From: Gert Doering
Date: Fri, 13 Feb 2026 12:10:24 +0000 (+0100)
Subject: start release/2.8 development cycle
X-Git-Tag: start_of_2.8^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f4e9de2ad4a8af06ebc5c8dc15a3cb0ab305e12;p=thirdparty%2Fopenvpn.git

start release/2.8 development cycle

this commit starts work on "master" after branching off "release/2.7"

-> version.m4 set to "2.8_git", ChangeLog emptied, Changes.rst prepared for notable news in Release 2.8

Signed-off-by: Gert Doering
---

diff --git a/ChangeLog b/ChangeLog index aff3519d0..b56e9be81 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,1396 +1,8 @@ OpenVPN ChangeLog Copyright (C) 2002-2026 OpenVPN Inc -2026.02.11 -- Version 2.7.0 - -Frank Lichtenheld (3): - crypto: Do not claim we will remove support for BF-CBC in 2.7 - Update the clang-format reference version to 21.1.8 - Review Changes.rst for 2.7.0 release - -Max Fillinger (1): - Mbed TLS 4: Add more algorithms - - -2026.01.28 -- Version 2.7_rc6 - -Arne Schwabe (1): - Silence compiler truncation warning by checking snprintf return value - -Frank Lichtenheld (16): - crypto_openssl: Fix various conversion warnings - cryptoapi: Avoid conversion warnings - ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku - socket: Avoid conversion warning in get_addr_generic - ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option - port-share: Check return value of fork() - openvpnserv: Fix conversion warnings in interactive.c - openvpnserv: Factor out the string conversion from GetItfDnsDomains - openvpnserv: Add a first unit test - GHA: Update mbedtls to v4 - route: Fix conversion warnings on BSDs - socket: Remove ifdef for SO_{RCV, SND}BUF - test_openvpnserv: Make sure to include config.h - GHA: Run openvpnserv UT for MinGW builds - status: Avoid conversion warnings in status_read/status_printf - manage: Do not trigger actions on management disconnect if not authenticated - -Gert Doering (1): - tunnel_server(): close correct inotify fd - -Heiko Hund (1): - Prevent NULL pointer dereference with --dns-updown - -Max Fillinger (1): - Add support for Mbed TLS 4 - - -2026.01.15 -- Version 2.7_rc5 - -Arne Schwabe (5): - Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers - Allow test-crypto to work without the --secret argument - Fix warnings on Android about unused variables/methods - Require script-security 2 when using unix: tun - Correctly handle sender jumping exactly epoch_data_keys_future_count - -Frank Lichtenheld (12): - tests/unit_tests: Port to cmocka 2.0.0 API - GHA: Maintenance update January 
2026 - Update Copyright statements to 2026 - Fix building test_tls_crypt with cmocka 2.0 - configure.ac: Clean up systemd support - socks: Replace magic "10" for socks header with macro - socks: Fix wrong success check in socks_username_password_auth - socket: Remove old 'dynamic remote' feature - socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply - ssl_verify: Fix parsing of timeout from auth pending file - error: Remove our implementation of static_assert - forward: Avoid conversion warning in ipv6_send_icmp_unreachable - -Gert Doering (3): - remove ENABLE_X509ALTUSERNAME conditional - Repair interaction between DCO and persist-tun after reconnection - OpenVPN Release 2.7_rc5 - - -2025.12.17 -- Version 2.7_rc4 - -Arne Schwabe (4): - Clarify some code in epoch with better comments - Add a section about wolfSSL GPLv3 and point out missing TLS PRF support - Fix dco with null cipher being enabled without auth none - Change ssl_ctx in struct tls_options to be a pointer - -Frank Lichtenheld (19): - Documentation: Various syntax fixes and text improvements - CMake: For VS build, switch from /W2 to /W3 - socket: Initialize struct in_addr_t in getaddr() - GHA: Add minGW Release build - tun: Refactor BSD write_tun/read_tun - tun: Change return type of write_tun/read_tun to ssize_t - Remove some obsolete references to --windows-driver - options: Remove some verbose error messages for options deprecated in 2.4 - Correct documentation for --ns-cert-type - buffer: Change limits for array_mult_safe - mbuf: Add unit tests - options: Avoid some conversion warnings - schedule: Rework documentation for schedule_add_entry - multi: Fix wrong sigma value in multi_push_restart_schedule_exit - multi: Fix type handling for hashes, mostly inotify_watchers - multi: Fix various conversion warnings - manage: Avoid several conversion warnings by using the correct types - buffer: Change buf_prepend and buf_advance to accept ssize_t for length - multi: Warn about failing 
read in multi_process_file_closed() - -Gianmarco De Gregori (2): - mudp: fix unaligned 32-bit read when parsing peer ID - Deprecate --fast-io option - -Heiko Hund (1): - iservice: set adapter DNS only with search domains - -Klemens Nanni (1): - Prevent crash on invalid server-ipv6 argument - -Lev Stipakov (1): - tun.c: set IPv4 address temporary on Windows - -Max Fillinger (1): - Drop Mbed TLS 2.X compatibility - -Moritz Fain (1): - PUSH_UPDATE: fix option reset logic in continuation messages - -Selva Nair (2): - Set UTF-8 as the codepage using manifest declaration - pull-filter: improve documentation - -Simon Matter (1): - Add CAP_SYS_NICE to the positive list in systemd service files - -Steffan Karger (1): - mbedtls: gracefully exit if certificate file is NULL - - -2025.11.28 -- Version 2.7_rc3 - -Frank Lichtenheld (9): - doc: Document potential filesystem pitfalls of client-config-dir - GHA: Maintenance update November 2025 - GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS - tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age - Changes.rst: Fix various syntax errors and typos - error: Allow status argument to check_status to be ssize_t - Linux: Assume we have a kernel that was release in the last 15 years - configure/CMake: Remove unused checks - configure/CMake: Unify Windows handling - -Gert Doering (4): - Change '--multihome' behaviour regarding egress interface selection. - extract_x509_field_ssl(): verify that X509_NAME is not NULL. 
