-OpenVPN
-Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
+OpenVPN ChangeLog
+Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
-2009.05.30 -- Version 2.1_rc17
+This file is not maintained in this branch of the OpenVPN git repository.
-* Reduce the debug level (--verb) at which received management interface
- commands are echoed from 7 to 3. Passwords will be filtered.
-
-* Fixed race condition in management interface recv code on
- Windows, where sending a set of several commands to the
- management interface in quick succession might cause the
- latter commands in the set to be ignored.
-
-* Increased management interface input command buffer size
- from 256 to 1024 bytes.
-
-* Minor tweaks to Windows build system.
-
-* Added "redirect-private" option which allows private subnets
- to be pushed to the client in such a way that they don't accidently
- obscure critical local addresses such as the DHCP server address and
- DNS server addresses.
-
-* Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
- client will examine the routing table and determine whether (a) the
- OpenVPN server is reachable via a locally connected interface, or (b)
- traffic to the server must be forwarded through the default router.
- Only add a special bypass route for the OpenVPN server if (b) is true.
- If (a) is true, behave as if the 'local' flag is specified, and do not
- add a bypass route.
-
- The new 'autolocal' flag depends on the non-portable test_local_addr()
- function in route.c, which is currently only implemented for Windows.
- The 'autolocal' flag will act as a no-op on platforms that have not
- yet defined a test_local_addr() function.
-
-* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
- more option content to be pushed from server to client).
-
-* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
- levels <=3) a common and usually innocuous warning.
-
-* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
- functionality (Alon Bar-Lev).
-
-* Fixed bug where the remote_X environmental variables were not being
- set correctly when the 'local' option is specifed.
-
-2009.05.17 -- Version 2.1_rc16
-
-* Windows installer changes:
-
- 1. ifdefed out the check Windows version code which is causing
- problems on Windows 7
-
- 2. don't define SF_SELECTED if it is already defined
-
- 3. Use LZMA instead of BZIP2 compression for better compression
-
- 4. Upgraded OpenSSL to 0.9.8k
-
-* Added the ability to read the configuration file
- from stdin, when "stdin" is given as the config
- file name.
-
-* Allow "management-client" directive to be used
- with unix domain sockets.
-
-* Added errors-to-stderr option. When enabled, fatal errors
- that result in the termination of the daemon will be written
- to stderr.
-
-* Added optional "nogw" (no gateway) flag to --server-bridge
- to inhibit the pushing of the route-gateway parameter to
- clients.
-
-* Added new management interface command "pid" to show the
- process ID of the current OpenVPN process (Angelo Laub).
-
-* Fixed issue where SIGUSR1 restarts would fail if private
- key was specified as an inline file.
-
-* Added daemon_start_time and daemon_pid environmental variables.
-
-* In management interface, added new ">CLIENT:ESTABLISHED" notification.
-
-* Build fixes:
-
- 1. Fixed some issues with C++ style comments that leaked into the code.
-
- 2. Updated configure.ac to work on MinGW64.
-
- 3. Updated common.h types for _WIN64.
-
- 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
- compilers.
-
- 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
- OpenVPNCryptAcquireCertificatePrivateKey to work around
- a symbol conflict in MinGW-5.1.4.
-
-2008.11.19 -- Version 2.1_rc15
-
-* Fixed issue introduced in 2.1_rc14 that may cause a
- segfault when a --plugin module is used.
-
-* Added server-side --opt-verify option: clients that connect
- with options that are incompatible with those of the server
- will be disconnected (without this option, incompatible
- clients would trigger a warning message in the server log
- but would not be disconnected).
-
-* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
- flag on the server as well as pushes it to connecting clients.
-
-* Minor options check fix: --no-name-remapping is a
- server-only option and should therefore generate an
- error when used on the client.
-
-* Added --prng option to control PRNG (pseudo-random
- number generator) parameters. In previous OpenVPN
- versions, the PRNG was hardcoded to use the SHA1
- hash. Now any OpenSSL hash may be used. This is
- part of an effort to remove hardcoded references to
- a specific cipher or cryptographic hash algorithm.
-
-* Cleaned up man page synopsis.
-
-2008.11.16 -- Version 2.1_rc14
-
-* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
- with the goal of fixing a build issue on Fedora 9 that was
- introduced in 2.1_rc13.
-
-* Added additional method parameter to --script-security to preserve
- backward compatibility with system() call semantics used in OpenVPN
- 2.1_rc8 and earlier. To preserve backward compatibility use:
-
- script-security 3 system
-
-* Added additional warning messages about --script-security 2
- or higher being required to execute user-defined scripts or
- executables.
-
-* Windows build system changes:
-
- Modified Windows domake-win build system to write all openvpn.nsi
- input files to gen, so that gen can be disconnected from
- the rest of the source tree and makensis openvpn.nsi will
- still function correctly.
-
- Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
- (commented out by default).
-
- Added optional files SAMPCONF_CONF2 (second sample configuration
- file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
- build system, and may be defined in settings.in.
-
-* Extended Management Interface "bytecount" command
- to work when OpenVPN is running as a server.
- Documented Management Interface "bytecount" command in
- management/management-notes.txt.
-
-* Fixed informational message in ssl.c to properly indicate
- deferred authentication.
-
-* Added server-side --auth-user-pass-optional directive, to allow
- connections by clients that do not specify a username/password, when a
- user-defined authentication script/module is in place (via
- --auth-user-pass-verify, --management-client-auth, or a plugin module).
-
-* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
-
- Calling scripts can set the KEY_NAME environmental variable to set
- the "name" X509 subject field in generated certificates.
-
- Modified pkitool to allow flexibility in separating the Common Name
- convention from the cert/key filename convention.
-
- For example:
-
- KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
-
- will create a client certificate/key pair of james.crt/james.key
- having a Common Name of "James's Laptop" and a Name of "james".
-
-* Added --no-name-remapping option to allow Common Name, X509 Subject,
- and username strings to include any printable character including
- space, but excluding control characters such as tab, newline, and
- carriage-return (this is important for compatibility with external
- authentication systems).
-
- As a related change, added --status-version 3 format (and "status 3"
- in the management interface) which uses the version 2 format except
- that tabs are used as delimiters instead of commas so that there
- is no ambiguity when parsing a Common Name that contains a comma.
-
- Also, save X509 Subject fields to environment, using the naming
- convention:
-
- X509_{cert_depth}_{name}={value}
-
- This is to avoid ambiguities when parsing out the X509 subject string
- since "/" characters could potentially be used in the common name.
-
-* Fixed some ifconfig-pool issues that precluded it from being combined
- with --server directive.
-
- Now, for example, we can configure thusly:
-
- server 10.8.0.0 255.255.255.0 nopool
- ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
-
- to have ifconfig-pool manage only a subset
- of the VPN subnet.
-
-* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
- config file syntax checking to allow directives for future OpenVPN
- versions to be ignored.
-
-2008.10.07 -- Version 2.1_rc13
-
-* Bundled OpenSSL 0.9.8i with Windows installer.
-
-* Management interface can now listen on a unix
- domain socket, for example:
-
- management /tmp/openvpn unix
-
- Also added management-client-user and management-client-group
- directives to control which processes are allowed to connect
- to the socket.
-
-* Copyright change to OpenVPN Technologies, Inc.
-
-2008.09.23 -- Version 2.1_rc12
-
-* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
- part of the tarball (Matthias Andree).
-
-* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
- was incorrectly expecting the lladdr parameter to be an IP address
- when it is actually a MAC address (HoverHell).
-
-2008.09.14 -- Version 2.1_rc11
-
-* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
- to fail if UDP packets are dropped.
-
-2008.09.10 -- Version 2.1_rc10
-
-* Added "--server-bridge" (without parameters) to enable
- DHCP proxy mode: Configure server mode for ethernet
- bridging using a DHCP-proxy, where clients talk to the
- OpenVPN server-side DHCP server to receive their IP address
- allocation and DNS server addresses.
-
-* Added "--route-gateway dhcp", to enable the extraction
- of the gateway address from a DHCP negotiation with the
- OpenVPN server-side LAN.
-
-* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
- on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
- ignore it.
-
-* Warn when ethernet bridging that the IP address of the bridge adapter
- is probably not the same address that the LAN adapter was set to
- previously.
-
-* When running as a server, warn if the LAN network address is
- the all-popular 192.168.[0|1].x, since this condition commonly
- leads to subnet conflicts down the road.
-
-* Primarily on the client, check for subnet conflicts between
- the local LAN and the VPN subnet.
-
-* Added a 'netmask' parameter to get_default_gateway, to return
- the netmask of the adapter containing the default gateway.
- Only implemented on Windows so far. Other platforms will
- return 255.255.255.0. Currently the netmask information is
- only used to warn about subnet conflicts.
-
-* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
- and USE_SSL flags are enabled (Alon Bar-Lev).
-
-* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
- --script-security rules. Also adds retrying if the addresses are in
- use (Matthias Andree).
-
-* Fixed build issue with ./configure --disable-socks --disable-http.
-
-* Fixed separate compile errors in options.c and ntlm.c that occur
- on strict C compilers (such as old versions of gcc) that require
- that C variable declarations occur at the start of a {} block,
- not in the middle.
-
-* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
- the new implementation of extract_x509_field_ssl depends on.
-
-* LZO compression buffer overflow errors will now invalidate
- the packet rather than trigger a fatal assertion.
-
-* Fixed minor compile issue in ntlm.c (mid-block declaration).
-
-* Added --allow-pull-fqdn option which allows client to pull DNS names
- from server (rather than only IP address) for --ifconfig, --route, and
- --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
- for these options to be pulled and translated to IP addresses by default.
- Now --allow-pull-fqdn will be explicitly required on the client to enable
- DNS-name-to-IP-address translation of pulled options.
-
-* 2.1_rc8 and earlier did implicit shell expansion on script
- arguments since all scripts were called by system().
- The security hardening changes made to 2.1_rc9 no longer
- use system(), but rather use the safer execve or CreateProcess
- system calls. The security hardening also introduced a
- backward incompatibility with 2.1_rc8 and earlier in that
- script parameters were no longer shell-expanded, so
- for example:
-
- client-connect "docc CLIENT-CONNECT"
-
- would fail to work because execve would try to execute
- a script called "docc CLIENT-CONNECT" instead of "docc"
- with "CLIENT-CONNECT" as the first argument.
-
- This patch fixes the issue, bringing the script argument
- semantics back to pre 2.1_rc9 behavior in order to preserve
- backward compatibility while still using execve or CreateProcess
- to execute the script/executable.
-
-* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
- to more closely conform to RFC 3696:
-
- (1) DNS name length must not exceed 255 characters
-
- (2) DNS name characters must be limited to alphanumeric,
- dash ('-'), and dot ('.')
-
-* Fixed bug in intra-session TLS key rollover that was introduced with
- deferred authentication features in 2.1_rc8.
-
-2008.07.31 -- Version 2.1_rc9
-
-* Security Fix -- affects non-Windows OpenVPN clients running
- OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
- vulnerable nor are any versions of the OpenVPN server vulnerable).
- An OpenVPN client connecting to a malicious or compromised
- server could potentially receive an "lladdr" or "iproute" configuration
- directive from the server which could cause arbitrary code execution on
- the client. A successful attack requires that (a) the client has agreed
- to allow the server to push configuration directives to it by including
- "pull" or the macro "client" in its configuration file, (b) the client
- successfully authenticates the server, (c) the server is malicious or has
- been compromised and is under the control of the attacker, and (d) the
- client is running a non-Windows OS. Credit: David Wagner.
- CVE-2008-3459
-
-* Miscellaneous defensive programming changes to multiple
- areas of the code. In particular, use of the system() call
- for calling executables such as ifconfig, route, and
- user-defined scripts has been completely revamped in favor
- of execve() on unix and CreateProcess() on Windows.
-
-* In Windows build, package a statically linked openssl.exe to work around
- observed instabilities in the dynamic build since the migration to
- OpenSSL 0.9.8h.
-
-2008.06.11 -- Version 2.1_rc8
-
-* Added client authentication and packet filtering capability
- to management interface. In addition, allow OpenVPN plugins
- to take advantage of deferred authentication and packet
- filtering capability.
-
-* Added support for client-side connection profiles.
-
-* Fixed unbounded memory growth bug in environmental variable
- code that could have caused long-running OpenVPN sessions
- with many TLS renegotiations to incrementally
- increase memory usage over time.
-
-* Windows release now packages openssl-0.9.8h.
-
-* Build system changes -- allow building on Windows using
- autoconf/automake scripts (Alon Bar-Lev).
-
-* Changes to Windows build system to make it easier to do
- partial builds, with a reduced set of prerequisites,
- where only a subset of OpenVPN installer
- components are built. See ./domake-win comments.
-
-* Cleanup IP address for persistence interfaces for tap and also
- using ifconfig, gentoo#209055 (Alon Bar-Lev).
-
-* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
-
-* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
-
-* Added new OpenVPN icon and installer graphic.
-
-* Minor pkitool changes.
-
-* Added --pkcs11-id-management option, which will cause OpenVPN to
- query the management interface via the new NEED-STR asynchronous
- notification query to get additional PKCS#11 options (Alon Bar-Lev).
-
-* Added NEED-STR management interface asynchronous query and
- "needstr" management interface command to respond to the query
- (Alon Bar-Lev).
-
-* Added Dragonfly BSD support (Francis-Gudin).
-
-* Quote device names before passing to up/down script (Josh Cepek).
-
-* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
- prevent structure padding from causing an incorrect length
- to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
- platforms.
-
-* On systems that support res_init, always call it
- before calling gethostbyname to ensure that
- resolver configuration state is current.
-
-* Added NTLMv2 proxy support (Miroslav Zajic).
-
-* Fixed an issue in extract_x509_field_ssl where the extraction
- would fail on the first field of the subject name, such as
- the common name in: /CN=foo/emailAddress=foo@bar.com
-
-* Made "Linux ip addr del failed" error nonfatal.
-
-* Amplified --client-cert-not-required warning.
-
-* Added #pragma pack to proto.h.
-
-2008.01.29 -- Version 2.1_rc7
-
-* Added a few extra files that exist in the svn repo but were
- not being copied into the tarball by make dist.
-
-* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
-
-2008.01.24 -- Version 2.1_rc6
-
-* Fixed options checking bug introduced in rc5 where legitimate configuration
- files might elicit the error: "Options error: Parameter pkcs11_private_mode
- can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
- is also specified."
-
-2008.01.23 -- Version 2.1_rc5
-
-* Fixed Win2K TAP driver bug that was introduced by Vista fixes,
- incremented driver version to 9.4.
