6 on win32 "milestone": 1st snapshot that passes all unittests
1088 * document ipv6 milestone status
1089 * doc update w/unittests results
1090 * make possible to x-compile openvpn/win32 in Linux
1091 * correctly setup hints.ai_socktype for getaddrinfo(), althought sorta hacky, see TODO.ipv6.
1092 * renamed README.ipv6{.txt,}
1093 * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
1094 * init.c: document the ENABLE_MANAGEMENT place to work on
1095 * init.c: small in-doc tweaks
1096 * fix multi-tcp crash (corrected assertion)
1098 * socket.c: better buf logic in print_sockaddr_ex
1099 * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)
1101 * openbsd: no IFF_MULTICAST, #ifdef around it
1102 * no new funcionality, just small cleanups
1103 * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
1104 * polished redirect-gateway (ipv4 on ipv6 endpoints) support
1106 * fix --disable-ipv6 build
1108 * rebased to v2.1.1 release
1109 * undo mroute.c changes related to ipv6 payload
1110 * fix --multihome for ipv4
1111 * fix --multihome for ipv6
1112 * ipv6-0.4.14: fix xinetd usage
1113 * ipv6-0.4.15: add --multihome support to xBSD
1114 * ipv6-0.4.15b: rebase over openvpn-testing-master
1115 * ipv6-0.4.16: fix mingw32 build
1116 * make ipv6_payload compile under windowze
1117 USE_PF_INET6 by default for v2.3
1118 fix ipv6 compilation under macosx >= 1070 - v3
1121 Add extv3 X509 field support to --x509-username-field
1123 Matthew L. Creech (1):
1124 Fix 2.2.0 build failure when management interface disabled
1126 Matthias Andree (1):
1127 Skip rather than fail test in addressless FreeBSD jails.
1130 Update man page with info about --capath
1131 Update man page with info about --connect-timeout
1132 Added info about --show-proxy-settings
1133 Documented --x509-username-field option
1134 Documented --errors-to-stderr option
1135 Documented --push-peer-info option
1136 Update man page with info about --remote-random-hostname
1137 Added man page entry for --management-client
1139 Samuli Seppänen (19):
1140 Add man page entry for --redirect-private
1141 Change all CRLF linefeeds to LF linefeeds
1142 Fix a bug in devcon source code handling
1143 Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
1144 Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
1145 Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
1146 Fix a build-ca issue on Windows
1147 Add new openssl.cnf to easy-rsa/Windows
1148 Updated "easy-rsa" for OpenSSL 1.0.0
1149 Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
1150 Fixes to easy-rsa/2.0
1151 Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
1152 Fixed a number of fatal build errors on Visual Studio 2008
1153 Fix a Visual Studio 2008 build issue in socket.c
1154 Additional Visual Studio 2008 build fixes to tun.c
1155 Fixed a typo in win32.h that prevented building with Visual Studio
1156 Fixed a regression causing VS2008/Python build failure
1157 Fix a Visual Studio 2008 build error in tun.c
1158 Fix a Visual Studio 2008 build error in options.c
1161 Fix issues with some older GCC compilers
1163 Stefan Hellermann (2):
1164 plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
1165 Fixed typo in plugin.h
1168 Clarify --tmp-dir option
1171 Change the netsh.exe command from "add" to "set".
1173 2011.12.25 -- Version 2.x-master
1175 Added support for "on-link" routes on Linux client -- these are
1176 routes where the gateway is specified as an interface rather than
1177 an address. This allows redirect-gateway to work on Linux clients
1178 whose connection to the internet is via a point-to-point link
1181 Note that at the moment, this capability is incompatible with
1182 the "redirect-gateway block-local" directive -- this is because
1183 the block-local directive blocks all traffic from the local LAN
1184 except for the local and gateway addresses. Since a PPP link
1185 is essentially a subnet of two addresses, local and remote (i.e.
1186 gateway), the set of addresses that would be blocked by block-local
1187 is empty. Therefore, the "redirect-gateway block-local" directive
1188 will be ignored on PPP links.
1190 To view the OpenVPN client's current determination of the default
1191 gateway, use this command:
1193 ./openvpn --show-gateway
1195 2011.03.24 -- Version 2.2-RC2
1197 Windows cross-compile cleanup
1199 David Sommerseth (2):
1200 Open log files as text files on Windows
1201 Clarify default value for the --inactive option.
1204 Implement IPv6 in TUN mode for Windows TAP driver.
1206 Samuli Seppänen (6):
1207 Added support for prebuilt TAP-drivers. Automated embedding manifests.
1208 Fixes to win/openvpn.nsi
1209 Replaced config-win32.h with win/config.h.in
1210 Updated INSTALL-win32.txt
1211 Fixes to Makefile.am
1212 Clarified --client-config-dir section on the man-page.
1215 Fix line continuation in chkconfig init script description.
1217 2011.02.28 -- Version 2.2-RC
1218 David Sommerseth (3):
1219 Make the --x509-username-field feature an opt-in feature
1220 Fix compiler warning when compiling against OpenSSL 1.0.0
1221 Fix packaging of config-win32.h and service-win32/msvc.mak
1224 Minor addition of logging info before and after execution of Windows net commands.
1226 Matthias Andree (1):
1227 Change variadic macros to C99 style.
1229 Samuli Seppänen (15):
1230 Added ENABLE_PASSWORD_SAVE to config-win32.h
1231 Added a nmake makefile for openvpnserv.exe building
1232 Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
1233 Added helper functionality to win/wb.py
1234 Added support for viewing config-win32.h paramters to win/show.py
1235 Added comments and made small modifications to win/msvc.mak.in
1236 Added command-line switch to win/build_all.py to skip TAP driver building
1237 Added configure.h and version.m4 variable parsing to win/config.py
1238 Added openvpnserv.exe building to win/build.py
1239 Added comments to win/build_ddk.py
1240 Several modifications to win/make_dist.py to allow building the NSI installer
1241 Copied install-win32/setpath.nsi to win/setpath.nsi
1242 Added first version of NSI installer script to win/openvpn.nsi
1243 Changes to buildsystem patchset
1244 Temporary snprintf-related fix to service-win32/openvpnserv.c
1246 2010.11.25 -- Version 2.2-beta5
1248 Samuli Seppänen (1):
1249 Fixed an issue causing a build failure with MS Visual Studio 2008.
1251 2010.11.18 -- Version 2.2-beta4
1253 David Sommerseth (10):
1254 Clarified --explicit-exit-notify man page entry
1255 Clean-up: Remove pthread and mutex locking code
1256 Clean-up: Remove more dead and inactive code paths
1257 Clean-up: Removing useless code - hash related functions
1258 Use stricter snprintf() formatting in socks_username_password_auth() (v3)
1259 Fix compiler warnings about not used dummy() functions
1260 Fixed potential misinterpretation of boolean logic
1261 Only add some functions when really needed
1262 Removed functions not being used anywhere
1263 Merged add_bypass_address() and add_host_route_if_nonlocal()
1266 Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>.
1267 Make "topology subnet" work on Solaris
1268 Improved man page entry for script_type
1271 Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
1272 Implement challenge/response authentication support in client mode
1273 Make base64.h have the same conditional compilation expression as base64.c.
1274 Fixed compiling issues when using --disable-crypto
1275 In verify_callback, the subject var should be freed by OPENSSL_free, not free
1278 Remove hardcoded path to resolvconf
1281 Add HTTP/1.1 Host header
1284 Adding support for SOCKS plain text authentication
1286 Samuli Seppänen (2):
1287 Added check for variable CONFIGURE_DEFINES into options.c
1288 Added command-line option parser and an unsigned build option to build_all.py
1290 2010.08.21 -- Version 2.2-beta3
1292 * Attempt to fix issue where domake-win build system was not properly
1293 signing drivers and .exe files.
1295 Added win/tap_span.py for building multiple versions of the TAP driver
1296 and tapinstall binaries using different DDK versions to span from Win2K
1300 David Sommerseth (2):
1301 Test framework improvment - Do not FAIL if t_client.rc is missing
1302 More t_client.sh updates - exit with SKIP when we want to skip
1305 Fix compile problems on NetBSD and OpenBSD
1306 Fix <net/if.h> compile time problems on OpenBSD for good
1307 full "VPN client connect" test framework for OpenVPN
1308 Build t_client.sh by configure at run-time.
1311 Fixes openssl-1.0.0 compilation warning
1313 2010.08.16 -- Version 2.2-beta2
1315 * Windows security issue:
1316 Fixed potential local privilege escalation vulnerability in
1317 Windows service. The Windows service did not properly quote the
1318 executable filename passed to CreateService. A local attacker
1319 with write access to the root directory C:\ could create an
1320 executable that would be run with the same privilege level as
1321 the OpenVPN Windows service. However, since non-Administrative
1322 users normally lack write permission on C:\, this vulnerability
1323 is generally not exploitable except on older versions of Windows
1324 (such as Win2K) where the default permissions on C:\ would allow
1325 any user to create files there.
1326 Credit: Scott Laurie, MWR InfoSecurity
1328 * Added Python-based based alternative build system for Windows using
1329 Visual Studio 2008 (in win directory).
1331 * When aborting in a non-graceful way, try to execute do_close_tun in
1332 init.c prior to daemon exit to ensure that the tun/tap interface is
1333 closed and any added routes are deleted.
1335 * Fixed an issue where AUTH_FAILED was not being properly delivered
1336 to the client when a bad password is given for mid-session reauth,
1337 causing the connection to fail without an error indication.
1339 * Don't advance to the next connection profile on AUTH_FAILED errors.
1341 * Fixed an issue in the Management Interface that could cause
1342 a process hang with 100% CPU utilization in --management-client
1343 mode if the management interface client disconnected at the
1344 point where credentials are queried.
1346 * Fixed an issue where if reneg-sec was set to 0 on the client,
1347 so that the server-side value would take precedence,
1348 the auth_deferred_expire_window function would incorrectly
1349 return a window period of 0 seconds. In this case, the
1350 correct window period should be the handshake window
1353 * Modified ">PASSWORD:Verification Failed" management interface
1354 notification to include a client reason string:
1356 >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
1358 * Enable exponential backoff in reliability layer
1361 * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
1362 socket is created rather than waiting until after connect/listen.
1364 * Management interface performance optimizations:
1366 1. Added env-filter MI command to perform filtering on env vars
1367 passed through as a part of --management-client-auth
1369 2. man_write will now try to aggregate output into larger blocks
1370 (up to 1024 bytes) for more efficient i/o
1372 * Fixed minor issue in Windows TAP driver DEBUG builds
1373 where non-null-terminated unicode strings were being
1374 printed incorrectly.
1376 * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
1377 was not being compiled in.
1379 * Proxy improvements:
1381 Improved the ability of http-auth "auto" flag to dynamically detect
1382 the auth method required by the proxy.
1384 Added http-auth "auto-nct" flag to reject weak proxy auth methods.
1386 Added HTTP proxy digest authentication method.
1388 Removed extraneous openvpn_sleep calls from proxy.c.
1390 * Implemented http-proxy-override and http-proxy-fallback directives to make it
1391 easier for OpenVPN client UIs to start a pre-existing client config file with
1392 proxy options, or to adaptively fall back to a proxy connection if a direct
1395 * Implemented a key/value auth channel from client to server.
1397 * Fixed issue where bad creds provided by the management interface
1398 for HTTP Proxy Basic Authentication would go into an infinite
1399 retry-fail loop instead of requerying the management interface for
1402 * Added support for MSVC debugging of openvpn.exe in settings.in:
1404 # Build debugging version of openvpn.exe
1405 !define PRODUCT_OPENVPN_DEBUG
1407 * Implemented multi-address DNS expansion on the network field of route
1410 When only a single IP address is desired from a multi-address DNS
1411 expansion, use the first address rather than a random selection.
1413 * Added --register-dns option for Windows.
1415 Fixed some issues on Windows with --log, subprocess creation
1416 for command execution, and stdout/stderr redirection.
1418 * Fixed an issue where application payload transmissions on the
1419 TLS control channel (such as AUTH_FAILED) that occur during
1420 or immediately after a TLS renegotiation might be dropped.
1422 * Added warning about tls-remote option in man page.
1424 2009.12.11 -- Version 2.1.1
1426 * Fixed some breakage in openvpn.spec (which is required to build an
1427 RPM distribution) where it was referencing a non-existent
1428 subdirectory in the tarball, causing it to fail (patch from
1431 2009.12.11 -- Version 2.1.0
1433 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
1434 (1) Fail gracefully rather than segfault if calloc returns NULL.
1435 (2) The openvpn_plugin_abort_v1 function can potentially be called
1436 with handle == NULL. Add code to detect this case, and if so, avoid
1437 dereferencing pointers derived from handle (Thanks to David
1438 Sommerseth for finding this bug).
1440 * Documented "multihome" option in the man page.
1442 2009.11.20 -- Version 2.1_rc22
1444 * Fixed a client-side bug on Windows that occurred when the
1445 "dhcp-pre-release" or "dhcp-renew" options were combined with
1446 "route-gateway dhcp". The release/renew would not occur
1447 because the Windows DHCP renew function is blocking and
1448 therefore must be called from another process or thread
1449 so as not to stall the tunnel.
1451 * Added a hard failure when peer provides a certificate chain
1452 with depth > 16. Previously, a warning was issued.
1454 2009.11.12 -- Version 2.1_rc21
1456 * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
1457 CVE-2009-3555. Note that OpenVPN has never relied on the session
1458 renegotiation capabilities that are built into the SSL/TLS protocol,
1459 therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
1460 completely) will not adversely affect OpenVPN mid-session SSL/TLS
1461 renegotation or any other OpenVPN capabilities.
1463 * Added additional session renegotiation hardening. OpenVPN has always
1464 required that mid-session renegotiations build up a new SSL/TLS
1465 session from scratch. While the client certificate common name is
1466 already locked against changes in mid-session TLS renegotiations, we
1467 now extend this locking to the auth-user-pass username as well as all
1468 certificate content in the full client certificate chain.
1470 2009.10.01 -- Version 2.1_rc20
1472 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
1473 redirect-gateway option by itself, without any extra parameters,
1474 would cause the option to be ignored.
1476 * Fixed build problem when ./configure --disable-server is used.
1478 * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
1480 * Added --remote-random-hostname option.
1482 * Added "load-stats" management interface command to get global server
1485 * Added new ./configure flags:
1487 --disable-def-auth Disable deferred authentication
1488 --disable-pf Disable internal packet filter
1490 * Added "setcon" directive for interoperability with SELinux (Sebastien
1493 * Optimized PUSH_REQUEST handshake sequence to shave several seconds
1494 off of a typical client connection initiation.
1496 * The maximum number of "route" directives (specified in the config
1497 file or pulled from a server) can now be configured via the new
1498 "max-routes" directive.
1500 * Eliminated the limitation on the number of options that can be pushed
1501 to clients, including routes. Previously, all pushed options needed
1502 to fit within a 1024 byte options string.
1504 * Added --server-poll-timeout option : when polling possible remote
1505 servers to connect to in a round-robin fashion, spend no more than
1506 n seconds waiting for a response before trying the next server.
1508 * Added the ability for the server to provide a custom reason string
1509 when an AUTH_FAILED message is returned to the client. This
1510 string can be set by the server-side managment interface and read
1511 by the client-side management interface.
1513 * client-kill management interface command, when issued on server, will
1514 now send a RESTART message to client.
1515 This feature is intended to make UDP clients respond the same as TCP
1516 clients in the case where the server issues a RESTART message in
1517 order to force the client to reconnect and pull a new options/route
1520 2009.07.16 -- Version 2.1_rc19
1522 * In Windows TAP driver, refactor DHCP/ARP packet injection code to
1523 use a DPC (deferred procedure call) to defer packet injection until
1524 IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
1525 in the context of AdapterTransmit. This is an attempt to reduce kernel
1526 stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
1527 observed on Vista. Updated TAP driver version number to 9.6.
1529 * In configure.ac, use datadir instead of datarootdir for compatibility
1530 with <autoconf-2.60.
1532 2009.06.07 -- Version 2.1_rc18
1534 * Fixed compile error on ./configure --enable-small
1536 * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
1537 does not build on Windows on non-MINGW32.
1539 2009.05.30 -- Version 2.1_rc17
1541 * Reduce the debug level (--verb) at which received management interface
1542 commands are echoed from 7 to 3. Passwords will be filtered.
1544 * Fixed race condition in management interface recv code on
1545 Windows, where sending a set of several commands to the
1546 management interface in quick succession might cause the
1547 latter commands in the set to be ignored.
1549 * Increased management interface input command buffer size
1550 from 256 to 1024 bytes.
1552 * Minor tweaks to Windows build system.
1554 * Added "redirect-private" option which allows private subnets
1555 to be pushed to the client in such a way that they don't accidently
1556 obscure critical local addresses such as the DHCP server address and
1557 DNS server addresses.
1559 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
1560 client will examine the routing table and determine whether (a) the
1561 OpenVPN server is reachable via a locally connected interface, or (b)
1562 traffic to the server must be forwarded through the default router.