- Remove remainders of --no-name-remapping option - OpenVPN Release 2.7_rc3 - -Gianmarco De Gregori (2): - multi-socket: remove duplicated/dead code - multi-socket: do not return tuntap flags on server-side - -Heiko Hund (9): - iservice: fix buffer size in call to FormatMessage - iservice: make sure buffer size is not zero - iservice: make sure registry string is terminated - iservice: check for NULL pointer - iservice: fix calculation of converted domains size - iservice: return correct size when domains are truncated - iservice: handle ignoring itf domains correctly - iservice: fix off by one error - iservice: rename one_glyph to glyph_size - -Lev Stipakov (1): - interactive.c: harden pipe handling against misbehaving clients - -Marco Baffo (1): - route: handle default gateway (net_gateway) and nexthop towards VPN server separately - -Max Fillinger (1): - Add option to check tls-crypt-v2 key timestamps - -Ralf Lici (1): - dco: process messages immediately after read - -Selva Nair (3): - vcpkg-ports/pkcs11-helper: bump version to 1.31 - Harden interactive service pipe - Restrict access to the service pipe to SYSTEM and owner - - -2025.11.17 -- Version 2.7_rc2 - -Antonio Quartulli (4): - test_networking: use appropriate assert helpers - unit_tests: prefer proper cmocka assert helpers - init: make some functions static - options: remove --opt-verify functionality - -Arne Schwabe (3): - Do not underestimate number of encrypted/decrypted AEAD blocks - Fix construction of invalid pointer in tls_pre_decrypt - Fix memcmp check for the hmac verification in the 3way handshake being inverted - -Frank Lichtenheld (17): - manage: Correctly handle port 65535 in man_kill - pkcs11_openssl: Silence a conversion warning - Enable -Wtype-limits by default (via -Wextra) - ssl: Change tls_send_payload size argument to size_t - openssl_compat: Avoid conversion warning for SSL_get_negotiated_group - pkcs11: Avoid some conversion warnings - ssl: change return type of 
calc_control_channel_frame_overhead to size_t - otime: Fix various conversion warnings - interval: Fix conversion warning - forward: Change context_reschedule_sec sec argument to time_t - tls_crypt: Avoid some conversion warnings - ssl: Fix conversion warning in tls_prepend_opcode_v1 - ssl: Change update argument of compute_earliest_wakeup to time_t - ssl: Clean up type handling in write_string() - ssl: Clean up type handling in export_user_keying_material() - ssl: Clean up type handling in parse_early_negotiation_tlvs() - ssl_pkt: Avoid conversion warnings - -Gert Doering (5): - FreeBSD DCO: repair incoming 'delete peer' notifications in p2p client mode - dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications - dco_freebsd: implement dco_get_peer_stats() - FreeBSD DCO: repair --inactive - dco_freebsd.c: fix integer warnings - -Heiko Hund (7): - iservice: fix DNS address list generation - msvc: fix struct initialization for v19 compilers - iservice: validate config path better - win: remove checks for PATHCCH_ENSURE_TRAILING_SLASH - iservice: validate config path case-insensitive - iservice: make sure directories have trailing backslash - iservice: use saved iface index to restore metric - -Lev Stipakov (5): - tapctl: use better wording for adapters - tapctl: factor out command handlers - recursive routing: fixes and clean-ups - tapctl: make output of 'list' and 'create' commands more verbose - tapctl: refactor 'create' command - -Marco Baffo (1): - PUSH_UPDATE server: update reporting_addr after ifconfig update - -Mikhail Khachaiants (1): - socket: reject mismatched address family in get_addr_generic - -Selva Nair (2): - openvpnserv: Disallow stdin as config unless user is authorized - Use correct undo_list when clearing DNS addresses - - -2025.10.29 -- Version 2.7_rc1 - -Antonio Quartulli (1): - sitnl: set FD_CLOEXEC on socket to prevent abuse - -Arne Schwabe (12): - Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 - Avoid 
possible race condition that kill OpenVPN itself - Add ASSERT to afunix code that dev_node is always set up the way we expect - Warn if push is used without --mode server/--server/--server-bridge - Fix logic when pushed cipher triggers tun reopen and ignore more options - Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled - Remove --memstats feature - clean up environment variable handling in verify_user_pass_script - fix key_state_gen_auth_control_files probably checking file creation - Fix warnings about conversion from int to unsigned char/uint8_t - Ensure return value of snprintf is correctly checked - Ensure that get_sigtype always return non-NULL - -Christian Kujau (2): - doc: Fix hyperlinks in openvpn(8) - doc: HTTPS upgrades and URL fixes throughout the tree - -Frank Lichtenheld (18): - test_dhcp: Start a dhcp helper functions UT - CONTRIBUTING: Update outdated/obsolete information - schedule: Fix conversion warning - win32: Change some APIs to use DWORD instead of size_t - dhcp: Clean up type handling of write_dhcp_* - init: Fix datav2_enabled check in options import - socket: Wrap winsock functions to avoid common conversion warnings - proxy: factor out recv_char code common with socks proxy - proxy: factor out send code common with socks proxy - push_util: Make send_push_update static - ssl_util: Fix conversion warning in get_num_elements - push_util: Fix conversion warnings - multi: Fix wrong usage of mroute_extract_openvpn_sockaddr - mroute: Remove unused mask argument of mroute_get_in* - gremlin: Avoid some conversion warnings - crypto_backend: Change len argument of md_ctx_update to size_t - mudp/mtcp: Remove -Wconversion pragmas - manage: Change kill_by_addr to use better types for port/proto - -Gert Doering (3): - remove redundant PULL_DEFINED() macro definition - zeroize struct image in packet_id_persist_save() before writing to disk - OpenVPN Release 2.7_rc1 - -Heiko Hund (2): - iservice: use interface index with 