-
-* Windows build system changes:
-
- Incremented included OpenSSL version to openssl-0.9.7m.
-
- Updated openssl.patch for openssl-0.9.7m and added some
- brief usage comments to the head of the patch.
-
- Added build-pkcs11-helper.sh for building the pkcs11-helper
- library.
-
- Integrated inclusion of pkcs11-helper into Windows build
- system.
-
- Upgraded TAP build scripts to use WDK 6001.17121
- (Windows 2008 Server pre-RTM).
-
-* Windows installer changes:
-
- Clean up the start menu folder.
-
- Allow for a site-specific sample configuration file and keys
- to be included in a custom installer (see SAMPCONF macros
- in settings.in).
-
- New icon (temporary).
-
-* Added "forget-passwords" command to the management interface
- (Alon Bar-Lev).
-
-* Added --management-signal option to signal SIGUSR1 when the
- management interface disconnects (Alon Bar-Lev).
-
-* Modified command line and config file parser to allow
- quoted strings using single quotes ('') (Alon Bar-Lev).
-
-* Use pkcs11-helper as external library, can be downloaded from
- https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
-
-* Fixed interim memory growth issue in TCP connect loop where
- "TCP: connect to %s failed, will try again in %d seconds: %s"
- is output.
-
-* Fixed bug in epoll driver in event.c, where the lack of a
- handler for EPOLLHUP could cause 99% CPU usage.
-
-* Defined ALLOW_NON_CBC_CIPHERS for people who don't
- want to use a CBC cipher for OpenVPN's data channel.
-
-* Added PLUGIN_LIBDIR preprocessor string to prepend a default
- plugin directory to the dlopen search list when the user
- specifies the basename of the plugin only (Marius Tomaschewski).
-
-* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
- to allow forward slash characters ("/") in the X509 common name
- (Pavel Shramov).
-
-* Allow OpenVPN to run completely unprivileged under Linux
- by allowing openvpn --mktun to be used with --user and --group
- to set the UID/GID of the tun device node. Also added --iproute
- option to allow an alternative command to be executed in place
- of the default iproute2 command (Alon Bar-Lev).
-
-* Fixed --disable-iproute2 in ./configure to actually disable
- iproute2 usage (Alon Bar-Lev).
-
-* Added --management-forget-disconnect option -- forget
- passwords when management session disconnects (Alon Bar-Lev).
-
-2007.04.25 -- Version 2.1_rc4
-
-* Worked out remaining issues with TAP driver signing
- on Vista x64. OpenVPN will now run on Vista x64
- with driver signing enforcement enabled.
-
-* Fixed 64-bit portability bug in time_string function
- (Thomas Habets).
-
-2007.04.22 -- Version 2.1_rc3
-
-* Additional fixes to TAP driver for Windows x64. Driver
- now runs successfully on Vista x64 if driver signing
- enforcement is disabled.
-
-* The Windows Installer and TAP driver are now signed by
- OpenVPN Solutions LLC (in addition to the usual GnuPG
- signatures).
-
-* Added OpenVPN GUI (Mathias Sundman version) as install
- option in Windows installer.
-
-* Clean up configure on FreeBSD for recent autotool versions
- that require that all .h files have to be compiled.
- Also, FreeBSD install does not support GNU long options
- which the Makefile in easy-rsa/2.0 uses (not checked the
- others as we don't install those on Gentoo) (Roy Marples).
-
-* Added additional scripts to easy-rsa/Windows for working
- with password-protected keys; also add -extensions server
- option when generating server cert via
- build-key-server-pass.bat (Daniel Zauft).
-
-2007.02.27 -- Version 2.1_rc2
-
-* auth-pam change: link with -lpam rather
- than dlopen (Roy Marples).
-
-* Prevent SIGUSR1 or SIGHUP from causing program
- exit from initial management hold.
-
-* SO_REUSEADDR should not be set on Windows TCP sockets
- because it will cause bind to succeed on port conflicts.
-
-* Added time_ascii, time_duration, and time_unix
- environmental variables for plugins and callback
- scripts.
-
-* Fixed issue where OpenVPN does not apply the --txqueuelen option
- to persistent interfaces made with --mktun (Roy Marples).
-
-* Attempt at rational signal handling when in the
- management hold state. During management hold, ignore
- SIGUSR1/SIGHUP signals thrown with the "signal" command.
- Also, "signal" command will now apply remapping as
- specified with the --remap-usr1 option.
- When a signal entered using the "signal" command from a management
- hold is ignored, output: >HOLD:Waiting for hold release
-
-* Fixed issue where struct env_set methods that
- change the value of an existing name=value pair
- would delay the freeing of the memory held by
- the previous name=value pair until the underlying
- client instance object is closed.
- This could cause a server that handles long-term
- client connections, resulting in many periodic calls
- to verify_callback, to needlessly grow the env_set
- memory allocation until the underlying client instance
- object is closed.
-
-* Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
- to reflect the fact that Vista has blacklisted the tap0801.sys
- file name due to previous compatibility issues which have now
- been resolved. TAP-Win32 major/minor version number is now 9/1.
-
-* Windows installer will delete a previously installed
- tap0801.sys TAP driver before installing tap0901.sys.
-
-* Added code to Windows installer to fail gracefully on 64 bit
- installs until 64-bit TAP driver issues can be resolved.
-
-* Added code to Windows installer to fail gracefully on
- versions of Windows which are not explicitly supported.
-
-* The Windows version will now use a default route-delay
- of 5 seconds to deal with an apparent routing table race
- condition on Vista.
-
-* Worked around an incompatibility in the Windows Vista
- version of CreateIpForwardEntry as described in
- http://www.nynaeve.net/?p=59
- This issue would cause route additions using the
- IP Helper API to fail on Vista.
-
-* On Windows, revert to "ip-win32 dynamic" as the default.
-
-2006.10.31 -- Version 2.1_rc1
-
-* Support recovery (return to hold) from signal at
- management password prompt.
-
-* Added workaround for OpenSC PKCS#11 bug#108
- (Alon Bar-Lev).
-
-2006.10.01 -- Version 2.1-beta16
-
-* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
- published vulnerabilities.
-
-* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
- (Henry Nestler).
-
-* Autodetect 32/64 bit Windows in installer and install
- appropriate TAP driver (Mathias Sundman, Hypherion).
-
-* Fixed bug in loopback self-test introduced
- in 2.1-beta15 where self test as invoked by
- "make check" would not properly exit after
- 2 minutes (Paul Howarth).
-
-2006.09.12 -- Version 2.1-beta15
-
-* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
- RSA Signature Forgery (CVE-2006-4339).
-
-* Fixed bug introduced with the --port-share directive
- (back in 2.1-beta9 which causes TLS soft resets
- (1 per hour by default) in TCP server mode to force
- a blockage of tunnel packets and later time-out and
- restart the connection.
-
-* easy-rsa update (Alon Bar-Lev)
- Makefile (install) is now available so that
- distribs will be able to install it safely.
-
-* PKCS#11 changes: (Alon Bar-Lev)
- - Modified ssl.c to not FATAL and return to init.c
- so auth-retry will work.
- - Modifed pkcs11-helper.c to fix some problem with
- multiple providers.
- - Added retry counter to PKCS#11 PIN hook.
- - Modified PKCS#11 PIN retry loop to return correct error
- code when PIN is incorrect.
- - Fix handling (ignoring) zero sized attributes.
- - Fix gcc-2 issues.
- - Fix openssl 0.9.6 (first version) issues.
-
-* Minor fixes of lladdr (Alon Bar-Lev)
- Updated makefile.w32-vc to include lladdr.*, updated
- linkage libraries.
- Modified lladdr.c to be compiled under visual C.
-
-* Added two new management states:
- OPENVPN_STATE_RESOLVE -- DNS lookup
- OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
-
-* Echo management state change to log.
-
-* Minor syshead.h change for NetBSD to allow
- TCP_NODELAY flag to work.
-
-* Modified --port-share code to remove the assumption that
- CMSG_SPACE always evaluates to a constant, to enable
- compilation on NetBSD and possibly other BSDs as well.
-
-* Eliminated gcc 3.3.3 warnings on NetBSD
- when ./configure --enable-strict is used.
-
-* Added optional minimum-number-of-bytes parameter
- to --inactive directive.
-
-2006.04.13 -- Version 2.1-beta14
-
-* Fixed Windows server bug in time backtrack handling code which
- could cause TLS negotiation failures on legitimate clients.
-
-* Rewrote gettimeofday function for Windows to be
- simpler and more efficient.
-
-* Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
-
-* Added --route-metric option to set a default route metric
- for --route (Roy Marples).
-
-* Added --lladdr option to specify the link layer (MAC) address
- for the tap interface on non-Windows platforms (Roy Marples).
-
-2006.04.12 -- Version 2.1-beta13
-
-* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
- to 64 bits caused a bug in the Windows version which has now
- been fixed. The bug could cause intermittent crashes.
-
-2006.04.05 -- Version 2.1-beta12
-
-* Security Vulnerability -- An OpenVPN client connecting to a
- malicious or compromised server could potentially receive
- "setenv" configuration directives from the server which could
- cause arbitrary code execution on the client via a LD_PRELOAD
- attack. A successful attack appears to require that (a) the
- client has agreed to allow the server to push configuration
- directives to it by including "pull" or the macro "client" in
- its configuration file, (b) the client configuration file uses
- a scripting directive such as "up" or "down", (c) the client
- succesfully authenticates the server, (d) the server is
- malicious or has been compromised and is under the control of
- the attacker, and (e) the attacker has at least some level of
- pre-existing control over files on the client (this might be
- accomplished by having the server respond to a client web request
- with a specially crafted file). Credit: Hendrik Weimer.
- CVE-2006-1629.
-
- The fix is to disallow "setenv" to be pushed to clients from
- the server, and to add a new directive "setenv-safe" which is
- pushable from the server, but which appends "OPENVPN_" to the
- name of each remotely set environmental variable.
-
-* "topology subnet" fix for FreeBSD (Benoit Bourdin).
-
-* PKCS11 fixes (Alon Bar-Lev). For full description:
- svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
-
-* When deleting routes under Linux, use the route metric
- as a differentiator to ensure that the route teardown
- process only deletes the identical route which was originally
- added via the "route" directive (Roy Marples).
-
-* Fix the t_cltsrv.sh file in FreeBSD 4 jails
- (Matthias Andree, Dirk Meyer, Vasil Dimov).
-
-* Extended tun device configure code to support ethernet
- bridging on NetBSD (Emmanuel Kasper).
-
-2006.02.19 -- Version 2.1-beta11
-
-* Fixed --port-share bug that caused premature closing
- of proxied sessions.
-
-2006.02.17 -- Version 2.1-beta10
-
-* Fixed --port-share breakage introduced in 2.1-beta9.
-
-2006.02.16 -- Version 2.1-beta9
-
-* Added --port-share option for allowing OpenVPN and HTTPS
- server to share the same port number.
-* Added --management-client option to connect as a client
- to management GUI app rather than be connected to as a
- server.
-* Added "bytecount" command to management interface.
-* --remote-cert-tls fixes (Alon Bar-Lev).
-
-2006.01.03 -- Version 2.1-beta8
-
-* --remap-usr1 will now also remap signals thrown during
- initialization.
-* Added --connect-timeout option to control the timeout
- on TCP client connection attempts (doesn't work on all
- OSes). This patch also makes OpenVPN signalable during
- TCP connection attempts.
-* Fixed bug in acinclude.m4 where capability of compiler
- to handle zero-length arrays in structs is tested
- (David Stipp).
-* Fixed typo in manage.c where inline function declaration
- was declared without the "static" keyword (David Stipp).
-* Patch to support --topology subnet on Mac OS X (Mathias Sundman).
-* Added --auto-proxy directive to auto-detect HTTP or SOCKS
- proxy settings (currently Windows only).
-* Removed redundant base64 code.
-* Better sanity checking of --server and --server-bridge
- IP pool ranges, so as not to hit the assertion at
- pool.c:119 (2.0.5).
-* Fixed bug where --daemon and --management-query-passwords
- used together would cause OpenVPN to block prior to
- daemonization.
-* Fixed client/server race condition which could occur
- when --auth-retry interact is set and the initially
- provided auth-user-pass credentials are incorrect,
- forcing a username/password re-query.
-* Fixed bug where if --daemon and --management-hold are
- used together, --user or --group options would be ignored.
-* --ip-win32 adaptive is now the default.
-* --ip-win32 netsh (or --ip-win32 adaptive when in netsh
- mode) can now set DNS/WINS addresses on the TAP-Win32
- adapter.
-* Added new option --route-method adaptive (Win32)
- which tries IP helper API first, then falls back to
- route.exe.
-* Made --route-method adaptive the default.
-
-2005.11.12 -- Version 2.1-beta7
-
-* Allow blank passwords to be passed via the management
- interface.
-* Fixed bug where "make check" inside a FreeBSD "jail"
- would never complete (Matthias Andree).
-* Fixed bug where --server directive in --dev tap mode
- claimed that it would support subnets of /30 or less
- but actually would only accept /29 or less.
-* Extend byte counters to 64 bits (M. van Cuijk).
-* Fixed bug in Linux get_default_gateway function
- introduced in 2.0.4, which would cause redirect-gateway
- on Linux clients to fail.
-* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
- be compatible with 2.0.x distribution.
-* Documented --route-nopull.
-* Documented --ip-win32 adaptive.
-* Windows build now linked with LZO2.
-* Allow ca, cert, key, and dh files to be specified
- inline via XML-like syntax without needing to
- reference an explicit file.
- For example:
- <ca>
- data here...
- </ca>
-* Allow plugin and push directives to have multi-line
- parameter lists such as:
- <plugin>
- my-plugin.so
- parm1
- parm2
- </plugin>
-* Added connect-retry-max option (Alon Bar-Lev).
-* Fixed problems where signals thrown during initialization
- were not returning to a management-hold state.
-* Added a backtrack-hardened system time algorithm.
-* Added --remote-cert-ku, --remote-cert-eku, and
- --remote-cert-tls options for verifying certificate
- attributes (Alon Bar-Lev).
-* For Windows, reverted --ip-win32 default back to "dynamic".
- To use new adaptive mode, set explicitly.