1563 Only add a special bypass route for the OpenVPN server if (b) is true.
1564 If (a) is true, behave as if the 'local' flag is specified, and do not
1567 The new 'autolocal' flag depends on the non-portable test_local_addr()
1568 function in route.c, which is currently only implemented for Windows.
1569 The 'autolocal' flag will act as a no-op on platforms that have not
1570 yet defined a test_local_addr() function.
1572 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
1573 more option content to be pushed from server to client).
1575 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
1576 levels <=3) a common and usually innocuous warning.
1578 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
1579 functionality (Alon Bar-Lev).
1581 * Fixed bug where the remote_X environmental variables were not being
1582 set correctly when the 'local' option is specifed.
1584 2009.05.17 -- Version 2.1_rc16
1586 * Windows installer changes:
1588 1. ifdefed out the check Windows version code which is causing
1589 problems on Windows 7
1591 2. don't define SF_SELECTED if it is already defined
1593 3. Use LZMA instead of BZIP2 compression for better compression
1595 4. Upgraded OpenSSL to 0.9.8k
1597 * Added the ability to read the configuration file
1598 from stdin, when "stdin" is given as the config
1601 * Allow "management-client" directive to be used
1602 with unix domain sockets.
1604 * Added errors-to-stderr option. When enabled, fatal errors
1605 that result in the termination of the daemon will be written
1608 * Added optional "nogw" (no gateway) flag to --server-bridge
1609 to inhibit the pushing of the route-gateway parameter to
1612 * Added new management interface command "pid" to show the
1613 process ID of the current OpenVPN process (Angelo Laub).
1615 * Fixed issue where SIGUSR1 restarts would fail if private
1616 key was specified as an inline file.
1618 * Added daemon_start_time and daemon_pid environmental variables.
1620 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
1624 1. Fixed some issues with C++ style comments that leaked into the code.
1626 2. Updated configure.ac to work on MinGW64.
1628 3. Updated common.h types for _WIN64.
1630 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
1633 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
1634 OpenVPNCryptAcquireCertificatePrivateKey to work around
1635 a symbol conflict in MinGW-5.1.4.
1637 2008.11.19 -- Version 2.1_rc15
1639 * Fixed issue introduced in 2.1_rc14 that may cause a
1640 segfault when a --plugin module is used.
1642 * Added server-side --opt-verify option: clients that connect
1643 with options that are incompatible with those of the server
1644 will be disconnected (without this option, incompatible
1645 clients would trigger a warning message in the server log
1646 but would not be disconnected).
1648 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
1649 flag on the server as well as pushes it to connecting clients.
1651 * Minor options check fix: --no-name-remapping is a
1652 server-only option and should therefore generate an
1653 error when used on the client.
1655 * Added --prng option to control PRNG (pseudo-random
1656 number generator) parameters. In previous OpenVPN
1657 versions, the PRNG was hardcoded to use the SHA1
1658 hash. Now any OpenSSL hash may be used. This is
1659 part of an effort to remove hardcoded references to
1660 a specific cipher or cryptographic hash algorithm.
1662 * Cleaned up man page synopsis.
1664 2008.11.16 -- Version 2.1_rc14
1666 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
1667 with the goal of fixing a build issue on Fedora 9 that was
1668 introduced in 2.1_rc13.
1670 * Added additional method parameter to --script-security to preserve
1671 backward compatibility with system() call semantics used in OpenVPN
1672 2.1_rc8 and earlier. To preserve backward compatibility use:
1674 script-security 3 system
1676 * Added additional warning messages about --script-security 2
1677 or higher being required to execute user-defined scripts or
1680 * Windows build system changes:
1682 Modified Windows domake-win build system to write all openvpn.nsi
1683 input files to gen, so that gen can be disconnected from
1684 the rest of the source tree and makensis openvpn.nsi will
1685 still function correctly.
1687 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
1688 (commented out by default).
1690 Added optional files SAMPCONF_CONF2 (second sample configuration
1691 file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
1692 build system, and may be defined in settings.in.
1694 * Extended Management Interface "bytecount" command
1695 to work when OpenVPN is running as a server.
1696 Documented Management Interface "bytecount" command in
1697 management/management-notes.txt.
1699 * Fixed informational message in ssl.c to properly indicate
1700 deferred authentication.
1702 * Added server-side --auth-user-pass-optional directive, to allow
1703 connections by clients that do not specify a username/password, when a
1704 user-defined authentication script/module is in place (via
1705 --auth-user-pass-verify, --management-client-auth, or a plugin module).
1707 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
1709 Calling scripts can set the KEY_NAME environmental variable to set
1710 the "name" X509 subject field in generated certificates.
1712 Modified pkitool to allow flexibility in separating the Common Name
1713 convention from the cert/key filename convention.
1717 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
1719 will create a client certificate/key pair of james.crt/james.key
1720 having a Common Name of "James's Laptop" and a Name of "james".
1722 * Added --no-name-remapping option to allow Common Name, X509 Subject,
1723 and username strings to include any printable character including
1724 space, but excluding control characters such as tab, newline, and
1725 carriage-return (this is important for compatibility with external
1726 authentication systems).
1728 As a related change, added --status-version 3 format (and "status 3"
1729 in the management interface) which uses the version 2 format except
1730 that tabs are used as delimiters instead of commas so that there
1731 is no ambiguity when parsing a Common Name that contains a comma.
1733 Also, save X509 Subject fields to environment, using the naming
1736 X509_{cert_depth}_{name}={value}
1738 This is to avoid ambiguities when parsing out the X509 subject string
1739 since "/" characters could potentially be used in the common name.
1741 * Fixed some ifconfig-pool issues that precluded it from being combined
1742 with --server directive.
1744 Now, for example, we can configure thusly:
1746 server 10.8.0.0 255.255.255.0 nopool
1747 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
1749 to have ifconfig-pool manage only a subset
1752 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
1753 config file syntax checking to allow directives for future OpenVPN
1754 versions to be ignored.
1756 2008.10.07 -- Version 2.1_rc13
1758 * Bundled OpenSSL 0.9.8i with Windows installer.
1760 * Management interface can now listen on a unix
1761 domain socket, for example:
1763 management /tmp/openvpn unix
1765 Also added management-client-user and management-client-group
1766 directives to control which processes are allowed to connect
1769 * Copyright change to OpenVPN Technologies, Inc.
1771 2008.09.23 -- Version 2.1_rc12
1773 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
1774 part of the tarball (Matthias Andree).
1776 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
1777 was incorrectly expecting the lladdr parameter to be an IP address
1778 when it is actually a MAC address (HoverHell).
1780 2008.09.14 -- Version 2.1_rc11
1782 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
1783 to fail if UDP packets are dropped.
1785 2008.09.10 -- Version 2.1_rc10
1787 * Added "--server-bridge" (without parameters) to enable
1788 DHCP proxy mode: Configure server mode for ethernet
1789 bridging using a DHCP-proxy, where clients talk to the
1790 OpenVPN server-side DHCP server to receive their IP address
1791 allocation and DNS server addresses.
1793 * Added "--route-gateway dhcp", to enable the extraction
1794 of the gateway address from a DHCP negotiation with the
1795 OpenVPN server-side LAN.
1797 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
1798 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
1801 * Warn when ethernet bridging that the IP address of the bridge adapter
1802 is probably not the same address that the LAN adapter was set to
1805 * When running as a server, warn if the LAN network address is
1806 the all-popular 192.168.[0|1].x, since this condition commonly
1807 leads to subnet conflicts down the road.
1809 * Primarily on the client, check for subnet conflicts between
1810 the local LAN and the VPN subnet.
1812 * Added a 'netmask' parameter to get_default_gateway, to return
1813 the netmask of the adapter containing the default gateway.
1814 Only implemented on Windows so far. Other platforms will
1815 return 255.255.255.0. Currently the netmask information is
1816 only used to warn about subnet conflicts.
1818 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
1819 and USE_SSL flags are enabled (Alon Bar-Lev).
1821 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
1822 --script-security rules. Also adds retrying if the addresses are in
1823 use (Matthias Andree).
1825 * Fixed build issue with ./configure --disable-socks --disable-http.
1827 * Fixed separate compile errors in options.c and ntlm.c that occur
1828 on strict C compilers (such as old versions of gcc) that require
1829 that C variable declarations occur at the start of a {} block,
1832 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
1833 the new implementation of extract_x509_field_ssl depends on.
1835 * LZO compression buffer overflow errors will now invalidate
1836 the packet rather than trigger a fatal assertion.
1838 * Fixed minor compile issue in ntlm.c (mid-block declaration).
1840 * Added --allow-pull-fqdn option which allows client to pull DNS names
1841 from server (rather than only IP address) for --ifconfig, --route, and
1842 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
1843 for these options to be pulled and translated to IP addresses by default.
1844 Now --allow-pull-fqdn will be explicitly required on the client to enable
1845 DNS-name-to-IP-address translation of pulled options.
1847 * 2.1_rc8 and earlier did implicit shell expansion on script
1848 arguments since all scripts were called by system().
1849 The security hardening changes made to 2.1_rc9 no longer
1850 use system(), but rather use the safer execve or CreateProcess
1851 system calls. The security hardening also introduced a
1852 backward incompatibility with 2.1_rc8 and earlier in that
1853 script parameters were no longer shell-expanded, so
1856 client-connect "docc CLIENT-CONNECT"
1858 would fail to work because execve would try to execute
1859 a script called "docc CLIENT-CONNECT" instead of "docc"
1860 with "CLIENT-CONNECT" as the first argument.
1862 This patch fixes the issue, bringing the script argument
1863 semantics back to pre 2.1_rc9 behavior in order to preserve
1864 backward compatibility while still using execve or CreateProcess
1865 to execute the script/executable.
1867 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
1868 to more closely conform to RFC 3696:
1870 (1) DNS name length must not exceed 255 characters
1872 (2) DNS name characters must be limited to alphanumeric,
1873 dash ('-'), and dot ('.')
1875 * Fixed bug in intra-session TLS key rollover that was introduced with
1876 deferred authentication features in 2.1_rc8.
1878 2008.07.31 -- Version 2.1_rc9
1880 * Security Fix -- affects non-Windows OpenVPN clients running
1881 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
1882 vulnerable nor are any versions of the OpenVPN server vulnerable).
1883 An OpenVPN client connecting to a malicious or compromised
1884 server could potentially receive an "lladdr" or "iproute" configuration
1885 directive from the server which could cause arbitrary code execution on
1886 the client. A successful attack requires that (a) the client has agreed
1887 to allow the server to push configuration directives to it by including
1888 "pull" or the macro "client" in its configuration file, (b) the client
1889 successfully authenticates the server, (c) the server is malicious or has
1890 been compromised and is under the control of the attacker, and (d) the
1891 client is running a non-Windows OS. Credit: David Wagner.
1894 * Miscellaneous defensive programming changes to multiple
1895 areas of the code. In particular, use of the system() call
1896 for calling executables such as ifconfig, route, and
1897 user-defined scripts has been completely revamped in favor
1898 of execve() on unix and CreateProcess() on Windows.
1900 * In Windows build, package a statically linked openssl.exe to work around
1901 observed instabilities in the dynamic build since the migration to
1904 2008.06.11 -- Version 2.1_rc8
1906 * Added client authentication and packet filtering capability
1907 to management interface. In addition, allow OpenVPN plugins
1908 to take advantage of deferred authentication and packet
1909 filtering capability.
1911 * Added support for client-side connection profiles.
1913 * Fixed unbounded memory growth bug in environmental variable
1914 code that could have caused long-running OpenVPN sessions
1915 with many TLS renegotiations to incrementally
1916 increase memory usage over time.
1918 * Windows release now packages openssl-0.9.8h.
1920 * Build system changes -- allow building on Windows using
1921 autoconf/automake scripts (Alon Bar-Lev).
1923 * Changes to Windows build system to make it easier to do
1924 partial builds, with a reduced set of prerequisites,
1925 where only a subset of OpenVPN installer
1926 components are built. See ./domake-win comments.
1928 * Cleanup IP address for persistence interfaces for tap and also
1929 using ifconfig, gentoo#209055 (Alon Bar-Lev).
1931 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
1933 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
1935 * Added new OpenVPN icon and installer graphic.
1937 * Minor pkitool changes.
1939 * Added --pkcs11-id-management option, which will cause OpenVPN to
1940 query the management interface via the new NEED-STR asynchronous
1941 notification query to get additional PKCS#11 options (Alon Bar-Lev).
1943 * Added NEED-STR management interface asynchronous query and
1944 "needstr" management interface command to respond to the query
1947 * Added Dragonfly BSD support (Francis-Gudin).
1949 * Quote device names before passing to up/down script (Josh Cepek).
1951 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
1952 prevent structure padding from causing an incorrect length
1953 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
1956 * On systems that support res_init, always call it
1957 before calling gethostbyname to ensure that
1958 resolver configuration state is current.
1960 * Added NTLMv2 proxy support (Miroslav Zajic).
1962 * Fixed an issue in extract_x509_field_ssl where the extraction
1963 would fail on the first field of the subject name, such as
1964 the common name in: /CN=foo/emailAddress=foo@bar.com
1966 * Made "Linux ip addr del failed" error nonfatal.
1968 * Amplified --client-cert-not-required warning.
1970 * Added #pragma pack to proto.h.
1972 2008.01.29 -- Version 2.1_rc7
1974 * Added a few extra files that exist in the svn repo but were
1975 not being copied into the tarball by make dist.
1977 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
1979 2008.01.24 -- Version 2.1_rc6
1981 * Fixed options checking bug introduced in rc5 where legitimate configuration
1982 files might elicit the error: "Options error: Parameter pkcs11_private_mode
1983 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
1986 2008.01.23 -- Version 2.1_rc5
1988 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
1989 incremented driver version to 9.4.
1991 * Windows build system changes:
1993 Incremented included OpenSSL version to openssl-0.9.7m.
1995 Updated openssl.patch for openssl-0.9.7m and added some
1996 brief usage comments to the head of the patch.
1998 Added build-pkcs11-helper.sh for building the pkcs11-helper
2001 Integrated inclusion of pkcs11-helper into Windows build
2004 Upgraded TAP build scripts to use WDK 6001.17121
2005 (Windows 2008 Server pre-RTM).
2007 * Windows installer changes:
2009 Clean up the start menu folder.
2011 Allow for a site-specific sample configuration file and keys
2012 to be included in a custom installer (see SAMPCONF macros
2015 New icon (temporary).
2017 * Added "forget-passwords" command to the management interface
2020 * Added --management-signal option to signal SIGUSR1 when the
2021 management interface disconnects (Alon Bar-Lev).
2023 * Modified command line and config file parser to allow
2024 quoted strings using single quotes ('') (Alon Bar-Lev).
2026 * Use pkcs11-helper as external library, can be downloaded from
2027 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
2029 * Fixed interim memory growth issue in TCP connect loop where
2030 "TCP: connect to %s failed, will try again in %d seconds: %s"
2033 * Fixed bug in epoll driver in event.c, where the lack of a
2034 handler for EPOLLHUP could cause 99% CPU usage.
2036 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
2037 want to use a CBC cipher for OpenVPN's data channel.
2039 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
2040 plugin directory to the dlopen search list when the user
2041 specifies the basename of the plugin only (Marius Tomaschewski).
2043 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
2044 to allow forward slash characters ("/") in the X509 common name
2047 * Allow OpenVPN to run completely unprivileged under Linux
2048 by allowing openvpn --mktun to be used with --user and --group
2049 to set the UID/GID of the tun device node. Also added --iproute
2050 option to allow an alternative command to be executed in place
2051 of the default iproute2 command (Alon Bar-Lev).
2053 * Fixed --disable-iproute2 in ./configure to actually disable
2054 iproute2 usage (Alon Bar-Lev).
2056 * Added --management-forget-disconnect option -- forget
2057 passwords when management session disconnects (Alon Bar-Lev).
2059 2007.04.25 -- Version 2.1_rc4
2061 * Worked out remaining issues with TAP driver signing
2062 on Vista x64. OpenVPN will now run on Vista x64
2063 with driver signing enforcement enabled.
2065 * Fixed 64-bit portability bug in time_string function
2068 2007.04.22 -- Version 2.1_rc3
2070 * Additional fixes to TAP driver for Windows x64. Driver
2071 now runs successfully on Vista x64 if driver signing
2072 enforcement is disabled.
2074 * The Windows Installer and TAP driver are now signed by
2075 OpenVPN Solutions LLC (in addition to the usual GnuPG
2078 * Added OpenVPN GUI (Mathias Sundman version) as install
2079 option in Windows installer.
2081 * Clean up configure on FreeBSD for recent autotool versions
2082 that require that all .h files have to be compiled.
2083 Also, FreeBSD install does not support GNU long options
2084 which the Makefile in easy-rsa/2.0 uses (not checked the
2085 others as we don't install those on Gentoo) (Roy Marples).