netsh - iservice: check return value of MultiByteToWideChar - -Joshua Rogers (1): - tcp: apply CLOEXEC to accepted socket, not listener - -Lev Stipakov (1): - interactive.c: add the upper bound for startupdata size - -Marco Baffo (2): - PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6) - PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements - -Max Fillinger (1): - Zeroize tls-crypt-v2 client keys - -Ralf Lici (5): - options: warn and ignore --reneg-bytes/pkts when DCO is enabled - dco-freebsd: store peer stats directly in c2 - dco: remove dco_read/write_bytes from dco_context_t - dco-freebsd: fix peer stats storage on client instances - management: ensure consistent BYTECOUNT timing on server - -Selva Nair (3): - pkcs11_management_id_get: Free certificate object after use - Canonicalize config_dir before comparing with the config file location - Add -lpathcch for mingw32 builds using autotools - -Steffan Karger (1): - Remove perf.c/perf.h - - -2025.10.13 -- Version 2.7_beta3 - -Arne Schwabe (2): - Allowing installing FreeBSD routes with interface instead of next-hop - Allow route_ipv6_match_host to be used outside of route.c - -Frank Lichtenheld (33): - GHA: Dependency updates September 2025 - comp-lz4: Fix types in call to LZ4_decompress_safe - dco_win: In dco_new_key, document size assumptions for the integer casts - dco_linux: Fix -Wconversion warnings - ssl_openssl: Use uint16_t internally for TLS versions - dco: Change sd argument to dco_new_peer from int to socket_descriptor_t - crypto_epoch: Clean up type handling in ovpn_expand_label() - route: Fix a unused-but-set-variable warning on OpenBSD - platform: Do not assume uid_t/gid_t are signed - mtu: Trivial -Wconversion fix - Review CMocka assertion usage - dhcp: Fix conversion warnings - COPYING: Remove licenses for software bundled in the Windows client - sitnl: Clean up type handling - options: Factor out parsing code to separate 
options_parse.c - unit_tests: Remove useless wrapping for argv/buffer tests - crypto: Make some casts to int explicit - test_options_parse: Start new UT for options_parse.c - buffer: Fix buf_parse eating input - test_options_parse: Add test for read_config_string - vlan: Remove -Wconversion override - GHA: Run options_parse test for MinGW - test_options_parse: Do not use uintmax_t instead of LargestIntegralType - proto: Clean up conversion warnings related to checksum macros - test_options_parse: Remove --wrap - lzo: Fix conversion warning - options_util: Fix conversion warning in atoi_constrained - options: Review use of positive_atoi vs atoi_constrained - console: Simplify query_user_add interface - socks: Fix conversion warnings with MinGW - Move build_dhcp_options_string from tun to dhcp - dhcp: Replace DHCP Option types with defines - test_user_pass: Check fatal errors for empty username/password - -Lev Stipakov (4): - dco-win: fix broken ASSERT in dco_new_key - dco-win: support for epoch data channel - Preserve ifconfig(_ipv6)_local across reconnect - Make recursive routing check more fine-grained - -Marco Baffo (4): - PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled - PUSH_UPDATE server: bug-fix, reset buffer after processing - PUSH_UPDATE server: check IV_PROTO before sending the message to the client - redirect-gateway: only redirect traffic through TUN if address families match - -Selva Nair (1): - Fix PIN cache time in test_pkcs11.c - -Steffan Karger (1): - Document that tls-crypt-v2 can be used in connection profile - - -2025.09.25 -- Version 2.7_beta2 - -Antonio Quartulli (1): - dco: add standard mi prefix handling to multi_process_incoming_dco() - -Arne Schwabe (1): - Switch test_ssl certificate from RSA 2048 to secp384r1 - -Frank Lichtenheld (22): - openvpn_PRF: Change API to use size_t for lengths - ssl_common: Make sure ssl flags are treated as unsigned - options: Factor out usages of strtoll and atoll - ps: Clean up 
conversion warnings in journal_add function - events: Make sure rwflags are treated as unsigned - manage: Change command_line_* API to use size_t for lengths - Introduce msglvl_t to unify msglevel type handling - socket: Change resolve flags to unsigned int - list: Make types of hash elements consistent - ssl: Fix -Wconversion warnings in pem_password_callback - ssl_verify: Change backend_x509_* functions to size_t for lengths - Handle return type of EVP_MD_size - Clean up conversion warnings related to base64_{en, de}code - configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend - Enable a subset of -Wextra - socks: factor out socks_proxy_recv_char() - multi_io_init: simplify - dns: Fix bug in error handling when talking to script - Enable -Wconversion -Wno-sign-conversion by default - Make unit tests -Wconversion clean - ps: Fix conversion warnings related to send/recv return values - event: Silence conversion warning in tv_to_ms_timeout - -Gert Doering (5): - replace assert() calls with ASSERT() - remove newline characters at the end of msg() calls - dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message - fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds - Fix t_net.sh / networking_testdriver after 'broadcast' change - -Gianmarco De Gregori (2): - Multi-socket win: avoid repeated socket_set() - Fix multi-socket and dco-win interaction - -Lev Stipakov (5): - Preserve --dhcp-option values from local config - win: replace wmic invocation with powershell - openvpnserv: Fix writing messages to the event log - GHA: collect more artifacts for mingw builds - Validate DNS parameters - -Marco Baffo (1): - push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update() - -Max Fillinger (1): - Rename Fox Crypto to Sentyron in copyright notices - -Sebastian Marsching (1): - Bugfix: Set broadcast address on interface. 
