OpenVPN ChangeLog
Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
+2026.03.31 -- Version 2.7.1
+
+Antonio Quartulli (1):
+ options: drop useless init_gc param for init_options()
+
+Arne Schwabe (12):
+ Change stream_buf_read_setup_dowork parameter to struct steam_buf
+ DCO Linux: Fix setting DCO ifmode failing on big endian archs
+ Merge stream_buf_get_next and stream_buf_set_next
+ AWS-LC: Add missing return and cast in ssl_tls1_PRF
+ GHA: Install aws-lc under /opt/aws-lc
+ Show version and double check we use the right TLS library in Github Actions
+ Remove unnecessary OpenSSL init and cleanup commands in unit tests
+ GHA: Cache built crypto libraries
+ Use openssl_err_t typedef to deal with difference between TLS libraries
+ Do not support tls_ctx_set_cert_profile on AWS-LC
+ Use const specifices in extract_x509_field_ssl
+ Increase default size of internal hash maps to 4 * --max-clients
+
+Frank Lichtenheld (7):
+ clang-format: Add missing InsertBraces: true
+ auth-pam: fix discards 'const' qualifier from pointer target type
+ GHA: Maintenance update February 2026
+ buffer: Add checked_snprintf function and use it in the code
+ vcpkg-ports: Review pkcs11-helper port
+ systemd: Change LimitNPROC to TasksMax and increase limit
+ ssl_verify_openssl: Clean up extract_x509_extension
+
+Gert Doering (4):
+ port-share: log incoming connections at verb 3 only
+ rework all occurrences of 'M_ERR | M_ERRNO'
+ configure.ac: adjust to native inotify support for FreeBSD 15+
+ dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
+
+Gianmarco De Gregori (1):
+ socket: restore per-connection lport override over global default
+
+Haixiao Yan (1):
+ tests: skip test execution when cross-compiling
+
+Heiko Hund (2):
+ doc: improve Windows-specific options section
+ doc: fix typo with --ingore-unknown-option
+
+Max Fillinger (1):
+ Avoid unbounded allocations in pkcs11_mbedtls.c
+
+Ralf Lici (1):
+ doc: fix client-nat syntax and examples
+
+Rudi Heitbaum (3):
+ dns: fix discards 'const' qualifier from pointer target type
+ ntlm: fix discards 'const' qualifier from pointer target type
+ ssl_verify_openssl: use official ASN1_STRING_ API
+
+Selva Nair (4):
+ Fixup version command on management interface
+ Document management client versions
+ Use USER_PASS_LEN for private key password buffer size
+ Add an optional username-only flag for auth-user-pass
+
+
2026.02.11 -- Version 2.7.0
Frank Lichtenheld (3):
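Review bot: Two subjects in the Arne Schwabe block carry spelling slips: "struct steam_buf" (the neighbouring entries spell the prefix stream_buf) and "const specifices". If this file is generated verbatim from commit subjects they have to stay as committed. Otherwise correct them, so that a search of the ChangeLog for stream_buf finds all three related entries.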
+Overview of changes in 2.7.1
+============================
+Bugfixes
+--------
+- Fix usage of ``--lport`` inside a ``<connection>`` block - this got
+ broken with the multi-socket patchset (GH OpenVPN/openvpn#995)
+
+- Do not try to run auto-pam unit test when cross-compiling.
+
+- Do not break private-key passphrases of length >= 64
+ (GH OpenVPN/openvpn#993)
+
+- Fix obscure ASSERT() crash on TCP connects with TAP and no ip config.
+
+- Make DCO work on FreeBSD systems that have no IPv4 support in kernel
+ (FreeBSD PR 286263)
+
+- Make DCO work on Linux on big endian systems (namely, MIPS and PowerPC)
+ (GH OpenVPN/ovpn-dco#96)
+
+New features
+------------
+- Add a new ``username-only`` flag argument to ``--auth-user-pass`` which
+ will now make OpenVPN only query for username and send a dummy password
+ to the server. This is only useful if auth schemes are used on the
+ server side that will do some sort of external challenge base on username,
+ and not password authentication. See discussion in GH OpenVPN/openvpn#501
+ (starting Jan 30, 2024).
+
+- Increase default sizing of internal hash maps to ``4 * --max-clients``.
+ The default used to be ``256`` with a ``--max-clients`` default of
+ 1024 - this is bad for performance, while the memory savings are
+ minimal. On a very memory constrained system, reduce ``--max-clients``.
+
+Long-term code maintenance
+--------------------------
+- Work on OpenSSL 4.0 API support, reducing use of ASN1_STRING members.
+
+- Remove obsolete OpenSSL 1.0.x support code from unit tests.
+
+- Improve documentation of management client versioning, replace magic
+ numbers in the code with an enum type.
+
+- Fixup responses to management interface ``version`` command (for >= 4).
+
+- Make ``--enable-async-push`` work on FreeBSD 15 (which has native
+ inotify support, and consequently no libinotify.pc anymore)
+
+- Adjust some code parts to new "const" handling on string function
+ returns (ISO C23, as implemented by glibc 2.43 and newer).
+
+- Remove erroneous usage of ``M_ERR | M_ERRNO`` throughout the code.
+
+
+User-visible Changes
+--------------------
+- When compiled with the AWS-LC SSL library, using ``--tls-cert-profile``
+ will now print a run-time warning - the library does not support it,
+ so it would silently do nothing.
+
+- Systemd unit files: change LimitNPROC to TasksMax and increase limit
+ (GH: OpenVPN/openvpn#929)
+
+- Documentation improvements.
+
+- port-share: log incoming connections at ``verb 3``, not on ``error``
+ level anymore (GH: OpenVPN/openvpn#976).
+
+
Overview of changes in 2.7
==========================
New features
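Review bot: The Bugfixes list has no entry for "Avoid unbounded allocations in pkcs11_mbedtls.c", which the ChangeLog part of this same patch lists under Max Fillinger. An allocation-bounding fix is the kind of change packagers look for when deciding on backports, so it deserves a line here, naming the affected build (mbed TLS with PKCS#11, going by the file name). Two wording slips in the added text: "auto-pam unit test" in the cross-compile item reads as a typo for auth-pam, the spelling the ChangeLog uses, and "external challenge base on username" should be "based on". The ``username-only`` item says a dummy password is sent without saying what it is. Stating the value, or pointing to where it is documented, would help authors of server-side auth scripts.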
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [.0])
+define([PRODUCT_VERSION_PATCH], [.1])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,7,0,0])
+define([PRODUCT_VERSION_RESOURCE], [2,7,1,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
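Review bot: PRODUCT_VERSION_PATCH and PRODUCT_VERSION_RESOURCE encode the same patch level in two formats and are bumped by hand on separate lines. They agree here ([.1] and [2,7,1,0]), but a short dnl comment next to PRODUCT_VERSION_PATCH noting that PRODUCT_VERSION_RESOURCE must be updated with it would make a future mismatch less likely.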