2087 * Added additional scripts to easy-rsa/Windows for working
2088 with password-protected keys; also add -extensions server
2089 option when generating server cert via
2090 build-key-server-pass.bat (Daniel Zauft).
2092 2007.02.27 -- Version 2.1_rc2
2094 * auth-pam change: link with -lpam rather
2095 than dlopen (Roy Marples).
2097 * Prevent SIGUSR1 or SIGHUP from causing program
2098 exit from initial management hold.
2100 * SO_REUSEADDR should not be set on Windows TCP sockets
2101 because it will cause bind to succeed on port conflicts.
2103 * Added time_ascii, time_duration, and time_unix
2104 environmental variables for plugins and callback
2107 * Fixed issue where OpenVPN does not apply the --txqueuelen option
2108 to persistent interfaces made with --mktun (Roy Marples).
2110 * Attempt at rational signal handling when in the
2111 management hold state. During management hold, ignore
2112 SIGUSR1/SIGHUP signals thrown with the "signal" command.
2113 Also, "signal" command will now apply remapping as
2114 specified with the --remap-usr1 option.
2115 When a signal entered using the "signal" command from a management
2116 hold is ignored, output: >HOLD:Waiting for hold release
2118 * Fixed issue where struct env_set methods that
2119 change the value of an existing name=value pair
2120 would delay the freeing of the memory held by
2121 the previous name=value pair until the underlying
2122 client instance object is closed.
2123 This could cause a server that handles long-term
2124 client connections, resulting in many periodic calls
2125 to verify_callback, to needlessly grow the env_set
2126 memory allocation until the underlying client instance
2129 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
2130 to reflect the fact that Vista has blacklisted the tap0801.sys
2131 file name due to previous compatibility issues which have now
2132 been resolved. TAP-Win32 major/minor version number is now 9/1.
2134 * Windows installer will delete a previously installed
2135 tap0801.sys TAP driver before installing tap0901.sys.
2137 * Added code to Windows installer to fail gracefully on 64 bit
2138 installs until 64-bit TAP driver issues can be resolved.
2140 * Added code to Windows installer to fail gracefully on
2141 versions of Windows which are not explicitly supported.
2143 * The Windows version will now use a default route-delay
2144 of 5 seconds to deal with an apparent routing table race
2147 * Worked around an incompatibility in the Windows Vista
2148 version of CreateIpForwardEntry as described in
2149 http://www.nynaeve.net/?p=59
2150 This issue would cause route additions using the
2151 IP Helper API to fail on Vista.
2153 * On Windows, revert to "ip-win32 dynamic" as the default.
2155 2006.10.31 -- Version 2.1_rc1
2157 * Support recovery (return to hold) from signal at
2158 management password prompt.
2160 * Added workaround for OpenSC PKCS#11 bug#108
2163 2006.10.01 -- Version 2.1-beta16
2165 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
2166 published vulnerabilities.
2168 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
2171 * Autodetect 32/64 bit Windows in installer and install
2172 appropriate TAP driver (Mathias Sundman, Hypherion).
2174 * Fixed bug in loopback self-test introduced
2175 in 2.1-beta15 where self test as invoked by
2176 "make check" would not properly exit after
2177 2 minutes (Paul Howarth).
2179 2006.09.12 -- Version 2.1-beta15
2181 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
2182 RSA Signature Forgery (CVE-2006-4339).
2184 * Fixed bug introduced with the --port-share directive
2185 (back in 2.1-beta9 which causes TLS soft resets
2186 (1 per hour by default) in TCP server mode to force
2187 a blockage of tunnel packets and later time-out and
2188 restart the connection.
2190 * easy-rsa update (Alon Bar-Lev)
2191 Makefile (install) is now available so that
2192 distribs will be able to install it safely.
2194 * PKCS#11 changes: (Alon Bar-Lev)
2195 - Modified ssl.c to not FATAL and return to init.c
2196 so auth-retry will work.
2197 - Modifed pkcs11-helper.c to fix some problem with
2199 - Added retry counter to PKCS#11 PIN hook.
2200 - Modified PKCS#11 PIN retry loop to return correct error
2201 code when PIN is incorrect.
2202 - Fix handling (ignoring) zero sized attributes.
2204 - Fix openssl 0.9.6 (first version) issues.
2206 * Minor fixes of lladdr (Alon Bar-Lev)
2207 Updated makefile.w32-vc to include lladdr.*, updated
2209 Modified lladdr.c to be compiled under visual C.
2211 * Added two new management states:
2212 OPENVPN_STATE_RESOLVE -- DNS lookup
2213 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
2215 * Echo management state change to log.
2217 * Minor syshead.h change for NetBSD to allow
2218 TCP_NODELAY flag to work.
2220 * Modified --port-share code to remove the assumption that
2221 CMSG_SPACE always evaluates to a constant, to enable
2222 compilation on NetBSD and possibly other BSDs as well.
2224 * Eliminated gcc 3.3.3 warnings on NetBSD
2225 when ./configure --enable-strict is used.
2227 * Added optional minimum-number-of-bytes parameter
2228 to --inactive directive.
2230 2006.04.13 -- Version 2.1-beta14
2232 * Fixed Windows server bug in time backtrack handling code which
2233 could cause TLS negotiation failures on legitimate clients.
2235 * Rewrote gettimeofday function for Windows to be
2236 simpler and more efficient.
2238 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
2240 * Added --route-metric option to set a default route metric
2241 for --route (Roy Marples).
2243 * Added --lladdr option to specify the link layer (MAC) address
2244 for the tap interface on non-Windows platforms (Roy Marples).
2246 2006.04.12 -- Version 2.1-beta13
2248 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
2249 to 64 bits caused a bug in the Windows version which has now
2250 been fixed. The bug could cause intermittent crashes.
2252 2006.04.05 -- Version 2.1-beta12
2254 * Security Vulnerability -- An OpenVPN client connecting to a
2255 malicious or compromised server could potentially receive
2256 "setenv" configuration directives from the server which could
2257 cause arbitrary code execution on the client via a LD_PRELOAD
2258 attack. A successful attack appears to require that (a) the
2259 client has agreed to allow the server to push configuration
2260 directives to it by including "pull" or the macro "client" in
2261 its configuration file, (b) the client configuration file uses
2262 a scripting directive such as "up" or "down", (c) the client
2263 succesfully authenticates the server, (d) the server is
2264 malicious or has been compromised and is under the control of
2265 the attacker, and (e) the attacker has at least some level of
2266 pre-existing control over files on the client (this might be
2267 accomplished by having the server respond to a client web request
2268 with a specially crafted file). Credit: Hendrik Weimer.
2271 The fix is to disallow "setenv" to be pushed to clients from
2272 the server, and to add a new directive "setenv-safe" which is
2273 pushable from the server, but which appends "OPENVPN_" to the
2274 name of each remotely set environmental variable.
2276 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
2278 * PKCS11 fixes (Alon Bar-Lev). For full description:
2279 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
2281 * When deleting routes under Linux, use the route metric
2282 as a differentiator to ensure that the route teardown
2283 process only deletes the identical route which was originally
2284 added via the "route" directive (Roy Marples).
2286 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
2287 (Matthias Andree, Dirk Meyer, Vasil Dimov).
2289 * Extended tun device configure code to support ethernet
2290 bridging on NetBSD (Emmanuel Kasper).
2292 2006.02.19 -- Version 2.1-beta11
2294 * Fixed --port-share bug that caused premature closing
2295 of proxied sessions.
2297 2006.02.17 -- Version 2.1-beta10
2299 * Fixed --port-share breakage introduced in 2.1-beta9.
2301 2006.02.16 -- Version 2.1-beta9
2303 * Added --port-share option for allowing OpenVPN and HTTPS
2304 server to share the same port number.
2305 * Added --management-client option to connect as a client
2306 to management GUI app rather than be connected to as a
2308 * Added "bytecount" command to management interface.
2309 * --remote-cert-tls fixes (Alon Bar-Lev).
2311 2006.01.03 -- Version 2.1-beta8
2313 * --remap-usr1 will now also remap signals thrown during
2315 * Added --connect-timeout option to control the timeout
2316 on TCP client connection attempts (doesn't work on all
2317 OSes). This patch also makes OpenVPN signalable during
2318 TCP connection attempts.
2319 * Fixed bug in acinclude.m4 where capability of compiler
2320 to handle zero-length arrays in structs is tested
2322 * Fixed typo in manage.c where inline function declaration
2323 was declared without the "static" keyword (David Stipp).
2324 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
2325 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
2326 proxy settings (currently Windows only).
2327 * Removed redundant base64 code.
2328 * Better sanity checking of --server and --server-bridge
2329 IP pool ranges, so as not to hit the assertion at
2331 * Fixed bug where --daemon and --management-query-passwords
2332 used together would cause OpenVPN to block prior to
2334 * Fixed client/server race condition which could occur
2335 when --auth-retry interact is set and the initially
2336 provided auth-user-pass credentials are incorrect,
2337 forcing a username/password re-query.
2338 * Fixed bug where if --daemon and --management-hold are
2339 used together, --user or --group options would be ignored.
2340 * --ip-win32 adaptive is now the default.
2341 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
2342 mode) can now set DNS/WINS addresses on the TAP-Win32
2344 * Added new option --route-method adaptive (Win32)
2345 which tries IP helper API first, then falls back to
2347 * Made --route-method adaptive the default.
2349 2005.11.12 -- Version 2.1-beta7
2351 * Allow blank passwords to be passed via the management
2353 * Fixed bug where "make check" inside a FreeBSD "jail"
2354 would never complete (Matthias Andree).
2355 * Fixed bug where --server directive in --dev tap mode
2356 claimed that it would support subnets of /30 or less
2357 but actually would only accept /29 or less.
2358 * Extend byte counters to 64 bits (M. van Cuijk).
2359 * Fixed bug in Linux get_default_gateway function
2360 introduced in 2.0.4, which would cause redirect-gateway
2361 on Linux clients to fail.
2362 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
2363 be compatible with 2.0.x distribution.
2364 * Documented --route-nopull.
2365 * Documented --ip-win32 adaptive.
2366 * Windows build now linked with LZO2.
2367 * Allow ca, cert, key, and dh files to be specified
2368 inline via XML-like syntax without needing to
2369 reference an explicit file.
2374 * Allow plugin and push directives to have multi-line
2375 parameter lists such as:
2381 * Added connect-retry-max option (Alon Bar-Lev).
2382 * Fixed problems where signals thrown during initialization
2383 were not returning to a management-hold state.
2384 * Added a backtrack-hardened system time algorithm.
2385 * Added --remote-cert-ku, --remote-cert-eku, and
2386 --remote-cert-tls options for verifying certificate
2387 attributes (Alon Bar-Lev).
2388 * For Windows, reverted --ip-win32 default back to "dynamic".
2389 To use new adaptive mode, set explicitly.
2391 2005.11.01 -- Version 2.1-beta6
2393 * Security fix (merged from 2.0.4) -- Affects non-Windows
2394 OpenVPN clients of version 2.0 or higher which connect to
2395 a malicious or compromised server. A format string
2396 vulnerability in the foreign_option function in options.c
2397 could potentially allow a malicious or compromised server
2398 to execute arbitrary code on the client. Only
2399 non-Windows clients are affected. The vulnerability
2400 only exists if (a) the client's TLS negotiation with
2401 the server succeeds, (b) the server is malicious or
2402 has been compromised such that it is configured to
2403 push a maliciously crafted options string to the client,
2404 and (c) the client indicates its willingness to accept
2405 pushed options from the server by having "pull" or
2406 "client" in its configuration file (Credit: Vade79).
2408 * Security fix -- (merged from 2.0.4) Potential DoS
2409 vulnerability on the server in TCP mode. If the TCP
2410 server accept() call returns an error status, the resulting
2411 exception handler may attempt to indirect through a NULL
2412 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
2414 * Fix attempt of assertion at multi.c:1586 (note that
2415 this precise line number will vary across different
2416 versions of OpenVPN).
2417 * Windows reliability changes:
2418 (a) Added code to make sure that the local PATH environmental
2419 variable points to the Windows system32 directory.
2420 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
2421 and then fails over to 'netsh' if the DHCP negotiation fails.
2422 (c) Made --ip-win32 adaptive the default.
2423 * More PKCS#11 additions/changes (Alon Bar-Lev).
2424 * Added ".PHONY: plugin" to Makefile.am to work around
2426 * Fixed double fork issue that occurs when --management-hold
2428 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
2429 * Warn when multiple clients having the same common name or
2430 username usurp each other when --duplicate-cn is not used.
2431 * Modified Windows and Linux versions of get_default_gateway
2432 to return the route with the smallest metric
2433 if multiple 0.0.0.0/0.0.0.0 entries are present.
2434 * Added ">NEED-OK" alert and "needok" command to management
2435 interface to provide a general interface for sending
2436 alerts to the end-user. Used by the PKCS#11 code
2437 to send Token Insertion Requests to the user.
2438 * Added actual remote address used to the ">STATE" alert
2439 in the management interface (Rolf Fokkens).
2441 2005.10.17 -- Version 2.1-beta4
2443 * Fixed bug introduced in 2.1-beta3 where management
2444 socket bind would fail.
2445 * --capath fix in ssl.c (Zhuang Yuyao).
2446 * Added ".PHONY: plugin" to Makefile.am, reverted
2447 location of "plugin" directory (thanks to
2448 Matthias Andree for figuring this out).
2450 2005.10.16 -- Version 2.1-beta3
2452 * Added PKCS#11 support (Alon Bar-Lev).
2453 * Enable the use of --ca together with --pkcs12. If --ca is
2454 used at the same time as --pkcs12, the CA certificate is loaded
2455 from the file specified by --ca regardless if the pkcs12 file
2456 contains a CA cert or not (Mathias Sundman).
2457 * Merged --capath patch (Thomas Noel).
2458 * Merged --multihome patch.
2459 * Added --bind option for TCP client connections (Ewan Bhamrah
2461 * Moved "plugin" directory to "plugins" to deal with strange
2462 automake problem that ended up being also fixable with
2463 ".PHONY: plugin" in Makefile.am.
2465 2005.10.13 -- Version 2.1-beta2
2467 * Made --sndbuf and --rcvbuf pushable.
2469 2005.10.01 -- Version 2.1-beta1
2471 * Made LZO setting pushable.
2472 * Renamed sample-keys/tmp-ca.crt to ca.crt.
2473 * Fixed bug where remove_iroutes_from_push_route_list
2474 was missing routes if those routes had
2475 an implied netmask (by omission) of 255.255.255.255.
2476 * Merged with 2.0.3-rc1
2477 * easy-rsa/2.0 moved to easy-rsa
2478 * old easy-rsa moved to easy-rsa/1.0
2480 2005.09.23 -- Version 2.0.2-TO4
2482 * Added feature to TAP-Win32 adapter to allow it to be
2483 opened from non-administrator mode. This feature
2484 is enabled by default, and can be enabled/disabled
2485 in the adapter advanced properties dialog.
2486 * Added --allow-nonadmin standalone option for Windows to
2487 set TAP adapter to allow non-admin access. This
2488 is a user-mode version of the code, and duplicates
2489 the same feature as the above entry.
2490 * Added fix that attempts to solve corner case of tunnel not
2491 forwarding packets when system clock is reset to an earlier time.
2492 * Added --redirect-gateway bypass-dns option. (Developers:
2493 To add bypass-dhcp or bypass-dns support to other OSes,
2494 add a get_bypass_addresses function to route.c for
2496 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
2497 allows a client-connect plugin to return configuration text
2498 in memory, rather than via a file.
2499 * Fixed a bug where --mode server --proto tcp-server --cipher none
2500 operation could cause tunnel packet truncation.
2501 * openvpn --version will show [LZO1] or [LZO2], depending on
2502 version that was linked.
2504 2005.09.07 -- Version 2.0.2-TO1
2506 * Added --topology directive. See man page.
2507 * Added --redirect-gateway bypass-dhcp option to add a route
2508 allowing DHCP packets to bypass the tunnel, when the
2509 DHCP server is non-local. Currently only implemented
2511 * Modified OpenVPN Service on Windows to declare the DHCP
2512 client service as a dependency.
2513 * Extended the plugin interface to allow plugins to declare
2514 per-client constructor and destructor functions, to make
2515 it simpler for plugins to maintain per-client state.
2517 2005.09.25 -- Version 2.0.3-rc1
2519 * openvpn_plugin_abort_v1 function wasn't being properly
2520 registered on Windows.
2521 * Fixed a bug where --mode server --proto tcp-server --cipher none
2522 operation could cause tunnel packet truncation.
2524 2005.08.25 -- Version 2.0.2
2526 * No change from 2.0.2-rc1.
2528 2005.08.24 -- Version 2.0.2-rc1
2530 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
2531 which incorrectly set OpenVPN service to autostart.
2532 * Don't package source code zip file in Windows installer
2533 in order to reduce the size of the installer. The source
2534 zip file can always be downloaded separately if needed.