- - -2025.09.04 -- Version 2.7_beta1 - -Arne Schwabe (1): - Check message id/acked ids too when doing sessionid cookie checks - -Frank Lichtenheld (27): - Update text of GPL to latest version from FSF - Update GPL header in all source files to current recommended version - Define a .clang-format file for the project - Disable clang-format for some code parts - Update git-pre-commit-uncrustify.sh to handle clang-format - GHA: enable -Werror for mbedTLS v3 and AWS LC builds - Reformat the whole project with clang-format - Fix build error with clang-cl on latest Windows SDK - clang-format: Switch to ColumnLimit 0 - Add clang-format reformat commit to .git-blame-ignore-revs - Remove uncrustify config and reformat-all.sh - buffer: remove unused function buf_write_alloc_prepend - t_client.sh: Do not wait 3 seconds for OpenVPN to come up - Collect trivial conversion fixes - options: Fix --hash-size virtual argument - Clean up documentation for --tun-mtu-max - comp: Make sure comp flags are treated as unsigned - crypto: Make sure crypto flags are treated as unsigned - options: Make sure option types are treated as unsigned - route: Make sure various route flags are treated as unsigned - socket: Create socket_util with non-socket functions - Add new unit test module test_socket - socket_util: Clean up conversion warnings in add_in6_addr - manage: Make sure various management flags are treated as unsigned - forward: Make sure pip flags are treated as unsigned - options: Introduce atoi_constrained and review usages of atoi_warn - ssl_openssl: Fix type of sslopts argument to SSL_CTX_set_options - -Gert Doering (3): - Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file - Introduce env variables to communicate desired gateway redirection to NM. 
- OpenVPN Release 2.7_beta1 - -Gianmarco De Gregori (1): - dco: avoid printing mi prefix on debug messages - -Heiko Hund (1): - dns: fix systemd dns-updown script - -Ilia Shipitsin (1): - GHA: limit 'Deploy Doxygen documentation' to main repo only - -Lev Stipakov (3): - Log setting DNS via NRPT - dco-win: add support for multipeer stats - Refactor management bytecount tracking - -Marco Baffo (1): - PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages - -Ralf Lici (3): - management: resync timer on bytecount interval change - dco_linux: validate tun interface before fetching stats - management: stop bytecount on client disconnection - -Samuli Seppänen (2): - Add sample FFDH parameters file and use that in t_server_null tests - - -2025.07.31 -- Version 2.7_alpha3 - -Antonio Quartulli (10): - README.dco: update Linux instructions - dco_linux: fix case statement by using proper error value - dco_linux: use M_FATAL instead of M_ERR in netlink error code paths - dco_linux: rearrange functions - multi: store multi_context address inside top instance - dco: only pass struct context to init function - dco_linux: factor out netlink notification code - dco_linux: fix async message reception - multi: make some multi_*() functions static - dco_linux: clean up PEER_GET trigger and parser - -Arne Schwabe (1): - Cleanup/simplify mbed TLS related define from autoconf - -Christian Schürmann (1): - Replace deprecated OpenSSL.crypto.load_crl - -Frank Lichtenheld (8): - packet_id: Fix build with --disable-debug - Fix new doxygen warnings about using @return in void functions - Fix compiler warning in reliable.c with --disable-debug - reliable: Review and fix gc_arena usage - configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks - GHA: Dependency updates July 2025 - plugins: Clean up -Wconversion warnings - options: Simplify function setenv_foreign_option - -Gert Doering (3): - mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' 
#ifdefs - unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42 - OpenVPN Release 2.7_alpha3 - -Gianmarco De Gregori (2): - Route: add support for user defined routing table - Multi-socket: Fix assert triggered by stale peer-id reuse - -Heiko Hund (9): - dns: add updown script for macOS - fix macOS dns-updown handling of parallel full redirects - run forced --dns-updown without --script-security - dns: create NRPT registry key if it doesn't exist - dns: do not run updown scripts with lwipovpn - prevent search domain races with macOS dns-updown - move macOS dns-updown common code into functions - mac dns: compare servers before restoring backup - mac dns: do not run dns-updown in parallel - -Kristof Provost (3): - dco: support float notifications on FreeBSD - dco-freebsd: always enable float notification support - dco-freebsd: pass address scope to the kernel - -Lev Stipakov (4): - Fix broken DHCP options - Fix --dns options for TAP adapter - Fix DNS options duplication on PUSH_UPDATE - Fix wrong byte order of --dns server - -Marco Baffo (3): - PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime. - PUSH_UPDATE: Added remove_option() and do_update(). - PUSH_UPDATE: Added update_option() function. 
- -Ralf Lici (5): - dco linux: avoid redefining ovpn enums - dco linux: avoid sending local port to ovpn - dco: Add support for float notifications - improve float collision logging - add flag to print addresses in a consistent format during float - -Samuli Seppänen (2): - t_server_null: add multi-socket testing - t_server_null: match test numbers with server numbers - -Terrance (1): - Update systemd service name param to match command - -rein.vanbaaren (1): - Added PQE to WolfSSL - - -2025.06.18 -- Version 2.7_alpha2 - -Antonio Quartulli (1): - dco_linux: enable extended netlink error reporting - -Arne Schwabe (1): - Add missing header in unit tests Makefile.am - -Frank Lichtenheld (6): - Remove contrib/pull-resolv-conf - Update copyright statements to 2025 - Do not segfault on missing --dh in server config - Delete old sample-windows file and obsolete Windows sample handling - t_server_null: Test different permutations of --dh - Fix various badly placed comments in preparation for reformat - -Gert Doering (1): - OpenVPN Release 2.7_alpha2 - -Gianmarco De Gregori (1): - Multi-socket: local_list clean-up - -Heiko Hund (2): - fix typo in haikuos dns-updown script - dns: deal with --dhcp-options when --dns is active - -Max Fillinger (2): - Use mbedtls_ssl_export_keying_material() - mbedtls: Allow TLS 1.3 if available - -Ralf Lici (1): - Preserve socket protocol during float processing - -Samuli Seppänen (1): - t_server_null: print error when server startup fails - - -2025.05.28 -- Version 2.7_alpha1 - -5andr0 (1): - Implement server_poll_timeout for socks - -Alexander von Gluck (4): - Haiku: Introduce basic platform / tun support - Haiku: Add calls to manage routing table - Haiku: change del to delete in route command. 
