Up to [cvs.NetBSD.org] / pkgsrc / net / openvpn
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
openvpn: updated to 2.6.12 v2.6.12 Bug fixes: the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script. Strip those before testing the command buffer. Also, add unit test. Http-proxy: fix bug preventing proxy credentials caching.
openvpn: updated to 2.6.11 v2.6.11 Security fixes: CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5) CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson) CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client (Reynir Björnsson) New features: Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store. Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise) Bug fixes: Fix connect timeout when using SOCKS proxies Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers Add bracket in fingerprint message and do not warn about missing verification Documentation: Remove "experimental" denotation for --fast-io Correctly document ifconfig_* variables passed to scripts Documentation: make section levels consistent Samples: Update sample configurations (remove compression & old cipher settings, add more informative comments)
openvpn: updated to 2.6.10 Version 2.6.10 Christoph Schug (1): Update documentation references in systemd unit files Frank Lichtenheld (6): Fix typo --data-cipher-fallback samples: Remove tls-*.conf check_compression_settings_valid: Do not test for LZ4 in LZO check t_client.sh: Allow to skip tests Update Copyright statements to 2024 GHA: general update March 2024 Lev Stipakov (4): win32: Enforce loading of plugins from a trusted directory interactive.c: disable remote access to the service pipe interactive.c: Fix potential stack overflow issue Disable DCO if proxy is set via management Martin Rys (1): openvpn-[client|server].service: Remove syslog.target Max Fillinger (1): Remove license warning from README.mbedtls Selva Nair (1): Document that auth-user-pass may be inlined wellweek (1): remove repetitive words in documentation and comments
net/openvpn: Update to 2.6.9 Upstream NEWS: bug fixes
net/openvpn: Update to 2.6.8 upstream NEWS: bugfixes
net/openvpn: Update to 2.6.7 Upstream NEWS: Security Fixes: * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417) * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.(Github #400, #417). User visible changes: * DCO: warn if DATA_V1 packets are sent by the other side - this a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco. * Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support. * add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6. * add warning to --show-groups that not all supported groups are listed (this is due the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves). * --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again) * warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations) New features: * DCO-WIN: get and log driver version (for easier debugging). * print "peer temporary key details" in TLS handshake * log OpenSSL errors on failure to set certificate, for example if the algorithms used are in acceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios) * add CMake build system for MinGW and MSVC builds * remove old MSVC build system * improve cmocka unit test building for Windows
net/openvpn: Update to 2.6.6 upstream change summary: New features ------------ - set WINS server via interactive service - this adds support for "dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no DHCP server is used (Github #373).
net/openvpn: Update to 2.6.5 Upstream changes are bugfixes and minor improvements
openvpn: updated to 2.6.4 Overview of changes in 2.6.4 User visible changes License amendment: all NEW commits fall under a modified license that explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for details. Existing code will fall under the new license as soon as all contributors have agreed to the change - work ongoing. New features DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). This is the userland side, accepting a message from kernel, and initiating a TLS renegotiation. As of release, only implemented in FreeBSD kernel. Bug fixes fix pkcs#11 usage with OpenSSL 3.x and PSS signing fix compile error on TARGET_ANDROID fix typo in help text manpage updates (--topology) encoding of non-ASCII windows error messages in log + management fixed (use UTF8 "as for everything else", not ANSI codepages)
openvpn: updated to 2.6.3 Version 2.6.3 GHA: remove Ubuntu 18.04 builds vcpkg: request "tools" feature of openssl for MSVC build doc: run rst2* with --strict to catch warnings Support of DNS domain for DHCP-less drivers Bug-fix: segfault in dco_get_peer_stats()