2535 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
2536 version of get_default_gateway. Allocated socket for route
2537 manipulation is never freed so number of mbufs continuously
2538 grow and exhaust system resources after a while (Jaroslav Klaus).
2539 * Fixed bug where "--proto tcp-server --mode p2p --management
2540 host port" would cause the management port to not respond until
2541 the OpenVPN peer connects.
2542 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
2544 2005.08.16 -- Version 2.0.1
2546 * Security Fix -- DoS attack against server when run with "verb 0" and
2547 without "tls-auth". If a client connection to the server fails
2548 certificate verification, the OpenSSL error queue is not properly
2549 flushed, which can result in another unrelated client instance on the
2550 server seeing the error and responding to it, resulting in disconnection
2551 of the unrelated client (CAN-2005-2531).
2552 * Security Fix -- DoS attack against server by authenticated client.
2553 This bug presents a potential DoS attack vector against the server
2554 which can only be initiated by a connected and authenticated client.
2555 If the client sends a packet which fails to decrypt on the server,
2556 the OpenSSL error queue is not properly flushed, which can result in
2557 another unrelated client instance on the server seeing the error and
2558 responding to it, resulting in disconnection of the unrelated client
2559 (CAN-2005-2532). Credit: Mike Ireton.
2560 * Security Fix -- DoS attack against server by authenticated client.
2561 A malicious client in "dev tap" ethernet bridging mode could
2562 theoretically flood the server with packets appearing to come from
2563 hundreds of thousands of different MAC addresses, causing the OpenVPN
2564 process to deplete system virtual memory as it expands its internal
2565 routing table. A --max-routes-per-client directive has been added
2566 (default=256) to limit the maximum number of routes in OpenVPN's
2567 internal routing table which can be associated with a given client
2569 * Security Fix -- DoS attack against server by authenticated client.
2570 If two or more client machines try to connect to the server at the
2571 same time via TCP, using the same client certificate, and when
2572 --duplicate-cn is not enabled on the server, a race condition can
2573 crash the server with "Assertion failed at mtcp.c:411"
2575 * Fixed server bug where under certain circumstances, the client instance
2576 object deletion function would try to delete iroutes which had never been
2577 added in the first place, triggering "Assertion failed at mroute.c:349".
2578 * Added --auth-retry option to prevent auth errors from being fatal
2579 on the client side, and to permit username/password requeries in case
2580 of error. Also controllable via new "auth-retry" management interface
2581 command. See man page for more info.
2582 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
2583 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
2584 would fail to build.
2585 * Implement "make check" to perform loopback tests (Matthias Andree).
2587 2005.07.21 -- Version 2.0.1-rc7
2589 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
2590 * Include linux/types.h before checking for linux/errqueue.h (Matthias
2593 2005.07.15 -- Version 2.0.1-rc6
2595 * Commented out "user nobody" and "group nobody" in sample
2596 client/server config files.
2597 * Allow '@' character to be used in --client-config-dir
2600 2005.07.04 -- Version 2.0.1-rc5
2602 * Windows version will log a for-further-info URL when
2603 initialization sequence is completed with errors.
2604 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
2605 to control whether auth-pam plugin links to PAM via
2606 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
2607 behavior should be preserved. DLOPEN_PAM=0 is the preferred
2608 setting to link via -lpam, but DLOPEN_PAM=1 works around
2609 a bug in SuSE 9.1 (and possibly other distros as well)
2610 where the PAM modules are not linked with -lpam. See
2611 thread on openvpn-devel for more discussion about this
2612 patch (Simon Perreault).
2614 2005.06.15 -- Version 2.0.1-rc4
2616 * Support LZO 2.00, including changes to configure script to
2617 autodetect LZO version.
2619 2005.06.12 -- Version 2.0.1-rc3
2621 * Fixed a bug which caused standard file handles to not be closed
2622 after daemonization when --plugin and --daemon are used together,
2623 and if the plugin initialization function forks (as does auth-pam
2624 and down-root) (Simon Perreault).
2625 * Added client-side up/down scripts in contrib/pull-resolv-conf
2626 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
2627 on Linux/Unix systems (Jesse Adelman).
2628 * Fixed bug where if client-connect scripts/plugins were cascaded,
2629 and one (but not all) of them returned an error status, there might
2630 be cases where for an individual script/plugin, client-connect was
2631 called but not client-disconnect. The goal of this fix is to
2632 ensure that if client-connect is called on a given client instance,
2633 then client-disconnect will definitely be called. A potential
2634 complication of this fix is that when client-connect functions are
2635 cascaded, it's possible that the client-disconnect function would
2636 be called in cases where the related client-connect function returned
2637 an error status. This fix should not alter OpenVPN behavior when
2638 scripts/plugins are not cascaded.
2639 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
2640 fatal error to a warning: "FRAG: outgoing buffer is not empty".
2641 Need more info on how to reproduce this one.
2642 * When --duplicate-cn is used, the --ifconfig-pool allocation
2643 algorithm will now allocate the first available IP address.
2644 * When --daemon and --management-hold are used together,
2645 OpenVPN will daemonize before it enters the management hold state.
2647 2005.05.16 -- Version 2.0.1-rc2
2649 * Modified vendor test in openvpn.spec file to match against
2650 "Mandrakesoft" in addition to "MandrakeSoft".
2651 * Using --iroute in a --client-config-dir file while in --dev tap
2652 mode is not currently supported and will produce a warning
2653 message. Fixed bug where in certain cases, in addition to
2654 generating a warning message, this combination of options
2655 would also produce a fatal assertion in mroute.c.
2656 * Pass --auth-user-pass username to server-side plugin without
2657 performing any string remapping (plugins, unlike scripts,
2658 don't get any security benefit from string remapping).
2659 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
2660 where backslash characters in a username ('\') were being remapped
2661 to underscore ('_').
2662 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
2663 * Documented --explicit-exit-notify in man page.
2664 * --explicit-exit-notify seconds parameter defaults to 1 if
2667 2005.04.30 -- Version 2.0.1-rc1
2669 * Fixed bug where certain kinds of fatal errors after
2670 initialization (such as port in use) would leave plugin
2671 processes (such as openvpn-auth-pam) still running.
2672 * Added optional openvpn_plugin_abort_v1 plugin function for
2673 closing initialized plugin objects in the event of a fatal
2674 error by main OpenVPN process.
2675 * When the --remote list is > 1, and --resolv-retry is not
2676 specified (meaning that it defaults to "infinite"), apply the
2677 infinite timeout to the --remote list as a whole, but try each
2678 list item only once before moving on to the next item.
2679 * Added new --syslog directive which redirects output
2680 to syslog without requiring the use of the --daemon or --inetd
2682 * Added openvpn.spec option to allow RPM to be built with support
2683 for passwords read from a file:
2684 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
2686 2005.04.17 -- Version 2.0
2688 * Fixed minor options string typo in options.c.
2690 2005.04.10 -- Version 2.0-rc21
2692 * Change license description from "GPL Version 2 or (at your
2693 option) any later version" to just "GPL Version 2".
2695 2005.04.04 -- Version 2.0-rc20
2697 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
2698 excellent distro/version coverage for RH/EL/Fedora, though
2699 using his own SPEC. I modified openvpn.spec to follow some of
2700 the same conventions such as putting sample scripts and doc
2701 files in %doc rather than /usr/share/openvpn.
2702 * Minor change to init scripts to run the user-defined script
2703 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
2704 configs are started, and to run /etc/openvpn/openvpn-shutdown
2705 after all OpenVPN configs have been stopped. The
2706 openvpn-startup script can be used for stuff like
2707 insmod tun.o, setting up firewall rules, or starting
2710 2005.03.29 -- Version 2.0-rc19
2712 * Omit additions of routes where the network and
2713 gateway are equal and the netmask is 255.255.255.255.
2714 This can come up if you are using both
2715 server/ifconfig-pool and client-config-dir with
2716 ifconfig-push static addresses for some subset of clients
2717 which directly reference the server IP address as the
2720 2005.03.28 -- Version 2.0-rc18
2722 * Packaged Windows installer with OpenSSL 0.9.7f.
2723 * Built Windows installer with NSIS 2.06.
2725 2005.03.12 -- Version 2.0-rc17
2727 * "MANAGEMENT: CMD" log file output will now only occur
2728 at --verb 7 or greater.
2729 * Added an optional name/value configuration list to
2730 the openvpn-auth-pam plugin module argument list. See
2731 plugin/auth-pam/README for documentation. This is necessary
2732 in order for openvpn-auth-pam to work with queries generated
2733 by arbitrary PAM modules.
2734 * In both auth-pam and down-root plugins, in the forked process,
2735 a read error on the parent process socket is no longer fatal.
2736 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
2737 A conditional test of the vendor has been added to
2738 Require the appropriately named 'lzo' (liblzo1 / lzo).
2739 (Tom Walsh - http://openhardware.net)
2742 2005.02.20 -- Version 2.0-rc16
2744 * Fixed bug introduced in rc13 where Windows service wrapper
2745 would be installed with a startup type of Automatic.
2746 This fix restores the previous behavior of installing
2747 with a startup type of Manual.
2749 2005.02.19 -- Version 2.0-rc15
2751 * Added warning when --keepalive is not used in a server
2753 * Don't include OpenSSL md4.h file if we are not building
2754 NTLM proxy support (Waldemar Brodkorb).
2755 * Added easy-rsa/build-key-pkcs12 and
2756 easy-rsa/Windows/build-key-pkcs12.bat scripts
2759 2005.02.16 -- Version 2.0-rc14
2761 * Fixed small memory leak that occurs when --crl-verify
2763 * Upgraded Windows installer and .nsi script to NSIS 2.05
2765 * Changed #include backslash usage in cryptoapi.c to use
2766 forward slashes instead (Gisle Vanem).
2767 * Created easy-rsa/revoke-full to handle revocations in
2768 a single step: (a) revoke crt, (b) regenerate CRL, and
2769 (c) verify that revocation succeeded.
2770 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
2771 that both *nix and Windows scripts are equivalent.
2773 2005.02.11 -- Version 2.0-rc13
2775 * Improve human-readability of local/remote options
2776 diff, when inconsistencies are present.
2777 * For Windows easy-rsa, distribute vars.bat.sample and
2778 openssl.cnf.sample, then copy them to their normal
2779 filenames (without the .sample) when init-config.bat
2780 is run. This is to prevent OpenVPN upgrades from
2781 wiping out vars.bat and openssl.cnf edits.
2782 * Modified service wrapper (Windows) to use a
2783 case-insensitive search when scanning for .ovpn files
2784 in \Program Files\OpenVPN\config. Prior versions
2785 required an all-lower-case .ovpn file extension.
2786 * Miscellaneous service wrapper code cleanup.
2787 * If --user/--group is used on Windows, treat it
2788 as a no-op with a warning (this makes it easier to
2789 distribute the same client config file to Windows
2791 * Warn if --ifconfig-pool-persist is used with
2794 2005.02.05 -- Version 2.0-rc12
2796 * Removed some debugging code inadvertently included
2797 in rc11 which would print the --auth-user-pass
2798 username/password provided by clients in the server
2800 * Client code for cycling through --remote list will
2801 retry the last address which successfully authenticated
2802 before moving on through the list.
2803 * Windows installer will now install sample configuration
2804 files in \Program Files\OpenVPN\sample-configs as well
2805 as generate a start menu shortcut to this directory.
2806 * Minor type change in buffer.[ch] to work around char-type
2807 ambiguity bug. Caused management interface lock-ups on
2808 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
2810 2005.02.03 -- Version 2.0-rc11
2812 * Windows installer will now install easy-rsa directory
2813 in \Program Files\OpenVPN
2814 * Allow syslog facility to be controlled at compile time,
2815 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
2816 * Changed certain shell scripts in distribution to use
2817 #!/bin/sh rather than #!/bin/bash for better portability.
2818 * If --ifconfig-pool-persist seconds parameter is 0, treat
2819 persist file as an allocation of fixed IP addresses
2820 (previous versions took IP-to-common-name associations
2821 from this list as hints, not mandatory static allocations).
2822 * Fixed bug on *nix where if --auth-user-pass and --log
2823 were used together, the username prompt would be sent to
2824 the log file rather than /dev/tty.
2825 * Spurious text in openvpn.8 detected by doclifter
2827 * Call closelog later on daemon kill so that process
2828 exit message is written to syslog.
2830 2005.01.27 -- Version 2.0-rc10
2832 * When ./configure is run with plugins enabled (the default),
2833 check whether or not dlopen exists in libc before testing
2834 for libdl. This is to fix an issue on FreeBSD and possibly
2835 other OSes which bundle libdl functions in libc.
2836 * On Windows, filter initial WSAEINVAL warning which occurs
2837 on the initial read attempt of an unbound socket.
2838 * The easy-rsa scripts build-key, build-key-pass, and
2839 build-key-server will now chmod the .key file
2840 to 0600. This is in addition to the fact the generated
2841 keys directory has always been similarly protected
2844 2005.01.23 -- Version 2.0-rc9
2846 * Fixed error "ROUTE: route addition failed using
2847 CreateIpForwardEntry ..." on Windows when --redirect-gateway
2848 is used over a RRAS internet link.
2849 * When using --route-method exe on Windows, include the
2850 gateway parameter on route delete commands (Mathias Sundman).
2851 * Try not to do a hard reset (i.e. SIGHUP) when two
2852 SIGUSR1 signals are received in close succession.
2853 * If the push list tries to grow beyond its buffer capacity,
2854 the resulting error will be non-fatal.
2855 * To increase the push list capacity (must be done on both
2856 client and server), increase TLS_CHANNEL_BUF_SIZE in
2857 common.h (default=1024).
2859 2005.01.15 -- Version 2.0-rc8
2861 * Fixed bug introduced in rc7 where options error
2862 "--auth-user-pass requires --pull" might occur even
2863 if --pull was correctly specified.
2864 * Changed management interface code to bind once
2865 to TCP socket, rather than rebinding after every
2867 * Added "disable" directive for client-config-dir
2869 * Windows binary install is now distributed with
2871 * Query the management interface for --http-proxy
2872 username/password if authfile is set to "stdin".
2873 * Added current OpenVPN version number to "Unrecognized
2874 option or missing parameter" error message.
2875 * Added "-extensions server" to "openssl req" command
2876 in easy-rsa/build-key-server (Nir Yeffet).
2878 2005.01.10 -- Version 2.0-rc7
2880 * Fixed bug in management interface which could cause
2881 100% CPU utilization in --proto tcp-server mode
2882 on all *nix OSes except for Linux 2.6.
2883 * --ifconfig-push now accepts DNS names as well as
2885 * Added sanity check errors when --pull or
2886 --auth-user-pass is used in an incorrect mode.
2887 * Updated man page entries for --client-connect and
2889 * Added "String Types and Remapping" section to man
2890 page to consisely document the way which OpenVPN
2891 may convert certain types of characters in strings
2893 * Modified bridging description in HOWTO to emphasize
2894 the fact that bridging allows Windows file and print
2895 sharing without a WINS server (Charles Duffy).
2897 2004.12.20 -- Version 2.0-rc6
2899 * Improved checking for epoll support in ./configure
2900 to fix false positive on RH9 (Jan Just Keijser).
2901 * Made the "MULTI TCP: I/O wait required blocking in
2902 multi_tcp_action, action=7" error nonfatal and replaced
2903 with "MULTI: Outgoing TUN queue full, dropped packet".
2904 So far the issue only seems to occur on Linux 2.2
2905 in --mode server --proto tcp mode. It occurs when
2906 the TUN/TAP driver locks up and refuses to accept
2907 new packet writes for a second or more.
2908 * Fixed bug where if a --client-config-dir file tried
2909 to include another file using "config", and if that
2910 include failed, OpenVPN would abort with a fatal
2911 error. Now such inclusion failures will be logged
2912 but are no longer fatal.
2913 * Global changes to the way that packet buffer alignment
2914 is handled. Previously we didn't care about alignment
2915 and took care, when handling 16 and 32 bit words
2916 in buffers, to always use alignment-safe transfers.
2917 This approach appears to be inadequate on some
2918 architectures such as alpha. The new approach is
2919 to initialize packet buffers in a way that anticipates
2920 how component structures will be allocated within
2921 them, to maintain correct alignment.
2922 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
2923 over TCP (Jan Just Keijser).
2924 * Added --http-proxy-option directive for controlling
2925 miscellaneous HTTP proxy options.
2926 * Management state will no longer transition to "WAIT"
2927 during TLS renegotiations.
2929 2004.12.16 -- Version 2.0-rc5
2931 * The --client-config-dir option will now try to open
2932 a default file called "DEFAULT" if no file matching
2933 the common name of the incoming client was found.
2934 * The --client-connect script/plugin can now veto client
2935 authentication by returning a failure code.
2936 * The --learn-address script/plugin can now prevent a
2937 client-instance/address association from being learned
2938 by returning a failure code.
2939 * Changed RPM group in .spec file to Applications/Internet.