-
-2005.11.01 -- Version 2.1-beta6
-
-* Security fix (merged from 2.0.4) -- Affects non-Windows
- OpenVPN clients of version 2.0 or higher which connect to
- a malicious or compromised server. A format string
- vulnerability in the foreign_option function in options.c
- could potentially allow a malicious or compromised server
- to execute arbitrary code on the client. Only
- non-Windows clients are affected. The vulnerability
- only exists if (a) the client's TLS negotiation with
- the server succeeds, (b) the server is malicious or
- has been compromised such that it is configured to
- push a maliciously crafted options string to the client,
- and (c) the client indicates its willingness to accept
- pushed options from the server by having "pull" or
- "client" in its configuration file (Credit: Vade79).
- CVE-2005-3393
-* Security fix -- (merged from 2.0.4) Potential DoS
- vulnerability on the server in TCP mode. If the TCP
- server accept() call returns an error status, the resulting
- exception handler may attempt to indirect through a NULL
- pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
- CVE-2005-3409
-* Fix attempt of assertion at multi.c:1586 (note that
- this precise line number will vary across different
- versions of OpenVPN).
-* Windows reliability changes:
- (a) Added code to make sure that the local PATH environmental
- variable points to the Windows system32 directory.
- (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
- and then fails over to 'netsh' if the DHCP negotiation fails.
- (c) Made --ip-win32 adaptive the default.
-* More PKCS#11 additions/changes (Alon Bar-Lev).
-* Added ".PHONY: plugin" to Makefile.am to work around
- "make dist" issue.
-* Fixed double fork issue that occurs when --management-hold
- is used.
-* Moved TUN/TAP read/write log messages from --verb 8 to 6.
-* Warn when multiple clients having the same common name or
- username usurp each other when --duplicate-cn is not used.
-* Modified Windows and Linux versions of get_default_gateway
- to return the route with the smallest metric
- if multiple 0.0.0.0/0.0.0.0 entries are present.
-* Added ">NEED-OK" alert and "needok" command to management
- interface to provide a general interface for sending
- alerts to the end-user. Used by the PKCS#11 code
- to send Token Insertion Requests to the user.
-* Added actual remote address used to the ">STATE" alert
- in the management interface (Rolf Fokkens).
-
-2005.10.17 -- Version 2.1-beta4
-
-* Fixed bug introduced in 2.1-beta3 where management
- socket bind would fail.
-* --capath fix in ssl.c (Zhuang Yuyao).
-* Added ".PHONY: plugin" to Makefile.am, reverted
- location of "plugin" directory (thanks to
- Matthias Andree for figuring this out).
-
-2005.10.16 -- Version 2.1-beta3
-
-* Added PKCS#11 support (Alon Bar-Lev).
-* Enable the use of --ca together with --pkcs12. If --ca is
- used at the same time as --pkcs12, the CA certificate is loaded
- from the file specified by --ca regardless if the pkcs12 file
- contains a CA cert or not (Mathias Sundman).
-* Merged --capath patch (Thomas Noel).
-* Merged --multihome patch.
-* Added --bind option for TCP client connections (Ewan Bhamrah
- Harley).
-* Moved "plugin" directory to "plugins" to deal with strange
- automake problem that ended up being also fixable with
- ".PHONY: plugin" in Makefile.am.
-
-2005.10.13 -- Version 2.1-beta2
-
-* Made --sndbuf and --rcvbuf pushable.
-
-2005.10.01 -- Version 2.1-beta1
-
-* Made LZO setting pushable.
-* Renamed sample-keys/tmp-ca.crt to ca.crt.
-* Fixed bug where remove_iroutes_from_push_route_list
- was missing routes if those routes had
- an implied netmask (by omission) of 255.255.255.255.
-* Merged with 2.0.3-rc1
-* easy-rsa/2.0 moved to easy-rsa
-* old easy-rsa moved to easy-rsa/1.0
-
-2005.09.23 -- Version 2.0.2-TO4
-
-* Added feature to TAP-Win32 adapter to allow it to be
- opened from non-administrator mode. This feature
- is enabled by default, and can be enabled/disabled
- in the adapter advanced properties dialog.
-* Added --allow-nonadmin standalone option for Windows to
- set TAP adapter to allow non-admin access. This
- is a user-mode version of the code, and duplicates
- the same feature as the above entry.
-* Added fix that attempts to solve corner case of tunnel not
- forwarding packets when system clock is reset to an earlier time.
-* Added --redirect-gateway bypass-dns option. (Developers:
- To add bypass-dhcp or bypass-dns support to other OSes,
- add a get_bypass_addresses function to route.c for
- your OS.)
-* Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
- allows a client-connect plugin to return configuration text
- in memory, rather than via a file.
-* Fixed a bug where --mode server --proto tcp-server --cipher none
- operation could cause tunnel packet truncation.
-* openvpn --version will show [LZO1] or [LZO2], depending on
- version that was linked.
-
-2005.09.07 -- Version 2.0.2-TO1
-
-* Added --topology directive. See man page.
-* Added --redirect-gateway bypass-dhcp option to add a route
- allowing DHCP packets to bypass the tunnel, when the
- DHCP server is non-local. Currently only implemented
- on Windows clients.
-* Modified OpenVPN Service on Windows to declare the DHCP
- client service as a dependency.
-* Extended the plugin interface to allow plugins to declare
- per-client constructor and destructor functions, to make
- it simpler for plugins to maintain per-client state.
-
-2005.09.25 -- Version 2.0.3-rc1
-
-* openvpn_plugin_abort_v1 function wasn't being properly
- registered on Windows.
-* Fixed a bug where --mode server --proto tcp-server --cipher none
- operation could cause tunnel packet truncation.
-
-2005.08.25 -- Version 2.0.2
-
-* No change from 2.0.2-rc1.
-
-2005.08.24 -- Version 2.0.2-rc1
-
-* Fixed regression bug in Win32 installer, introduced in 2.0.1,
- which incorrectly set OpenVPN service to autostart.
-* Don't package source code zip file in Windows installer
- in order to reduce the size of the installer. The source
- zip file can always be downloaded separately if needed.
-* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
- version of get_default_gateway. Allocated socket for route
- manipulation is never freed so number of mbufs continuously
- grow and exhaust system resources after a while (Jaroslav Klaus).
-* Fixed bug where "--proto tcp-server --mode p2p --management
- host port" would cause the management port to not respond until
- the OpenVPN peer connects.
-* Modified pkitool script to be /bin/sh compatible (Johnny Lam).
-
-2005.08.16 -- Version 2.0.1
-
-* Security Fix -- DoS attack against server when run with "verb 0" and
- without "tls-auth". If a client connection to the server fails
- certificate verification, the OpenSSL error queue is not properly
- flushed, which can result in another unrelated client instance on the
- server seeing the error and responding to it, resulting in disconnection
- of the unrelated client (CAN-2005-2531).
-* Security Fix -- DoS attack against server by authenticated client.
- This bug presents a potential DoS attack vector against the server
- which can only be initiated by a connected and authenticated client.
- If the client sends a packet which fails to decrypt on the server,
- the OpenSSL error queue is not properly flushed, which can result in
- another unrelated client instance on the server seeing the error and
- responding to it, resulting in disconnection of the unrelated client
- (CAN-2005-2532). Credit: Mike Ireton.
-* Security Fix -- DoS attack against server by authenticated client.
- A malicious client in "dev tap" ethernet bridging mode could
- theoretically flood the server with packets appearing to come from
- hundreds of thousands of different MAC addresses, causing the OpenVPN
- process to deplete system virtual memory as it expands its internal
- routing table. A --max-routes-per-client directive has been added
- (default=256) to limit the maximum number of routes in OpenVPN's
- internal routing table which can be associated with a given client
- (CAN-2005-2533).
-* Security Fix -- DoS attack against server by authenticated client.
- If two or more client machines try to connect to the server at the
- same time via TCP, using the same client certificate, and when
- --duplicate-cn is not enabled on the server, a race condition can
- crash the server with "Assertion failed at mtcp.c:411"
- (CAN-2005-2534).
-* Fixed server bug where under certain circumstances, the client instance
- object deletion function would try to delete iroutes which had never been
- added in the first place, triggering "Assertion failed at mroute.c:349".
-* Added --auth-retry option to prevent auth errors from being fatal
- on the client side, and to permit username/password requeries in case
- of error. Also controllable via new "auth-retry" management interface
- command. See man page for more info.
-* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
-* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
- would fail to build.
-* Implement "make check" to perform loopback tests (Matthias Andree).
-
-2005.07.21 -- Version 2.0.1-rc7
-
-* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
-* Include linux/types.h before checking for linux/errqueue.h (Matthias
- Andree).
-
-2005.07.15 -- Version 2.0.1-rc6
-
-* Commented out "user nobody" and "group nobody" in sample
- client/server config files.
-* Allow '@' character to be used in --client-config-dir
- file names.
-
-2005.07.04 -- Version 2.0.1-rc5
-
-* Windows version will log a for-further-info URL when
- initialization sequence is completed with errors.
-* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
- to control whether auth-pam plugin links to PAM via
- dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
- behavior should be preserved. DLOPEN_PAM=0 is the preferred
- setting to link via -lpam, but DLOPEN_PAM=1 works around
- a bug in SuSE 9.1 (and possibly other distros as well)
- where the PAM modules are not linked with -lpam. See
- thread on openvpn-devel for more discussion about this
- patch (Simon Perreault).
-
-2005.06.15 -- Version 2.0.1-rc4
-
-* Support LZO 2.00, including changes to configure script to
- autodetect LZO version.
-
-2005.06.12 -- Version 2.0.1-rc3
-
-* Fixed a bug which caused standard file handles to not be closed
- after daemonization when --plugin and --daemon are used together,
- and if the plugin initialization function forks (as does auth-pam
- and down-root) (Simon Perreault).
-* Added client-side up/down scripts in contrib/pull-resolv-conf
- for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
- on Linux/Unix systems (Jesse Adelman).
-* Fixed bug where if client-connect scripts/plugins were cascaded,
- and one (but not all) of them returned an error status, there might
- be cases where for an individual script/plugin, client-connect was
- called but not client-disconnect. The goal of this fix is to
- ensure that if client-connect is called on a given client instance,
- then client-disconnect will definitely be called. A potential
- complication of this fix is that when client-connect functions are
- cascaded, it's possible that the client-disconnect function would
- be called in cases where the related client-connect function returned
- an error status. This fix should not alter OpenVPN behavior when
- scripts/plugins are not cascaded.
-* Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
- fatal error to a warning: "FRAG: outgoing buffer is not empty".
- Need more info on how to reproduce this one.
-* When --duplicate-cn is used, the --ifconfig-pool allocation
- algorithm will now allocate the first available IP address.
-* When --daemon and --management-hold are used together,
- OpenVPN will daemonize before it enters the management hold state.
-
-2005.05.16 -- Version 2.0.1-rc2
-
-* Modified vendor test in openvpn.spec file to match against
- "Mandrakesoft" in addition to "MandrakeSoft".
-* Using --iroute in a --client-config-dir file while in --dev tap
- mode is not currently supported and will produce a warning
- message. Fixed bug where in certain cases, in addition to
- generating a warning message, this combination of options
- would also produce a fatal assertion in mroute.c.
-* Pass --auth-user-pass username to server-side plugin without
- performing any string remapping (plugins, unlike scripts,
- don't get any security benefit from string remapping).
- This is intended to fix an issue with openvpn-auth-pam/pam_winbind
- where backslash characters in a username ('\') were being remapped
- to underscore ('_').
-* Updated OpenSSL DLLs in Windows build to 0.9.7g.
-* Documented --explicit-exit-notify in man page.
-* --explicit-exit-notify seconds parameter defaults to 1 if
- unspecified.
-
-2005.04.30 -- Version 2.0.1-rc1
-
-* Fixed bug where certain kinds of fatal errors after
- initialization (such as port in use) would leave plugin
- processes (such as openvpn-auth-pam) still running.
-* Added optional openvpn_plugin_abort_v1 plugin function for
- closing initialized plugin objects in the event of a fatal
- error by main OpenVPN process.
-* When the --remote list is > 1, and --resolv-retry is not
- specified (meaning that it defaults to "infinite"), apply the
- infinite timeout to the --remote list as a whole, but try each
- list item only once before moving on to the next item.
-* Added new --syslog directive which redirects output
- to syslog without requiring the use of the --daemon or --inetd
- directives.
-* Added openvpn.spec option to allow RPM to be built with support
- for passwords read from a file:
- rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
-
-2005.04.17 -- Version 2.0
-
-* Fixed minor options string typo in options.c.
-
-2005.04.10 -- Version 2.0-rc21
-
-* Change license description from "GPL Version 2 or (at your
- option) any later version" to just "GPL Version 2".
-
-2005.04.04 -- Version 2.0-rc20
-
-* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
- excellent distro/version coverage for RH/EL/Fedora, though
- using his own SPEC. I modified openvpn.spec to follow some of
- the same conventions such as putting sample scripts and doc
- files in %doc rather than /usr/share/openvpn.
-* Minor change to init scripts to run the user-defined script
- /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
- configs are started, and to run /etc/openvpn/openvpn-shutdown
- after all OpenVPN configs have been stopped. The
- openvpn-startup script can be used for stuff like
- insmod tun.o, setting up firewall rules, or starting
- ethernet bridges.
-
-2005.03.29 -- Version 2.0-rc19
-
-* Omit additions of routes where the network and
- gateway are equal and the netmask is 255.255.255.255.
- This can come up if you are using both
- server/ifconfig-pool and client-config-dir with
- ifconfig-push static addresses for some subset of clients
- which directly reference the server IP address as the
- remote endpoint.
-
-2005.03.28 -- Version 2.0-rc18
-
-* Packaged Windows installer with OpenSSL 0.9.7f.
-* Built Windows installer with NSIS 2.06.
-
-2005.03.12 -- Version 2.0-rc17
-
-* "MANAGEMENT: CMD" log file output will now only occur
- at --verb 7 or greater.
-* Added an optional name/value configuration list to
- the openvpn-auth-pam plugin module argument list. See
- plugin/auth-pam/README for documentation. This is necessary
- in order for openvpn-auth-pam to work with queries generated
- by arbitrary PAM modules.
-* In both auth-pam and down-root plugins, in the forked process,
- a read error on the parent process socket is no longer fatal.
-* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
- A conditional test of the vendor has been added to
- Require the appropriately named 'lzo' (liblzo1 / lzo).
- (Tom Walsh - http://openhardware.net)
-
-
-2005.02.20 -- Version 2.0-rc16
-
-* Fixed bug introduced in rc13 where Windows service wrapper
- would be installed with a startup type of Automatic.
- This fix restores the previous behavior of installing
- with a startup type of Manual.
-
-2005.02.19 -- Version 2.0-rc15
-
-* Added warning when --keepalive is not used in a server
- configuration.