openvpn: updated to 2.6.2 Overview of changes in 2.6.2 New features implement byte counter statistics for DCO Linux (p2mp server and client) implement byte counter statistics for DCO Windows (client only) '--dns server <n> address ...' now permits up to 8 v4 or v6 addresses fix a few cases of possibly undefined behaviour detected by ASAN add more unit tests for Windows cryptoapi interface Bug fixes sending of AUTH_PENDING and INFO_PRE messages fixed Windows: do not treat "setting IPv6 interface metric failed" as fatal error on "block-dns" install - this can happen if IPv6 is disabled on the interface and is not harmful in itself fix '--inactive' if DCO is in use NOTE: on FreeBSD, this is not working yet (missing per-peer stats) DCO-Linux: do not print errno on netlink errors (errno is not set by NL) SOCKS client: improve error reporting on server disconnects DCO-Linux: fix lockups due to netlink buffer overflows on high client connect/disconnect activity. See "User visible changes" for more details of this. fix some uses of the OpenSSL3 API for non-default providers (enable use of quantum-crypto OpenSSL provider) fix memory leak of approx. 1600 bytes per incoming initial TLS packet fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper (data format conversion was not done properly) fix 'make distcheck' - unexpected side effect of 'subdir-objects' fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2 User visible changes print (kernel) DCO version on startup - helpful for getting a more complete picture of the environment in use. New control packets flow for data channel offloading on Linux. 2.6.2+ changes the way OpenVPN control packets are handled on Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must be upgraded. The kernel module was renamed to "ovpn-dco-v2.ko" in order to highlight this change and ensure that users and userspace software could easily understand which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime. The client-pending-auth management command now requires also the key id. The management version has been changed to 5 to indicate this change. A client will now refuse a connection if pushed compression settings will contradict the setting of allow-compression as this almost always results in a non-working connection.
openvpn: updated to 2.6.1 Overview of changes in 2.6.1 New features Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensure that only the previously authenticated peer can do trigger renegotiation and complete renegotiations. CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate. User visible changes on crypto initialization, move old "quite verbose" messages to --verb 4 and only print a more compact summary about crypto and timing parameters by default configure now enables DCO build by default on FreeBSD and Linux, which brings in a default dependency for libnl-genl (for Linux distributions that are too old to have this library, use "configure --disable-dco") make "configure --help" output more consistent CryptoAPI (Windows): remove support code for OpenSSL before 3.0.1 (this will not affect official OpenVPN for Windows installers, as they will always be built with OpenSSL 3.0.x) CryptoAPI (Windows): log the selected certificate's name "configure" now uses "subdir-objects", for automake >= 1.16 (less warnings for recent-enough automake versions, will change the way .o files are created) Bugfixes / minor improvements fixed old IPv6 ifconfig race condition for FreeBSD 12.4 fix compile-time breakage related to DCO defines on FreeBSD 14 enforce minimum packet size for "--fragment" (avoid division by zero) some alignment fixes to avoid unaligned memory accesses, which will bring problems on some architectures (Sparc64, some ARM versions) - found by USAN clang checker windows source code fixes to reduce number of compile time warnings (eventual goal is to be able to compile with -Werror on MinGW), mostly related to signed/unsigned char * conversions, printf() format specifiers and unused variables. avoid endless loop on logging with --management + --verb 6+ build (but not run) unit tests on MinGW cross compiles, and run them when building with GitHub Actions. add unit test for parts of cryptoapi.c add debug logging to help with diagnosing windows driver selection disable DCO if proxy config is set via management interface do not crash on Android if run without --management improve documentation about cipher negotiation and OpenVPN3 for x86 windows builds, use proper calling conventions for dco-win (__stdcall) differentiate "dhcp-option ..." options into "needs an interface with true DHCP service" (tap-windows) and "can also be installed by IPAPI or service, and can be used on non-DHCP interfaces" (wintun, dco-win) windows interactive service: fix possible double-free if "--block-dns" installation fails due to "security products" interfering "make dist": package ovpn_dco_freebsd.h to permit building from tarballs on FreeBSD 14
openvpn: updated to 2.5.8 Overview of changes in 2.5.8 New features allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries) User-visible Changes add git branch name + commit ID to OpenVPN version string on MSVC builds (windows) Testing Enhancements t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer "silently skip" t_client runs if fping (etc) can not be found, but will error out Bugfixes ``--auth-nocache'' was not always correctly clearing username+password after a renegotiation ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect'') in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix. using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix. management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback() fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state tls-crypt-v2: abort connection if client-key is too short make man page agree with actual code on replay-window backtrag log message remove useless empty line from CR_RESPONSE message
openvpn*: Update to 2.5.7 Upstream changes: bugfixes
openvpn: updated to 2.5.6 OpenVPN 2.5.6. This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).