2941 2004.12.14 -- Version 2.0-rc4
2943 * SuSE only -- Fixed interaction between openvpn.spec and
2944 suse/openvpn.init where the .spec file was writing the
2945 OpenVPN binary to a different location than where the
2946 .init script was referencing it (Stefan Engel).
2947 * Solaris only -- Split Solaris ifconfig command into two
2948 parts (Jan Just Keijser).
2949 * Some cleanup in add_option().
2950 * Better error checking on input dotted quad IP addresses.
2951 * Verify that --push argument is quoted, if there is
2953 * More miscellaneous option sanity checks.
2955 2004.12.13 -- Version 2.0-rc3
2957 * On Windows, when --log or --log-append is used,
2958 save the original stderr for username and password
2960 * Fixed a bug introduced in the late 2.0 betas where
2961 if a "verb" parameter >= 16 was used, it would be
2962 ignored and the actual verb level would remain at 1.
2963 * Fixed a bug mostly seen on OS X where --management-hold
2964 or --management-query-passwords would cause the management
2965 interface to be unresponsive to incoming client connections.
2966 * Trigger an options error if one of the management-modifying
2967 options is used without "management" itself.
2969 2004.12.12 -- Version 2.0-rc2
2971 * Amplified warnings in documentation about possible
2972 man-in-the-middle attack when clients do not properly
2973 verify server certificate. Changes to easy-rsa README,
2974 FAQ, HOWTO, man page, and sample client config file.
2975 * Added a warning message if --tls-client or --client
2976 is used without also specifying one of either
2977 --ns-cert-type, --tls-remote, or --tls-verify.
2978 * status_open() fixes for MSVC builds (Blaine Fleming).
2979 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
2980 compiler error which has been reported on some platforms.
2981 * The openvpn.spec file for rpmbuild has several
2982 new build-time options. See comments in the file.
2983 * Plugins are now built and packaged in the RPM and
2984 will be saved in /usr/share/openvpn/plugin/lib.
2985 * Added --management-hold directive to start OpenVPN
2986 in a hibernating state until released by the
2987 management interface. Also added "hold" command
2988 to the management interface.
2990 2004.12.07 -- Version 2.0-rc1
2992 * openvpn.spec workaround for SuSE confusion regarding
2993 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
2995 2004.12.05 -- Version 2.0-beta20
2997 * The ability to read --askpass and --auth-user-pass
2998 passwords from a file has been disabled by default.
2999 To re-enable, use ./configure --enable-password-save.
3000 * Added additional pre-connected states to management
3001 interface. See management/management-notes.txt
3003 * State history is now recorded by the management
3004 interface, and the "state" command now works like
3005 the log or echo commands.
3006 * State history and real-time state change notifications
3007 are now prepended with an integer unix timestamp.
3008 * Added --http-proxy-timeout option, previously
3009 the timeout was hardcoded to 5 seconds.
3011 2004.12.02 -- Version 2.0-beta19
3013 * Fixed bug in management interface line termination
3014 where output lines incorrectly contained a \00 char
3015 after the customary \0d \0a.
3016 * Fixed bug introduced in beta18 where Windows version
3017 would segfault on options errors.
3018 * Fixed bug in management interface where an empty
3019 quoted string ("") entered as a parameter would cause
3021 * Fixed bug where --resolv-retry was not working
3022 properly with multiple --remote hosts.
3023 * Added additional ./configure options to reduce
3024 executable size for embedded applications.
3025 See ./configure --help.
3027 2004.11.28 -- Version 2.0-beta18
3029 * Added management interface. See new --management-*
3030 options or the full management interface documentation
3031 in management/management-notes.txt in the tarball.
3032 Management interface inclusion can be disabled by
3033 ./configure --disable-management.
3034 * Added two new plugin modules: auth-pam and down-root.
3035 Auth-pam supports pam-based authentication using a
3036 split privilege execution model, while down-root enables
3037 a down script to be executed with root privileges, even
3038 when --user/--group is used to drop root privileges.
3039 See the plugin directory in the tarball for READMEs,
3040 source code, and Makefiles.
3041 * Plugin developers should note that some changes were
3042 made to the plugin interface since beta17. See
3043 openvpn-plugin.h for details.
3044 Plugin interface inclusion can be disabled with
3045 ./configure --disable-plugins
3046 * Added easy-rsa/build-key-server script which will
3047 build a certificate with with nsCertType=server.
3048 * Added --ns-cert-type option for verification
3049 of nsCertType field in peer certificate.
3050 * If --fragment n is specified and --mssfix is specified
3051 without a parameter, default --mssfix to n. This restores
3052 the 1.6 behavior when using --mssfix without a parameter.
3053 * Fixed SSL context initialization bug introduced in beta14
3054 where this error might occur on restarts: "Cannot load
3055 certificate chain ... PEM_read_bio:no start line".
3057 2004.11.11 -- Version 2.0-beta17
3059 * Changed default port number to 1194 per IANA official
3060 port number assignment.
3061 * Added --plugin directive which allows compiled
3062 modules to intercept script callbacks. See
3063 plugin folder in tarball for more info.
3064 * Fixed bug introduced in beta12 where --key-method 1
3065 authentications which should have succeeded would fail.
3066 * Ignore SIGUSR1 during DNS resolution.
3067 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
3068 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
3071 2004.11.07 -- Version 2.0-beta16
3073 * Modified sample-scripts/auth-pam.pl to get username
3074 and password from OpenVPN via a file rather than
3075 via environmental variables.
3076 * Added bytes_sent and bytes_received environmental
3077 variables to be set prior to client-disconnect script.
3078 * Changed client virtual IP derivation precedence:
3079 (1) use --ifconfig-push directive from --client-connect
3080 script, (2) use --ifconfig-push directive from
3081 --client-config-dir, and (3) use --ifconfig-pool
3083 * If a --client-config-dir file specifies --ifconfig-push,
3084 it will be visible to the --client-connect-script in
3085 the ifconfig_pool_remote_ip environmental variable.
3086 * For tun-style tunnels, the ifconfig_pool_local_ip
3087 environmental variable will be set, while for
3088 tap-style tunnels, the ifconfig_pool_netmask variable
3090 * Added intelligence to autoconf script to test
3091 compiler for the accepted form of zero-length arrays.
3092 * Fixed a bug introduced in beta12 where --ip-win32
3093 netsh would fail if --dev-node was not explicitly
3095 * --ip-win32 netsh will now work on hidden adapters.
3096 * Fix attempt of "Assertion failed at crypto.c:149".
3097 This assertion has also been reported on 1.x with a
3098 slightly different line number. The fix is twofold:
3099 (1) In previous releases, --mtu-test may trigger this
3100 assertion -- this bug has been fixed. (2) If something
3101 else causes the assertion to be thrown, don't panic,
3102 just output a nonfatal warning to the log and drop
3103 the packet which generated the error.
3104 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
3105 * Added --echo directive.
3106 * Added --auth-nocache directive.
3108 2004.10.28 -- Version 2.0-beta15
3110 * Changed environmental variable character classes
3111 so that names must consist of alphanumeric or
3112 underbar chars and values must consist of printable
3113 characters. Illegal chars will be deleted.
3114 Versions prior to 2.0-beta12 were more restrictive
3115 and would map spaces to '.'.
3116 * On Windows, when the TAP adapter fails to
3117 initialize with the correct IP address, output
3118 "Initialization Sequence Completed with Errors"
3119 to the console or log file.
3120 * Added a warning when user/group/chroot is used
3121 without persist-tun and persist-key.
3122 * Added cryptoapi.[ch] to tarball and source zip.
3123 * --tls-remote option now works with common name
3124 prefixes as well as with the full X509 subject
3125 string. This is a useful alternative to using
3126 a CRL on the client.
3127 * common names associated with a static
3128 --ifconfig-push setting will no longer leave
3129 any state in the --ifconfig-pool-persist file.
3130 * Hard TLS errors (TLS handshake failed) will now
3131 trigger either a SIGUSR1 signal by default
3132 or SIGTERM (if --tls-exit is specified). In TCP
3133 mode, all TLS errors are considered to be hard.
3134 In server mode, the signal will be local to the
3136 * Added method parameter to --auth-user-pass-verify
3137 directive to select whether username/password
3138 is passed to script via environment or a temporary
3140 * Added --status-version option to control format
3141 of --status file. The --mode server
3142 --status-version 2 format now includes a line
3143 type token, the virtual IP address is shown
3144 in the client list (even in --dev tap mode),
3145 and the integer time_t value is shown anywhere
3146 an ascii-formatted time/date is also shown.
3147 * Added --remap-usr1 directive which can be used
3148 to control whether internally or externally
3149 generated SIGUSR1 signals are remapped to
3150 SIGHUP (restart without persisting state) or
3152 * When running as a Windows service (using
3153 --service option), check the exit event before
3154 and after reading one line of input from
3155 stdin, when reading username/password info.
3156 * For developers: Extended the --gremlin function
3157 to better stress-test the new 2.0 features,
3158 added Valgrind support on Linux and Dmalloc
3161 2004.10.19 -- Version 2.0-beta14
3163 * Fixed a bug introduced in Beta12 that would occur
3164 if you use a --client-connect script without also
3166 * Fixed a bug introduced in Beta12 where a learn-address
3167 script might segfault on the delete method.
3168 * Added Crypto API support in Windows version via
3169 the --cryptoapicert option (Peter 'Luna' Runestig).
3171 2004.10.18 -- Version 2.0-beta13
3173 * Fixed an issue introduced in Beta12 where the private
3174 key password would not be prompted for unless --askpass
3175 was explicitly specified in the config.
3177 2004.10.17 -- Version 2.0-beta12
3179 * Added support for username/password-based authentication.
3180 Clients can now authentication themselves with the server
3181 using either a certificate, a username/password, or both.
3182 New directives: --auth-user-pass, --auth-user-pass-verify,
3183 --client-cert-not-required, and --username-as-common-name.
3184 * Added NTLM proxy patch (William Preston).
3185 * Added --ifconfig-pool-linear server flag to allocate
3186 individual tun addresses for clients rather than /30
3187 subnets (won't work with Windows clients).
3188 * Modified --http-proxy code to cache username/password
3190 * Modified --http-proxy code to read username/password
3191 from the console when the auth file is given as "stdin".
3192 * Modified --askpass to take an optional filename argument.
3193 * --persist-tun and --persist-key now work in client mode
3194 and can be pushed to clients as well.
3195 * Added --ifconfig-pool-persist directive, to maintain
3196 ifconfig-pool info in a file which is persistent across
3197 daemon instantiations.
3198 * --user and --group privilege downgrades as well as
3199 --chroot now also work in client mode (the
3200 dowgrade/chroot will be delayed until the initialization
3201 sequence is completed).
3202 * Added --show-engines standalone directive to show
3203 available OpenSSL crypto accelerator engine support.
3204 * --engine directive now accepts an optional engine-ID
3205 parameter to control which engine is used.
3206 * "Connection reset, restarting" log message now shows
3207 which client is being reset.
3208 * Added --dhcp-pre-release directive in Windows version.
3209 * Second parm to --ip-win32 can be "default", e.g.
3210 --ip-win32 dynamic default 60.
3211 * Fixed documentation bug regarding environmental
3212 variable settings for --ifconfig-pool IP addresses.
3213 The correct environmental variable names are:
3214 ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
3215 * ifconfig_pool_local_ip and ifconfig_pool_remote_ip
3216 environmental variables are now passed to the
3217 client-disconnect script.
3218 * In server mode, environmental variables are now scoped
3219 according to the client they are associated with,
3220 to solve the problem of "crosstalk" between different
3221 client's environmental variable sets.
3222 * Added --down-pre flag to cause --down script to be
3223 called before TUN/TAP close (rather than after).
3224 * Added --tls-exit flag which will cause OpenVPN
3225 to exit on any TLS errors.
3226 * Don't push a route to a client if it exactly
3227 matches an iroute (this lets you push routes to
3228 all clients, and OpenVPN will automatically remove
3229 the route from the route push list only for that client
3230 which the route actually belongs to).
3231 * Made '--resolv-retry infinite' the default.
3232 --resolv-retry can be disabled by using a parameter of 0.
3233 * For clients which plan to pull config info from server,
3234 set an initial default ping-restart of 60 seconds.
3235 * Optimized mute code to lessen the load on the processor
3236 when messages are being muted at a higher frequency.
3237 * Made route log messages non-mutable.
3238 * Silence the Linux "No buffer space available" message.
3239 * Added miscellaneous additional option sanity checks.
3240 * Added Windows version of easy-rsa scripts in
3241 easy-rsa/Windows directory (Andrew J. Richardson).
3242 * Added NetBSD route patch (Ed Ravin).
3243 * Added OpenBSD patch for TAP + --redirect-gateway
3244 (Waldemar Brodkorb).
3245 * Directives which prompt for a username and/or password
3246 will now work with --daemon (OpenVPN will prompt
3248 * Warn if CRL is from a different issuer than the
3249 issuer of the peer certificate (Bernhard Weisshuhn).
3250 * Changed init script chkconfig parameters to start
3251 OpenVPN daemon(s) before NFS.
3252 * Bug fix attempt of "too many I/O wait events" which occurs
3253 on OSes which prefer select() over poll() such as Mac OS X.
3254 * Added --ccd-exclusive flag. This flag will require, as a
3255 condition of authentication, that a connecting client has
3256 a --client-config-dir file.
3257 * TAP-Win32 open code will attempt to open a free adapter
3258 if --dev-node is not specified (Mathias Sundman).
3259 * Resequenced --nice and --chroot ordering so that --nice
3261 * Added --suppress-timestamps flag (Charles Duffy).
3262 * Source code changes to allow compilation by MSVC
3263 (Peter 'Luna' Runestig).
3264 * Added experimental --fast-io flag which optimizes
3265 TUN/TAP/UDP writes on non-Windows systems.
3267 2004.08.18 -- Version 2.0-beta11
3269 * Added --server, --server-bridge, --client, and
3270 --keepalive helper directives. See client.conf
3271 and server.conf in sample-config-files for sample
3272 configurations which use the new directives.
3273 * On Windows, added --route-method to control
3274 whether IP Helper API or route.exe is used
3275 to add/delete routes.
3276 * On Windows, added a second parameter to
3277 --route-delay to control the maximum time period
3278 to wait for the TAP-Win32 adapter to come up
3279 before adding routes.
3280 * Fixed bug in Windows version where configurations
3281 which omit --ifconfig might fail to recognize when
3282 the TAP adapter is up.
3283 * Proxy connection failures will now retry according
3284 to the --connect-retry parameter.
3285 * Fixed --dev null handling on Windows so that TLS
3286 loopback test described in INSTALL file works
3287 correctly on Windows.
3288 * Added "Initialization Sequence Completed" message
3289 after all initialization steps have been completed
3290 and the VPN can be considered "up".
3291 * Better sanity-checking on --ifconfig-pool parameters.
3292 * Added --tcp-queue-limit option to control
3293 TUN/TAP -> TCP socket overflow.
3294 * --ifconfig-nowarn flag will now silence general
3295 warnings about possible --ifconfig address
3296 conflicts, including the warning about --ifconfig
3297 and --remote addresses being in same /24 subnet.
3298 * Fixed case where server mode did not correctly
3299 identify certain types of ethernet multicast packets
3301 * Added --explicit-exit-notify option (experimental).
3303 2004.08.02 -- Version 2.0-beta10
3305 * Fixed possible reference after free of option strings
3306 after a restart, bug was introduced in beta8.
3307 * Fixed segfault at route.c:919 in the beta9
3308 Windows version that was being caused by indirection
3309 through a NULL pointer.
3310 * Mistakenly built debug version of TAP-Win32 driver
3311 for beta9. Beta10 has correct release build.
3313 2004.07.30 -- Version 2.0-beta9
3315 * Fixed --route issue on Windows that was introduced with
3316 the new beta8 route implementation based on the
3319 2004.07.27 -- Version 2.0-beta8
3321 * Added TCP support in server mode.
3322 * Added PKCS #12 support (Mathias Sundman).
3323 * Added patch to make revoke-crt and make-crl work
3324 seamlessly within the easy-rsa environment (Jan Kiszka).
3325 * Modified --mode server ethernet bridge code to forward
3326 special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
3327 * Added --dhcp-renew and --dhcp-release flags to Windows
3328 version. Normally DHCP renewal and release on the TAP
3329 adapter occurs automatically under Windows, however
3330 if you set the TAP-Win32 adapter Media Status property
3331 to "Always Connected", you may need these flags.
3332 * Added --show-net standalone flag to Windows version to
3333 show OpenVPN's view of the system adapter and routing
3335 * Added --show-net-up flag to Windows version to output
3336 the system routing table and network adapter list to
3337 the log file after the TAP-Win32 adapter has been brought
3338 up and any routes have been added.
3339 * Modified Windows version to add routes using the IP Helper
3340 API rather than by calling route.exe.
3341 * Fixed bug where --route-up script was not being called
3342 if no --route options were specified.