-* Don't include OpenSSL md4.h file if we are not building
- NTLM proxy support (Waldemar Brodkorb).
-* Added easy-rsa/build-key-pkcs12 and
- easy-rsa/Windows/build-key-pkcs12.bat scripts
- (Mathias Sundman).
-
-2005.02.16 -- Version 2.0-rc14
-
-* Fixed small memory leak that occurs when --crl-verify
- is used.
-* Upgraded Windows installer and .nsi script to NSIS 2.05
- (Mathias Sundman).
-* Changed #include backslash usage in cryptoapi.c to use
- forward slashes instead (Gisle Vanem).
-* Created easy-rsa/revoke-full to handle revocations in
- a single step: (a) revoke crt, (b) regenerate CRL, and
- (c) verify that revocation succeeded.
-* Renamed easy-rsa/Windows/revoke-key to revoke-full so
- that both *nix and Windows scripts are equivalent.
-
-2005.02.11 -- Version 2.0-rc13
-
-* Improve human-readability of local/remote options
- diff, when inconsistencies are present.
-* For Windows easy-rsa, distribute vars.bat.sample and
- openssl.cnf.sample, then copy them to their normal
- filenames (without the .sample) when init-config.bat
- is run. This is to prevent OpenVPN upgrades from
- wiping out vars.bat and openssl.cnf edits.
-* Modified service wrapper (Windows) to use a
- case-insensitive search when scanning for .ovpn files
- in \Program Files\OpenVPN\config. Prior versions
- required an all-lower-case .ovpn file extension.
-* Miscellaneous service wrapper code cleanup.
-* If --user/--group is used on Windows, treat it
- as a no-op with a warning (this makes it easier to
- distribute the same client config file to Windows
- and *nix users).
-* Warn if --ifconfig-pool-persist is used with
- --duplicate-cn.
-
-2005.02.05 -- Version 2.0-rc12
-
-* Removed some debugging code inadvertently included
- in rc11 which would print the --auth-user-pass
- username/password provided by clients in the server
- logfile.
-* Client code for cycling through --remote list will
- retry the last address which successfully authenticated
- before moving on through the list.
-* Windows installer will now install sample configuration
- files in \Program Files\OpenVPN\sample-configs as well
- as generate a start menu shortcut to this directory.
-* Minor type change in buffer.[ch] to work around char-type
- ambiguity bug. Caused management interface lock-ups on
- ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
-
-2005.02.03 -- Version 2.0-rc11
-
-* Windows installer will now install easy-rsa directory
- in \Program Files\OpenVPN
-* Allow syslog facility to be controlled at compile time,
- e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
-* Changed certain shell scripts in distribution to use
- #!/bin/sh rather than #!/bin/bash for better portability.
-* If --ifconfig-pool-persist seconds parameter is 0, treat
- persist file as an allocation of fixed IP addresses
- (previous versions took IP-to-common-name associations
- from this list as hints, not mandatory static allocations).
-* Fixed bug on *nix where if --auth-user-pass and --log
- were used together, the username prompt would be sent to
- the log file rather than /dev/tty.
-* Spurious text in openvpn.8 detected by doclifter
- (Eric S. Raymond).
-* Call closelog later on daemon kill so that process
- exit message is written to syslog.
-
-2005.01.27 -- Version 2.0-rc10
-
-* When ./configure is run with plugins enabled (the default),
- check whether or not dlopen exists in libc before testing
- for libdl. This is to fix an issue on FreeBSD and possibly
- other OSes which bundle libdl functions in libc.
-* On Windows, filter initial WSAEINVAL warning which occurs
- on the initial read attempt of an unbound socket.
-* The easy-rsa scripts build-key, build-key-pass, and
- build-key-server will now chmod the .key file
- to 0600. This is in addition to the fact the generated
- keys directory has always been similarly protected
- (Pete Harlan).
-
-2005.01.23 -- Version 2.0-rc9
-
-* Fixed error "ROUTE: route addition failed using
- CreateIpForwardEntry ..." on Windows when --redirect-gateway
- is used over a RRAS internet link.
-* When using --route-method exe on Windows, include the
- gateway parameter on route delete commands (Mathias Sundman).
-* Try not to do a hard reset (i.e. SIGHUP) when two
- SIGUSR1 signals are received in close succession.
-* If the push list tries to grow beyond its buffer capacity,
- the resulting error will be non-fatal.
-* To increase the push list capacity (must be done on both
- client and server), increase TLS_CHANNEL_BUF_SIZE in
- common.h (default=1024).
-
-2005.01.15 -- Version 2.0-rc8
-
-* Fixed bug introduced in rc7 where options error
- "--auth-user-pass requires --pull" might occur even
- if --pull was correctly specified.
-* Changed management interface code to bind once
- to TCP socket, rather than rebinding after every
- client disconnect.
-* Added "disable" directive for client-config-dir
- files.
-* Windows binary install is now distributed with
- OpenSSL 0.9.7e.
-* Query the management interface for --http-proxy
- username/password if authfile is set to "stdin".
-* Added current OpenVPN version number to "Unrecognized
- option or missing parameter" error message.
-* Added "-extensions server" to "openssl req" command
- in easy-rsa/build-key-server (Nir Yeffet).
-
-2005.01.10 -- Version 2.0-rc7
-
-* Fixed bug in management interface which could cause
- 100% CPU utilization in --proto tcp-server mode
- on all *nix OSes except for Linux 2.6.
-* --ifconfig-push now accepts DNS names as well as
- IP addresses.
-* Added sanity check errors when --pull or
- --auth-user-pass is used in an incorrect mode.
-* Updated man page entries for --client-connect and
- --ifconfig-push.
-* Added "String Types and Remapping" section to man
- page to consisely document the way which OpenVPN
- may convert certain types of characters in strings
- to ('_').
-* Modified bridging description in HOWTO to emphasize
- the fact that bridging allows Windows file and print
- sharing without a WINS server (Charles Duffy).
-
-2004.12.20 -- Version 2.0-rc6
-
-* Improved checking for epoll support in ./configure
- to fix false positive on RH9 (Jan Just Keijser).
-* Made the "MULTI TCP: I/O wait required blocking in
- multi_tcp_action, action=7" error nonfatal and replaced
- with "MULTI: Outgoing TUN queue full, dropped packet".
- So far the issue only seems to occur on Linux 2.2
- in --mode server --proto tcp mode. It occurs when
- the TUN/TAP driver locks up and refuses to accept
- new packet writes for a second or more.
-* Fixed bug where if a --client-config-dir file tried
- to include another file using "config", and if that
- include failed, OpenVPN would abort with a fatal
- error. Now such inclusion failures will be logged
- but are no longer fatal.
-* Global changes to the way that packet buffer alignment
- is handled. Previously we didn't care about alignment
- and took care, when handling 16 and 32 bit words
- in buffers, to always use alignment-safe transfers.
- This approach appears to be inadequate on some
- architectures such as alpha. The new approach is
- to initialize packet buffers in a way that anticipates
- how component structures will be allocated within
- them, to maintain correct alignment.
-* Added --dhcp-option DISABLE-NBT to disable NetBIOS
- over TCP (Jan Just Keijser).
-* Added --http-proxy-option directive for controlling
- miscellaneous HTTP proxy options.
-* Management state will no longer transition to "WAIT"
- during TLS renegotiations.
-
-2004.12.16 -- Version 2.0-rc5
-
-* The --client-config-dir option will now try to open
- a default file called "DEFAULT" if no file matching
- the common name of the incoming client was found.
-* The --client-connect script/plugin can now veto client
- authentication by returning a failure code.
-* The --learn-address script/plugin can now prevent a
- client-instance/address association from being learned
- by returning a failure code.
-* Changed RPM group in .spec file to Applications/Internet.
-
-2004.12.14 -- Version 2.0-rc4
-
-* SuSE only -- Fixed interaction between openvpn.spec and
- suse/openvpn.init where the .spec file was writing the
- OpenVPN binary to a different location than where the
- .init script was referencing it (Stefan Engel).
-* Solaris only -- Split Solaris ifconfig command into two
- parts (Jan Just Keijser).
-* Some cleanup in add_option().
-* Better error checking on input dotted quad IP addresses.
-* Verify that --push argument is quoted, if there is
- more than one.
-* More miscellaneous option sanity checks.
-
-2004.12.13 -- Version 2.0-rc3
-
-* On Windows, when --log or --log-append is used,
- save the original stderr for username and password
- prompts.
-* Fixed a bug introduced in the late 2.0 betas where
- if a "verb" parameter >= 16 was used, it would be
- ignored and the actual verb level would remain at 1.
-* Fixed a bug mostly seen on OS X where --management-hold
- or --management-query-passwords would cause the management
- interface to be unresponsive to incoming client connections.
-* Trigger an options error if one of the management-modifying
- options is used without "management" itself.
-
-2004.12.12 -- Version 2.0-rc2
-
-* Amplified warnings in documentation about possible
- man-in-the-middle attack when clients do not properly
- verify server certificate. Changes to easy-rsa README,
- FAQ, HOWTO, man page, and sample client config file.
-* Added a warning message if --tls-client or --client
- is used without also specifying one of either
- --ns-cert-type, --tls-remote, or --tls-verify.
-* status_open() fixes for MSVC builds (Blaine Fleming).
-* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
- compiler error which has been reported on some platforms.
-* The openvpn.spec file for rpmbuild has several
- new build-time options. See comments in the file.
-* Plugins are now built and packaged in the RPM and
- will be saved in /usr/share/openvpn/plugin/lib.
-* Added --management-hold directive to start OpenVPN
- in a hibernating state until released by the
- management interface. Also added "hold" command
- to the management interface.
-
-2004.12.07 -- Version 2.0-rc1
-
-* openvpn.spec workaround for SuSE confusion regarding
- /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
-
-2004.12.05 -- Version 2.0-beta20
-
-* The ability to read --askpass and --auth-user-pass
- passwords from a file has been disabled by default.
- To re-enable, use ./configure --enable-password-save.
-* Added additional pre-connected states to management
- interface. See management/management-notes.txt
- for more info.
-* State history is now recorded by the management
- interface, and the "state" command now works like
- the log or echo commands.
-* State history and real-time state change notifications
- are now prepended with an integer unix timestamp.
-* Added --http-proxy-timeout option, previously
- the timeout was hardcoded to 5 seconds.
-
-2004.12.02 -- Version 2.0-beta19
-
-* Fixed bug in management interface line termination
- where output lines incorrectly contained a \00 char
- after the customary \0d \0a.
-* Fixed bug introduced in beta18 where Windows version
- would segfault on options errors.
-* Fixed bug in management interface where an empty
- quoted string ("") entered as a parameter would cause
- a segfault.
-* Fixed bug where --resolv-retry was not working
- properly with multiple --remote hosts.
-* Added additional ./configure options to reduce
- executable size for embedded applications.
- See ./configure --help.
-
-2004.11.28 -- Version 2.0-beta18
-
-* Added management interface. See new --management-*
- options or the full management interface documentation
- in management/management-notes.txt in the tarball.
- Management interface inclusion can be disabled by
- ./configure --disable-management.
-* Added two new plugin modules: auth-pam and down-root.
- Auth-pam supports pam-based authentication using a
- split privilege execution model, while down-root enables
- a down script to be executed with root privileges, even
- when --user/--group is used to drop root privileges.
- See the plugin directory in the tarball for READMEs,
- source code, and Makefiles.
-* Plugin developers should note that some changes were
- made to the plugin interface since beta17. See
- openvpn-plugin.h for details.
- Plugin interface inclusion can be disabled with
- ./configure --disable-plugins
-* Added easy-rsa/build-key-server script which will
- build a certificate with with nsCertType=server.
-* Added --ns-cert-type option for verification
- of nsCertType field in peer certificate.
-* If --fragment n is specified and --mssfix is specified
- without a parameter, default --mssfix to n. This restores
- the 1.6 behavior when using --mssfix without a parameter.
-* Fixed SSL context initialization bug introduced in beta14
- where this error might occur on restarts: "Cannot load
- certificate chain ... PEM_read_bio:no start line".
-
-2004.11.11 -- Version 2.0-beta17
-
-* Changed default port number to 1194 per IANA official
- port number assignment.
-* Added --plugin directive which allows compiled
- modules to intercept script callbacks. See
- plugin folder in tarball for more info.
-* Fixed bug introduced in beta12 where --key-method 1
- authentications which should have succeeded would fail.
-* Ignore SIGUSR1 during DNS resolution.
-* Added SuSE support to openvpn.spec (Umberto Nicoletti).
-* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
- Runestig).
-
-2004.11.07 -- Version 2.0-beta16
-
-* Modified sample-scripts/auth-pam.pl to get username
- and password from OpenVPN via a file rather than
- via environmental variables.
-* Added bytes_sent and bytes_received environmental
- variables to be set prior to client-disconnect script.
-* Changed client virtual IP derivation precedence:
- (1) use --ifconfig-push directive from --client-connect
- script, (2) use --ifconfig-push directive from
- --client-config-dir, and (3) use --ifconfig-pool
- address.
-* If a --client-config-dir file specifies --ifconfig-push,
- it will be visible to the --client-connect-script in
- the ifconfig_pool_remote_ip environmental variable.
-* For tun-style tunnels, the ifconfig_pool_local_ip
- environmental variable will be set, while for
- tap-style tunnels, the ifconfig_pool_netmask variable
- will be set.
-* Added intelligence to autoconf script to test
- compiler for the accepted form of zero-length arrays.
-* Fixed a bug introduced in beta12 where --ip-win32
- netsh would fail if --dev-node was not explicitly
- specified.
-* --ip-win32 netsh will now work on hidden adapters.
-* Fix attempt of "Assertion failed at crypto.c:149".
- This assertion has also been reported on 1.x with a
- slightly different line number. The fix is twofold:
- (1) In previous releases, --mtu-test may trigger this
- assertion -- this bug has been fixed. (2) If something
- else causes the assertion to be thrown, don't panic,
- just output a nonfatal warning to the log and drop
- the packet which generated the error.
-* Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
-* Added --echo directive.
-* Added --auth-nocache directive.
-
-2004.10.28 -- Version 2.0-beta15
-
-* Changed environmental variable character classes
- so that names must consist of alphanumeric or
- underbar chars and values must consist of printable
- characters. Illegal chars will be deleted.
- Versions prior to 2.0-beta12 were more restrictive
- and would map spaces to '.'.
-* On Windows, when the TAP adapter fails to
- initialize with the correct IP address, output
- "Initialization Sequence Completed with Errors"
- to the console or log file.
-* Added a warning when user/group/chroot is used
- without persist-tun and persist-key.