del is undocumented - Haiku: Fix short interface path length - -Antonio Quartulli (32): - disable DCO if --secret is specified - dco: properly re-initialize dco_del_peer_reason - dco: bail out when no peer-specific message is delivered - dco: improve comment about hidden debug message - dco: print proper message in case of transport disconnection - dco_linux: update license for ovpn_dco_linux.h - Update issue templates - Avoid warning about missing braces when initialising key struct - dco: don't use NetLink to exchange control packets - dco: print version to log if available - dco-linux: remove M_ERRNO flag when printing netlink error message - multi: don't call DCO APIs if DCO is disabled - dco-freebsd: use m->instances[] instead of m->hash - dco-linux: implement dco_get_peer_stats{, multi} API - configure.ac: fix typ0 in LIBCAPNG_CFALGS - dco: fix crash when --multihome is used with --proto tcp - dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification - event/multi: add event_arg object to make event handling more generic - pass link_socket object to i/o functions - io_work: convert shift argument to uintptr_t - io_work: pass event_arg object to event handler in case of socket event - sitnl: replace NLMSG_TAIL macro with noinline function - override ai_family if 'local' numeric address was specified - Adapt socket handling to support listening on multiple sockets - allow user to specify 'local' multiple times in config files - dco_linux: extend netlink error cb with extra info - man: extend --persist-tun section - dco: pass remoteaddr only for UDP peers - socket: use remote proto when creating client sockets - dco_linux: fix peer stats parsing with new ovpn kernel module - socket: don't transfer bind family to socket in case of ANY address - dco_linux: avoid bogus text when netlink message is not parsed - -Aquila Macedo (1): - doc: Correct typos in multiple documentation files - -Arne Schwabe (190): - Fix connection cookie not including 
address and fix endianness in test - Fix unit test of test_pkt on little endian Linux - Disable DCO when TLS mode is not used - Ignore connection attempts while server is shutting down - Improve debug logging of DCO swap key message and Linux dco_new_peer - Trigger a USR1 if dco_update_keys fails - Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range - Ensure that argument to parse_line has always space for final sentinel - Improve documentation on user/password requirement and unicodize function - Eliminate or comment empty blocks and switch fallthrough - Remove unused gc_arena - Fix corner case that might lead to leaked file descriptor - Deprecate NTLMv1 proxy auth method. - Use include "buffer.h" instead of include - Ensure that dco keepalive and mssfix options are also set in pure p2p mode - Make management password check constant time - Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL - Move dco_installed back to link_socket from link_socket.info.actual - Do not set nl socket buffer size - Also drop incoming dco packet content when dropping the packet - Improve logging when seeing a message for an unkown peer - Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions - Replace custom min macro and use more C99 style in man_remote_entry_get - Replace realloc with new gc_realloc function - Add connect-freq-initial option to limit initial connection responses - Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled - Deprecate OCC checking - Workaround: make ovpn-dco more reliable - Fix unaligned access in auth-token - Update LibreSSL to 3.7.0 in Github actions - Add printing USAN stack trace on github actions - Fix LibreSSL not building in Github Actions - Add missing stdint.h includes in unit tests files - Combine extra_tun/frame parameter of frame_calculate_payload_overhead - Update the last sections in the man page to a be a bit less outdated - Add building unit tests with mingw to 
github actions - Revise the cipher negotiation info about OpenVPN3 in the man page - Exit if a proper message instead of segfault on Android without management - Use proper print format/casting when converting msg_channel handle - Reduce initialisation spam from verb <= 3 and print summary instead - Dynamic tls-crypt for secure soft_reset/session renegotiation - Set netlink socket to be non-blocking - Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key - Fix memory leaks in open_tun_dco() - Fix memory leaks in HMAC initial packet generation - Use key_state instead of multi for tls_send_payload parameter - Make sending plain text control message session aware - Only update frame calculation if we have a valid link sockets - Improve description of compat-mode - Simplify --compress parsing in options.c - Refuse connection if server pushes an option contradicting allow-compress - Add 'allow-compression stub-only' internally for DCO - Parse compression options and bail out when compression is disabled - Remove unused variable line - Add Apache2 linking with for new commits - Fix compile error on TARGET_ANDROID - Fix use-after-free with EVP_CIPHER_free - Remove key_type argument from generate_key_random - add basic CMake based build - Avoid unused function warning/error on FreeBSD (and potientially others) - Do not blindly assume python3 is also the interpreter that runs rst2html - Only add -Wno-stringop-truncation on supported compilers - fix warning with gcc 12.2.0 (compiler bug?) 