3343 * Added --mute-replay-warnings to suppress packet replay
3344 warnings. This is a common false alarm on WiFi nets.
3345 * Added "def1" flag to --redirect-gateway option to override
3346 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
3347 rather than 0.0.0.0/0. This has the benefit of overriding
3348 but not wiping out the original default gateway.
3349 (Thanks to Jim Carter for pointing out this idea).
3350 * You can now run OpenVPN with a single config file argument.
3351 For example, you can now say "openvpn config.conf"
3352 rather than "openvpn --config config.conf".
3353 * On Windows, made --route and --route-delay more adaptive
3354 with respect to waiting for interfaces referenced by the
3355 route destination to come up. Routes added by --route
3356 should now be added as soon as the interface comes up,
3357 rather than after an obligatory 10 second delay. The
3358 way this works internally is that --route-delay now
3359 defaults to 0 on Windows. Previous versions would
3360 wait for --route-delay seconds then add the routes.
3361 This version will wait --route-delay seconds and then
3362 test the routing table at one second intervals for the
3363 next 30 seconds and will not add the routes until they
3364 can be added without errors.
3365 * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
3366 default on TCP/UDP socket in light of reports that this
3367 action can have undesirable global side effects on the
3368 MTU settings of other adapters. These parameters can
3369 still be set, but you need to explicitly specify
3370 --sndbuf and/or --rcvbuf.
3371 * Added --max-clients option to limit the maximum number
3372 of simultaneously connected clients in server mode.
3373 * Added error message to illuminate shell escape gotcha when
3374 single backslashes are used in Windows path names.
3375 * Added optional netmask parm to --ifconfig-pool.
3376 * Fixed bug where http-proxy connect retry attempts were
3377 incorrectly going to the remote OpenVPN server,
3378 not to the HTTP proxy server.
3380 2004.06.29 -- Version 2.0-beta7
3382 * Fixed bug in link_socket_verify_incoming_addr() which
3383 under certain circumstances could have caused --float
3384 behavior even if --float was not specified.
3385 * --tls-auth option now works with --mode server.
3386 All clients and the server should use the same
3387 --tls-auth key when operating in client/server mode.
3388 * Added --engine option to make use of OpenSSL-supported
3389 crypto acceleration hardware.
3390 * Fixed some high verbosity print format size issues
3391 in event.c for 64 bit platforms (Janne Johansson).
3392 * Made failure to open --log or --log-append file
3395 2004.06.23 -- Version 2.0-beta6
3397 * Fixed Windows installer to intelligently put
3398 up a reboot dialog only if tapinstall tells
3399 us that it's really necessary.
3400 * Fixed "Assertion failed at fragment.c:309"
3401 bug when --mode server and --fragment are used
3403 * Ignore HUP, USR1, and USR2 signals during
3404 initialization. Prior versions would abort.
3405 * Fixed bug on OS X: "Assertion failed at event.c:406".
3406 * Added --service option to Windows version, for use
3407 when OpenVPN is being programmatically instantiated
3408 by another process (see man page for info).
3409 * --log and --log-append options now work on Windows.
3410 * Update OpenBSD INSTALL notes (Janne Johansson).
3411 * Enable multicast on tun interface when running on
3412 OpenBSD (Pavlin Radoslavov).
3413 * Fixed recent --test-crypto breakage, where options
3414 such as --cipher were not being parsed correctly.
3415 * Modified options compatibility string by removing
3416 ifconfig substring if it is empty. Incremented
3417 options compatibility string version number to 4.
3418 * Fixed typo in --tls-timeout option parsing
3421 2004.06.13 -- Version 2.0-beta5
3423 * Fixed rare --mode server crash that could occur
3424 if data was being routed to a client at
3425 high bandwidth at the precise moment that the
3426 client instance object on the server was being
3428 * Fixed issue on machines which have epoll.h and
3429 the epoll_create glibc call defined, but which
3430 don't actually implement epoll in the kernel.
3431 OpenVPN will now gracefully fall back to the
3432 poll API in this case.
3433 * Fixed Windows bug which would cause the following
3434 error in a --mode server --dev tap configuration:
3435 "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
3437 * Added CRL (certificate revocation list) management
3438 scripts to easy-rsa directory (Jon Bendtsen).
3439 * Do a better job of getting the ifconfig component
3440 of the options consistency check to work correctly
3441 when --up-delay is used.
3442 * De-inlined some functions which were too complex
3443 to be inlined anyway with gcc.
3444 * If a --dhcp-option option is pushed to a non-windows
3445 client, the option will be saved in the client's
3446 environment before the --up script is called, under
3447 the name "foreign_option_{n}".
3448 * Added --learn-address script (see man page) which
3449 allows for firewall access through the VPN to be
3450 controlled based on the client common name.
3451 * In mode --server mode, when a client connects to
3452 the server, the server will disconnect any
3453 still-active clients which use the same common
3454 name. Use --duplicate-cn flag to revert to
3455 previous behavior of allowing multiple clients
3456 to concurrently connect with the same common name.
3458 2004.06.08 -- Version 2.0-beta4
3460 * Fixed issue with beta3 where Win32 service wrapper
3461 was keying off of old TAP HWID as a dependency. To
3462 ensure that the new service wrapper is correctly
3463 installed, the Windows install script will uninstall
3464 the old wrapper before installing the new one,
3465 causing a reset of service properties.
3466 * Fixed permissions issue on --status output file,
3467 with default access permissions of owner read/write
3468 only (default permissions can be changed of course with
3471 2004.06.05 -- Version 2.0-beta3
3473 * More changes to TAP-Win32 driver's INF file which
3474 affects the placement of the driver in the Windows
3475 device namespace. This is done to work around an
3476 apparent bug in Windows when short HWIDs are used,
3477 and will also ease the upgrade from 1.x to 2.0 by
3478 reducing the chances that a reboot will be needed
3479 on upgrade. Like beta2, this upgrade will
3480 delete existing TAP-Win32 interfaces, and reinstall
3481 a single new interface with default properties.
3482 * Major rewrite of I/O event wait layer in the style
3483 of libevent. This is a precursor to TCP support
3485 * New feature: --status. Outputs a SIGUSR2-like
3486 status summary to a given file, updated once
3487 per n seconds. The status file is comma delimited
3488 for easy machine parsing.
3489 * --ifconfig-pool now remembers common names and
3490 will try to assign a consistent IP to a given
3491 common name. Still to do: persist --ifconfig-pool
3492 memory across restarts by saving state in file.
3493 * Fixed bug in event timer queue which could cause
3494 recurring timer events such as --ping to not
3495 correctly schedule again after firing. This in
3496 turn would cause spurrious ping restarts and possible
3497 connection outages. Thanks to Denis Vlasenko for
3499 * Possible fix to reported bug where --daemon argument
3500 was not printing to syslog correctly after restart.
3501 * Fixed bug where pulling --route or --dhcp-option
3502 directives from a server would problematically
3503 interact with --persist-tun on the client.
3504 * Updated contrib/multilevel-init.patch (Farkas Levente).
3505 * Added RPM build option to .spec and .spec.in files
3506 to optionally disable LZO inclusion (Ian Pilcher).
3507 * The latest MingW runtime and headers define
3508 'ssize_t', so a patch is needed (Gisle Vanem).
3510 2004.05.14 -- Version 2.0-beta2
3512 * Fixed signal handling bug in --mode server, where
3513 SIGHUP and SIGUSR1 were treated as SIGTERM.
3514 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
3515 Apparently the larger string may work around
3516 a problem where the TAP adapter is sometimes missing
3517 from the network connections panel, especially under
3518 XP SP2. Also note that installing this upgrade will
3519 uninstall any pre-existing TAP-Win32 adapters, and then
3520 install a single new adapter, meaning that old adapter
3521 properties will be lost. Thanks to Md5Chap for solving
3523 * For --mode server --dev tap, the options --ifconfig and
3524 --ifconfig-pool are now optional. This allows address
3525 assignment via DHCP or use of a TAP VPN without
3526 IP support, as has always been possible with 1.x.
3527 * Fixed bug where --ifconfig may not work correctly on
3529 * Added 'local' flag to --redirect-gateway for use on
3530 networks where both OpenVPN daemons are connected
3531 to a shared subnet, such as wireless.
3533 2004.05.09 -- Version 2.0-beta1
3535 * Unchanged from test29 except for version number
3538 2004.05.08 -- Version 2.0-test29
3540 * Modified --dev-node on Windows to accept a TAP-Win32
3541 GUID name. In addition, --show-adapters will now
3542 display the high-level name and GUID of each adapter.
3543 This is an attempt to work around an issue in Windows
3544 where sometimes the TAP-Win32 adapter installs correctly
3545 but has no icon in the network connections control
3546 panel. In such cases, being able to specify
3547 --dev-node {TAP-GUID} can work around the missing icon.
3549 2004.05.07 -- Version 2.0-test28
3551 * Fixed bug which could cause segfault on program
3552 shutdown if --route and --persist-tun are used
3555 2004.05.06 -- Version 2.0-test27
3557 * Fixed bug in close_instance() which might cause
3558 memory to be accessed after it had already been freed.
3559 * Fixed bug in verify_callback() that might have
3560 caused uninitialized data to be referenced.
3561 * --iroute now allows full CIDR subnet routing.
3562 * In "--mode server --dev tun" usage, source addresses
3563 on VPN packets coming from a particular client must
3564 be associated with that client in the OpenVPN internal
3567 2004.04.28 -- Version 2.0-test26
3569 * Optimized broadcast path in multi-client mode.
3570 * Added socket buffer size options --rcvbuf & --sndbuf.
3571 * Configure Linux tun/tap driver to use a more sensible
3572 txqueuelen default. Also allow explicit setting
3573 via --txqueuelen option (Harald Roelle).
3574 * The --remote option now allows the port number
3575 to be specified as the second parameter. If
3576 unspecified, the port number defaults to the
3578 * Multiple --remote options on the client can now be
3579 specified for load balancing and failover. The
3580 --remote-random flag can be used to initially randomize
3581 the --remote list for basic load balancing.
3582 * If a remote DNS name resolves to multiple DNS addresses,
3583 one will be chosen by random as a kind of basic
3584 load-balancing feature if --remote-random is used.
3585 * Added --connect-freq option to control maximum
3586 new connection frequency in multi-client mode.
3587 * In multi-client mode, all syslog messages associated
3588 with a specific client now include a client-ID prefix.
3589 * For Windows, use a gettimeofday() function based
3590 on QueryPerformanceCounter (Derek Burdick).
3591 * Fixed bug in interaction between --key-method 2
3592 and DES ciphers, where dynamic keys would be generated
3593 with bad parity and then be rejected.
3595 2004.04.17 -- Version 2.0-test24
3597 * Reworked multi-client broadcast handling.
3599 2004.04.13 -- Version 2.0-test23
3601 * Fixed bug in --dev tun --client-to-client routing.
3602 * Fixed a potential deadlock in --pull.
3603 * Fixed a problem with select() usage which could
3604 cause a repeating sequence of "select : Invalid
3607 2004.04.11 -- Version 2.0-test22
3609 * Fixed bug where --mode server + --daemon was
3610 prematurely closing syslog connection.
3611 * Added support for --redirect-gateway on Mac OS X
3613 * Minor changes to TAP-Win32 driver based on feedback
3614 from the NDISTest tool.
3616 2004.04.11 -- Version 2.0-test21
3618 * Optimizations in multi-client server event loop.
3620 2004.04.10 -- Version 2.0-test20
3622 * --mode server capability now works with either tun
3623 or tap interfaces. When used with tap interfaces,
3624 OpenVPN will internally bridge all client tap
3625 interfaces with the server tap interface.
3626 * Connecting clients can now have a client-specific
3627 configuration on the server, based on the client
3628 common name embedded in the client certificate.
3629 See --client-config-dir and --client-connect.
3630 These options can be used to configure client-specific
3632 * Added an option --client-to-client that enables
3633 internal client-to-client routing or bridging.
3634 Otherwise, clients will only "see" the server,
3635 not other connected clients.
3636 * Fixed bug in route scheduling which would have caused
3637 --mode server to not work on Windows in test18
3638 and test19 with the sample config file.
3639 * Man page is up to date with all new options.
3640 * OpenVPN 2.0 release notes on web site updated
3641 with tap-style tunnel examples.
3643 2004.04.02 -- Version 2.0-test19
3645 * Fixed bug where routes pushed from server were
3646 not working correctly on Windows clients.
3647 * Added Mac OS X route patch (Jeremy Apple).
3649 2004.03.30 -- Version 2.0-test18
3651 * Minor fixes + Windows self-install modified
3652 to use OpenSSL 0.9.7d.
3654 2004.03.29 -- Version 2.0-test17
3656 * Fixed some bugs related to instance timeout and deletion.
3657 * Extended --push/--pull option to support additional
3660 2004.03.28 -- Version 2.0-test16
3662 * Successful test of --mode udp-server, --push,
3663 --pull, and --ifconfig-pool with server on
3664 Linux 2.4 and clients on Linux and Windows.
3666 2004.03.25 -- Version 2.0-test15
3668 * Implemented hash-table lookup of client instances
3669 based either on remote UDP address/port or remote
3671 * Implemented a randomized binary tree based
3672 scheduler for scalably scheduling a large number
3673 of client instance events. Uses the treap
3674 data structure and node rotation algorithm
3675 to keep the tree balanced.
3676 * Initial implementation of ifconfig-pool.
3677 * Made --key-method 2 the default.
3679 2004.03.20 -- Version 2.0-test14
3681 * Implemented --push and --pull.
3683 2004.03.20 -- Version 2.0-test13
3685 * Reduced struct tls_multi and --single-session
3687 * Modified --single-session flag to be used
3688 in multi-client UDP server client instances.
3690 2004.03.19 -- Version 2.0-test12
3692 * Added the key multi-client UDP server options,
3693 --mode, --push, --pull, and --ifconfig-pool.
3694 * Revamped GC (garbage collection) code to not rely
3696 * Modifications to thread.[ch] to allow a more
3697 flexible thread model.
3699 2004.03.16 -- Version 2.0-test11
3701 * Moved all timer code to interval.h, added new file
3703 * Fixed missing include.
3705 2004.03.16 -- Version 2.0-test10
3707 * More TAP-Win32 fixes.
3708 * Initial debugging and testing of multi.[ch].
3710 2004.03.14 -- Version 2.0-test9
3712 * Branch merge with 1.6-rc3
3713 * More point-to-multipoint work in multi.[ch].
3714 * Major TAP-Win32 driver restructuring to use
3715 NdisMRegisterDevice instead of
3716 IoCreateDevice/IoCreateSymbolicLink.
3717 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
3719 * In the majority of cases, TAP-Win32 should now be
3720 able to install and uninstall on Win2K without requiring
3722 * TAP-Win32 MAC address can now be explicitly set in the
3723 adapter advanced properties page.
3725 2004.03.04 -- Version 2.0-test8
3727 * Branch merge with 1.6-rc2.
3729 2004.03.03 -- Version 2.0-test7
3731 * Branch merge with 1.6-rc1.2.
3733 2004.03.02 -- Version 2.0-test6
3735 * Branch merge with 1.6-rc1.
3737 2004.03.02 -- Version 2.0-test5
3739 * Move Socks5 UDP header append/remove to socks.c, and is
3740 called from forward.c.
3741 * Moved verify statics from ssl.c into struct tls_session.
3742 * Wrote multi.[ch] to handle top level of point-to-multipoint
3744 * Wrote some code to allow a struct link_socket in a child context
3745 to be slaved to the parent context.
3746 * Broke up packet read and process functions in forward.c
3747 (from socket or tuntap) into separate functions for read
3748 and process, so that point-to-point and point-to-multipoint can
3749 share the same code.
3750 * Expand TLS control channel to allow the passing of configuration
3752 * Wrote mroute.[ch] to handle internal packet routing for
3753 point-to-multipoint mode.
3755 2004.02.22 -- Version 2.0-test3
3757 * Initial work on UDP multi-client server.
3758 * Branch merge of 1.6-beta7
3760 2004.02.14 -- Version 2.0-test2
3762 * Refactorization of openvpn.c into openvpn.[ch]
3763 init.[ch] forward.[ch] forward-inline.h
3764 occ.[ch] occ-inline.h ping.[ch] ping-inline.h
3765 sig.[ch]. Created a master per-tunnel
3766 struct context in openvpn.h.
3767 * Branch merge of 1.6-beta6.2
3769 2003.11.06 -- Version 2.0-test1
3771 * Initial testbed for 2.0.
3773 2004.05.09 -- Version 1.6.0
3775 * Unchanged from 1.6-rc4 except for version number
3778 2004.04.01 -- Version 1.6-rc4
3780 * Made minor customizations to devcon and
3781 renamed as tapinstall.exe for Windows version.
3782 * Fixed "storage size of `iv' isn't known" build
3784 * OpenSSL 0.9.7d bundled with Windows self-install.
