OpenVPN ChangeLog
Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
2026.02.11 -- Version 2.7.0

Frank Lichtenheld (3):
  crypto: Do not claim we will remove support for BF-CBC in 2.7
  Update the clang-format reference version to 21.1.8
  Review Changes.rst for 2.7.0 release

Max Fillinger (1):
  Mbed TLS 4: Add more algorithms


2026.01.28 -- Version 2.7_rc6

Arne Schwabe (1):
  Silence compiler truncation warning by checking snprintf return value

Frank Lichtenheld (16):
  crypto_openssl: Fix various conversion warnings
  cryptoapi: Avoid conversion warnings
  ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku
  socket: Avoid conversion warning in get_addr_generic
  ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option
  port-share: Check return value of fork()
  openvpnserv: Fix conversion warnings in interactive.c
  openvpnserv: Factor out the string conversion from GetItfDnsDomains
  openvpnserv: Add a first unit test
  GHA: Update mbedtls to v4
  route: Fix conversion warnings on BSDs
  socket: Remove ifdef for SO_{RCV, SND}BUF
  test_openvpnserv: Make sure to include config.h
  GHA: Run openvpnserv UT for MinGW builds
  status: Avoid conversion warnings in status_read/status_printf
  manage: Do not trigger actions on management disconnect if not authenticated

Gert Doering (1):
  tunnel_server(): close correct inotify fd

Heiko Hund (1):
  Prevent NULL pointer dereference with --dns-updown

Max Fillinger (1):
  Add support for Mbed TLS 4


2026.01.15 -- Version 2.7_rc5

Arne Schwabe (5):
  Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers
  Allow test-crypto to work without the --secret argument
  Fix warnings on Android about unused variables/methods
  Require script-security 2 when using unix: tun
  Correctly handle sender jumping exactly epoch_data_keys_future_count

Frank Lichtenheld (12):
  tests/unit_tests: Port to cmocka 2.0.0 API
  GHA: Maintenance update January 2026
  Update Copyright statements to 2026
  Fix building test_tls_crypt with cmocka 2.0
  configure.ac: Clean up systemd support
  socks: Replace magic "10" for socks header with macro
  socks: Fix wrong success check in socks_username_password_auth
  socket: Remove old 'dynamic remote' feature
  socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply
  ssl_verify: Fix parsing of timeout from auth pending file
  error: Remove our implementation of static_assert
  forward: Avoid conversion warning in ipv6_send_icmp_unreachable

Gert Doering (3):
  remove ENABLE_X509ALTUSERNAME conditional
  Repair interaction between DCO and persist-tun after reconnection
  OpenVPN Release 2.7_rc5


2025.12.17 -- Version 2.7_rc4

Arne Schwabe (4):
  Clarify some code in epoch with better comments
  Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
  Fix dco with null cipher being enabled without auth none
  Change ssl_ctx in struct tls_options to be a pointer

Frank Lichtenheld (19):
  Documentation: Various syntax fixes and text improvements
  CMake: For VS build, switch from /W2 to /W3
  socket: Initialize struct in_addr_t in getaddr()
  GHA: Add minGW Release build
  tun: Refactor BSD write_tun/read_tun
  tun: Change return type of write_tun/read_tun to ssize_t
  Remove some obsolete references to --windows-driver
  options: Remove some verbose error messages for options deprecated in 2.4
  Correct documentation for --ns-cert-type
  buffer: Change limits for array_mult_safe
  mbuf: Add unit tests
  options: Avoid some conversion warnings
  schedule: Rework documentation for schedule_add_entry
  multi: Fix wrong sigma value in multi_push_restart_schedule_exit
  multi: Fix type handling for hashes, mostly inotify_watchers
  multi: Fix various conversion warnings
  manage: Avoid several conversion warnings by using the correct types
  buffer: Change buf_prepend and buf_advance to accept ssize_t for length
  multi: Warn about failing read in multi_process_file_closed()

Gianmarco De Gregori (2):
  mudp: fix unaligned 32-bit read when parsing peer ID
  Deprecate --fast-io option

Heiko Hund (1):
  iservice: set adapter DNS only with search domains

Klemens Nanni (1):
  Prevent crash on invalid server-ipv6 argument

Lev Stipakov (1):
  tun.c: set IPv4 address temporary on Windows

Max Fillinger (1):
  Drop Mbed TLS 2.X compatibility

Moritz Fain (1):
  PUSH_UPDATE: fix option reset logic in continuation messages

Selva Nair (2):
  Set UTF-8 as the codepage using manifest declaration
  pull-filter: improve documentation

Simon Matter (1):
  Add CAP_SYS_NICE to the positive list in systemd service files

Steffan Karger (1):
  mbedtls: gracefully exit if certificate file is NULL


2025.11.28 -- Version 2.7_rc3

Frank Lichtenheld (9):
  doc: Document potential filesystem pitfalls of client-config-dir
  GHA: Maintenance update November 2025
  GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS
  tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
  Changes.rst: Fix various syntax errors and typos
  error: Allow status argument to check_status to be ssize_t
  Linux: Assume we have a kernel that was released in the last 15 years
  configure/CMake: Remove unused checks
  configure/CMake: Unify Windows handling

Gert Doering (4):
  Change '--multihome' behaviour regarding egress interface selection.
  extract_x509_field_ssl(): verify that X509_NAME is not NULL.
  Remove remainders of --no-name-remapping option
  OpenVPN Release 2.7_rc3

Gianmarco De Gregori (2):
  multi-socket: remove duplicated/dead code
  multi-socket: do not return tuntap flags on server-side

Heiko Hund (9):
  iservice: fix buffer size in call to FormatMessage
  iservice: make sure buffer size is not zero
  iservice: make sure registry string is terminated
  iservice: check for NULL pointer
  iservice: fix calculation of converted domains size
  iservice: return correct size when domains are truncated
  iservice: handle ignoring itf domains correctly
  iservice: fix off by one error
  iservice: rename one_glyph to glyph_size

Lev Stipakov (1):
  interactive.c: harden pipe handling against misbehaving clients

Marco Baffo (1):
  route: handle default gateway (net_gateway) and nexthop towards VPN server separately

Max Fillinger (1):
  Add option to check tls-crypt-v2 key timestamps

Ralf Lici (1):
  dco: process messages immediately after read

Selva Nair (3):
  vcpkg-ports/pkcs11-helper: bump version to 1.31
  Harden interactive service pipe
  Restrict access to the service pipe to SYSTEM and owner


2025.11.17 -- Version 2.7_rc2

Antonio Quartulli (4):
  test_networking: use appropriate assert helpers
  unit_tests: prefer proper cmocka assert helpers
  init: make some functions static
  options: remove --opt-verify functionality

Arne Schwabe (3):
  Do not underestimate number of encrypted/decrypted AEAD blocks
  Fix construction of invalid pointer in tls_pre_decrypt
  Fix memcmp check for the hmac verification in the 3way handshake being inverted

Frank Lichtenheld (17):
  manage: Correctly handle port 65535 in man_kill
  pkcs11_openssl: Silence a conversion warning
  Enable -Wtype-limits by default (via -Wextra)
  ssl: Change tls_send_payload size argument to size_t
  openssl_compat: Avoid conversion warning for SSL_get_negotiated_group
  pkcs11: Avoid some conversion warnings
  ssl: change return type of calc_control_channel_frame_overhead to size_t
  otime: Fix various conversion warnings
  interval: Fix conversion warning
  forward: Change context_reschedule_sec sec argument to time_t
  tls_crypt: Avoid some conversion warnings
  ssl: Fix conversion warning in tls_prepend_opcode_v1
  ssl: Change update argument of compute_earliest_wakeup to time_t
  ssl: Clean up type handling in write_string()
  ssl: Clean up type handling in export_user_keying_material()
  ssl: Clean up type handling in parse_early_negotiation_tlvs()
  ssl_pkt: Avoid conversion warnings

Gert Doering (5):
  FreeBSD DCO: repair incoming 'delete peer' notifications in p2p client mode
  dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications
  dco_freebsd: implement dco_get_peer_stats()
  FreeBSD DCO: repair --inactive
  dco_freebsd.c: fix integer warnings

Heiko Hund (7):
  iservice: fix DNS address list generation
  msvc: fix struct initialization for v19 compilers
  iservice: validate config path better
  win: remove checks for PATHCCH_ENSURE_TRAILING_SLASH
  iservice: validate config path case-insensitive
  iservice: make sure directories have trailing backslash
  iservice: use saved iface index to restore metric

Lev Stipakov (5):
  tapctl: use better wording for adapters
  tapctl: factor out command handlers
  recursive routing: fixes and clean-ups
  tapctl: make output of 'list' and 'create' commands more verbose
  tapctl: refactor 'create' command

Marco Baffo (1):
  PUSH_UPDATE server: update reporting_addr after ifconfig update

Mikhail Khachaiants (1):
  socket: reject mismatched address family in get_addr_generic

Selva Nair (2):
  openvpnserv: Disallow stdin as config unless user is authorized
  Use correct undo_list when clearing DNS addresses


2025.10.29 -- Version 2.7_rc1

Antonio Quartulli (1):
  sitnl: set FD_CLOEXEC on socket to prevent abuse

Arne Schwabe (12):
  Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
  Avoid possible race condition that kills OpenVPN itself
  Add ASSERT to afunix code that dev_node is always set up the way we expect
  Warn if push is used without --mode server/--server/--server-bridge
  Fix logic when pushed cipher triggers tun reopen and ignore more options
  Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled
  Remove --memstats feature
  clean up environment variable handling in verify_user_pass_script
  fix key_state_gen_auth_control_files probably checking file creation
  Fix warnings about conversion from int to unsigned char/uint8_t
  Ensure return value of snprintf is correctly checked
  Ensure that get_sigtype always returns non-NULL

Christian Kujau (2):
  doc: Fix hyperlinks in openvpn(8)
  doc: HTTPS upgrades and URL fixes throughout the tree

Frank Lichtenheld (18):
  test_dhcp: Start a dhcp helper functions UT
  CONTRIBUTING: Update outdated/obsolete information
  schedule: Fix conversion warning
  win32: Change some APIs to use DWORD instead of size_t
  dhcp: Clean up type handling of write_dhcp_*
  init: Fix datav2_enabled check in options import
  socket: Wrap winsock functions to avoid common conversion warnings
  proxy: factor out recv_char code common with socks proxy
  proxy: factor out send code common with socks proxy
  push_util: Make send_push_update static
  ssl_util: Fix conversion warning in get_num_elements
  push_util: Fix conversion warnings
  multi: Fix wrong usage of mroute_extract_openvpn_sockaddr
  mroute: Remove unused mask argument of mroute_get_in*
  gremlin: Avoid some conversion warnings
  crypto_backend: Change len argument of md_ctx_update to size_t
  mudp/mtcp: Remove -Wconversion pragmas
  manage: Change kill_by_addr to use better types for port/proto

Gert Doering (3):
  remove redundant PULL_DEFINED() macro definition
  zeroize struct image in packet_id_persist_save() before writing to disk
  OpenVPN Release 2.7_rc1

Heiko Hund (2):
  iservice: use interface index with netsh
  iservice: check return value of MultiByteToWideChar

Joshua Rogers (1):
  tcp: apply CLOEXEC to accepted socket, not listener

Lev Stipakov (1):
  interactive.c: add the upper bound for startupdata size

Marco Baffo (2):
  PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6)
  PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements

Max Fillinger (1):
  Zeroize tls-crypt-v2 client keys

Ralf Lici (5):
  options: warn and ignore --reneg-bytes/pkts when DCO is enabled
  dco-freebsd: store peer stats directly in c2
  dco: remove dco_read/write_bytes from dco_context_t
  dco-freebsd: fix peer stats storage on client instances
  management: ensure consistent BYTECOUNT timing on server

Selva Nair (3):
  pkcs11_management_id_get: Free certificate object after use
  Canonicalize config_dir before comparing with the config file location
  Add -lpathcch for mingw32 builds using autotools

Steffan Karger (1):
  Remove perf.c/perf.h


2025.10.13 -- Version 2.7_beta3

Arne Schwabe (2):
  Allow installing FreeBSD routes with interface instead of next-hop
  Allow route_ipv6_match_host to be used outside of route.c

Frank Lichtenheld (33):
  GHA: Dependency updates September 2025
  comp-lz4: Fix types in call to LZ4_decompress_safe
  dco_win: In dco_new_key, document size assumptions for the integer casts
  dco_linux: Fix -Wconversion warnings
  ssl_openssl: Use uint16_t internally for TLS versions
  dco: Change sd argument to dco_new_peer from int to socket_descriptor_t
  crypto_epoch: Clean up type handling in ovpn_expand_label()
  route: Fix a unused-but-set-variable warning on OpenBSD
  platform: Do not assume uid_t/gid_t are signed
  mtu: Trivial -Wconversion fix
  Review CMocka assertion usage
  dhcp: Fix conversion warnings
  COPYING: Remove licenses for software bundled in the Windows client
  sitnl: Clean up type handling
  options: Factor out parsing code to separate options_parse.c
  unit_tests: Remove useless wrapping for argv/buffer tests
  crypto: Make some casts to int explicit
  test_options_parse: Start new UT for options_parse.c
  buffer: Fix buf_parse eating input
  test_options_parse: Add test for read_config_string
  vlan: Remove -Wconversion override
  GHA: Run options_parse test for MinGW
  test_options_parse: Do not use uintmax_t instead of LargestIntegralType
  proto: Clean up conversion warnings related to checksum macros
  test_options_parse: Remove --wrap
  lzo: Fix conversion warning
  options_util: Fix conversion warning in atoi_constrained
  options: Review use of positive_atoi vs atoi_constrained
  console: Simplify query_user_add interface
  socks: Fix conversion warnings with MinGW
  Move build_dhcp_options_string from tun to dhcp
  dhcp: Replace DHCP Option types with defines
  test_user_pass: Check fatal errors for empty username/password

Lev Stipakov (4):
  dco-win: fix broken ASSERT in dco_new_key
  dco-win: support for epoch data channel
  Preserve ifconfig(_ipv6)_local across reconnect
  Make recursive routing check more fine-grained

Marco Baffo (4):
  PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled
  PUSH_UPDATE server: bug-fix, reset buffer after processing
  PUSH_UPDATE server: check IV_PROTO before sending the message to the client
  redirect-gateway: only redirect traffic through TUN if address families match

Selva Nair (1):
  Fix PIN cache time in test_pkcs11.c

Steffan Karger (1):
  Document that tls-crypt-v2 can be used in connection profile


2025.09.25 -- Version 2.7_beta2

Antonio Quartulli (1):
  dco: add standard mi prefix handling to multi_process_incoming_dco()

Arne Schwabe (1):
  Switch test_ssl certificate from RSA 2048 to secp384r1

Frank Lichtenheld (22):
  openvpn_PRF: Change API to use size_t for lengths
  ssl_common: Make sure ssl flags are treated as unsigned
  options: Factor out usages of strtoll and atoll
  ps: Clean up conversion warnings in journal_add function
  events: Make sure rwflags are treated as unsigned
  manage: Change command_line_* API to use size_t for lengths
  Introduce msglvl_t to unify msglevel type handling
  socket: Change resolve flags to unsigned int
  list: Make types of hash elements consistent
  ssl: Fix -Wconversion warnings in pem_password_callback
  ssl_verify: Change backend_x509_* functions to size_t for lengths
  Handle return type of EVP_MD_size
  Clean up conversion warnings related to base64_{en, de}code
  configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend
  Enable a subset of -Wextra
  socks: factor out socks_proxy_recv_char()
  multi_io_init: simplify
  dns: Fix bug in error handling when talking to script
  Enable -Wconversion -Wno-sign-conversion by default
  Make unit tests -Wconversion clean
  ps: Fix conversion warnings related to send/recv return values
  event: Silence conversion warning in tv_to_ms_timeout

Gert Doering (5):
  replace assert() calls with ASSERT()
  remove newline characters at the end of msg() calls
  dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message
  fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
  Fix t_net.sh / networking_testdriver after 'broadcast' change

Gianmarco De Gregori (2):
  Multi-socket win: avoid repeated socket_set()
  Fix multi-socket and dco-win interaction

Lev Stipakov (5):
  Preserve --dhcp-option values from local config
  win: replace wmic invocation with powershell
  openvpnserv: Fix writing messages to the event log
  GHA: collect more artifacts for mingw builds
  Validate DNS parameters

Marco Baffo (1):
  push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update()

Max Fillinger (1):
  Rename Fox Crypto to Sentyron in copyright notices

Sebastian Marsching (1):
  Bugfix: Set broadcast address on interface.


2025.09.04 -- Version 2.7_beta1

Arne Schwabe (1):
  Check message id/acked ids too when doing sessionid cookie checks

Frank Lichtenheld (27):
  Update text of GPL to latest version from FSF
  Update GPL header in all source files to current recommended version
  Define a .clang-format file for the project
  Disable clang-format for some code parts
  Update git-pre-commit-uncrustify.sh to handle clang-format
  GHA: enable -Werror for mbedTLS v3 and AWS LC builds
  Reformat the whole project with clang-format
  Fix build error with clang-cl on latest Windows SDK
  clang-format: Switch to ColumnLimit 0
  Add clang-format reformat commit to .git-blame-ignore-revs
  Remove uncrustify config and reformat-all.sh
  buffer: remove unused function buf_write_alloc_prepend
  t_client.sh: Do not wait 3 seconds for OpenVPN to come up
  Collect trivial conversion fixes
  options: Fix --hash-size virtual argument
  Clean up documentation for --tun-mtu-max
  comp: Make sure comp flags are treated as unsigned
  crypto: Make sure crypto flags are treated as unsigned
  options: Make sure option types are treated as unsigned
  route: Make sure various route flags are treated as unsigned
  socket: Create socket_util with non-socket functions
  Add new unit test module test_socket
  socket_util: Clean up conversion warnings in add_in6_addr
  manage: Make sure various management flags are treated as unsigned
  forward: Make sure pip flags are treated as unsigned
  options: Introduce atoi_constrained and review usages of atoi_warn
  ssl_openssl: Fix type of sslopts argument to SSL_CTX_set_options

Gert Doering (3):
  Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
  Introduce env variables to communicate desired gateway redirection to NM.
  OpenVPN Release 2.7_beta1

Gianmarco De Gregori (1):
  dco: avoid printing mi prefix on debug messages

Heiko Hund (1):
  dns: fix systemd dns-updown script

Ilia Shipitsin (1):
  GHA: limit 'Deploy Doxygen documentation' to main repo only

Lev Stipakov (3):
  Log setting DNS via NRPT
  dco-win: add support for multipeer stats
  Refactor management bytecount tracking

Marco Baffo (1):
  PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages

Ralf Lici (3):
  management: resync timer on bytecount interval change
  dco_linux: validate tun interface before fetching stats
  management: stop bytecount on client disconnection

Samuli Seppänen (2):
  Add sample FFDH parameters file and use that in t_server_null tests


2025.07.31 -- Version 2.7_alpha3

Antonio Quartulli (10):
  README.dco: update Linux instructions
  dco_linux: fix case statement by using proper error value
  dco_linux: use M_FATAL instead of M_ERR in netlink error code paths
  dco_linux: rearrange functions
  multi: store multi_context address inside top instance
  dco: only pass struct context to init function
  dco_linux: factor out netlink notification code
  dco_linux: fix async message reception
  multi: make some multi_*() functions static
  dco_linux: clean up PEER_GET trigger and parser

Arne Schwabe (1):
  Cleanup/simplify mbed TLS related define from autoconf

Christian Schürmann (1):
  Replace deprecated OpenSSL.crypto.load_crl

Frank Lichtenheld (8):
  packet_id: Fix build with --disable-debug
  Fix new doxygen warnings about using @return in void functions
  Fix compiler warning in reliable.c with --disable-debug
  reliable: Review and fix gc_arena usage
  configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
  GHA: Dependency updates July 2025
  plugins: Clean up -Wconversion warnings
  options: Simplify function setenv_foreign_option

Gert Doering (3):
  mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs
  unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
  OpenVPN Release 2.7_alpha3

Gianmarco De Gregori (2):
  Route: add support for user defined routing table
  Multi-socket: Fix assert triggered by stale peer-id reuse

Heiko Hund (9):
  dns: add updown script for macOS
  fix macOS dns-updown handling of parallel full redirects
  run forced --dns-updown without --script-security
  dns: create NRPT registry key if it doesn't exist
  dns: do not run updown scripts with lwipovpn
  prevent search domain races with macOS dns-updown
  move macOS dns-updown common code into functions
  mac dns: compare servers before restoring backup
  mac dns: do not run dns-updown in parallel

Kristof Provost (3):
  dco: support float notifications on FreeBSD
  dco-freebsd: always enable float notification support
  dco-freebsd: pass address scope to the kernel

Lev Stipakov (4):
  Fix broken DHCP options
  Fix --dns options for TAP adapter
  Fix DNS options duplication on PUSH_UPDATE
  Fix wrong byte order of --dns server

Marco Baffo (3):
  PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime.
  PUSH_UPDATE: Added remove_option() and do_update().
  PUSH_UPDATE: Added update_option() function.

Ralf Lici (5):
  dco linux: avoid redefining ovpn enums
  dco linux: avoid sending local port to ovpn
  dco: Add support for float notifications
  improve float collision logging
  add flag to print addresses in a consistent format during float

Samuli Seppänen (2):
  t_server_null: add multi-socket testing
  t_server_null: match test numbers with server numbers

Terrance (1):
  Update systemd service name param to match command

rein.vanbaaren (1):
  Added PQE to WolfSSL


2025.06.18 -- Version 2.7_alpha2

Antonio Quartulli (1):
  dco_linux: enable extended netlink error reporting

Arne Schwabe (1):
  Add missing header in unit tests Makefile.am

Frank Lichtenheld (6):
  Remove contrib/pull-resolv-conf
  Update copyright statements to 2025
  Do not segfault on missing --dh in server config
  Delete old sample-windows file and obsolete Windows sample handling
  t_server_null: Test different permutations of --dh
  Fix various badly placed comments in preparation for reformat

Gert Doering (1):
  OpenVPN Release 2.7_alpha2

Gianmarco De Gregori (1):
  Multi-socket: local_list clean-up

Heiko Hund (2):
  fix typo in haikuos dns-updown script
  dns: deal with --dhcp-options when --dns is active

Max Fillinger (2):
  Use mbedtls_ssl_export_keying_material()
  mbedtls: Allow TLS 1.3 if available

Ralf Lici (1):
  Preserve socket protocol during float processing

Samuli Seppänen (1):
  t_server_null: print error when server startup fails


2025.05.28 -- Version 2.7_alpha1

5andr0 (1):
  Implement server_poll_timeout for socks

Alexander von Gluck (4):
  Haiku: Introduce basic platform / tun support
  Haiku: Add calls to manage routing table
  Haiku: change del to delete in route command. del is undocumented
  Haiku: Fix short interface path length

Antonio Quartulli (32):
  disable DCO if --secret is specified
  dco: properly re-initialize dco_del_peer_reason
  dco: bail out when no peer-specific message is delivered
  dco: improve comment about hidden debug message
  dco: print proper message in case of transport disconnection
  dco_linux: update license for ovpn_dco_linux.h
  Update issue templates
  Avoid warning about missing braces when initialising key struct
  dco: don't use NetLink to exchange control packets
  dco: print version to log if available
  dco-linux: remove M_ERRNO flag when printing netlink error message
  multi: don't call DCO APIs if DCO is disabled
  dco-freebsd: use m->instances[] instead of m->hash
  dco-linux: implement dco_get_peer_stats{, multi} API
  configure.ac: fix typ0 in LIBCAPNG_CFALGS
  dco: fix crash when --multihome is used with --proto tcp
  dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
  event/multi: add event_arg object to make event handling more generic
  pass link_socket object to i/o functions
  io_work: convert shift argument to uintptr_t
  io_work: pass event_arg object to event handler in case of socket event
  sitnl: replace NLMSG_TAIL macro with noinline function
  override ai_family if 'local' numeric address was specified
  Adapt socket handling to support listening on multiple sockets
  allow user to specify 'local' multiple times in config files
  dco_linux: extend netlink error cb with extra info
  man: extend --persist-tun section
  dco: pass remoteaddr only for UDP peers
  socket: use remote proto when creating client sockets
  dco_linux: fix peer stats parsing with new ovpn kernel module
  socket: don't transfer bind family to socket in case of ANY address
  dco_linux: avoid bogus text when netlink message is not parsed

Aquila Macedo (1):
  doc: Correct typos in multiple documentation files

Arne Schwabe (190):
  Fix connection cookie not including address and fix endianness in test
  Fix unit test of test_pkt on little endian Linux
  Disable DCO when TLS mode is not used
  Ignore connection attempts while server is shutting down
  Improve debug logging of DCO swap key message and Linux dco_new_peer
  Trigger a USR1 if dco_update_keys fails
  Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
  Ensure that argument to parse_line has always space for final sentinel
  Improve documentation on user/password requirement and unicodize function
  Eliminate or comment empty blocks and switch fallthrough
  Remove unused gc_arena
  Fix corner case that might lead to leaked file descriptor
  Deprecate NTLMv1 proxy auth method.
  Use include "buffer.h" instead of include <buffer.h>
  Ensure that dco keepalive and mssfix options are also set in pure p2p mode
  Make management password check constant time
  Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
  Move dco_installed back to link_socket from link_socket.info.actual
  Do not set nl socket buffer size
  Also drop incoming dco packet content when dropping the packet
  Improve logging when seeing a message for an unknown peer
  Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
  Replace custom min macro and use more C99 style in man_remote_entry_get
  Replace realloc with new gc_realloc function
  Add connect-freq-initial option to limit initial connection responses
  Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
  Deprecate OCC checking
  Workaround: make ovpn-dco more reliable
  Fix unaligned access in auth-token
  Update LibreSSL to 3.7.0 in Github actions
  Add printing USAN stack trace on github actions
  Fix LibreSSL not building in Github Actions
  Add missing stdint.h includes in unit tests files
  Combine extra_tun/frame parameter of frame_calculate_payload_overhead
  Update the last sections in the man page to be a bit less outdated
  Add building unit tests with mingw to github actions
  Revise the cipher negotiation info about OpenVPN3 in the man page
  Exit with a proper message instead of segfault on Android without management
  Use proper print format/casting when converting msg_channel handle
  Reduce initialisation spam from verb <= 3 and print summary instead
  Dynamic tls-crypt for secure soft_reset/session renegotiation
  Set netlink socket to be non-blocking
  Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
  Fix memory leaks in open_tun_dco()
  Fix memory leaks in HMAC initial packet generation
  Use key_state instead of multi for tls_send_payload parameter
  Make sending plain text control message session aware
  Only update frame calculation if we have a valid link sockets
  Improve description of compat-mode
  Simplify --compress parsing in options.c
  Refuse connection if server pushes an option contradicting allow-compress
  Add 'allow-compression stub-only' internally for DCO
  Parse compression options and bail out when compression is disabled
  Remove unused variable line
  Add Apache2 linking with for new commits
  Fix compile error on TARGET_ANDROID
  Fix use-after-free with EVP_CIPHER_free
  Remove key_type argument from generate_key_random
  add basic CMake based build
  Avoid unused function warning/error on FreeBSD (and potentially others)
  Do not blindly assume python3 is also the interpreter that runs rst2html
  Only add -Wno-stringop-truncation on supported compilers
  fix warning with gcc 12.2.0 (compiler bug?)
  Fix CR_RESPONSE management message using wrong key_id
  Print a more user-friendly error when tls-crypt-v2 client auth fails
  Ignore IPv6 route delete request on Android and set ipv4 verbosity to 7
  Mock openvpn_exece on win32 also for test_tls_crypt
  Check if the -wrap argument is actually supported by the platform's ld
  Revert commit 423ced962d
  Implement using --peer-fingerprint without CA certificates
  show extra info for OpenSSL errors
  Remove ability to use configurations without TLS by default
  Add warning for the --show-groups command that some groups are missing
  Print peer temporary key details
  Add warning if a p2p NCP client connects to a p2mp server
  Remove openssl engine method for loading the key
  Add undefined and abort on error to clang sanitize builds
  Add --enable-werror to all platforms in Github Actions
  Remove saving initial frame code
  Double check that we do not use a freed buffer when freeing a session
  Fix using to_link buffer after freed
  Remove CMake custom compiler flags for RELEASE and DEBUG build
  Do not check key_state buffers that are in S_UNDEF state
  Remove unused function prototype crypto_adjust_frame_parameters
  Introduce report_command_status helper function
  Log SSL alerts more prominently
  Remove unused/unneeded/add missing defines from configure/cmake
  Document tls-exit option mainly as test option
  Remove dead remains of extract_x509_field_test
  Replace character_class_debug with proper unit test
  Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
  Fix check_session_buf_not_used using wrong index
  Add missing check for nl_socket_alloc failure
  Add check for nice in cmake config
  Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror
  Remove compat versionhelpers.h and remove cmake/configure check for it
  Rename state_change to continue_tls_process
  Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c
  Fix building mbed TLS with CMake and allow specifying custom directories
  Extend the error message when TLS 1.0 PRF fails
  Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
  Check PRF availability on initialisation and add --force-tls-key-material-export
  Make it more explicit and visible when pkg-config is not found
  Clarify that the tls-crypt-v2-verify has a very limited env set
  Move get_tmp_dir to win32-util.c and error out on failure
  Implement the --tls-export-cert feature
  Use mingw compile definition also to unit tests
  Add test_ssl unit test and test export of PEM to file
  Remove conditional text for Apache2 linking exception
  Fix ssl unit tests on OpenSSL 1.0.2
  Ensure that all unit tests use unbuffered stdout and stderr
  Allow unit tests to fall back to hard coded location
  Add unit test for encrypting/decrypting data channel
  Print SSL peer signature information in handshake debug details
  Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
  Turn dead list test code into unit test
  Use snprintf instead of sprintf for get_ssl_library_version
  Fix snprintf/swnprintf related compiler warnings
  Add bracket in fingerprint message and do not warn about missing verification
  Match ifdef for get_sigtype function with if ifdef of caller
  Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex
  Add missing EVP_KDF_CTX_free in ssl_tls1_PRF
  Replace macos11 with macos14 in github runners
  Remove openvpn_snprintf and similar functions
  Repeat the unknown command in errors from management interface
  Only run coverity scan in OpenVPN/OpenVPN repository
  Support OpenBSD with cmake
  Workaround issue in LibreSSL crashing when enumerating digests/ciphers
  Remove OpenSSL 1.0.2 support
  Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL
  Allow the TLS session to send out TLS alerts
  Properly handle null bytes and invalid characters in control messages
  Allow trailing \r and \n in control channel message
  Add Ubuntu 24.04 runner to Github Actions
  Implement support for AEAD tag at the end
  Remove check for anonymous unions from configure and cmake config
  Make read/write_tun_header static
  Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin
  Move to common backend_driver type in struct tuntap
- Introduce DRIVER_AFUNIX backend for use with lwipovpn
- Change dev null to be a driver type instead of a special mode of tun/tap
- Use print_tun_backend_driver instead of custom code to print type
- Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap
- Ensure that the AF_UNIX socket pair has at least 65k of buffer space
- Fix check for CMake not detecting struct cmsg
- Remove null check after checking for checking for did_open_tun
- Remove a large number of unused structs and functions
- Remove unused methods write_key/read_key
- Refuse clients if username or password is longer than USER_PASS_LEN
- Move should_trigger_renegotiation into its own function
- Change --reneg-bytes and --reneg-packets to 64 bit counters
- Use XOR instead of concatenation for calculation of IV from implicit IV
- Trigger renegotiation of data key if getting close to the AEAD usage limit
- Implement HKDF expand function based on RFC 8446
- Split init_key_ctx_bi into send/recv init
- Move initialisation of implicit IVs to init_key_ctx_bi methods
- Change internal id of packet id to uint64
- Add small unit test for buf_chomp
- Add building/testing with msbuild and the clang compiler
- Ensure that Python3 is available
- Change API of init_key_ctx to use struct key_parameters
- Allow DEFAULT in data-ciphers and report both expanded and user set option
- Do not attempt to decrypt packets anymore after 2**36 failed decryptions
- Add methods to read/write packet ids for epoch data
- Implement methods to generate and manage OpenVPN Epoch keys
- Rename aead-tag-at-end to aead-epoch
- Improve peer fingerprint documentation
- Remove comparing username to NULL in tls_lock_username
- Print warnings/errors when numerical parameters cannot be parsed
- Add unit tests for atoi parsing options helper
- Improve error reporting from AF_UNIX tun/tap support
- Fix typo in positive_atoi
- Fix oversight of link socket code change in Android code path
- Implement epoch key data format
- Extend the unit test for data channel packets with aead limit tests
- Add (fake) Android cmake building
- Add android build to Github Actions
- Reconnect when TCP is on use on network-change management command
- Implement override-username
- Fix incorrect condition for checking password related check
- Directly use _countof in array initialisation
- Improve documentation for override-username
- Mention address if not unspecific on DNS failure
- Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
- Allow tls-crypt-v2 to be setup only on initial packet of a session
- Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid
- Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username
- Also print key agreement when printing negotiated details
- Fix mbed TLS key exporter functionality in 3.6.x and cmake
- Make --dh none behaviour default if not specified
-
-Ben Boeckel (1):
- console_systemd: remove the timeout when using 'systemd-ask-password'
-
-Christoph Schug (1):
- Update documentation references in systemd unit files
-
-Corubba Smith (3):
- Support IPv6 towards port-share proxy receiver
- Document x509-username-fields oid usage
- Remove x509-username-fields uppercasing
-
-David Sommerseth (4):
- ssl_verify: Fix memleak if creating deferred auth control files fails
- ntlm: Clarify details on NTLM phase 3 decoding
- Remove --tls-export-cert
- Remove superfluous x509_write_pem()
-
-Franco Fichtner (1):
- Allow to set ifmode for existing DCO interfaces in FreeBSD
-
-Frank Lichtenheld (174):
- options.c: fix format security error when compiling without optimization
- options.c: update usage description of --cipher
- Update copyright year to 2023
- xkey_pkcs11h_sign: fix dangling pointer
- options: Always define options->management_flags
- check_engine_keys: make pass with OpenSSL 3
- documentation: update 'unsupported options' section
- Changes.rst: document removal of --keysize
- Windows: fix unused function setenv_foreign_option
- Windows: fix unused variables in delete_route_ipv6
- Windows: fix wrong printf format in x_check_status
- Windows: fix unused variable in win32_get_arch
- configure: enable DCO by default on FreeBSD/Linux
- Windows: fix signedness errors with recv/send
- configure: fix formatting of --disable-lz4 and --enable-comp-stub
- tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
- GHA: remove Ubuntu 18.04 builds
- vcpkg: request "tools" feature of openssl for MSVC build
- Do not include net/in_systm.h
- version.sh: remove
- doc: run rst2* with --strict to catch warnings
- man page: Remove cruft from --topology documentation
- tests: do not include t_client.sh in dist
- vcpkg-ports/pkcs11-helper: Make compatible with mingw build
- vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json
- vcpkg-ports/pkcs11-helper: reference upstream PRs in patches
- dco_linux: properly close dco version file
- DCO: fix memory leak in dco_get_peer_stats_multi for Linux
- Fix two unused assignments
- sample-plugins: Fix memleak in client-connect example plugin
- tests: Allow to override openvpn binary used
- test_buffer: add tests for buf_catrunc and its caller format_hex_ex
- buffer: use memcpy in buf_catrunc
- options: remove --key-method from usage message
- msvc-generate: include version.m4.in in tarball
- dist: add more missing files only used in the MSVC build
- vcpkg-ports/pkcs11-helper: rename patches to make file names shorter
- unit_tests: Add missing cert_data.h to source list for unit tests
- dist: Include all documentation in distribution
- CMake: Add complete MinGW and MSVC build
- Remove all traces of the previous MSVC build system
- CMake: Add /Brepro to MSVC link options
- GHA: update to run-vcpkg@v11
- test_tls_crypt: Improve mock() usage to be more portable
- CMake: Throw a clear error when config.h in top-level source directory
- CMake: Support doc builds on Windows machines that do not have .py file association
- Remove old Travis CI related files
- README.cmake.md: Add new documentation for CMake buildsystem
- GHA: refactor mingw UTs and add missing tls_crypt
- GHA: Add macos-13
- options: Do not hide variables from parent scope
- pkcs11_openssl: Disable unused code
- route: Fix overriding return value of add_route3
- CMake: various small non-functional improvements
- GHA: do not trigger builds in openvpn-build anymore
- Remove --no-replay option
- GHA: new workflow to submit scan to Coverity Scan service
- doc: fix argument name in --route-delay documentation
- Change type of frame.mss_fix to uint16_t
- Remove last uses of inet_ntoa
- mss/mtu: make all size calculations use size_t
- dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork
- gerrit-send-mail.py: Add patch version to subject
- Add mbedtls3 GHA build
- platform.c: Do not depend Windows build on HAVE_CHDIR
- sample-keys: renew for the next 10 years
- GHA: clean up libressl builds with newer libressl
- configure.ac: Remove unused AC_TYPE_SIGNAL macro
- documentation: remove reference to removed option --show-proxy-settings
- unit_tests: remove includes for mock_msg.h
- buffer: add documentation for string_mod and extend related UT
- tests: disable automake serial_tests
- documentation: improve documentation of --x509-track
- configure: allow to disable NTLM
- configure: enable silent rules by default
- misc: make get_auth_challenge static
- Remove support for NTLM v1 proxy authentication
- GHA: increase verbosity for make check
- NTLM: add length check to add_security_buffer
- NTLM: increase size of phase 2 response we can handle
- Fix various 'Uninitialized scalar variable' warnings from Coverity
- proxy-options.rst: Add proper documentation for --http-proxy-user-pass
- NTLM: when NTLMv1 is requested, try NTLMv2 instead
- buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
- --http-proxy-user-pass: allow to specify in either order with --http-proxy
- test_user_pass: new UT for get_user_pass
- test_user_pass: Add UTs for character filtering
- gerrit-send-mail: Make output consistent across systems
- README.cmake.md: Document minimum required CMake version for --preset
- documentation: Update and fix documentation for --push-peer-info
- documentation: Fixes for previous fixes to --push-peer-info
- test_user_pass: add basic tests for static/dynamic challenges
- Fix typo --data-cipher-fallback
- samples: Remove tls-*.conf
- check_compression_settings_valid: Do not test for LZ4 in LZO check
- t_client.sh: Allow to skip tests
- gerrit-send-mail: add missing Signed-off-by
- Update Copyright statements to 2024
- GHA: general update March 2024
- samples: Update sample configurations
- documentation: make section levels consistent
- phase2_tcp_server: fix Coverity issue 'Dereference after null check'
- script-options.rst: Update ifconfig_* variables
- crypto_backend: fix type of enc parameter
- tests: fork default automake test-driver
- forked-test-driver: Show test output always
- Change default of "topology" to "subnet"
- Use topology default of "subnet" only for server mode
- Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp
- configure: update old copy of pkg.m4
- LZO: do not use lzoutils.h macros
- test_user_pass: Fix building with --enable-systemd
- Remove "experimental" denotation for --fast-io
- t_server_null.sh: Fix failure case
- configure: Add -Wstrict-prototypes and -Wold-style-definition
- configure: Try to detect LZO with pkg-config
- configure: Switch to C11 by default
- Fix missing spaces in various messages
- console_systemd: rename query_user_exec to query_user_systemd
- configure: Allow to detect git checkout if .git is not a directory
- GHA: Configure Renovate
- configure: Try to use pkg-config to detect mbedTLS
- tun: use is_tun_p2p more consistently
- Various fixes for -Wconversion errors
- generate_auth_token: simplify code
- GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
- GHA: Enable t_server_null tests
- configure: Handle libnl-genl and libcap-ng consistent with other libs
- configure: Review use of standard AC macros
- socket: Change return types of link_socket_write* to ssize_t
- GHA: Pin dependencies
- GHA: Update macOS runners
- GHA: Simplify macOS builds
- Remove support for compression on send
- Fix wrong doxygen comments
- Various typo fixes
- macOS: Assume that net/if_utun.h is always present
- Fix some formatting related to if/else and macros
- Fix memory leak in ntlm_support
- forward: Fix potential unaligned access in drop_if_recursive_routing
- GHA: General update December 2024
- Review doxygen warnings
- Regenerate doxygen config file with doxygen -u
- Fix 'uninitialized pointer read' in openvpn_decrypt_aead
- ssl_openssl: Clean up unused functions and add missing "static"
- Fix some trivial sign-compare compiler warnings
- tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning
- openvpnserv: Fix some inconsistent usages of TEXT()
- Fix doxygen warnings in crypto_epoch.h
- GHA: Drop Ubuntu 20.04 and other maintenance
- GHA: Publish Doxygen documentation to Github Pages
- Add more 'intentional fallthrough' comments
- Remove various unused function parameters
- Remove unused function check_subnet_conflict
- options: Cleanup and simplify options_postprocess_verify_ce
- Apply text-removal.sh script to Windows codebase
- openvpnserv: Clean up use of TEXT() from DNS patches
- Post tchar.h removal cleanup
- Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
- t_server_null_default.rc: Add some tests with --data-ciphers
- GHA: Pin version of CMake for all builds
- GHA: Dependency and Actions update April 2025
- GHA: Make sure renovate notifies us about AWS LC releases
- Doxygen: Fix obsolete links to OpenSSL documentation
- GHA: Use CMake 4.0 and apply required fixes
- Doxygen: Clean up tls-crypt documentation
- Doxygen: Remove useless Python information
- Manually reformat some long trailing comments
- CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path
- CMake: Sync list of compiler flags with configure.ac
- CMake: Reorganize header and symbol tests
- GHA: Dependency and Actions update May 2025
- Doxygen: Fix missing parameter warnings
- Changes.rst: Collect, fix, and improve entries for 2.7 release
-
-George Pchelkin (1):
- fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
-
-Gert Doering (21):
- Change version.m4 to 2.7_git
- bandaid fix for TCP multipoint server crash with Linux-DCO
- Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up
- Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode
- Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO
- Repair special-casing of EEXIST for Linux/SITNL route install
- Get rid of unused 'bool tuntap_buffer' arguments.
- FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well
- Make received OCC exit messages more visible in log.
- OpenBSD: repair --show-gateway
- get_default_gateway() HWADDR overhaul
- make t_server_null 'server alive?' check more robust
- t_client.sh: conditionally skip ifconfig+route check
- send uname() release as IV_PLAT_VER= on non-windows versions
- options: add IPv4 support to '--show-gateway <arg>'
- get_default_gateway(): implement platform support for Linux/SITNL
- get_default_gateway(): implement platform support for Linux/IPROUTE2
- add missing (void) to win32 function declarations
- add more (void) to windows specific function prototypes and declarations
- Make 'lport 0' no longer sufficient to do '--bind'.
- Add information-gathering about DNS resolvers configured to t_client.sh(.in)
-
-Gianmarco De Gregori (17):
- Persist-key: enable persist-key option by default
- Minor fix to process_ip_header
- Http-proxy: fix bug preventing proxy credentials caching
- Ensures all params are ready before invoking dco_set_peer()
- Route: remove incorrect routes on exit
- Fix for msbuild/mingw GHA failures
- multiproto: move generic event handling code in dedicated files
- Fix PASS_BY_VALUE issue in options_postprocess_mutate_le()
- mroute: adapt to new protocol handling and hashing improvements
- mroute/management: repair mgmt client-kill for mroute with proto
- Add support for simultaneous use of UDP and TCP sockets
- Rename occurences of 'struct link_socket' from 'ls' to 'sock'
- Fix FreeBSD-DCO and Multisocket interaction
- manpage: fix HTML format for --local
- Fix dco_win and multisocket interaction
- dco_linux: Introduce new uAPIs
- Explicit-exit-notify and multisocket interaction
-
-Heiko Hund (21):
- dns option: allow up to eight addresses per server
- work around false positive warning with mingw 12
- dns option: remove support for exclude-domains
- cmake: create and link compile_commands.json file
- cmake: symlink whole build dir not just .json file
- Windows: enforce 'block-local' with WFP filters
- add and send IV_PROTO_DNS_OPTION_V2 flag
- dns: store IPv4 addresses in network byte order
- dns: clone options via pointer instead of copy
- service: add utf8to16 function that takes a size
- dns: support multiple domains without DHCP
- dns: do not use netsh to set name server addresses
- win: calculate address string buffer size
- win: implement --dns option support with NRPT
- dns: apply settings via script on unixoid systems
- fix typo in haikuos dns-updown script
- dns: support running up/down command with privsep
- dns: don't publish env vars to non-dns scripts
- dns: fix potential NULL pointer dereference
- win: match search domains when creating exclude rules
- win: fix collecting DNS exclude data
-
-Heiko Wundram (1):
- Implement Windows CA template match for Crypto-API selector
-
-Ilia Shipitsin (3):
- src/openvpn/init.c: handle strdup failures
- sample/sample-plugins/defer/multi-auth.c: handle strdup errors
- tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors
-
-Ilya Shipitsin (1):
- src/openvpn/dco_freebsd.c: handle malloc failure
-
-Juliusz Sosinowicz (1):
- Change include order for tests
-
-Klemens Nanni (1):
- Fix tmp-dir documentation
-
-Kristof Provost (10):
- Read DCO traffic stats from the kernel
- dco: Update counters when a client disconnects
- Read the peer deletion reason from the kernel
- dco: cleanup FreeBSD dco_do_read()
- options.c: enforce a minimal fragment size
- configure: improve FreeBSD DCO check
- dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD
- dco: print FreeBSD version
- DCO: support key rotation notifications
- dco-freebsd: dynamically re-allocate buffer if it's too small
-
-Lev Stipakov (63):
- Rename dco_get_peer_stats to dco_get_peer_stats_multi
- management: add timer to output BYTECOUNT
- Introduce dco_get_peer_stats API and Windows implementation
- git-version.py: proper support for tags
- msvc: upgrade to Visual Studio 2022
- tun: move print_windows_driver() out of tun.h
- openvpnmsica: remove dco installer custom actions
- openvpnmsica: remove unused declarations
- openvpnmsica: fix adapters discovery logic for DCO
- Allow certain DHCP options to be used without DHCP server
- dco-win: use proper calling convention on x86
- Improve format specifier for socket handle in Windows
- Disable DCO if proxy is set via management
- Add logging for windows driver selection process
- Avoid management log loop with verb >= 6
- Support --inactive option for DCO
- Fix '--inactive <time> 0' behavior for DCO
- Print DCO client stats on SIGUSR2
- Don't overwrite socket flags when using DCO on Windows
- Support of DNS domain for DHCP-less drivers
- dco-win: support for --dev-node
- tapctl: generate driver-specific adapter names
- openvpnmsica: link C runtime statically
- tun.c: enclose DNS domain in single quotes in WMIC call
- manage.c: document missing KID parameter
- Set WINS servers via interactice service
- CMake: fix broken daemonization and syslog functionality
- Warn user if INFO control command is too long
- CMake: fix HAVE_DAEMON detection on Linux
- dco-win: get driver version
- dco: warn if DATA_V1 packets are sent to userspace
- config.h: fix incorrect defines for _wopen()
- Make --dns options apply for tap-windows6 driver
- Warn if pushed options require DHCP
- tun.c: don't attempt to delete DNS and WINS servers if they're not set
- win32: Enforce loading of plugins from a trusted directory
- interactive.c: disable remote access to the service pipe
- interactive.c: Fix potential stack overflow issue
- Disable DCO if proxy is set via management
- misc.c: remove unused code
- interactive.c: Improve access control for gui<->service pipe
- Use a more robust way to get dco-win version
- dco: better naming for function parameters
- repair DNS address option
- dco-win: factor out getting dco version
- dco-win: enable mode server on supported configuration
- dco-win: simplify do_close_link_socket()
- route.c: change the signature of get_default_gateway()
- route.c: improve get_default_gateway() logic on Windows
- mudp.c: keep offset value when resetting buffer
- multi.c: add iroutes after dco peer is added
- dco-win: disable dco in server mode if multiple --local options defined
- dco-win: multipeer support
- dco-win: simplify control packets prepend code
- dco-win: kernel notifications
- dco-win: support for iroutes
- dco-win: Fix crash when cancelling pending operation
- Remove UINT8_MAX definition
- win: allow OpenVPN service account to use any command-line options
- ssl_openssl.c: Prevent potential double-free
- win: refactor get_windows_version()
- win: create adapter on demand
- win: remove Wintun support
-
-Marc Becker (5):
- unify code path for adding PKCS#11 providers
- use new pkcs11-helper interface to add providers
- special handling for PKCS11 providers on win32
- vcpkg-ports/pkcs11-helper: support loader flags
- vcpkg-ports/pkcs11-helper: bump to version 1.30
-
-Marco Baffo (3):
- tun: removed unnecessary route installations
- IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified
- get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination
-
-Martin Rys (1):
- openvpn-[client|server].service: Remove syslog.target
-
-Matthias Andree (1):
- make dist: Ship ovpn_dco_freebsd.h, too
-
-Max Fillinger (10):
- Correct tls-crypt-v2 metadata length in man page
- Fix message for too long tls-crypt-v2 metadata
- Add support for mbedtls 3.X.Y
- Update README.mbedtls
- Disable TLS 1.3 support with mbed TLS
- Enable key export with mbed TLS 3.x.y
- Remove license warning from README.mbedtls
- mbedtls: Remove support for old TLS versions
- mbedtls: Warn if --tls-version-min is too low
- Remove HAVE_EXPORT_KEYING_MATERIAL macro
-
-Michael Baentsch (1):
- using OpenSSL3 API for EVP PKEY type name reporting
-
-Michael Nix (1):
- fix typo in help text: --ignore-unknown-option
-
-Qingfang Deng (1):
- dco: fix source IP selection when multihome
-
-Ralf Lici (3):
- Fix check_addr_clash argument order
- Handle missing DCO peer by restarting the session
- Implement ovpn version detection
-
-Reynir Björnsson (2):
- protocol_dump: tls-crypt support
- Only schedule_exit() once
-
-Rémi Farault (1):
- Add calls to nvlist_destroy to avoid leaks
-
-Samuli Seppänen (6):
- Add t_server_null test suite
- t_server_null: multiple improvements and fixes
- t_server_null: persist test log files
- t_server_null: forcibly kill misbehaving servers
- t_server_null: use wait instead of marker files
- Add lwip support to t_server_null
-
-Selva Nair (63):
- Reduce default restart pause to 1 second
- Do not include auth-token in pulled option digest
- Persist DCO client data channel traffic stats on restart
- Add remote-count and remote-entry query via management
- Permit unlimited connection entries and remotes
- Use a template for 'unsupported management commands' error
- Allow skipping multple remotes via management interface
- Properly unmap ring buffer file-map in interactive service
- Use undo_lists for saving ring-buffer handles in interactive service
- Cleanup: Close duplicated handles in interactive service
- Preparing for better signal handling: some code refactoring
- Refactor signal handling in openvpn_getaddrinfo
- Use IPAPI for setting ipv6 routes when iservice not available
- Fix signal handling on Windows
- Assign and honour signal priority order
- Distinguish route addition errors from route already exists
- Propagate route error to initialization_completed()
- Include CE_DISABLED status of remote in "remote-entry-get" response
- Define and use macros for route addition status code
- Warn when pkcs11-id or pkcs11-id-management options are ignored
- Cleanup route error and debug logging on Windows
- Fix one more 'existing route may get deleted' case
- block-dns using iservice: fix a potential double free
- Conditionally add subdir-objects option to automake
- Build unit tests in mingw Windows build
- cyryptapi.c: log the selected certificate's name
- cryptoapi.c: remove pre OpenSSL-3.01 support
- cryptoapi.c: simplify parsing of thumbprint hex string
- Option --cryptoapicert: support issuer name as a selector
- Add a unit test for functions in cryptoapi.c
- Do not save pointer to 'struct passwd' returned by getpwnam etc.
- Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
- Import some sample certificates into Windows store for testing
- Add tests for finding certificates in Windows cert store
- Refactor SSL_CTX_use_CryptoAPI_certificate()
- Add a test for signing with certificates in Windows store
- Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
- Improve error message on short read from socks proxy
- Make error in setting metric for IPv6 interface non-fatal
- Bug-fix: segfault in dco_get_peer_stats()
- Move digest_sign_verify out of test_cryptoapi.c
- Unit tests: Test for PKCS#11 using a softhsm2 token
- Enable pkcs11 an dtest_pkcs11 in github actions
- Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
- Format Windows error message in Unicode
- Bugfix: dangling pointer passed to pkcs11-helper
- Correctly handle Unicode names for exit event
- Interactive service: do not force a target desktop for openvpn.exe
- Improve signal handling using POSIX sigaction
- signal_reset(): combine check and reset operations
- Log OpenSSL errors on failure to set certificate
- Document that auth-user-pass may be inlined
- test_pkcs11.c: set file offset to 0 after ftruncate
- proxy.c: Clear sensitive data after use
- Protect cached username, password and token on client
- Interpret --key and --cert option argument as URI
- Add a test for loading certificate and key to ssl context
- Add a test for loading certificate and key using file: URI
- Initialize before use struct user_pass in ui_reader()
- Static-challenge concatenation option
- Add test for static-challenge concatenation option
- Fix more of uninitialized struct user_pass local vars
- Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
-
-Sergey Korolev (1):
- dco-linux: fix counter print format
-
-Shubham Mittal (2):
- Add compatibility to build OpenVPN with AWS-LC.
- Adding AWS-LC to the OpenVPN CI
-
-Shuji Furukawa (1):
- Improve shuffling algorithm of connection list
-
-Steffan Karger (2):
- Fix IPv6 route add/delete message log level
- Improve data channel crypto error messages
-
-Timo Rothenpieler (1):
- Don't clear capability bounding set on capng_change_id
-
-corubba (2):
- Fix IPv6 in port-share journal
- Fix port-share journal doc
-
-orbea (1):
- configure: disable engines if OPENSSL_NO_ENGINE is defined
-
-rein.vanbaaren (1):
- Fix MBEDTLS_DEPRECATED_REMOVED build errors
-
-wellweek (1):
- remove repetitive words in documentation and comments
-
-yatta (1):
- fix(ssl): init peer_id when init tls_multi
-
+this marks the start of the 2.8 development cycle
+up to the first formal 2.8 pre-release, this file will not be
+maintained - please look at "git log" or "git shortlog v2.7.0..HEAD"
+to see what was changed.
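Review bot: this hunk deletes the entire 2.7.0 release history (every author section from Arne Schwabe through yatta, including fix entries such as "Refuse clients if username or password is longer than USER_PASS_LEN" and "win32: Enforce loading of plugins from a trusted directory") and replaces it with a four-line placeholder that points readers at `git log` / `git shortlog v2.7.0..HEAD`; anyone reading the ChangeLog without the git history therefore loses the record of what went into 2.7.0. Consider keeping the 2.7.0 section below the new placeholder, and giving the placeholder a line in the file's existing "date -- Version" header style so the start of the 2.8 cycle is dated like the release entries it replaces.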