-* Added cryptoapi.[ch] to tarball and source zip.
-* --tls-remote option now works with common name
- prefixes as well as with the full X509 subject
- string. This is a useful alternative to using
- a CRL on the client.
-* common names associated with a static
- --ifconfig-push setting will no longer leave
- any state in the --ifconfig-pool-persist file.
-* Hard TLS errors (TLS handshake failed) will now
- trigger either a SIGUSR1 signal by default
- or SIGTERM (if --tls-exit is specified). In TCP
- mode, all TLS errors are considered to be hard.
- In server mode, the signal will be local to the
- client instance.
-* Added method parameter to --auth-user-pass-verify
- directive to select whether username/password
- is passed to script via environment or a temporary
- file.
-* Added --status-version option to control format
- of --status file. The --mode server
- --status-version 2 format now includes a line
- type token, the virtual IP address is shown
- in the client list (even in --dev tap mode),
- and the integer time_t value is shown anywhere
- an ascii-formatted time/date is also shown.
-* Added --remap-usr1 directive which can be used
- to control whether internally or externally
- generated SIGUSR1 signals are remapped to
- SIGHUP (restart without persisting state) or
- SIGTERM (exit).
-* When running as a Windows service (using
- --service option), check the exit event before
- and after reading one line of input from
- stdin, when reading username/password info.
-* For developers: Extended the --gremlin function
- to better stress-test the new 2.0 features,
- added Valgrind support on Linux and Dmalloc
- support on Windows.
-
-2004.10.19 -- Version 2.0-beta14
-
-* Fixed a bug introduced in Beta12 that would occur
- if you use a --client-connect script without also
- defining --tmp-dir.
-* Fixed a bug introduced in Beta12 where a learn-address
- script might segfault on the delete method.
-* Added Crypto API support in Windows version via
- the --cryptoapicert option (Peter 'Luna' Runestig).
-
-2004.10.18 -- Version 2.0-beta13
-
-* Fixed an issue introduced in Beta12 where the private
- key password would not be prompted for unless --askpass
- was explicitly specified in the config.
-
-2004.10.17 -- Version 2.0-beta12
-
-* Added support for username/password-based authentication.
- Clients can now authentication themselves with the server
- using either a certificate, a username/password, or both.
- New directives: --auth-user-pass, --auth-user-pass-verify,
- --client-cert-not-required, and --username-as-common-name.
-* Added NTLM proxy patch (William Preston).
-* Added --ifconfig-pool-linear server flag to allocate
- individual tun addresses for clients rather than /30
- subnets (won't work with Windows clients).
-* Modified --http-proxy code to cache username/password
- across restarts.
-* Modified --http-proxy code to read username/password
- from the console when the auth file is given as "stdin".
-* Modified --askpass to take an optional filename argument.
-* --persist-tun and --persist-key now work in client mode
- and can be pushed to clients as well.
-* Added --ifconfig-pool-persist directive, to maintain
- ifconfig-pool info in a file which is persistent across
- daemon instantiations.
-* --user and --group privilege downgrades as well as
- --chroot now also work in client mode (the
- dowgrade/chroot will be delayed until the initialization
- sequence is completed).
-* Added --show-engines standalone directive to show
- available OpenSSL crypto accelerator engine support.
-* --engine directive now accepts an optional engine-ID
- parameter to control which engine is used.
-* "Connection reset, restarting" log message now shows
- which client is being reset.
-* Added --dhcp-pre-release directive in Windows version.
-* Second parm to --ip-win32 can be "default", e.g.
- --ip-win32 dynamic default 60.
-* Fixed documentation bug regarding environmental
- variable settings for --ifconfig-pool IP addresses.
- The correct environmental variable names are:
- ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
-* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
- environmental variables are now passed to the
- client-disconnect script.
-* In server mode, environmental variables are now scoped
- according to the client they are associated with,
- to solve the problem of "crosstalk" between different
- client's environmental variable sets.
-* Added --down-pre flag to cause --down script to be
- called before TUN/TAP close (rather than after).
-* Added --tls-exit flag which will cause OpenVPN
- to exit on any TLS errors.
-* Don't push a route to a client if it exactly
- matches an iroute (this lets you push routes to
- all clients, and OpenVPN will automatically remove
- the route from the route push list only for that client
- which the route actually belongs to).
-* Made '--resolv-retry infinite' the default.
- --resolv-retry can be disabled by using a parameter of 0.
-* For clients which plan to pull config info from server,
- set an initial default ping-restart of 60 seconds.
-* Optimized mute code to lessen the load on the processor
- when messages are being muted at a higher frequency.
-* Made route log messages non-mutable.
-* Silence the Linux "No buffer space available" message.
-* Added miscellaneous additional option sanity checks.
-* Added Windows version of easy-rsa scripts in
- easy-rsa/Windows directory (Andrew J. Richardson).
-* Added NetBSD route patch (Ed Ravin).
-* Added OpenBSD patch for TAP + --redirect-gateway
- (Waldemar Brodkorb).
-* Directives which prompt for a username and/or password
- will now work with --daemon (OpenVPN will prompt
- before forking).
-* Warn if CRL is from a different issuer than the
- issuer of the peer certificate (Bernhard Weisshuhn).
-* Changed init script chkconfig parameters to start
- OpenVPN daemon(s) before NFS.
-* Bug fix attempt of "too many I/O wait events" which occurs
- on OSes which prefer select() over poll() such as Mac OS X.
-* Added --ccd-exclusive flag. This flag will require, as a
- condition of authentication, that a connecting client has
- a --client-config-dir file.
-* TAP-Win32 open code will attempt to open a free adapter
- if --dev-node is not specified (Mathias Sundman).
-* Resequenced --nice and --chroot ordering so that --nice
- occurs first.
-* Added --suppress-timestamps flag (Charles Duffy).
-* Source code changes to allow compilation by MSVC
- (Peter 'Luna' Runestig).
-* Added experimental --fast-io flag which optimizes
- TUN/TAP/UDP writes on non-Windows systems.
-
-2004.08.18 -- Version 2.0-beta11
-
-* Added --server, --server-bridge, --client, and
- --keepalive helper directives. See client.conf
- and server.conf in sample-config-files for sample
- configurations which use the new directives.
-* On Windows, added --route-method to control
- whether IP Helper API or route.exe is used
- to add/delete routes.
-* On Windows, added a second parameter to
- --route-delay to control the maximum time period
- to wait for the TAP-Win32 adapter to come up
- before adding routes.
-* Fixed bug in Windows version where configurations
- which omit --ifconfig might fail to recognize when
- the TAP adapter is up.
-* Proxy connection failures will now retry according
- to the --connect-retry parameter.
-* Fixed --dev null handling on Windows so that TLS
- loopback test described in INSTALL file works
- correctly on Windows.
-* Added "Initialization Sequence Completed" message
- after all initialization steps have been completed
- and the VPN can be considered "up".
-* Better sanity-checking on --ifconfig-pool parameters.
-* Added --tcp-queue-limit option to control
- TUN/TAP -> TCP socket overflow.
-* --ifconfig-nowarn flag will now silence general
- warnings about possible --ifconfig address
- conflicts, including the warning about --ifconfig
- and --remote addresses being in same /24 subnet.
-* Fixed case where server mode did not correctly
- identify certain types of ethernet multicast packets
- (Marcel de Kogel).
-* Added --explicit-exit-notify option (experimental).
-
-2004.08.02 -- Version 2.0-beta10
-
-* Fixed possible reference after free of option strings
- after a restart, bug was introduced in beta8.
-* Fixed segfault at route.c:919 in the beta9
- Windows version that was being caused by indirection
- through a NULL pointer.
-* Mistakenly built debug version of TAP-Win32 driver
- for beta9. Beta10 has correct release build.
-
-2004.07.30 -- Version 2.0-beta9
-
-* Fixed --route issue on Windows that was introduced with
- the new beta8 route implementation based on the
- IP Helper API.
-
-2004.07.27 -- Version 2.0-beta8
-
-* Added TCP support in server mode.
-* Added PKCS #12 support (Mathias Sundman).
-* Added patch to make revoke-crt and make-crl work
- seamlessly within the easy-rsa environment (Jan Kiszka).
-* Modified --mode server ethernet bridge code to forward
- special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
-* Added --dhcp-renew and --dhcp-release flags to Windows
- version. Normally DHCP renewal and release on the TAP
- adapter occurs automatically under Windows, however
- if you set the TAP-Win32 adapter Media Status property
- to "Always Connected", you may need these flags.
-* Added --show-net standalone flag to Windows version to
- show OpenVPN's view of the system adapter and routing
- tables.
-* Added --show-net-up flag to Windows version to output
- the system routing table and network adapter list to
- the log file after the TAP-Win32 adapter has been brought
- up and any routes have been added.
-* Modified Windows version to add routes using the IP Helper
- API rather than by calling route.exe.
-* Fixed bug where --route-up script was not being called
- if no --route options were specified.
-* Added --mute-replay-warnings to suppress packet replay
- warnings. This is a common false alarm on WiFi nets.
-* Added "def1" flag to --redirect-gateway option to override
- the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
- rather than 0.0.0.0/0. This has the benefit of overriding
- but not wiping out the original default gateway.
- (Thanks to Jim Carter for pointing out this idea).
-* You can now run OpenVPN with a single config file argument.
- For example, you can now say "openvpn config.conf"
- rather than "openvpn --config config.conf".
-* On Windows, made --route and --route-delay more adaptive
- with respect to waiting for interfaces referenced by the
- route destination to come up. Routes added by --route
- should now be added as soon as the interface comes up,
- rather than after an obligatory 10 second delay. The
- way this works internally is that --route-delay now
- defaults to 0 on Windows. Previous versions would
- wait for --route-delay seconds then add the routes.
- This version will wait --route-delay seconds and then
- test the routing table at one second intervals for the
- next 30 seconds and will not add the routes until they
- can be added without errors.
-* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
- default on TCP/UDP socket in light of reports that this
- action can have undesirable global side effects on the
- MTU settings of other adapters. These parameters can
- still be set, but you need to explicitly specify
- --sndbuf and/or --rcvbuf.
-* Added --max-clients option to limit the maximum number
- of simultaneously connected clients in server mode.
-* Added error message to illuminate shell escape gotcha when
- single backslashes are used in Windows path names.
-* Added optional netmask parm to --ifconfig-pool.
-* Fixed bug where http-proxy connect retry attempts were
- incorrectly going to the remote OpenVPN server,
- not to the HTTP proxy server.
-
-2004.06.29 -- Version 2.0-beta7
-
-* Fixed bug in link_socket_verify_incoming_addr() which
- under certain circumstances could have caused --float
- behavior even if --float was not specified.
-* --tls-auth option now works with --mode server.
- All clients and the server should use the same
- --tls-auth key when operating in client/server mode.
-* Added --engine option to make use of OpenSSL-supported
- crypto acceleration hardware.
-* Fixed some high verbosity print format size issues
- in event.c for 64 bit platforms (Janne Johansson).
-* Made failure to open --log or --log-append file
- a non-fatal error.
-
-2004.06.23 -- Version 2.0-beta6
-
-* Fixed Windows installer to intelligently put
- up a reboot dialog only if tapinstall tells
- us that it's really necessary.
-* Fixed "Assertion failed at fragment.c:309"
- bug when --mode server and --fragment are used
- together.
-* Ignore HUP, USR1, and USR2 signals during
- initialization. Prior versions would abort.
-* Fixed bug on OS X: "Assertion failed at event.c:406".
-* Added --service option to Windows version, for use
- when OpenVPN is being programmatically instantiated
- by another process (see man page for info).
-* --log and --log-append options now work on Windows.
-* Update OpenBSD INSTALL notes (Janne Johansson).
-* Enable multicast on tun interface when running on
- OpenBSD (Pavlin Radoslavov).
-* Fixed recent --test-crypto breakage, where options
- such as --cipher were not being parsed correctly.
-* Modified options compatibility string by removing
- ifconfig substring if it is empty. Incremented
- options compatibility string version number to 4.
-* Fixed typo in --tls-timeout option parsing
- (Mikael Lonnroth).
-
-2004.06.13 -- Version 2.0-beta5
-
-* Fixed rare --mode server crash that could occur
- if data was being routed to a client at
- high bandwidth at the precise moment that the
- client instance object on the server was being
- deleted.
-* Fixed issue on machines which have epoll.h and
- the epoll_create glibc call defined, but which
- don't actually implement epoll in the kernel.
- OpenVPN will now gracefully fall back to the
- poll API in this case.
-* Fixed Windows bug which would cause the following
- error in a --mode server --dev tap configuration:
- "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
- exceeded".
-* Added CRL (certificate revocation list) management
- scripts to easy-rsa directory (Jon Bendtsen).
-* Do a better job of getting the ifconfig component
- of the options consistency check to work correctly
- when --up-delay is used.
-* De-inlined some functions which were too complex
- to be inlined anyway with gcc.
-* If a --dhcp-option option is pushed to a non-windows
- client, the option will be saved in the client's
- environment before the --up script is called, under
- the name "foreign_option_{n}".
-* Added --learn-address script (see man page) which
- allows for firewall access through the VPN to be
- controlled based on the client common name.
-* In mode --server mode, when a client connects to
- the server, the server will disconnect any
- still-active clients which use the same common
- name. Use --duplicate-cn flag to revert to
- previous behavior of allowing multiple clients
- to concurrently connect with the same common name.
-
-2004.06.08 -- Version 2.0-beta4
-
-* Fixed issue with beta3 where Win32 service wrapper
- was keying off of old TAP HWID as a dependency. To
- ensure that the new service wrapper is correctly
- installed, the Windows install script will uninstall
- the old wrapper before installing the new one,
- causing a reset of service properties.
-* Fixed permissions issue on --status output file,
- with default access permissions of owner read/write
- only (default permissions can be changed of course with
- chmod).
-
-2004.06.05 -- Version 2.0-beta3
-
-* More changes to TAP-Win32 driver's INF file which
- affects the placement of the driver in the Windows
- device namespace. This is done to work around an
- apparent bug in Windows when short HWIDs are used,
- and will also ease the upgrade from 1.x to 2.0 by
- reducing the chances that a reboot will be needed
- on upgrade. Like beta2, this upgrade will
- delete existing TAP-Win32 interfaces, and reinstall
- a single new interface with default properties.
-* Major rewrite of I/O event wait layer in the style
- of libevent. This is a precursor to TCP support
- in --mode server.
-* New feature: --status. Outputs a SIGUSR2-like
- status summary to a given file, updated once
- per n seconds. The status file is comma delimited
- for easy machine parsing.