openvpn: updated to 2.5.5 Overview of changes in 2.5.5 ============================ User-visible Changes -------------------- - SWEET32/64bit cipher deprecation change was postponed to 2.7 - Windows: use network address for emulated DHCP server as default this enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud. - require EC support in windows builds (this means it's no longer possible to build a Windows OpenVPN binary with an OpenSSL lib without EC support) New features ------------ - Windows build: use CFG and Spectre mitigations on MSVC builds - bring back OpenSSL config loading to Windows builds. OpenSSL config is loaded from %installdir%\SSL\openssl.cfg (typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists. This is important for some hardware tokens which need special OpenSSL config for correct operation. Bugfixes -------- - Windows build: enable EKM - Windows build: improve various vcpkg related build issues - Windows build: fix regression related to non-writeable status files - Windows build: fix regression that broke OpenSSL EC support - Windows build: fix "product version" display (2.5..4 -> 2.5.4) - Windows build: fix regression preventing use of PKCS12 files - improve "make check" to notice if "openvpn --show-cipher" crashes - improve argv unit tests - ensure unit tests work with mbedTLS builds without BF-CBC ciphers - include "--push-remove" in the output of "openvpn --help" - fix error in iptables syntax in example firewall.sh script - fix "resolvconf -p" invocation in example "up" script - fix "common_name" environment for script calls when "--username-as-common-name" is in effect Documentation ------------- - move "push-peer-info" documentation from "server options" to "client" (where it belongs) - correct "foreign_option_{n}" typo in manpage - update IRC information in CONTRIBUTING.rst (libera.chat) - README.down-root: fix plugin module name
net: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts...): net/radsecproxy/distinfo The following distfiles could not be fetched (fetched conditionally?): ./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz ./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch ./net/djbdns/distinfo djbdns-1.05-test28.diff.xz ./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch ./net/djbdns/distinfo djbdns-1.05-multiip.diff ./net/djbdns/distinfo djbdns-cachestats.patch
net: Remove SHA1 hashes for distfiles
openvpn: updated to 2.5.4 Overview of changes in 2.5.4 ============================ Bugfixes -------- - fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/adm64 when released. - fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used "ifconfig" calls) - various improvements for man page building (rst2man/rst2html etc) - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this) - fix minor memory leak under certain conditions in add_route() and add_route_ipv6() User-visible Changes -------------------- - documentation improvements - copyright updates where needed - better error reporting when win32 console access fails New features ------------ - also build man page on Windows builds
openvpn: updated to 2.5.3 Version 2.5.3 * Add missing free_key_ctx for auth_token * Add github actions * Implement auth-token-user * Update copyrights * openvpnmsica: properly schedule reboot in the end of installation * msvc: add ARM64 configuration * msvc: standalone building * contrib/vcpkg-ports: add pkcs11-helper port * vcpkg-ports: restore trailing whitespaces in .patch files * GitHub actions: add MSVC build * crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) * contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606) * Fix SIGSEGV (NULL deref) receiving push "echo" * Fix build with mbedtls w/o SSL renegotiation support * Improve documentation of AUTH_PENDING related directives * Apply the connect-retry backoff to only one side of a connection
openvpn: updated to 2.5.2 The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with “–auth-gen-token” or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
openvpn: updated to 2.5.1 Version 2.5.1 * Fix auth-token not being updated if auth-nocache is set * Remove auth_user_pass.wait_for_push variable * Fix port-share option with TLS-Crypt v2 * Zero initialise msghdr prior to calling sendmesg * Fix tls-auth mismatch OCC message when tls-cryptv2 is used. * build: Fix missing install of man page in certain environments * Fix too early argv freeing when registering DNS * Remove 1 second delay before running netsh * Skip DHCP renew with Wintun adapter * Change travis build scripts to use https when fetching prerequisites. * Fix line number reporting on config file errors after <inline> segments * Clarify --block-ipv6 intent and direction. * Document common uses of 'echo' directive, re-enable logging for 'echo'. * Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL * clean up / rewrite sample-plugins/defer/simple.c * Fix naming error in sample-plugins/defer/simple.c * Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in * Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c * More explicit versioning compatibility in sample-plugins/defer/simple.c * Explain structver usage in sample defer plugin. * Man page sections corrections * Quote the domain name argument passed to the wmic command * tls-crypt-v2: fix server memory leak * tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
openvpn: add URL to upstream bug report
openvpn: fix installation of man page. Bump PKGREVISION.