3786 2004.03.13 -- Version 1.6-rc3
3788 * Minor Windows fixes for --ip-win32 dynamic, relating to
3789 the way the TAP-Win32 driver responds to a DHCP request
3790 from the Windows DHCP client.
3791 * The net_gateway environmental variable wasn't being
3792 set correctly for called scripts (Paul Zuber).
3793 * Added code to determine the default gateway on FreeBSD,
3794 allowing the --redirect-gateway option to work
3795 (Juan Rodriguez Hervella).
3797 2004.03.04 -- Version 1.6-rc2
3799 * Fixed bug in Windows version where the NetBIOS node-type
3800 DHCP option might have been passed even if it was not
3802 * Fixed bug in Windows version introduced in 1.6-rc1, where
3803 DHCP timeout would be set to 0 seconds if --ifconfig option
3804 was used and --ip-win32 option was not explicitly specified.
3805 * Added some new --dhcp-option types for Windows version.
3807 2004.03.02 -- Version 1.6-rc1
3809 * For Windows, make "--ip-win32 dynamic" the default.
3810 * For Windows, make "--route-delay 10" the default
3811 unless --ip-win32 dynamic is not used or --route-delay
3812 is explicitly specified.
3813 * L_TLS mutex could have been left in a locked state
3814 for certain kinds of TLS errors.
3816 2004.02.22 -- Version 1.6-beta7
3818 * Allow scheduling priority increase (--nice) together
3819 with UID/GID downgrade (--user/--group).
3820 * Code that causes SIGUSR1 restart on TLS errors in TCP
3821 mode was not activated in pthread builds.
3822 * Save the certificate serial number in an environmental
3823 variable called tls_serial_{n} prior to calling the
3824 --tls-verify script. n is the current cert chain level.
3825 * Added NetBSD IPv6 tunnel capability (also requires
3826 a kernel patch) (Horst Laschinsky).
3827 * Fixed bug in checking the return value of the nice()
3828 function (Ian Pilcher).
3829 * Bug fix in new FreeBSD IPv6 over TUN code which was
3830 originally added in 1.6-beta5 (Nathanael Rensen).
3831 * More Socks5 fixes -- extended the struct frame
3832 infrastructure to accomodate proxy-based encapsulation
3834 * Added --dhcp-option to Windows version for setting
3835 adapter properties such as WINS & DNS servers.
3836 * Use a default route-delay of 5 seconds when
3837 --ip-win32 dynamic is specified (only applicable when
3838 --route-delay is not explicitly specified).
3839 * Added "log_append" registry variable to control
3840 whether the OpenVPN service wrapper on Windows
3841 opens log files in append (log_append="1") or
3842 truncate (log_append="0") mode. The default
3845 2004.02.05 -- Version 1.6-beta6
3847 * UDP over Socks5 fix to accomodate Socks5 encapsulation
3848 overhead (Christof Meerwald).
3849 * Minor --ip-win32 dynamic tweaks (use long lease time,
3850 invalidate existing lease with DHCPNAK).
3852 2004.02.01 -- Version 1.6-beta5
3854 * Added Socks5 proxy support (Christof Meerwald).
3855 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
3856 * Special TAP-Win32 debug mode for Windows self-install that was
3857 enabled in beta4 is now turned off.
3858 * Added some new Solaris notes to INSTALL (Koen Maris).
3859 * More work on --ip-win32 dynamic.
3861 2004.01.27 -- Version 1.6-beta4
3863 * For this beta, the Windows self-install is a debug version
3864 and will run slower -- use only for testing.
3865 * Reverted the --ip-win32 default back to 'ipapi'
3867 * Added the offset parameter to '--ip-win32 dynamic' which
3868 can be used to control the address of the masqueraded
3869 DHCP server which replies to Windows DHCP requests.
3870 * Added a wait/nowait option to --inetd (nowait can only
3871 be used with TCP sockets, TLS authentication, and over
3872 a bridged configuration -- see FAQ for more info)
3873 (Stefan `Sec` Zehl).
3874 * Added a build-time capability where TAP-Win32 driver
3875 debug messages can be output by OpenVPN at --verb 6
3878 2004.01.20 -- Version 1.6-beta2
3880 * Added ./configure --enable-iproute2 flag which
3881 uses iproute2 instead of route + ifconfig --
3882 this is necessary for the LEAF Linux distro
3884 * Added renewal-time and rebind-time to set of
3885 DHCP options returned by the TAP-Win32 driver when
3886 "--ip-win32 dynamic" is used.
3888 2004.01.14 -- Version 1.6-beta1
3890 * Fixed --proxy bug that sometimes caused plaintext
3891 control info generated by the proxy prior to http
3892 CONNECT method establishment to be incorrectly
3893 parsed as OpenVPN data.
3894 * For Windows version, implemented the
3895 "--ip-win32 dynamic" method and made it the default.
3896 This method sets the TAP-Win32 adapter IP address
3897 and netmask by replying to the kernel's DHCP queries.
3898 See the man page for more detailed info.
3899 * Added --connect-retry parameter which controls
3900 the time interval (in seconds) between connect()
3901 retries when --proto tcp-client is used. Previously,
3902 this value was hardcoded to 5 seconds, and still
3904 * --resolv-retry can now be used with a parameter
3905 of "infinite" to retry indefinitely.
3906 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
3907 for support of multi-level certificate chains
3909 * Fixed --tls-auth incompatibility with 1.4.x and earlier
3910 versions of OpenVPN when the passphrase file is an
3911 OpenVPN static key file (as generated by --genkey).
3912 * Added shell-escape support in config files using
3913 the backslash character ("\") so that (for example)
3914 double quotes can be passed to the shell.
3915 * Added "contrib" subdirectory on tarball, source zip,
3916 and CVS containing user-submitted contributions.
3917 * Added an optional patch to the Redhat init script to
3918 allow the configuration file directory to be a
3919 multi-level directory hierarchy (Farkas Levente).
3920 See contrib/multilevel-init.patch
3921 * Added some scripts and documentation on using
3922 Linux "fwmark" iptables rules to enable
3923 fine-grained routing control over the VPN
3924 (Sean Reifschneider, <jafo@tummy.com>).
3925 See contrib/openvpn-fwmarkroute-1.00
3927 2003.11.20 -- Version 1.5.0
3929 * Minor documentation changes.
3931 2003.11.04 -- Version 1.5-beta14
3933 * Fixed build problem with ./configure --disable-ssl
3934 that was reported on Debian woody.
3935 * Fixed bug where --redirect-gateway could not be used
3936 together with --resolv-retry.
3938 2003.11.03 -- Version 1.5-beta13
3940 * Added CRL (certificate revocation list) capability using
3941 --crl-verify option (Stefano Bracalenti).
3942 * Added --replay-window option for variable replay-protection
3944 * Fixed --fragment bug which might have caused certain large
3945 packets to be sent unfragmented.
3946 * Modified --secret and --tls-auth to permit different cipher and
3947 HMAC keys to be used for each data flow direction. Also
3948 increased static key file size generated by --genkey from
3949 1024 to 2048 bits, where 512 bits each are reserved for
3950 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
3951 and backward compatibility is maintained. See --secret option
3952 documentation on the man page for more info.
3953 * Added --tls-remote option (Teemu Kiviniemi).
3954 * Fixed --tls-cipher documention regarding correct delimiter
3955 usage (Teemu Kiviniemi).
3956 * Added --key-method option for selecting alternative data
3957 channel key negotiation methods. Method 1 is the default.
3958 Method 2 has been added (see man page for more info).
3959 * Added French translation of HOWTO to web site
3960 (Guillaume Lehmann).
3961 * Fixed problem caused by late resolver library load on
3962 certain platforms when --resolv-retry and --chroot are
3963 used together (Teemu Kiviniemi).
3964 * In TCP mode, all decryption or TLS errors will abort the current
3965 connection (this is not done in UDP mode because UDP is
3967 * Fixed a TCP client reconnect bug that only occurs on the
3968 BSDs, where connect() fails with an invalid argument. This
3969 bug was partially (but not completely) fixed in beta7.
3970 * Added "route_net_gateway" environmental variable which contains
3971 the pre-existing default gateway address from the routing table
3972 (there's no standard API for getting the default gateway, so
3973 right now this feature only works on Windows or Linux).
3974 * Renamed the "route_default_gateway" enviromental variable to
3975 "route_vpn_gateway" -- this is the remote VPN endpoint.
3976 * The special keywords vpn_gateway, net_gateway, and remote_host
3977 can now be used for the network or gateway components of the
3978 --route option. See the man page for more info.
3979 * Added the --redirect-gateway option to configure the VPN
3980 as the default gateway (implemented on Linux and Windows only).
3981 * Added the --http-proxy option with basic authentication
3982 support for use in TCP client mode. Successfully tested
3983 using Squid as the HTTP proxy, with and without authentication.
3985 2003.10.12 -- Version 1.5-beta12
3987 * Fixed Linux-only bug in --mktun and --rmtun which was
3988 introduced around beta8 or so, which would cause
3989 an error such as "I don't recognize device tun0 as a
3990 tun or tap device1".
3991 * Added --ifconfig-nowarn option to disable options
3992 consistency warnings about --ifconfig parameters.
3993 * Don't allow any kind of sequence number backtracking or
3994 message reordering when in TCP mode.
3995 * Changed beta naming convention to use '_' (underscore)
3996 rather than '-' (dash) to pacify rpmbuild.
3998 2003.10.08 -- Version 1.5-beta11
4000 * Modified code in the Windows version which sets the IP address
4001 and netmask of the TAP-Win32 adapter using the IP Helper API.
4002 Most of the changes involve better error recovery when
4003 the IP Helper API returns an error status. See the
4004 manual page entry on --ip-win32 for more info.
4006 2003.10.08 -- Version 1.5-beta10
4008 * Added getpass() function for Windows version so that --askpass
4009 option works correctly (Stefano Bracalenti).
4010 * Added reboot advisory to end of Win32 install script.
4011 * Changed crypto code to use pseudo-random IVs rather than
4012 carrying forward the IV state from the previous packet.
4013 This is in response to item 2 in the following document:
4014 http://www.openssl.org/~bodo/tls-cbc.txt which points
4015 out weaknesses in TLS's use of the same IV carryforward
4016 approach. This change does not break protocol compatibility
4017 with previous versions of OpenVPN.
4018 * Made a change to the crypto replay protection code to also
4019 protect against certain kinds of packet reordering attacks.
4020 This change does not break protocol compatibility with
4021 previous versions of OpenVPN.
4022 * Added --ip-win32 option to provide several choices for
4023 setting the IP address on the TAP-Win32 adapter.
4024 * #ifdefed out non-CBC crypto modes by default.
4025 * Added --up-delay option to delay TUN/TAP open and --up script
4026 execution until after connection establishment. This option
4027 replaces the earlier windows-only option --tap-delay.
4029 2003.10.01 -- Version 1.5-beta9
4031 * Fixed --route-noexec bug where option was not parsed correctly.
4032 * Complain if --dev tun is specified without --ifconfig on Windows.
4033 * Fixed bug where TCP connections on windows would sometimes cause
4034 an assertion failure.
4035 * Added a new flag to TAP-Win32 advanced properties that allows one
4036 to set the adapter to be always "connected" even when an OpenVPN
4037 process doesn't have it open. The default behavior is to report
4038 a media status of connected only when an OpenVPN process has the
4040 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
4041 DLLs in response to an OpenSSL security advisory.
4043 2003.09.30 -- Version 1.5-beta8
4045 * Extended the --ifconfig option to work on tap devices as well
4047 * Implemented the --ifconfig option for Windows, by calling the
4049 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
4050 refresh the MAC cache. This behaviour can be disabled with
4052 * On Windows, allow the --dev-node parameter (which specifies
4053 the name of the TAP-Win32 adapter) to be omitted in cases where
4054 there is a single TAP-Win32 adapter on the system which can be
4055 assumed to be the default.
4056 * Modified the diagnostic --verb 5 debugging level to print 'R'
4057 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
4058 and 'w' for TUN/TAP write.
4059 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
4061 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
4062 * Make the --enable-mtu-dynamic ./configure option enabled by
4064 * Deprecated the --mtu-dynamic run-time option, in favor of
4066 * DNS names can now be used as --ifconfig parameters.
4067 * Significant work on TAP-Win32 driver to bring up to SMP standards.
4068 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
4069 unloaded or disabled, while a user-space process has it open.
4070 * On Windows, if --tun-mtu is not specified, it will be read from
4071 the TAP-Win32 driver via ioctl.
4072 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
4073 signal (only when run from a console window).
4074 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
4075 * Renamed --mtu-dynamic option to --fragment to more accurately
4076 reflect its function. Fragment accepts a single parameter which
4077 is the upper limit on acceptable UDP packet size.
4078 * Changed default --tun-mtu-extra parameter to 32 from 64.
4079 * Eliminated reference to malloc.o in configure.ac.
4080 * Added tun device emulation to the TAP-Win32 driver.
4081 * Added --route and related options.
4082 * Added init script for SuSE Linux (Frank Plohmann).
4083 * Extended option consistency check between peers to function
4084 in all crypto modes, including static-key and cleartext modes.
4085 Previously only TLS mode was supported. Disable with
4087 * Overall, increased the amount of configuration option sanity
4088 checking, especially of networking parameters.
4089 * Added --mtu-test option for empirical MTU measurement.
4090 * Added Windows-only option --tap-delay to not set the TAP-Win32
4091 adapter media state to 'connected' until TCP/UDP connection
4092 establishment with peer.
4093 * Slightly modified --route/--route-delay semantics so that when
4094 --route is given without --route-delay, routes are added
4095 immediately after tun/tap device open. When --route-delay is
4096 specified, routes will be added n seconds after connection
4097 initiation, where n is the --route-delay parameter (which
4099 * Made TCP framing error into a non-fatal error that triggers a
4102 2003.08.28 -- Version 1.5-beta7
4104 * Fixed bug that caused OpenVPN not to respond to exit/restart
4105 signals when --resolv-retry is used and a local or remote DNS
4106 name cannot be resolved.
4107 * Exported a series of environmental variables with useful
4108 info for scripts. See man page for more info. Based
4109 on a suggestion by Anthony Ciaravalo.
4110 * Moved TCP/UDP socket bind to a point in the initialization
4111 before the --up script gets called. This is desirable
4112 because (a) a socket bind failure will happen before
4113 daemonization, allowing an error status code to be returned
4114 to the shell and (b) the possibility is eliminated of a
4115 socket bind failure causing the --up script to be run
4116 but not the --down script. This change has a side effect
4117 that --resolv-retry will no longer work with --local.
4118 * Fixed bug where if an OpenVPN TCP server went down and back
4119 up again, Solaris or FreeBSD clients would fail to reconnect
4121 * Fixed bug that prevented OpenVPN from being run by
4122 inetd/xinetd in TCP mode.
4123 * Added --log and --log-append options for logging messages to
4125 * On Windows, check that the current user is a member of the
4126 Administrator group before attempting install or uninstall.
4128 2003.08.16 -- Version 1.5-beta6
4130 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
4132 2003.08.14 -- Version 1.5-beta5
4134 * Added user-configurability of the TAP-Win32 adapter MTU
4135 through the adapter advanced properties page.
4136 * Added Windows Service support.
4137 * On Windows, added file association and right-clickability
4138 for .ovpn files (OpenVPN config files).
4140 2003.08.05 -- Version 1.5-beta4
4142 * Extra refinements and error checking added to Windows
4143 NSIS install script.
4145 2003.08.05 -- Version 1.5-beta3
4147 * Added md5.h include to crypto.c to fix build problem on
4149 * Created a Win32 installer using NSIS.
4150 * Removed DelService command from TAP-Win32 INF file. It appears
4151 to be not necessary and it interfered with the ability to
4152 uninstall and reinstall the driver without needing to reboot.
4153 * On Windows version, added "addtap" and "deltapall" batch
4154 files to add and delete TAP-Win32 adapter instances.
4156 2003.07.31 -- Version 1.5-beta2
4158 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
4159 in Windows ASCII so it's easier to click and view.
4160 * Added postscript and PDF versions of the HOWTO to the web
4162 * Merged Michael Clarke's stability patch into TAP-Win32
4163 driver which appears to fix the suspend/resume driver bug
4164 and significantly improve driver stability.
4165 * Added Christof Meerwald's Media Status patch to the
4166 TAP-Win32 driver which shows the TAP adapter to be
4167 disconnected when OpenVPN is not running.
4168 * Moved socket connect and TCP server listen code to a later
4169 point in openvpn() function so that the TCP server listen
4170 state is entered after daemonization.
4171 * Added keyboard shortcuts to simulate signals in the Windows
4172 version, see the window title bar for descriptions.
4174 2003.07.24 -- Version 1.5-beta1
4176 * Added TCP support via the new --proto option.
4177 * Renamed udp-centric options such as --udp-mtu to
4178 --link-mtu (old option names preserved for compatibility).
4179 * Ported to Windows 2000 + XP using mingw and a TAP driver
4180 derived from the Cipe-Win32 project by Damion K. Wilson.