-* --ifconfig-pool now remembers common names and
- will try to assign a consistent IP to a given
- common name. Still to do: persist --ifconfig-pool
- memory across restarts by saving state in file.
-* Fixed bug in event timer queue which could cause
- recurring timer events such as --ping to not
- correctly schedule again after firing. This in
- turn would cause spurrious ping restarts and possible
- connection outages. Thanks to Denis Vlasenko for
- tracking this down.
-* Possible fix to reported bug where --daemon argument
- was not printing to syslog correctly after restart.
-* Fixed bug where pulling --route or --dhcp-option
- directives from a server would problematically
- interact with --persist-tun on the client.
-* Updated contrib/multilevel-init.patch (Farkas Levente).
-* Added RPM build option to .spec and .spec.in files
- to optionally disable LZO inclusion (Ian Pilcher).
-* The latest MingW runtime and headers define
- 'ssize_t', so a patch is needed (Gisle Vanem).
-
-2004.05.14 -- Version 2.0-beta2
-
-* Fixed signal handling bug in --mode server, where
- SIGHUP and SIGUSR1 were treated as SIGTERM.
-* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
- Apparently the larger string may work around
- a problem where the TAP adapter is sometimes missing
- from the network connections panel, especially under
- XP SP2. Also note that installing this upgrade will
- uninstall any pre-existing TAP-Win32 adapters, and then
- install a single new adapter, meaning that old adapter
- properties will be lost. Thanks to Md5Chap for solving
- this one.
-* For --mode server --dev tap, the options --ifconfig and
- --ifconfig-pool are now optional. This allows address
- assignment via DHCP or use of a TAP VPN without
- IP support, as has always been possible with 1.x.
-* Fixed bug where --ifconfig may not work correctly on
- Linux 2.2.
-* Added 'local' flag to --redirect-gateway for use on
- networks where both OpenVPN daemons are connected
- to a shared subnet, such as wireless.
-
-2004.05.09 -- Version 2.0-beta1
-
-* Unchanged from test29 except for version number
- upgrade.
-
-2004.05.08 -- Version 2.0-test29
-
-* Modified --dev-node on Windows to accept a TAP-Win32
- GUID name. In addition, --show-adapters will now
- display the high-level name and GUID of each adapter.
- This is an attempt to work around an issue in Windows
- where sometimes the TAP-Win32 adapter installs correctly
- but has no icon in the network connections control
- panel. In such cases, being able to specify
- --dev-node {TAP-GUID} can work around the missing icon.
-
-2004.05.07 -- Version 2.0-test28
-
-* Fixed bug which could cause segfault on program
- shutdown if --route and --persist-tun are used
- together.
-
-2004.05.06 -- Version 2.0-test27
-
-* Fixed bug in close_instance() which might cause
- memory to be accessed after it had already been freed.
-* Fixed bug in verify_callback() that might have
- caused uninitialized data to be referenced.
-* --iroute now allows full CIDR subnet routing.
-* In "--mode server --dev tun" usage, source addresses
- on VPN packets coming from a particular client must
- be associated with that client in the OpenVPN internal
- routing table.
-
-2004.04.28 -- Version 2.0-test26
-
-* Optimized broadcast path in multi-client mode.
-* Added socket buffer size options --rcvbuf & --sndbuf.
-* Configure Linux tun/tap driver to use a more sensible
- txqueuelen default. Also allow explicit setting
- via --txqueuelen option (Harald Roelle).
-* The --remote option now allows the port number
- to be specified as the second parameter. If
- unspecified, the port number defaults to the
- --rport value.
-* Multiple --remote options on the client can now be
- specified for load balancing and failover. The
- --remote-random flag can be used to initially randomize
- the --remote list for basic load balancing.
-* If a remote DNS name resolves to multiple DNS addresses,
- one will be chosen by random as a kind of basic
- load-balancing feature if --remote-random is used.
-* Added --connect-freq option to control maximum
- new connection frequency in multi-client mode.
-* In multi-client mode, all syslog messages associated
- with a specific client now include a client-ID prefix.
-* For Windows, use a gettimeofday() function based
- on QueryPerformanceCounter (Derek Burdick).
-* Fixed bug in interaction between --key-method 2
- and DES ciphers, where dynamic keys would be generated
- with bad parity and then be rejected.
-
-2004.04.17 -- Version 2.0-test24
-
-* Reworked multi-client broadcast handling.
-
-2004.04.13 -- Version 2.0-test23
-
-* Fixed bug in --dev tun --client-to-client routing.
-* Fixed a potential deadlock in --pull.
-* Fixed a problem with select() usage which could
- cause a repeating sequence of "select : Invalid
- argument (code=22)"
-
-2004.04.11 -- Version 2.0-test22
-
-* Fixed bug where --mode server + --daemon was
- prematurely closing syslog connection.
-* Added support for --redirect-gateway on Mac OS X
- (Jeremy Apple).
-* Minor changes to TAP-Win32 driver based on feedback
- from the NDISTest tool.
-
-2004.04.11 -- Version 2.0-test21
-
-* Optimizations in multi-client server event loop.
-
-2004.04.10 -- Version 2.0-test20
-
-* --mode server capability now works with either tun
- or tap interfaces. When used with tap interfaces,
- OpenVPN will internally bridge all client tap
- interfaces with the server tap interface.
-* Connecting clients can now have a client-specific
- configuration on the server, based on the client
- common name embedded in the client certificate.
- See --client-config-dir and --client-connect.
- These options can be used to configure client-specific
- routes.
-* Added an option --client-to-client that enables
- internal client-to-client routing or bridging.
- Otherwise, clients will only "see" the server,
- not other connected clients.
-* Fixed bug in route scheduling which would have caused
- --mode server to not work on Windows in test18
- and test19 with the sample config file.
-* Man page is up to date with all new options.
-* OpenVPN 2.0 release notes on web site updated
- with tap-style tunnel examples.
-
-2004.04.02 -- Version 2.0-test19
-
-* Fixed bug where routes pushed from server were
- not working correctly on Windows clients.
-* Added Mac OS X route patch (Jeremy Apple).
-
-2004.03.30 -- Version 2.0-test18
-
-* Minor fixes + Windows self-install modified
- to use OpenSSL 0.9.7d.
-
-2004.03.29 -- Version 2.0-test17
-
-* Fixed some bugs related to instance timeout and deletion.
-* Extended --push/--pull option to support additional
- option classes.
-
-2004.03.28 -- Version 2.0-test16
-
-* Successful test of --mode udp-server, --push,
- --pull, and --ifconfig-pool with server on
- Linux 2.4 and clients on Linux and Windows.
-
-2004.03.25 -- Version 2.0-test15
-
-* Implemented hash-table lookup of client instances
- based either on remote UDP address/port or remote
- ifconfig endpoint.
-* Implemented a randomized binary tree based
- scheduler for scalably scheduling a large number
- of client instance events. Uses the treap
- data structure and node rotation algorithm
- to keep the tree balanced.
-* Initial implementation of ifconfig-pool.
-* Made --key-method 2 the default.
-
-2004.03.20 -- Version 2.0-test14
-
-* Implemented --push and --pull.
-
-2004.03.20 -- Version 2.0-test13
-
-* Reduced struct tls_multi and --single-session
- memory footprint.
-* Modified --single-session flag to be used
- in multi-client UDP server client instances.
-
-2004.03.19 -- Version 2.0-test12
-
-* Added the key multi-client UDP server options,
- --mode, --push, --pull, and --ifconfig-pool.
-* Revamped GC (garbage collection) code to not rely
- on any global data.
-* Modifications to thread.[ch] to allow a more
- flexible thread model.
-
-2004.03.16 -- Version 2.0-test11
-
-* Moved all timer code to interval.h, added new file
- interval.c.
-* Fixed missing include.
-
-2004.03.16 -- Version 2.0-test10
-
-* More TAP-Win32 fixes.
-* Initial debugging and testing of multi.[ch].
-
-2004.03.14 -- Version 2.0-test9
-
-* Branch merge with 1.6-rc3
-* More point-to-multipoint work in multi.[ch].
-* Major TAP-Win32 driver restructuring to use
- NdisMRegisterDevice instead of
- IoCreateDevice/IoCreateSymbolicLink.
-* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
- pathname prefix.
-* In the majority of cases, TAP-Win32 should now be
- able to install and uninstall on Win2K without requiring
- a reboot.
-* TAP-Win32 MAC address can now be explicitly set in the
- adapter advanced properties page.
-
-2004.03.04 -- Version 2.0-test8
-
-* Branch merge with 1.6-rc2.
-
-2004.03.03 -- Version 2.0-test7
-
-* Branch merge with 1.6-rc1.2.
-
-2004.03.02 -- Version 2.0-test6
-
-* Branch merge with 1.6-rc1.
-
-2004.03.02 -- Version 2.0-test5
-
-* Move Socks5 UDP header append/remove to socks.c, and is
- called from forward.c.
-* Moved verify statics from ssl.c into struct tls_session.
-* Wrote multi.[ch] to handle top level of point-to-multipoint
- mode.
-* Wrote some code to allow a struct link_socket in a child context
- to be slaved to the parent context.
-* Broke up packet read and process functions in forward.c
- (from socket or tuntap) into separate functions for read
- and process, so that point-to-point and point-to-multipoint can
- share the same code.
-* Expand TLS control channel to allow the passing of configuration
- commands.
-* Wrote mroute.[ch] to handle internal packet routing for
- point-to-multipoint mode.
-
-2004.02.22 -- Version 2.0-test3
-
-* Initial work on UDP multi-client server.
-* Branch merge of 1.6-beta7
-
-2004.02.14 -- Version 2.0-test2
-
-* Refactorization of openvpn.c into openvpn.[ch]
- init.[ch] forward.[ch] forward-inline.h
- occ.[ch] occ-inline.h ping.[ch] ping-inline.h
- sig.[ch]. Created a master per-tunnel
- struct context in openvpn.h.
-* Branch merge of 1.6-beta6.2
-
-2003.11.06 -- Version 2.0-test1
-
-* Initial testbed for 2.0.
-
-2004.05.09 -- Version 1.6.0
-
-* Unchanged from 1.6-rc4 except for version number
- upgrade.
-
-2004.04.01 -- Version 1.6-rc4
-
-* Made minor customizations to devcon and
- renamed as tapinstall.exe for Windows version.
-* Fixed "storage size of `iv' isn't known" build
- problem on FreeBSD.
-* OpenSSL 0.9.7d bundled with Windows self-install.
-
-2004.03.13 -- Version 1.6-rc3
-
-* Minor Windows fixes for --ip-win32 dynamic, relating to
- the way the TAP-Win32 driver responds to a DHCP request
- from the Windows DHCP client.
-* The net_gateway environmental variable wasn't being
- set correctly for called scripts (Paul Zuber).
-* Added code to determine the default gateway on FreeBSD,
- allowing the --redirect-gateway option to work
- (Juan Rodriguez Hervella).
-
-2004.03.04 -- Version 1.6-rc2
-
-* Fixed bug in Windows version where the NetBIOS node-type
- DHCP option might have been passed even if it was not
- specified.
-* Fixed bug in Windows version introduced in 1.6-rc1, where
- DHCP timeout would be set to 0 seconds if --ifconfig option
- was used and --ip-win32 option was not explicitly specified.
-* Added some new --dhcp-option types for Windows version.
-
-2004.03.02 -- Version 1.6-rc1
-
-* For Windows, make "--ip-win32 dynamic" the default.
-* For Windows, make "--route-delay 10" the default
- unless --ip-win32 dynamic is not used or --route-delay
- is explicitly specified.
-* L_TLS mutex could have been left in a locked state
- for certain kinds of TLS errors.
-
-2004.02.22 -- Version 1.6-beta7
-
-* Allow scheduling priority increase (--nice) together
- with UID/GID downgrade (--user/--group).
-* Code that causes SIGUSR1 restart on TLS errors in TCP
- mode was not activated in pthread builds.
-* Save the certificate serial number in an environmental
- variable called tls_serial_{n} prior to calling the
- --tls-verify script. n is the current cert chain level.
-* Added NetBSD IPv6 tunnel capability (also requires
- a kernel patch) (Horst Laschinsky).
-* Fixed bug in checking the return value of the nice()
- function (Ian Pilcher).
-* Bug fix in new FreeBSD IPv6 over TUN code which was
- originally added in 1.6-beta5 (Nathanael Rensen).
-* More Socks5 fixes -- extended the struct frame
- infrastructure to accomodate proxy-based encapsulation
- overhead.
-* Added --dhcp-option to Windows version for setting
- adapter properties such as WINS & DNS servers.
-* Use a default route-delay of 5 seconds when
- --ip-win32 dynamic is specified (only applicable when
- --route-delay is not explicitly specified).
-* Added "log_append" registry variable to control
- whether the OpenVPN service wrapper on Windows
- opens log files in append (log_append="1") or
- truncate (log_append="0") mode. The default
- is truncate.
-
-2004.02.05 -- Version 1.6-beta6
-
-* UDP over Socks5 fix to accomodate Socks5 encapsulation
- overhead (Christof Meerwald).
-* Minor --ip-win32 dynamic tweaks (use long lease time,
- invalidate existing lease with DHCPNAK).
-
-2004.02.01 -- Version 1.6-beta5
-
-* Added Socks5 proxy support (Christof Meerwald).
-* IPv6 tun support for FreeBSD (Thomas Glanzmann).
-* Special TAP-Win32 debug mode for Windows self-install that was
- enabled in beta4 is now turned off.
-* Added some new Solaris notes to INSTALL (Koen Maris).
-* More work on --ip-win32 dynamic.
-
-2004.01.27 -- Version 1.6-beta4
-
-* For this beta, the Windows self-install is a debug version
- and will run slower -- use only for testing.
-* Reverted the --ip-win32 default back to 'ipapi'
- from 'dynamic'.
-* Added the offset parameter to '--ip-win32 dynamic' which
- can be used to control the address of the masqueraded
- DHCP server which replies to Windows DHCP requests.
-* Added a wait/nowait option to --inetd (nowait can only
- be used with TCP sockets, TLS authentication, and over
- a bridged configuration -- see FAQ for more info)
- (Stefan `Sec` Zehl).
-* Added a build-time capability where TAP-Win32 driver
- debug messages can be output by OpenVPN at --verb 6
- or higher.
-
-2004.01.20 -- Version 1.6-beta2
-
-* Added ./configure --enable-iproute2 flag which
- uses iproute2 instead of route + ifconfig --
- this is necessary for the LEAF Linux distro
- (Martin Hejl).