openvpn: updated to 2.5.0 Overview of changes in 2.5 ========================== New features ------------ Client-specific tls-crypt keys (``--tls-crypt-v2``) ``tls-crypt-v2`` adds the ability to supply each client with a unique tls-crypt key. This allows large organisations and VPN providers to profit from the same DoS and TLS stack protection that small deployments can already achieve using ``tls-auth`` or ``tls-crypt``. ChaCha20-Poly1305 cipher support Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel. Improved Data channel cipher negotiation The option ``ncp-ciphers`` has been renamed to ``data-ciphers``. The old name is still accepted. The change in name signals that ``data-ciphers`` is the preferred way to configure data channel ciphers and the data prefix is chosen to avoid the ambiguity that exists with ``--cipher`` for the data cipher and ``tls-cipher`` for the TLS ciphers. OpenVPN clients will now signal all supported ciphers from the ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN servers will select the first common cipher from the ``data-ciphers`` list instead of blindly pushing the first cipher of the list. This allows to use a configuration like ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that prefers ChaCha20-Poly1305 but uses it only if the client supports it. See the data channel negotiation section in the manual for more details. Removal of BF-CBC support in default configuration: By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be enabled by adding data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC and when you need to support very old peers also data-ciphers-fallback BF-CBC To offer backwards compatibility with older configs an *explicit* cipher BF-CBC in the configuration will be automatically translated into adding BF-CBC to the data-ciphers option and setting data-ciphers-fallback to BF-CBC (as in the example commands above). We strongly recommend to switching away from BF-CBC to a more secure cipher. Asynchronous (deferred) authentication support for auth-pam plugin. See src/plugins/auth-pam/README.auth-pam for details. Deferred client-connect The ``--client-connect`` option and the connect plugin API allow asynchronous/deferred return of the configuration file in the same way as the auth-plugin. Faster connection setup A client will signal in the ``IV_PROTO`` variable that it is in pull mode. This allows the server to push the configuration options to the client without waiting for a ``PULL_REQUEST`` message. The feature is automatically enabled if both client and server support it and significantly reduces the connection setup time by avoiding one extra packet round-trip and 1s of internal event delays. Netlink support On Linux, if configured without ``--enable-iproute2``, configuring IP addresses and adding/removing routes is now done via the netlink(3) kernel interface. This is much faster than calling ``ifconfig`` or ``route`` and also enables OpenVPN to run with less privileges. If configured with --enable-iproute2, the ``ip`` command is used (as in 2.4). Support for ``ifconfig`` and ``route`` is gone. Wintun support On Windows, OpenVPN can now use ``wintun`` devices. They are faster than the traditional ``tap9`` tun/tap devices, but do not provide ``--dev tap`` mode - so the official installers contain both. To use a wintun device, add ``--windows-driver wintun`` to your config (and use of the interactive service is required as wintun needs SYSTEM privileges to enable access). IPv6-only operation It is now possible to have only IPv6 addresses inside the VPN tunnel, and IPv6-only address pools (2.4 always required IPv4 config/pools and IPv6 was the "optional extra"). Improved Windows 10 detection Correctly log OS on Windows 10 now. Linux VRF support Using the new ``--bind-dev`` option, the OpenVPN outside socket can now be put into a Linux VRF. See the "Virtual Routing and Forwarding" documentation in the man page. TLS 1.3 support TLS 1.3 support has been added to OpenVPN. Currently, this requires OpenSSL 1.1.1+. The options ``--tls-ciphersuites`` and ``--tls-groups`` have been added to fine tune TLS protocol options. Most of the improvements were also backported to OpenVPN 2.4 as part of the maintainance releases. Support setting DHCP search domain A new option ``--dhcp-option DOMAIN-SEARCH my.example.com`` has been defined, and Windows support for it is implemented (tun/tap only, no wintun support yet). Other platforms need to support this via ``--up`` script (Linux) or GUI (OSX/Tunnelblick). per-client changing of ``--data-ciphers`` or ``data-ciphers-fallback`` from