4181 * Added --show-adapters flag for windows version.
4182 * Reworked the SSL/TLS packet acknowledge code to better
4183 handle certain corner cases.
4184 * Turned off the default enabling of IP forwarding in the
4185 sample-scripts/openvpn.init script for Redhat.
4186 Forwarding can be enabled by users in their --up scripts
4188 * Added --up-restart option based on suggestion from Sean
4190 * If --dev tap or --dev-type tap is specified, --tun-mtu
4191 defaults to 1500 and --tun-mtu-extra defaults to 64.
4192 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
4193 for each packet read or write on the TCP/UDP socket.
4195 2003.08.04 -- Version 1.4.3
4197 * Added md5.h include to crypto.c
4198 to fix build problem on OpenBSD.
4200 2003.07.15 -- Version 1.4.2
4202 * Removed adaptive bandwidth from
4203 --mtu-dynamic -- its absence appears
4204 to work better than its existence (1.4.1.2).
4205 * Minor changes to --shaper to fix long
4206 retransmit timeouts at low bandwidth
4208 * Added LOG_RW flag to openvpn.h for
4209 debugging (1.4.1.2).
4210 * Silenced spurious configure warnings (1.4.1.2).
4211 * Backed out --dev-name patch, modified --dev
4212 to offer equivalent functionality (1.4.1.4).
4213 * Added an optional parameter to --daemon and
4214 --inetd to support the passing of a custom
4215 program name to the system logger (1.4.1.5).
4216 * Add compiled-in options to the program title
4218 * Coded the beginnings of a WIN32 port (1.4.1.5).
4219 * Succeeded in porting to Win32 Mingw environment
4220 and running loopback tests (1.4.1.6). Still
4221 need a kernel driver for full Win32
4223 * Fixed a bug in error.h where
4224 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
4225 This would have caused a significant slowdown
4226 of OpenVPN when built by compilers that
4227 lack ISO C99 vararg macros (1.4.1.6).
4228 * Created an init script for Gentoo Linux
4229 in ./gentoo directory (1.4.1.6).
4231 2003.05.15 -- Version 1.4.1
4233 * Modified the Linux 2.4 TUN/TAP open code to
4234 fall back to the 2.2 TUN/TAP interface if the
4235 open or ioctl fails.
4236 * Fixed bug when --verb is set to 0 and non-fatal
4237 socket errors occur, causing 100% CPU utilization.
4238 Occurs on platorms where
4239 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
4241 * Fixed typo in tun.c that was preventing
4243 * Added --enable-mtu-dynamic configure option
4244 to enable --mtu-dynamic experimental option.
4246 2003.05.07 -- Version 1.4.0
4248 * Added --replay-persist feature to allow replay
4249 protection across sessions.
4250 * Fixed bug where --ifconfig could not be used
4252 * Added --tun-mtu-extra parameter to deal with
4253 the situation where a read on a TUN/TAP device
4254 returns more data than the device's MTU size.
4255 * Fixed bug where some IPv6 support code for
4256 Linux was not being properly ifdefed out for
4257 Linux 2.2, causing compile errors.
4258 * Added OPENVPN_EXIT_STATUS_x codes to
4259 openvpn.h to control which status value
4260 openvpn returns to its caller (such as
4261 a shell or inetd/xinetd) for various conditions.
4262 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
4263 openvpn.h to allow debugging in situations
4264 where stdout, stderr, and syslog cannot be used
4265 for message output, such as when OpenVPN is
4266 instantiated by inetd/xinetd.
4267 * Removed owner-execute permission from file
4268 created by static key generator (Herbert Xu
4269 and Alberto Gonzalez Iniesta).
4270 * Added --passtos option to allow IPv4 TOS bits
4271 to be passed from TUN/TAP input packets to
4272 the outgoing UDP socket (Craig Knox).
4273 * Added code to prevent open socket file descriptors
4274 from being accessible to called scripts.
4275 * Added --dev-name option (Christian Lademann).
4276 * Added --mtu-disc option for manual control
4278 * Show OS MTU value on UDP socket write failures
4280 * Numerous build system and portability
4281 fixes (Matthias Andree).
4282 * Added better sensing of compiler support for
4283 variable argument macros, including (a) gcc
4284 style, (b) ISO C 1999 style, and (c) no support.
4285 * Removed generated files from CVS. Note INSTALL
4286 file for new CVS build commands.
4287 * Changed certain internal symbol names
4288 for C standards compliance.
4289 * Added TUN/TAP open code to cycle dynamically
4290 through unit numbers until it finds a free
4291 unit (based on code from Thomas Gielfeldt
4293 * Added dynamic MTU and fragmenting infrastructure
4294 (Experimental). Rebuild with FRAGMENT_ENABLE
4296 * Minor changes to SSL/TLS negotiation, use
4297 exponential backoff on retransmits, and use
4298 a smaller MTU size (note that no protocol
4299 changes have been made which would break
4300 compatibility with 1.3.x).
4301 * Added --enable-strict-options flag
4302 to ./configure. This option will cause
4303 a more strict check for options compatibility
4304 between peers when SSL/TLS negotiation is used,
4305 but should only be used when both OpenVPN peers
4306 are of the same version.
4307 * Reorganization of debugging levels.
4308 * Added a workaround in configure.ac for
4309 default SSL header location on Linux
4310 to fix RH9 build problem.
4311 * Fixed potential deadlock when pthread support
4312 is used on OSes that allocate a small socketpair()
4314 * Fixed openvpn.init to be sh compliant
4316 * Changed --daemon to wait until all
4317 initialization is finished before becoming a
4318 daemon, for the benefit of initialization
4319 scripts that want a useful return status from
4320 the openvpn command.
4321 * Made openvpn.init script more robust, including
4322 positive indication of initialization errors
4323 in the openvpn daemon and better sanity checks.
4324 * Changed --chroot to wait until initialization
4325 is finished before calling chroot(), and allow
4326 the use of --user and --group with --chroot.
4327 * When syslog logging is enabled (--daemon or
4328 --inetd), set stdin/stdout/stderr to point
4330 * For inetd instantiations, dup socket descriptor
4332 * Fixed bug in verify-cn script, where test would
4333 incorrectly fail if CN=x was the last component
4334 of the X509 composite string (Anonymous).
4335 * Added Markus F.X.J. Oberhumer's special
4336 license exception to COPYING.
4338 2002.10.23 -- Version 1.3.2
4340 * Added SSL_CTX_set_client_CA_list call
4341 to follow the canonical form for TLS initialization
4342 recommended by the OpenSSL docs. This change allows
4343 better support for intermediate CAs and has no impact
4345 * Added build-inter script to easy-rsa package, to
4346 facilitate the generation of intermediate CAs.
4347 * Ported to NetBSD (Dimitri Goldin).
4348 * Fixed minor bug in easy-rsa/sign-req. It refers to
4349 openssl.cnf file, instead of $KEY_CONFIG, like all
4350 other scripts (Ernesto Baschny).
4351 * Added --days 3650 to the root CA generation command
4352 in the HOWTO to override the woefully small 30 day
4353 default (Dominik 'Aeneas' Schnitzer).
4354 * Fixed bug where --ping-restart would sometimes
4355 not re-resolve remote DNS hostname.
4356 * Added --tun-ipv6 option and related infrastructure
4357 support for IPv6 over tun.
4358 * Added IPv6 over tun support for Linux (Aaron Sethman).
4359 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
4360 INSTALL (Matthias Andree).
4361 * Added inetd/xinetd support (--inetd) including
4362 documentation in the HOWTO.
4363 * Added "Important Note on the use of commercial certificate
4364 authorities (CAs) with OpenVPN" to HOWTO based on
4365 issues raised on the openvpn-users list.
4367 2002.07.10 -- Version 1.3.1
4369 * Fixed bug in openvpn.spec and openvpn.init
4370 which caused RPM upgrade to fail.
4372 2002.07.10 -- Version 1.3.0
4374 * Added --dev-node option to allow explicit selection of
4375 tun/tap device node.
4376 * Removed mlockall call from child thread, as it doesn't
4377 appear to be necessary (child thread inherits mlockall
4379 * Added --ping-timer-rem which causes timer for --ping-exit
4380 and --ping-restart not to run unless we have a remote IP
4382 * Added condrestart to openvpn.init and openvpn.spec
4384 * Added --ifconfig case for FreeBSD (Matthias Andree).
4385 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
4386 * Changed LOG_INFO messages to LOG_NOTICE.
4387 * Added warning when key files are group/others accessible.
4388 * Added --single-session flag for TLS mode.
4389 * Fixed bug where --writepid would segfault if used with
4390 an invalid filename.
4391 * Fixed bug where --ipchange status message was formatted
4393 * Print more concise error message when system() call
4395 * Added --disable-occ option.
4396 * Added --local, --remote, and --ifconfig options sanity
4398 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
4400 * Successfully tested with OpenSSL 0.9.7 Beta 2.
4401 * Broke out debug level definitions to errlevel.h
4402 * Minor documentation and web site changes.
4403 * All changes maintain protocol compatibility
4404 with OpenVPN versions since 1.1.0, however default
4405 MTU changes will require setting the MTU explicitly
4406 by command line option, if you want 1.3.0 to
4407 communicate with previous versions.
4409 2002.06.12 -- Version 1.2.1
4411 * Added --ping-restart option to restart
4412 connection on ping timeout using SIGUSR1
4413 logic (Matthias Andree).
4414 * Added --persist-tun, --persist-key,
4415 --persist-local-ip, and --persist-remote-ip
4416 options for finer-grained control over SIGUSR1
4417 and --ping-restart restarts. To
4418 replicate previous SIGUSR1 functionality,
4419 use --persist-remote-ip.
4420 * Changed residual IV fetching code to take
4421 IV from tail of ciphertext.
4422 * Added check to make sure that CFB or OFB
4423 cipher modes are only used with SSL/TLS
4424 authentication mode, and added a caveat
4426 * Changed signal handling during initialization
4427 (including re-initialization during restarts)
4428 to exit on SIGTERM or SIGINT and ignore other
4429 signals which would ordinarily be caught.
4430 * Added --resolv-retry option to allow
4431 retries on hostname resolution.
4432 * Expanded the --float option to also
4433 allow dynamic changes in source port number
4434 on incoming datagrams.
4435 * Added --mute option to limit repetitive
4436 logging of similar message types.
4437 * Added --group option to downgrade GID
4438 after initialization.
4439 * Try to set ifconfig path automatically
4441 * Added --ifconfig code for Mac OS X
4442 (Christoph Pfisterer).
4443 * Moved "Peer Connection Initiated" message
4445 * Successfully tested with
4446 OpenSSL 0.9.7 Beta 1 and AES cipher.
4447 * Added RPM notes to INSTALL.
4448 * Added ACX_PTHREAD (from the autoconf
4449 macro archive) to configure.ac
4450 to figure out the right pthread
4451 options for a given platform.
4452 * Broke out macro definitions from
4453 configure.ac to acinclude.m4.
4454 * Minor changes to docs and HOWTO.
4455 * All changes maintain protocol compatibility
4456 with OpenVPN versions since 1.1.0.
4458 2002.05.22 -- Version 1.2.0
4460 * Added configuration file support via
4461 the --config option.
4462 * Added pthread support to improve latency.
4463 With pthread support, OpenVPN
4464 will offload CPU-intensive tasks such as RSA
4465 key number crunching to a background thread
4466 to improve tunnel packet forwarding
4467 latency. pthread support can be enabled
4468 with the --enable-pthread configure option.
4469 Pthread support is currently available
4470 only for Linux and Solaris.
4471 * Added --dev-type option so that tun/tap
4472 device names don't need to begin with
4474 * Added --writepid option to write main
4475 process ID to a file.
4476 * Numerous portability fixes to ease
4477 porting to other OSes including changing
4478 all network types to uint8_t and uint32_t,
4479 and not assuming that time_t is 32 bits.
4480 * Backported to OpenSSL 0.9.5.
4481 * Ported to Solaris.
4482 * Finished OpenBSD port except for
4484 * Added initialization script:
4485 sample-scripts/openvpn.init
4487 * Ported to Mac OS X (Christoph Pfisterer).
4488 * Improved resilience to DoS attacks when
4489 TLS mode is used without --remote or
4490 --tls-auth, or when --float is used
4491 with --remote. Note however that the best
4492 defense against DoS attacks in TLS mode
4493 is to use --tls-auth.
4494 * Eliminated automake/autoconf dependency
4496 * Ported configure.in to configure.ac
4498 * SIGHUP signal now causes OpenVPN to restart
4499 and re-read command line and or config file,
4500 in conformance with canonical daemon behaviour.
4501 * SIGUSR1 now does what SIGHUP did in
4502 version 1.1.1 and earlier -- close and reopen
4503 the UDP socket for use when DHCP changes
4504 host's IP address and preserve most recently
4505 authenticated peer address without rereading
4507 * SIGUSR2 added -- outputs current statistics,
4508 including compression statistics.
4509 * All changes maintain protocol compatibility
4510 with 1.1.1 and 1.1.0.
4512 2002.04.22 -- Version 1.1.1
4514 * Added --ifconfig option to automatically configure
4516 * Added inactivity disconnect (--inactive
4517 and --ping-exit options).
4518 * Added --ping option to keep stateful firewalls
4520 * Added sanity check to command line parser to
4521 err if any TLS options are used in non-TLS mode.
4522 * Fixed build problem with compiler environments that
4523 define printf as a macro.
4524 * Fixed build problem on linux systems that have
4525 an integrated TUN/TAP driver but lack the persistent
4526 tunnel feature (TUNSETPERSIST). Some linux kernels
4527 >= 2.4.0 and < 2.4.7 fall into this category.
4528 * Changed all calls to EVP_CipherInit to use explicit
4529 encrypt/decrypt mode in order to fix problem with
4530 IDEA-CBC and AES-256-CBC ciphers.
4531 * Minor changes to control channel transmit limiter
4532 algorithm to fix problem where TLS control channel
4533 might not renegotiate within the default 60 second window.
4534 * Simplified man page examples by taking advantage
4535 of the new --ifconfig option.
4536 * Minor changes to configure.in to check more
4537 rigourously for OpenSSL 0.9.6 or greater.
4538 * Put back openvpn.spec, eliminated
4540 * Modified openvpn.spec to reflect new automake-based
4541 build environment (Bishop Clark).
4542 * Other documentation changes.
4543 * Added --test-crypto option for debugging.
4544 * Added "missing" and "mkinstalldirs" automake
4548 2002.04.09 -- Version 1.1.0
4550 * Strengthened replay protection and IV handling,
4551 extending it fully to both static key and
4552 TLS dynamic key exchange modes.
4553 * Added --mlock option to disable paging and ensure that key
4554 material and tunnel data is never paged to disk.
4555 * Added optional traffic shaping feature to cap the maximum
4556 data rate of the tunnel.
4557 * Converted to automake (The Platypus Brothers 2002-04-01).
4558 * Ported to OpenBSD by Janne Johansson.
4559 * Added --tun-af-inet option to work around an incompatibility
4560 between Linux and BSD tun drivers.
4561 * Sequence number-based replay protection using the
4562 IPSec sliding window model is now the default,
4563 disable with --no-replay.
4564 * Explicit IV is now the default, disable with --no-iv.
4565 * Disabled all cipher modes except CBC, CFB, and OFB.
4566 * In CBC mode, use explicit IV and carry forward residuals,
4568 * In CFB/OFB mode, IV is timestamp, sequence number.
4569 * Eliminated --packet-id, --timestamp, and max-delta parameter to
4570 the --tls-auth option as they are now supplanted by improved
4571 replay code which is enabled by default.
4572 * Eliminated --rand-iv as it is now obsolete with improved
4574 * Eliminated --reneg-err option as it increases vulnerability
4576 * Added weak key check for DES ciphers.
4577 * --tls-freq option is no longer specified on the command line,
4578 instead it now inherits its parameter from the
4579 --tls-timeout option.
4580 * Fixed bug that would try to free memory on exit that was
4581 never malloced if --comp-lzo was not specified.
4582 * Errata fixed in the man page examples: "test-ca" should be
4584 * Updated manual page.
4585 * Preliminary work in porting to OpenSSL 0.9.7.
4586 * Changed license to allowing linking with OpenSSL.
4588 2002.03.29 -- Version 1.0.3
4590 * Fixed a problem in configure with library ordering on the
4593 2002.03.28 -- Version 1.0.2
4595 * Improved the efficiency of the inner event loop.
4596 * Fixed a minor bug with timeout handling.
4597 * Improved the build system to build on RH 6.2 through 7.2.
4598 * Added an openvpn.spec file for RPM builders (Bishop Clark).
4600 2002.03.23 -- Version 1.0
4602 * Added TLS-based authentication and key exchange.
4603 * Added gremlin mode to stress test.
4606 2001.12.26 -- Version 0.91
4608 * Added any choice of cipher or HMAC digest.
4610 2001.5.13 -- Version 0.90
4613 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.