-* Added renewal-time and rebind-time to set of
- DHCP options returned by the TAP-Win32 driver when
- "--ip-win32 dynamic" is used.
-
-2004.01.14 -- Version 1.6-beta1
-
-* Fixed --proxy bug that sometimes caused plaintext
- control info generated by the proxy prior to http
- CONNECT method establishment to be incorrectly
- parsed as OpenVPN data.
-* For Windows version, implemented the
- "--ip-win32 dynamic" method and made it the default.
- This method sets the TAP-Win32 adapter IP address
- and netmask by replying to the kernel's DHCP queries.
- See the man page for more detailed info.
-* Added --connect-retry parameter which controls
- the time interval (in seconds) between connect()
- retries when --proto tcp-client is used. Previously,
- this value was hardcoded to 5 seconds, and still
- defaults as such.
-* --resolv-retry can now be used with a parameter
- of "infinite" to retry indefinitely.
-* Added SSL_CTX_use_certificate_chain_file() to ssl.c
- for support of multi-level certificate chains
- (Sten Kalenda).
-* Fixed --tls-auth incompatibility with 1.4.x and earlier
- versions of OpenVPN when the passphrase file is an
- OpenVPN static key file (as generated by --genkey).
-* Added shell-escape support in config files using
- the backslash character ("\") so that (for example)
- double quotes can be passed to the shell.
-* Added "contrib" subdirectory on tarball, source zip,
- and CVS containing user-submitted contributions.
-* Added an optional patch to the Redhat init script to
- allow the configuration file directory to be a
- multi-level directory hierarchy (Farkas Levente).
- See contrib/multilevel-init.patch
-* Added some scripts and documentation on using
- Linux "fwmark" iptables rules to enable
- fine-grained routing control over the VPN
- (Sean Reifschneider, <jafo@tummy.com>).
- See contrib/openvpn-fwmarkroute-1.00
-
-2003.11.20 -- Version 1.5.0
-
-* Minor documentation changes.
-
-2003.11.04 -- Version 1.5-beta14
-
-* Fixed build problem with ./configure --disable-ssl
- that was reported on Debian woody.
-* Fixed bug where --redirect-gateway could not be used
- together with --resolv-retry.
-
-2003.11.03 -- Version 1.5-beta13
-
-* Added CRL (certificate revocation list) capability using
- --crl-verify option (Stefano Bracalenti).
-* Added --replay-window option for variable replay-protection
- window sizes.
-* Fixed --fragment bug which might have caused certain large
- packets to be sent unfragmented.
-* Modified --secret and --tls-auth to permit different cipher and
- HMAC keys to be used for each data flow direction. Also
- increased static key file size generated by --genkey from
- 1024 to 2048 bits, where 512 bits each are reserved for
- send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
- and backward compatibility is maintained. See --secret option
- documentation on the man page for more info.
-* Added --tls-remote option (Teemu Kiviniemi).
-* Fixed --tls-cipher documention regarding correct delimiter
- usage (Teemu Kiviniemi).
-* Added --key-method option for selecting alternative data
- channel key negotiation methods. Method 1 is the default.
- Method 2 has been added (see man page for more info).
-* Added French translation of HOWTO to web site
- (Guillaume Lehmann).
-* Fixed problem caused by late resolver library load on
- certain platforms when --resolv-retry and --chroot are
- used together (Teemu Kiviniemi).
-* In TCP mode, all decryption or TLS errors will abort the current
- connection (this is not done in UDP mode because UDP is
- "connectionless").
-* Fixed a TCP client reconnect bug that only occurs on the
- BSDs, where connect() fails with an invalid argument. This
- bug was partially (but not completely) fixed in beta7.
-* Added "route_net_gateway" environmental variable which contains
- the pre-existing default gateway address from the routing table
- (there's no standard API for getting the default gateway, so
- right now this feature only works on Windows or Linux).
-* Renamed the "route_default_gateway" enviromental variable to
- "route_vpn_gateway" -- this is the remote VPN endpoint.
-* The special keywords vpn_gateway, net_gateway, and remote_host
- can now be used for the network or gateway components of the
- --route option. See the man page for more info.
-* Added the --redirect-gateway option to configure the VPN
- as the default gateway (implemented on Linux and Windows only).
-* Added the --http-proxy option with basic authentication
- support for use in TCP client mode. Successfully tested
- using Squid as the HTTP proxy, with and without authentication.
-
-2003.10.12 -- Version 1.5-beta12
-
-* Fixed Linux-only bug in --mktun and --rmtun which was
- introduced around beta8 or so, which would cause
- an error such as "I don't recognize device tun0 as a
- tun or tap device1".
-* Added --ifconfig-nowarn option to disable options
- consistency warnings about --ifconfig parameters.
-* Don't allow any kind of sequence number backtracking or
- message reordering when in TCP mode.
-* Changed beta naming convention to use '_' (underscore)
- rather than '-' (dash) to pacify rpmbuild.
-
-2003.10.08 -- Version 1.5-beta11
-
-* Modified code in the Windows version which sets the IP address
- and netmask of the TAP-Win32 adapter using the IP Helper API.
- Most of the changes involve better error recovery when
- the IP Helper API returns an error status. See the
- manual page entry on --ip-win32 for more info.
-
-2003.10.08 -- Version 1.5-beta10
-
-* Added getpass() function for Windows version so that --askpass
- option works correctly (Stefano Bracalenti).
-* Added reboot advisory to end of Win32 install script.
-* Changed crypto code to use pseudo-random IVs rather than
- carrying forward the IV state from the previous packet.
- This is in response to item 2 in the following document:
- http://www.openssl.org/~bodo/tls-cbc.txt which points
- out weaknesses in TLS's use of the same IV carryforward
- approach. This change does not break protocol compatibility
- with previous versions of OpenVPN.
-* Made a change to the crypto replay protection code to also
- protect against certain kinds of packet reordering attacks.
- This change does not break protocol compatibility with
- previous versions of OpenVPN.
-* Added --ip-win32 option to provide several choices for
- setting the IP address on the TAP-Win32 adapter.
-* #ifdefed out non-CBC crypto modes by default.
-* Added --up-delay option to delay TUN/TAP open and --up script
- execution until after connection establishment. This option
- replaces the earlier windows-only option --tap-delay.
-
-2003.10.01 -- Version 1.5-beta9
-
-* Fixed --route-noexec bug where option was not parsed correctly.
-* Complain if --dev tun is specified without --ifconfig on Windows.
-* Fixed bug where TCP connections on windows would sometimes cause
- an assertion failure.
-* Added a new flag to TAP-Win32 advanced properties that allows one
- to set the adapter to be always "connected" even when an OpenVPN
- process doesn't have it open. The default behavior is to report
- a media status of connected only when an OpenVPN process has the
- adapter open.
-* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
- DLLs in response to an OpenSSL security advisory.
-
-2003.09.30 -- Version 1.5-beta8
-
-* Extended the --ifconfig option to work on tap devices as well
- as tun devices.
-* Implemented the --ifconfig option for Windows, by calling the
- netsh tool.
-* By default, do an "arp -d *" on Windows after TAP-Win32 open to
- refresh the MAC cache. This behaviour can be disabled with
- --no-arp-del.
-* On Windows, allow the --dev-node parameter (which specifies
- the name of the TAP-Win32 adapter) to be omitted in cases where
- there is a single TAP-Win32 adapter on the system which can be
- assumed to be the default.
-* Modified the diagnostic --verb 5 debugging level to print 'R'
- for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
- and 'w' for TUN/TAP write.
-* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
- mode.
-* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
-* Make the --enable-mtu-dynamic ./configure option enabled by
- default.
-* Deprecated the --mtu-dynamic run-time option, in favor of
- --fragment.
-* DNS names can now be used as --ifconfig parameters.
-* Significant work on TAP-Win32 driver to bring up to SMP standards.
-* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
- unloaded or disabled, while a user-space process has it open.
-* On Windows, if --tun-mtu is not specified, it will be read from
- the TAP-Win32 driver via ioctl.
-* On Windows, added TAP-Win32 driver status info to "F2" keyboard
- signal (only when run from a console window).
-* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
-* Renamed --mtu-dynamic option to --fragment to more accurately
- reflect its function. Fragment accepts a single parameter which
- is the upper limit on acceptable UDP packet size.
-* Changed default --tun-mtu-extra parameter to 32 from 64.
-* Eliminated reference to malloc.o in configure.ac.
-* Added tun device emulation to the TAP-Win32 driver.
-* Added --route and related options.
-* Added init script for SuSE Linux (Frank Plohmann).
-* Extended option consistency check between peers to function
- in all crypto modes, including static-key and cleartext modes.
- Previously only TLS mode was supported. Disable with
- --disable-occ.
-* Overall, increased the amount of configuration option sanity
- checking, especially of networking parameters.
-* Added --mtu-test option for empirical MTU measurement.
-* Added Windows-only option --tap-delay to not set the TAP-Win32
- adapter media state to 'connected' until TCP/UDP connection
- establishment with peer.
-* Slightly modified --route/--route-delay semantics so that when
- --route is given without --route-delay, routes are added
- immediately after tun/tap device open. When --route-delay is
- specified, routes will be added n seconds after connection
- initiation, where n is the --route-delay parameter (which
- can be set to 0).
-* Made TCP framing error into a non-fatal error that triggers a
- connection reset.
-
-2003.08.28 -- Version 1.5-beta7
-
-* Fixed bug that caused OpenVPN not to respond to exit/restart
- signals when --resolv-retry is used and a local or remote DNS
- name cannot be resolved.
-* Exported a series of environmental variables with useful
- info for scripts. See man page for more info. Based
- on a suggestion by Anthony Ciaravalo.
-* Moved TCP/UDP socket bind to a point in the initialization
- before the --up script gets called. This is desirable
- because (a) a socket bind failure will happen before
- daemonization, allowing an error status code to be returned
- to the shell and (b) the possibility is eliminated of a
- socket bind failure causing the --up script to be run
- but not the --down script. This change has a side effect
- that --resolv-retry will no longer work with --local.
-* Fixed bug where if an OpenVPN TCP server went down and back
- up again, Solaris or FreeBSD clients would fail to reconnect
- to it.
-* Fixed bug that prevented OpenVPN from being run by
- inetd/xinetd in TCP mode.
-* Added --log and --log-append options for logging messages to
- a file.
-* On Windows, check that the current user is a member of the
- Administrator group before attempting install or uninstall.
-
-2003.08.16 -- Version 1.5-beta6
-
-* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
-
-2003.08.14 -- Version 1.5-beta5
-
-* Added user-configurability of the TAP-Win32 adapter MTU
- through the adapter advanced properties page.
-* Added Windows Service support.
-* On Windows, added file association and right-clickability
- for .ovpn files (OpenVPN config files).
-
-2003.08.05 -- Version 1.5-beta4
-
-* Extra refinements and error checking added to Windows
- NSIS install script.
-
-2003.08.05 -- Version 1.5-beta3
-
-* Added md5.h include to crypto.c to fix build problem on
- OpenBSD.
-* Created a Win32 installer using NSIS.
-* Removed DelService command from TAP-Win32 INF file. It appears
- to be not necessary and it interfered with the ability to
- uninstall and reinstall the driver without needing to reboot.
-* On Windows version, added "addtap" and "deltapall" batch
- files to add and delete TAP-Win32 adapter instances.
-
-2003.07.31 -- Version 1.5-beta2
-
-* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
- in Windows ASCII so it's easier to click and view.
-* Added postscript and PDF versions of the HOWTO to the web
- site (C R Zamana).
-* Merged Michael Clarke's stability patch into TAP-Win32
- driver which appears to fix the suspend/resume driver bug
- and significantly improve driver stability.
-* Added Christof Meerwald's Media Status patch to the
- TAP-Win32 driver which shows the TAP adapter to be
- disconnected when OpenVPN is not running.
-* Moved socket connect and TCP server listen code to a later
- point in openvpn() function so that the TCP server listen
- state is entered after daemonization.
-* Added keyboard shortcuts to simulate signals in the Windows
- version, see the window title bar for descriptions.
-
-2003.07.24 -- Version 1.5-beta1
-
-* Added TCP support via the new --proto option.
-* Renamed udp-centric options such as --udp-mtu to
- --link-mtu (old option names preserved for compatibility).
-* Ported to Windows 2000 + XP using mingw and a TAP driver
- derived from the Cipe-Win32 project by Damion K. Wilson.
-* Added --show-adapters flag for windows version.
-* Reworked the SSL/TLS packet acknowledge code to better
- handle certain corner cases.
-* Turned off the default enabling of IP forwarding in the
- sample-scripts/openvpn.init script for Redhat.
- Forwarding can be enabled by users in their --up scripts
- or firewall config.
-* Added --up-restart option based on suggestion from Sean
- Reifschneider.
-* If --dev tap or --dev-type tap is specified, --tun-mtu
- defaults to 1500 and --tun-mtu-extra defaults to 64.
-* Enabled --verb 5 debugging mode that prints 'R' and 'W'
- for each packet read or write on the TCP/UDP socket.
-
-2003.08.04 -- Version 1.4.3
-
-* Added md5.h include to crypto.c
- to fix build problem on OpenBSD.
-
-2003.07.15 -- Version 1.4.2
-
-* Removed adaptive bandwidth from
- --mtu-dynamic -- its absence appears
- to work better than its existence (1.4.1.2).
-* Minor changes to --shaper to fix long
- retransmit timeouts at low bandwidth
- (1.4.1.2).
-* Added LOG_RW flag to openvpn.h for
- debugging (1.4.1.2).
-* Silenced spurious configure warnings (1.4.1.2).
-* Backed out --dev-name patch, modified --dev
- to offer equivalent functionality (1.4.1.4).
-* Added an optional parameter to --daemon and
- --inetd to support the passing of a custom
- program name to the system logger (1.4.1.5).
-* Add compiled-in options to the program title
- (1.4.1.5).
-* Coded the beginnings of a WIN32 port (1.4.1.5).
-* Succeeded in porting to Win32 Mingw environment
- and running loopback tests (1.4.1.6). Still
- need a kernel driver for full Win32
- functionality.
-* Fixed a bug in error.h where
- HAVE_CPP_VARARG_MACRO_GCC was misspelled.
- This would have caused a significant slowdown
- of OpenVPN when built by compilers that
- lack ISO C99 vararg macros (1.4.1.6).
-* Created an init script for Gentoo Linux
- in ./gentoo directory (1.4.1.6).
-
-2003.05.15 -- Version 1.4.1
-
-* Modified the Linux 2.4 TUN/TAP open code to
- fall back to the 2.2 TUN/TAP interface if the
- open or ioctl fails.