client-connect script/dir (NOTE: this only changes preference of ciphers for NCP, but can not override what the client announces as "willing to accept") Handle setting of tun/tap interface MTU on Windows If IPv6 is in use, MTU must be >= 1280 (Windows enforces IETF requirements) Add support for OpenSSL engines to access private key material (like TPM). HMAC based auth-token support The ``--auth-gen-token`` support has been improved and now generates HMAC based user token. If the optional ``--auth-gen-token-secret`` option is used clients will be able to seamlessly reconnect to a different server using the same secret file or to the same server after a server restart. Improved support for pending authentication The protocol has been enhanced to be able to signal that the authentication should use a secondary authentication via web (like SAML) or a two factor authentication without disconnecting the OpenVPN session with AUTH_FAILED. The session will instead be stay in a authenticated state and wait for the second factor authentication to complete. This feature currently requires usage of the managent interface on both client and server side. See the `management-notes.txt` ``client-pending-auth`` and ``cr-response`` commands for more details. VLAN support OpenVPN servers in TAP mode can now use 802.1q tagged VLANs on the TAP interface to separate clients into different groups that can then be handled differently (different subnets / DHCP, firewall zones, ...) further down the network. See the new options ``--vlan-tagging``, ``--vlan-accept``, ``--vlan-pvid``. 802.1q tagging on the client side TAP interface is not handled today (= tags are just forwarded transparently to the server). Support building of .msi installers for Windows Allow unicode search string in ``--cryptoapicert`` option (Windows) Support IPv4 configs with /31 netmasks now (By no longer trying to configure ``broadcast x.x.x.x'' in ifconfig calls, /31 support "just works") New option ``--block-ipv6`` to reject all IPv6 packets (ICMPv6) this is useful if the VPN service has no IPv6, but the clients might have (LAN), to avoid client connections to IPv6-enabled servers leaking "around" the IPv4-only VPN. ``--ifconfig-ipv6`` and ``--ifconfig-ipv6-push`` will now accept hostnames and do a DNS lookup to get the IPv6 address to use Deprecated features ------------------- For an up-to-date list of all deprecated options, see this wiki page: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions - ``ncp-disable`` has been deprecated With the improved and matured data channel cipher negotiation, the use of ``ncp-disable`` should not be necessary anymore. - ``inetd`` has been deprecated This is a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only, which complicates the code quite a bit for little gain. To be removed in OpenVPN 2.6 (unless users protest). - ``no-iv`` has been removed This option was made into a NOOP option with OpenVPN 2.4. This has now been completely removed. - ``--client-cert-not-required`` has been removed This option will now cause server configurations to not start. Use ``--verify-client-cert none`` instead. - ``--ifconfig-pool-linear`` has been removed This option is removed. Use ``--topology p2p`` or ``--topology subnet`` instead. - ``--compress xxx`` is considered risky and is warned against, see below. - ``--key-method 1`` has been removed User-visible Changes -------------------- - If multiple connect handlers are used (client-connect, ccd, connect plugin) and one of the handler succeeds but a subsequent fails, the client-disconnect-script is now called immediately. Previously it was called, when the VPN session was terminated. - Support for building with OpenSSL 1.0.1 has been removed. The minimum supported OpenSSL version is now 1.0.2. - The GET_CONFIG management state is omitted if the server pushes the client configuration almost immediately as result of the faster connection setup feature. - ``--compress`` is nowadays considered risky, because attacks exist leveraging compression-inside-crypto to reveal plaintext (VORACLE). So by default, ``--compress xxx`` will now accept incoming compressed packets (for compatibility with peers that have not been upgraded yet), but will not use compression outgoing packets. This can be controlled with the new option ``--allow-compression yes|no|asym``. - Stop changing ``--txlen`` aways from OS defaults unless explicitly specified in config file. OS defaults nowadays are actually larger then what we used to configure, so our defaults sometimes caused packet drops = bad performance. - remove ``--writepid`` pid