- Fix CR_RESPONSE mangaement message using wrong key_id - Print a more user-friendly error when tls-crypt-v2 client auth fails - Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 - Mock openvpn_exece on win32 also for test_tls_crypt - Check if the -wrap argument is actually supported by the platform's ld - Revert commit 423ced962d - Implement using --peer-fingerprint without CA certificates - show extra info for OpenSSL errors - Remove ability to use configurations without TLS by default - Add warning for the --show-groups command that some groups are missing - Print peer temporary key details - Add warning if a p2p NCP client connects to a p2mp server - Remove openssl engine method for loading the key - Add undefined and abort on error to clang sanitize builds - Add --enable-werror to all platforms in Github Actions - Remove saving initial frame code - Double check that we do not use a freed buffer when freeing a session - Fix using to_link buffer after freed - Remove CMake custom compiler flags for RELEASE and DEBUG build - Do not check key_state buffers that are in S_UNDEF state - Remove unused function prototype crypto_adjust_frame_parameters - Introduce report_command_status helper function - Log SSL alerts more prominently - Remove unused/unneeded/add missing defines from configure/cmake - Document tls-exit option mainly as test option - Remove dead remains of extract_x509_field_test - Replace character_class_debug with proper unit test - Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway - Fix check_session_buf_not_used using wrong index - Add missing check for nl_socket_alloc failure - Add check for nice in cmake config - Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror - Remove compat versionhelpers.h and remove cmake/configure check for it - Rename state_change to continue_tls_process - Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c - Fix building mbed TLS with CMake and allow 
specifying custom directories - Extend the error message when TLS 1.0 PRF fails - Fix unaligned access in macOS, FreeBSD, Solaris hwaddr - Check PRF availability on initialisation and add --force-tls-key-material-export - Make it more explicit and visible when pkg-config is not found - Clarify that the tls-crypt-v2-verify has a very limited env set - Move get_tmp_dir to win32-util.c and error out on failure - Implement the --tls-export-cert feature - Use mingw compile definition also to unit tests - Add test_ssl unit test and test export of PEM to file - Remove conditional text for Apache2 linking exception - Fix ssl unit tests on OpenSSL 1.0.2 - Ensure that all unit tests use unbuffered stdout and stderr - Allow unit tests to fall back to hard coded location - Add unit test for encrypting/decrypting data channel - Print SSL peer signature information in handshake debug details - Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs - Turn dead list test code into unit test - Use snprintf instead of sprintf for get_ssl_library_version - Fix snprintf/swnprintf related compiler warnings - Add bracket in fingerprint message and do not warn about missing verification - Match ifdef for get_sigtype function with if ifdef of caller - Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex - Add missing EVP_KDF_CTX_free in ssl_tls1_PRF - Replace macos11 with macos14 in github runners - Remove openvpn_snprintf and similar functions - Repeat the unknown command in errors from management interface - Only run coverity scan in OpenVPN/OpenVPN repository - Support OpenBSD with cmake - Workaround issue in LibreSSL crashing when enumerating digests/ciphers - Remove OpenSSL 1.0.2 support - Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL - Allow the TLS session to send out TLS alerts - Properly handle null bytes and invalid characters in control messages - Allow trailing \r and \n in control channel message - Add Ubuntu 24.04 runner to 
Github Actions - Implement support for AEAD tag at the end - Remove check for anonymous unions from configure and cmake config - Make read/write_tun_header static - Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin - Move to common backend_driver type in struct tuntap - Introduce DRIVER_AFUNIX backend for use with lwipovpn - Change dev null to be a driver type instead of a special mode of tun/tap - Use print_tun_backend_driver instead of custom code to print type - Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap - Ensure that the AF_UNIX socket pair has at least 65k of buffer space - Fix check for CMake not detecting struct cmsg - Remove null check after checking for checking for did_open_tun - Remove a large number of unused structs and functions - Remove unused methods write_key/read_key - Refuse clients if username or password is longer than USER_PASS_LEN - Move should_trigger_renegotiation into its own function - Change --reneg-bytes and --reneg-packets to 64 bit counters - Use XOR instead of concatenation for calculation of IV from implicit IV - Trigger renegotiation of data key if getting close to the AEAD usage limit - Implement HKDF expand function based on RFC 8446 - Split init_key_ctx_bi into send/recv init - Move initialisation of implicit IVs to init_key_ctx_bi methods - Change internal id of packet id to uint64 - Add small unit test for buf_chomp - Add building/testing with msbuild and the clang compiler - Ensure that Python3 is available - Change API of init_key_ctx to use struct key_parameters - Allow DEFAULT in data-ciphers and report both expanded and user set option - Do not attempt to decrypt packets anymore after 2**36 failed decryptions - Add methods to read/write packet ids for epoch data - Implement methods to generate and manage OpenVPN Epoch keys - Rename aead-tag-at-end to aead-epoch - Improve peer fingerprint documentation - Remove comparing username to NULL in tls_lock_username - Print 
warnings/errors when numerical parameters cannot be parsed - Add unit tests for atoi parsing options helper - Improve error reporting from AF_UNIX tun/tap support - Fix typo in positive_atoi - Fix oversight of link socket code change in Android code path - Implement epoch key data format - Extend the unit test for data channel packets with aead limit tests - Add (fake) Android cmake building - Add android build to Github Actions - Reconnect when TCP is on use on network-change management command - Implement override-username - Fix incorrect condition for checking password related check - Directly use _countof in array initialisation - Improve documentation for override-username - Mention address if not unspecific on DNS failure - Do not leave half-initialised key wrap struct when dynamic tls-crypt fails - Allow tls-crypt-v2 to be setup only on initial packet of a session - Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid - Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username - Also print key agreement when printing negotiated details - Fix mbed TLS key exporter functionality in 3.6.x and cmake - Make --dh none behaviour default if not specified - -Ben Boeckel (1): - console_systemd: remove the timeout when using 'systemd-ask-password' - -Christoph Schug (1): - Update documentation references in systemd unit files - -Corubba Smith (3): - Support IPv6 towards port-share proxy receiver - Document x509-username-fields oid usage - Remove x509-username-fields uppercasing - -David Sommerseth (4): - ssl_verify: Fix memleak if creating deferred auth control files fails - ntlm: Clarify details on NTLM phase 3 decoding - Remove --tls-export-cert - Remove superfluous x509_write_pem() - -Franco Fichtner (1): - Allow to set ifmode for existing DCO interfaces in FreeBSD - -Frank Lichtenheld (174): - options.c: fix format security error when compiling without optimization - options.c: update usage description of --cipher - Update copyright year 