-* Fixed bug when --verb is set to 0 and non-fatal
- socket errors occur, causing 100% CPU utilization.
- Occurs on platorms where
- EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
- such as Linux 2.4.
-* Fixed typo in tun.c that was preventing
- OpenBSD build.
-* Added --enable-mtu-dynamic configure option
- to enable --mtu-dynamic experimental option.
-
-2003.05.07 -- Version 1.4.0
-
-* Added --replay-persist feature to allow replay
- protection across sessions.
-* Fixed bug where --ifconfig could not be used
- with --tun-mtu.
-* Added --tun-mtu-extra parameter to deal with
- the situation where a read on a TUN/TAP device
- returns more data than the device's MTU size.
-* Fixed bug where some IPv6 support code for
- Linux was not being properly ifdefed out for
- Linux 2.2, causing compile errors.
-* Added OPENVPN_EXIT_STATUS_x codes to
- openvpn.h to control which status value
- openvpn returns to its caller (such as
- a shell or inetd/xinetd) for various conditions.
-* Added OPENVPN_DEBUG_COMMAND_LINE flag to
- openvpn.h to allow debugging in situations
- where stdout, stderr, and syslog cannot be used
- for message output, such as when OpenVPN is
- instantiated by inetd/xinetd.
-* Removed owner-execute permission from file
- created by static key generator (Herbert Xu
- and Alberto Gonzalez Iniesta).
-* Added --passtos option to allow IPv4 TOS bits
- to be passed from TUN/TAP input packets to
- the outgoing UDP socket (Craig Knox).
-* Added code to prevent open socket file descriptors
- from being accessible to called scripts.
-* Added --dev-name option (Christian Lademann).
-* Added --mtu-disc option for manual control
- over MTU options.
-* Show OS MTU value on UDP socket write failures
- (linux only).
-* Numerous build system and portability
- fixes (Matthias Andree).
-* Added better sensing of compiler support for
- variable argument macros, including (a) gcc
- style, (b) ISO C 1999 style, and (c) no support.
-* Removed generated files from CVS. Note INSTALL
- file for new CVS build commands.
-* Changed certain internal symbol names
- for C standards compliance.
-* Added TUN/TAP open code to cycle dynamically
- through unit numbers until it finds a free
- unit (based on code from Thomas Gielfeldt
- and VTun).
-* Added dynamic MTU and fragmenting infrastructure
- (Experimental). Rebuild with FRAGMENT_ENABLE
- defined to enable.
-* Minor changes to SSL/TLS negotiation, use
- exponential backoff on retransmits, and use
- a smaller MTU size (note that no protocol
- changes have been made which would break
- compatibility with 1.3.x).
-* Added --enable-strict-options flag
- to ./configure. This option will cause
- a more strict check for options compatibility
- between peers when SSL/TLS negotiation is used,
- but should only be used when both OpenVPN peers
- are of the same version.
-* Reorganization of debugging levels.
-* Added a workaround in configure.ac for
- default SSL header location on Linux
- to fix RH9 build problem.
-* Fixed potential deadlock when pthread support
- is used on OSes that allocate a small socketpair()
- message buffer.
-* Fixed openvpn.init to be sh compliant
- (Bishop Clark).
-* Changed --daemon to wait until all
- initialization is finished before becoming a
- daemon, for the benefit of initialization
- scripts that want a useful return status from
- the openvpn command.
-* Made openvpn.init script more robust, including
- positive indication of initialization errors
- in the openvpn daemon and better sanity checks.
-* Changed --chroot to wait until initialization
- is finished before calling chroot(), and allow
- the use of --user and --group with --chroot.
-* When syslog logging is enabled (--daemon or
- --inetd), set stdin/stdout/stderr to point
- to /dev/null.
-* For inetd instantiations, dup socket descriptor
- to a >2 value.
-* Fixed bug in verify-cn script, where test would
- incorrectly fail if CN=x was the last component
- of the X509 composite string (Anonymous).
-* Added Markus F.X.J. Oberhumer's special
- license exception to COPYING.
-
-2002.10.23 -- Version 1.3.2
-
-* Added SSL_CTX_set_client_CA_list call
- to follow the canonical form for TLS initialization
- recommended by the OpenSSL docs. This change allows
- better support for intermediate CAs and has no impact
- on security.
-* Added build-inter script to easy-rsa package, to
- facilitate the generation of intermediate CAs.
-* Ported to NetBSD (Dimitri Goldin).
-* Fixed minor bug in easy-rsa/sign-req. It refers to
- openssl.cnf file, instead of $KEY_CONFIG, like all
- other scripts (Ernesto Baschny).
-* Added --days 3650 to the root CA generation command
- in the HOWTO to override the woefully small 30 day
- default (Dominik 'Aeneas' Schnitzer).
-* Fixed bug where --ping-restart would sometimes
- not re-resolve remote DNS hostname.
-* Added --tun-ipv6 option and related infrastructure
- support for IPv6 over tun.
-* Added IPv6 over tun support for Linux (Aaron Sethman).
-* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
- INSTALL (Matthias Andree).
-* Added inetd/xinetd support (--inetd) including
- documentation in the HOWTO.
-* Added "Important Note on the use of commercial certificate
- authorities (CAs) with OpenVPN" to HOWTO based on
- issues raised on the openvpn-users list.
-
-2002.07.10 -- Version 1.3.1
-
-* Fixed bug in openvpn.spec and openvpn.init
- which caused RPM upgrade to fail.
-
-2002.07.10 -- Version 1.3.0
-
-* Added --dev-node option to allow explicit selection of
- tun/tap device node.
-* Removed mlockall call from child thread, as it doesn't
- appear to be necessary (child thread inherits mlockall
- state from parent).
-* Added --ping-timer-rem which causes timer for --ping-exit
- and --ping-restart not to run unless we have a remote IP
- address.
-* Added condrestart to openvpn.init and openvpn.spec
- (Bishop Clark).
-* Added --ifconfig case for FreeBSD (Matthias Andree).
-* Call openlog with facility=LOG_DAEMON (Matthias Andree).
-* Changed LOG_INFO messages to LOG_NOTICE.
-* Added warning when key files are group/others accessible.
-* Added --single-session flag for TLS mode.
-* Fixed bug where --writepid would segfault if used with
- an invalid filename.
-* Fixed bug where --ipchange status message was formatted
- incorrectly.
-* Print more concise error message when system() call
- fails.
-* Added --disable-occ option.
-* Added --local, --remote, and --ifconfig options sanity
- check.
-* Changed default UDP MTU to 1300 and TUN/TAP MTU to
- 1300.
-* Successfully tested with OpenSSL 0.9.7 Beta 2.
-* Broke out debug level definitions to errlevel.h
-* Minor documentation and web site changes.
-* All changes maintain protocol compatibility
- with OpenVPN versions since 1.1.0, however default
- MTU changes will require setting the MTU explicitly
- by command line option, if you want 1.3.0 to
- communicate with previous versions.
-
-2002.06.12 -- Version 1.2.1
-
-* Added --ping-restart option to restart
- connection on ping timeout using SIGUSR1
- logic (Matthias Andree).
-* Added --persist-tun, --persist-key,
- --persist-local-ip, and --persist-remote-ip
- options for finer-grained control over SIGUSR1
- and --ping-restart restarts. To
- replicate previous SIGUSR1 functionality,
- use --persist-remote-ip.
-* Changed residual IV fetching code to take
- IV from tail of ciphertext.
-* Added check to make sure that CFB or OFB
- cipher modes are only used with SSL/TLS
- authentication mode, and added a caveat
- to INSTALL.
-* Changed signal handling during initialization
- (including re-initialization during restarts)
- to exit on SIGTERM or SIGINT and ignore other
- signals which would ordinarily be caught.
-* Added --resolv-retry option to allow
- retries on hostname resolution.
-* Expanded the --float option to also
- allow dynamic changes in source port number
- on incoming datagrams.
-* Added --mute option to limit repetitive
- logging of similar message types.
-* Added --group option to downgrade GID
- after initialization.
-* Try to set ifconfig path automatically
- in configure.
-* Added --ifconfig code for Mac OS X
- (Christoph Pfisterer).
-* Moved "Peer Connection Initiated" message
- to --verb level 1.
-* Successfully tested with
- OpenSSL 0.9.7 Beta 1 and AES cipher.
-* Added RPM notes to INSTALL.
-* Added ACX_PTHREAD (from the autoconf
- macro archive) to configure.ac
- to figure out the right pthread
- options for a given platform.
-* Broke out macro definitions from
- configure.ac to acinclude.m4.
-* Minor changes to docs and HOWTO.
-* All changes maintain protocol compatibility
- with OpenVPN versions since 1.1.0.
-
-2002.05.22 -- Version 1.2.0
-
-* Added configuration file support via
- the --config option.
-* Added pthread support to improve latency.
- With pthread support, OpenVPN
- will offload CPU-intensive tasks such as RSA
- key number crunching to a background thread
- to improve tunnel packet forwarding
- latency. pthread support can be enabled
- with the --enable-pthread configure option.
- Pthread support is currently available
- only for Linux and Solaris.
-* Added --dev-type option so that tun/tap
- device names don't need to begin with
- "tun" or "tap".
-* Added --writepid option to write main
- process ID to a file.
-* Numerous portability fixes to ease
- porting to other OSes including changing
- all network types to uint8_t and uint32_t,
- and not assuming that time_t is 32 bits.
-* Backported to OpenSSL 0.9.5.
-* Ported to Solaris.
-* Finished OpenBSD port except for
- pthread support.
-* Added initialization script:
- sample-scripts/openvpn.init
- (Douglas Keller)
-* Ported to Mac OS X (Christoph Pfisterer).
-* Improved resilience to DoS attacks when
- TLS mode is used without --remote or
- --tls-auth, or when --float is used
- with --remote. Note however that the best
- defense against DoS attacks in TLS mode
- is to use --tls-auth.
-* Eliminated automake/autoconf dependency
- for non-developers.
-* Ported configure.in to configure.ac
- and autoconf 2.50+.
-* SIGHUP signal now causes OpenVPN to restart
- and re-read command line and or config file,
- in conformance with canonical daemon behaviour.
-* SIGUSR1 now does what SIGHUP did in
- version 1.1.1 and earlier -- close and reopen
- the UDP socket for use when DHCP changes
- host's IP address and preserve most recently
- authenticated peer address without rereading
- config file.
-* SIGUSR2 added -- outputs current statistics,
- including compression statistics.
-* All changes maintain protocol compatibility
- with 1.1.1 and 1.1.0.
-
-2002.04.22 -- Version 1.1.1
-
-* Added --ifconfig option to automatically configure
- TUN device.
-* Added inactivity disconnect (--inactive
- and --ping-exit options).
-* Added --ping option to keep stateful firewalls
- from timing out.
-* Added sanity check to command line parser to
- err if any TLS options are used in non-TLS mode.
-* Fixed build problem with compiler environments that
- define printf as a macro.
-* Fixed build problem on linux systems that have
- an integrated TUN/TAP driver but lack the persistent
- tunnel feature (TUNSETPERSIST). Some linux kernels
- >= 2.4.0 and < 2.4.7 fall into this category.
-* Changed all calls to EVP_CipherInit to use explicit
- encrypt/decrypt mode in order to fix problem with
- IDEA-CBC and AES-256-CBC ciphers.
-* Minor changes to control channel transmit limiter
- algorithm to fix problem where TLS control channel
- might not renegotiate within the default 60 second window.
-* Simplified man page examples by taking advantage
- of the new --ifconfig option.
-* Minor changes to configure.in to check more
- rigourously for OpenSSL 0.9.6 or greater.
-* Put back openvpn.spec, eliminated
- openvpn.spec.in.
-* Modified openvpn.spec to reflect new automake-based
- build environment (Bishop Clark).
-* Other documentation changes.
-* Added --test-crypto option for debugging.
-* Added "missing" and "mkinstalldirs" automake
- support files.
-
-
-2002.04.09 -- Version 1.1.0
-
-* Strengthened replay protection and IV handling,
- extending it fully to both static key and
- TLS dynamic key exchange modes.
-* Added --mlock option to disable paging and ensure that key
- material and tunnel data is never paged to disk.
-* Added optional traffic shaping feature to cap the maximum
- data rate of the tunnel.
-* Converted to automake (The Platypus Brothers 2002-04-01).
-* Ported to OpenBSD by Janne Johansson.
-* Added --tun-af-inet option to work around an incompatibility
- between Linux and BSD tun drivers.
-* Sequence number-based replay protection using the
- IPSec sliding window model is now the default,
- disable with --no-replay.
-* Explicit IV is now the default, disable with --no-iv.
-* Disabled all cipher modes except CBC, CFB, and OFB.
-* In CBC mode, use explicit IV and carry forward residuals,
- using IPSec model.
-* In CFB/OFB mode, IV is timestamp, sequence number.
-* Eliminated --packet-id, --timestamp, and max-delta parameter to
- the --tls-auth option as they are now supplanted by improved
- replay code which is enabled by default.
-* Eliminated --rand-iv as it is now obsolete with improved
- IV code.
-* Eliminated --reneg-err option as it increases vulnerability
- to DoS attacks.
-* Added weak key check for DES ciphers.
-* --tls-freq option is no longer specified on the command line,
- instead it now inherits its parameter from the
- --tls-timeout option.
-* Fixed bug that would try to free memory on exit that was
- never malloced if --comp-lzo was not specified.
-* Errata fixed in the man page examples: "test-ca" should be
- "tmp-ca".
-* Updated manual page.
-* Preliminary work in porting to OpenSSL 0.9.7.
-* Changed license to allowing linking with OpenSSL.
-
-2002.03.29 -- Version 1.0.3
-
-* Fixed a problem in configure with library ordering on the
- command line.
-
-2002.03.28 -- Version 1.0.2
-
-* Improved the efficiency of the inner event loop.
-* Fixed a minor bug with timeout handling.
-* Improved the build system to build on RH 6.2 through 7.2.
-* Added an openvpn.spec file for RPM builders (Bishop Clark).
-
-2002.03.23 -- Version 1.0
-
-* Added TLS-based authentication and key exchange.
-* Added gremlin mode to stress test.
-* Wrote man page.
-
-2001.12.26 -- Version 0.91
-
-* Added any choice of cipher or HMAC digest.
-
-2001.5.13 -- Version 0.90
-
-* Initial release.
-* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.
+Release branches (release/2.5, release/2.4, etc) have individual ChangeLog
+files with all changes relevant for these releases.
projects / thirdparty / openvpn.git / blobdiff