file on exit now - plugin-auth-pam now logs via OpenVPN logging method, no longer to stderr (this means you'll have log messages in syslog or openvpn log file now) - use ISO 8601 time format for file based logging now (YYYY-MM-DD hh:mm:dd) (syslog is not affected, nor is ``--machine-readable-output``) - ``--clr-verify`` now loads all CRLs if more than one CRL is in the same file (OpenSSL backend only, mbedTLS always did that) - when ``--auth-user-pass file`` has no password, and the management interface is active, query management interface (instead of trying console query, which does not work on windows) - skip expired certificates in Windows certificate store (``--cryptoapicert``) - ``--socks-proxy`` + ``--proto udp*`` will now allways use IPv4, even if IPv6 is requested and available. Our SOCKS code does not handle IPv6+UDP, and before that change it would just fail in non-obvious ways. - TCP listen() backlog queue is now set to 32 - this helps TCP servers that receive lots of "invalid" connects by TCP port scanners - do no longer print OCC warnings ("option mismatch") about ``key-method``, ``keydir``, ``tls-auth`` and ``cipher`` - these are either gone now, or negotiated, and the warnings do not serve a useful purpose. - ``dhcp-option DNS`` and ``dhcp-option DNS6`` are now treated identically (= both accept an IPv4 or IPv6 address for the nameserver) Maintainer-visible changes -------------------------- - the man page is now in maintained in .rst format, so building the openvpn.8 manpage from a git checkout now requires python-docutils (if this is missing, the manpage will not be built - which is not considered an error generally, but for package builders or ``make distcheck`` it is). Release tarballs contain the openvpn.8 file, so unless some .rst is changed, doc-utils are not needed for building. - OCC support can no longer be disabled - AEAD support is now required in the crypto library - ``--disable-server`` has been removed from configure (so it is no longer possible to build a client-/p2p-only OpenVPN binary) - the saving in code size no longer outweighs the extra maintenance effort. - ``--enable-iproute2`` will disable netlink(3) support, so maybe remove that from package building configs (see above) - support building with MSVC 2019 - cmocka based unit tests are now only run if cmocka is installed externally (2.4 used to ship a local git submodule which was painful to maintain) - ``--disable-crypto`` configure option has been removed. OpenVPN is now always built with crypto support, which makes the code much easier to maintain. This does not affect ``--cipher none`` to do a tunnel without encryption. - ``--disable-multi`` configure option has been removed
openvpn: updated to 2.4.9 OpenVPN 2.4.9 * socks: use the right function when printing struct openvpn_sockaddr * Fetch OpenSSL versions via source/old links * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs * Fix OpenSSL 1.1.1 not using auto elliptic curve selection * Fix broken fragmentation logic when using NCP * Fix building with --enable-async-push in FreeBSD * Fix broken async push with NCP is used * Fix illegal client float (CVE-2020-11810) * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file * Fix OpenSSL private key passphrase notices * Swap the order of checks for validating interactive service user * Move querying username/password from management interface to a function * When auth-user-pass file has no password query the management interface (if available). * Fix possibly uninitialized return value in GetOpenvpnSettings() * Fix possible access of uninitialized pipe handles * Skip expired certificates in Windows certificate store * Allow unicode search string in --cryptoapicert option * mbedTLS: Make sure TLS session survives move * docs: Add reference to X509_LOOKUP_hash_dir(3)
openvpn: updated to 2.4.8 Version 2.4.8 This is primarily a maintenance release with minor bugfixes and improvements. New features Support compiling with OpenSSL 1.1 without deprecated APIs handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) User visible changes do not abort when hitting the combination of "--pull-filter" and "--mode server" (this got hit when starting OpenVPN servers using the windows GUI which installs a pull-filter to force ip-win32) increase listen() backlog queue to 32 (improve response behaviour on openvpn servers using TCP that get portscanned) fix and enhance documentation (INSTALL, man page, ...) Bug fixes the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as a workaround, force IPv4 in this case until a full implementation for IPv6-UDP-SOCKS can be made. fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana fix building with LibreSSL do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in systemd environments) repair windows builds repair Darwin builds (remove -no-cpp-precomp flag)