to 2023 - xkey_pkcs11h_sign: fix dangling pointer - options: Always define options->management_flags - check_engine_keys: make pass with OpenSSL 3 - documentation: update 'unsupported options' section - Changes.rst: document removal of --keysize - Windows: fix unused function setenv_foreign_option - Windows: fix unused variables in delete_route_ipv6 - Windows: fix wrong printf format in x_check_status - Windows: fix unused variable in win32_get_arch - configure: enable DCO by default on FreeBSD/Linux - Windows: fix signedness errors with recv/send - configure: fix formatting of --disable-lz4 and --enable-comp-stub - tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled - GHA: remove Ubuntu 18.04 builds - vcpkg: request "tools" feature of openssl for MSVC build - Do not include net/in_systm.h - version.sh: remove - doc: run rst2* with --strict to catch warnings - man page: Remove cruft from --topology documentation - tests: do not include t_client.sh in dist - vcpkg-ports/pkcs11-helper: Make compatible with mingw build - vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json - vcpkg-ports/pkcs11-helper: reference upstream PRs in patches - dco_linux: properly close dco version file - DCO: fix memory leak in dco_get_peer_stats_multi for Linux - Fix two unused assignments - sample-plugins: Fix memleak in client-connect example plugin - tests: Allow to override openvpn binary used - test_buffer: add tests for buf_catrunc and its caller format_hex_ex - buffer: use memcpy in buf_catrunc - options: remove --key-method from usage message - msvc-generate: include version.m4.in in tarball - dist: add more missing files only used in the MSVC build - vcpkg-ports/pkcs11-helper: rename patches to make file names shorter - unit_tests: Add missing cert_data.h to source list for unit tests - dist: Include all documentation in distribution - CMake: Add complete MinGW and MSVC build - Remove all traces of the previous MSVC build system - CMake: Add /Brepro to MSVC link 
options - GHA: update to run-vcpkg@v11 - test_tls_crypt: Improve mock() usage to be more portable - CMake: Throw a clear error when config.h in top-level source directory - CMake: Support doc builds on Windows machines that do not have .py file association - Remove old Travis CI related files - README.cmake.md: Add new documentation for CMake buildsystem - GHA: refactor mingw UTs and add missing tls_crypt - GHA: Add macos-13 - options: Do not hide variables from parent scope - pkcs11_openssl: Disable unused code - route: Fix overriding return value of add_route3 - CMake: various small non-functional improvements - GHA: do not trigger builds in openvpn-build anymore - Remove --no-replay option - GHA: new workflow to submit scan to Coverity Scan service - doc: fix argument name in --route-delay documentation - Change type of frame.mss_fix to uint16_t - Remove last uses of inet_ntoa - mss/mtu: make all size calculations use size_t - dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork - gerrit-send-mail.py: Add patch version to subject - Add mbedtls3 GHA build - platform.c: Do not depend Windows build on HAVE_CHDIR - sample-keys: renew for the next 10 years - GHA: clean up libressl builds with newer libressl - configure.ac: Remove unused AC_TYPE_SIGNAL macro - documentation: remove reference to removed option --show-proxy-settings - unit_tests: remove includes for mock_msg.h - buffer: add documentation for string_mod and extend related UT - tests: disable automake serial_tests - documentation: improve documentation of --x509-track - configure: allow to disable NTLM - configure: enable silent rules by default - misc: make get_auth_challenge static - Remove support for NTLM v1 proxy authentication - GHA: increase verbosity for make check - NTLM: add length check to add_security_buffer - NTLM: increase size of phase 2 response we can handle - Fix various 'Uninitialized scalar variable' warnings from Coverity - proxy-options.rst: Add proper 
documentation for --http-proxy-user-pass - NTLM: when NTLMv1 is requested, try NTLMv2 instead - buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' - --http-proxy-user-pass: allow to specify in either order with --http-proxy - test_user_pass: new UT for get_user_pass - test_user_pass: Add UTs for character filtering - gerrit-send-mail: Make output consistent across systems - README.cmake.md: Document minimum required CMake version for --preset - documentation: Update and fix documentation for --push-peer-info - documentation: Fixes for previous fixes to --push-peer-info - test_user_pass: add basic tests for static/dynamic challenges - Fix typo --data-cipher-fallback - samples: Remove tls-*.conf - check_compression_settings_valid: Do not test for LZ4 in LZO check - t_client.sh: Allow to skip tests - gerrit-send-mail: add missing Signed-off-by - Update Copyright statements to 2024 - GHA: general update March 2024 - samples: Update sample configurations - documentation: make section levels consistent - phase2_tcp_server: fix Coverity issue 'Dereference after null check' - script-options.rst: Update ifconfig_* variables - crypto_backend: fix type of enc parameter - tests: fork default automake test-driver - forked-test-driver: Show test output always - Change default of "topology" to "subnet" - Use topology default of "subnet" only for server mode - Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp - configure: update old copy of pkg.m4 - LZO: do not use lzoutils.h macros - test_user_pass: Fix building with --enable-systemd - Remove "experimental" denotation for --fast-io - t_server_null.sh: Fix failure case - configure: Add -Wstrict-prototypes and -Wold-style-definition - configure: Try to detect LZO with pkg-config - configure: Switch to C11 by default - Fix missing spaces in various messages - console_systemd: rename query_user_exec to query_user_systemd - configure: Allow to detect git checkout if .git is not a directory - 
GHA: Configure Renovate - configure: Try to use pkg-config to detect mbedTLS - tun: use is_tun_p2p more consistently - Various fixes for -Wconversion errors - generate_auth_token: simplify code - GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1 - GHA: Enable t_server_null tests - configure: Handle libnl-genl and libcap-ng consistent with other libs - configure: Review use of standard AC macros - socket: Change return types of link_socket_write* to ssize_t - GHA: Pin dependencies - GHA: Update macOS runners - GHA: Simplify macOS builds - Remove support for compression on send - Fix wrong doxygen comments - Various typo fixes - macOS: Assume that net/if_utun.h is always present - Fix some formatting related to if/else and macros - Fix memory leak in ntlm_support - forward: Fix potential unaligned access in drop_if_recursive_routing - GHA: General update December 2024 - Review doxygen warnings - Regenerate doxygen config file with doxygen -u - Fix 'uninitialized pointer read' in openvpn_decrypt_aead - ssl_openssl: Clean up unused functions and add missing "static" - Fix some trivial sign-compare compiler warnings - tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning - openvpnserv: Fix some inconsistent usages of TEXT() - Fix doxygen warnings in crypto_epoch.h - GHA: Drop Ubuntu 20.04 and other maintenance - GHA: Publish Doxygen documentation to Github Pages - Add more 'intentional fallthrough' comments - Remove various unused function parameters - Remove unused function check_subnet_conflict - options: Cleanup and simplify options_postprocess_verify_ce - Apply text-removal.sh script to Windows codebase - openvpnserv: Clean up use of TEXT() from DNS patches - Post tchar.h removal cleanup - Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ - t_server_null_default.rc: Add some tests with --data-ciphers - GHA: Pin version of CMake for all builds - GHA: Dependency and Actions update April 2025 - GHA: Make sure renovate notifies us about 
AWS LC releases - Doxygen: Fix obsolete links to OpenSSL documentation - GHA: Use CMake 4.0 and apply required fixes - Doxygen: Clean up tls-crypt documentation - Doxygen: Remove useless Python information - Manually reformat some long trailing comments - CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path - CMake: Sync list of compiler flags with configure.ac - CMake: Reorganize header and symbol tests - GHA: Dependency and Actions update May 2025 - Doxygen: Fix missing parameter warnings - Changes.rst: Collect, fix, and improve entries for 2.7 release - -George Pchelkin (1): - fix typo: dhcp-options to dhcp-option in vpn-network-options.rst - -Gert Doering (21): - Change version.m4 to 2.7_git - bandaid fix for TCP multipoint server crash with Linux-DCO - Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up - Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode - Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO - Repair special-casing of EEXIST for Linux/SITNL route install - Get rid of unused 'bool tuntap_buffer' arguments. - FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well - Make received OCC exit messages more visible in log. - OpenBSD: repair --show-gateway - get_default_gateway() HWADDR overhaul - make t_server_null 'server alive?' check more robust - t_client.sh: conditionally skip ifconfig+route check - send uname() release as IV_PLAT_VER= on non-windows versions - options: add IPv4 support to '--show-gateway ' - get_default_gateway(): implement platform support for Linux/SITNL - get_default_gateway(): implement platform support for Linux/IPROUTE2 - add missing (void) to win32 function declarations - add more (void) to windows specific function prototypes and declarations - Make 'lport 0' no longer sufficient to do '--bind'. 
- Add information-gathering about DNS resolvers configured to t_client.sh(.in) - -Gianmarco De Gregori (17): - Persist-key: enable persist-key option by default - Minor fix to process_ip_header - Http-proxy: fix bug preventing proxy credentials caching - Ensures all params are ready before invoking dco_set_peer() - Route: remove incorrect routes on exit - Fix for msbuild/mingw GHA failures - multiproto: move generic event handling code in dedicated files - Fix PASS_BY_VALUE issue in options_postprocess_mutate_le() - mroute: adapt to new protocol handling and hashing improvements - mroute/management: repair mgmt client-kill for mroute with proto - Add support for simultaneous use of UDP and TCP sockets - Rename occurences of 'struct link_socket' from 'ls' to 'sock' - Fix FreeBSD-DCO and Multisocket interaction - manpage: fix HTML format for --local - Fix dco_win and multisocket interaction - dco_linux: Introduce new uAPIs - Explicit-exit-notify and multisocket interaction - -Heiko Hund (21): - dns option: allow up to eight addresses per server - work around false positive warning with mingw 12 - dns option: remove support for exclude-domains - cmake: create and link compile_commands.json file - cmake: symlink whole build dir not just .json file - Windows: enforce 'block-local' with WFP filters - add and send IV_PROTO_DNS_OPTION_V2 flag - dns: store IPv4 addresses in network byte order - dns: clone options via pointer instead of copy - service: add utf8to16 function that takes a size - dns: support multiple domains without DHCP - dns: do not use netsh to set name server addresses - win: calculate address string buffer size - win: implement --dns option support with NRPT - dns: apply settings via script on unixoid systems - fix typo in haikuos dns-updown script - dns: support running up/down command with privsep - dns: don't publish env vars to non-dns scripts - dns: fix potential NULL pointer dereference - win: match search domains when creating exclude rules - win: 
fix collecting DNS exclude data - -Heiko Wundram (1): - Implement Windows CA template match for Crypto-API selector - -Ilia Shipitsin (3): - src/openvpn/init.c: handle strdup failures - sample/sample-plugins/defer/multi-auth.c: handle strdup errors - tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors - -Ilya Shipitsin (1): - src/openvpn/dco_freebsd.c: handle malloc failure - -Juliusz Sosinowicz (1): - Change include order for tests - -Klemens Nanni (1): - Fix tmp-dir documentation - -Kristof Provost (10): - Read DCO traffic stats from the kernel - dco: Update counters when a client disconnects - Read the peer deletion reason from the kernel - dco: cleanup FreeBSD dco_do_read() - options.c: enforce a minimal fragment size - configure: improve FreeBSD DCO check - dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD - dco: print FreeBSD version - DCO: support key rotation notifications - dco-freebsd: dynamically re-allocate buffer if it's too small - -Lev Stipakov (63): - Rename dco_get_peer_stats to dco_get_peer_stats_multi - management: add timer to output BYTECOUNT - Introduce dco_get_peer_stats API and Windows implementation - git-version.py: proper support for tags - msvc: upgrade to Visual Studio 2022 - tun: move print_windows_driver() out of tun.h - openvpnmsica: remove dco installer custom actions - openvpnmsica: remove unused declarations - openvpnmsica: fix adapters discovery logic for DCO - Allow certain DHCP options to be used without DHCP server - dco-win: use proper calling convention on x86 - Improve format specifier for socket handle in Windows - Disable DCO if proxy is set via management - Add logging for windows driver selection process - Avoid management log loop with verb >= 6 - Support --inactive option for DCO - Fix '--inactive