openvpn: updated to 2.4.7 OpenVPN 2.4.7 - Fix subnet topology on NetBSD (2.4). - add support for %lu in argv_printf and prevent ASSERT - buffer_list: add functions documentation - ifconfig-ipv6(-push): allow using hostnames - Properly free tuntap struct on android when emulating persist-tun - Add OpenSSL compat definition for RSA_meth_set_sign - Add support for tls-ciphersuites for TLS 1.3 - Add better support for showing TLS 1.3 ciphersuites in --show-tls - Use right function to set TLS1.3 restrictions in show-tls - Add message explaining early TLS client hello failure - Fallback to password authentication when auth-token fails - systemd: extend CapabilityBoundingSet for auth_pam - plugin: Export base64 encode and decode functions - Add %d, %u and %lu tests to test_argv unit tests. - Fix combination of --dev tap and --topology subnet across multiple platforms. - Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. - preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst) - Minor reliability layer documentation fixes - Resolves small IV_GUI_VER typo in the documentation. - Clarify and expand management interface documentation - Refactor NCP-negotiable options handling - init.c: refine functions names and description - interactive.c: fix usage of potentially uninitialized variable - options.c: fix broken unary minus usage - Remove extra token after #endif - Fix error message when using RHEL init script - man: correct a --redirection-gateway option flag - Replace M_DEBUG with D_LOW as the former is too verbose - Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' - Bump version of openvpn plugin argument structs to 5 - Move get system directory to a separate function - Enable dhcp on tap adapter using interactive service - Pass the hash without the DigestInfo header to NCryptSignHash() - White-list pull-filter and script-security in interactive service - Add Interactive Service developer documentation - Detect TAP interfaces with root-enumerated hardware ID - man: add security considerations to --compress section - mbedtls: print warning if random personalisation fails - Fix memory leak after sighup - travis: add OpenSSL 1.1 Windows build - Fix --disable-crypto build - Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' - buffer_list_aggregate_separator(): simplify code
openvpn: fix for NetBSD with subnet topology; remove empty DIST_SUBDIR
openvpn: 2.4.6 OpenVPN 2.4.6 management: Warn if TCP port is used without password Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4 Fix potential double-free() in Interactive Service (CVE-2018-9336) preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst) manpage: improve description of --status and --status-version Make return code external tls key match docs Delete the IPv6 route to the "connected" network on tun close Management: warn about password only when the option is in use Avoid overflow in wakeup time computation Add missing #ifdef SSL_OP_NO_TLSv1_1/2 Check for more data in control channel
openvpn: updated to 2.4.5 OpenVPN 2.4.5: reload HTTP proxy credentials when moving to the next connection profile Allow learning iroutes with network made up of all 0s (only if netbits < 8) mbedtls: fix typ0 in comment manpage: fix simple typ0 Treat dhcp-option DNS6 and DNS identical show the right string for key-direction Fix typo in error message: "optione" -> "option" lz4: Fix confused version check lz4: Fix broken builds when pkg-config is not present but system library is Remove references to keychain-mcd in Changes.rst lz4: Rebase compat-lz4 against upstream v1.7.5 systemd: Add and ship README.systemd Update copyright to include 2018 plus company name change man: Add .TQ groff support macro man: Reword --management to prefer unix sockets over TCP OpenSSL: check EVP_PKEY key types before returning the pkey Remove warning on pushed tun-ipv6 option. Fix removal of on-link prefix on windows with netsh travis-ci: add brew cache, remove ccache travis-ci: modify openssl build script to support openssl-1.1.0 autoconf: Fix engine checks for openssl 1.1 Cast time_t to long long in order to print it. Fix build with LibreSSL Check whether in pull_mode before warning about previous connection blocks Avoid illegal memory access when malformed data is read from the pipe Fix missing check for return value of malloc'd buffer Return NULL if GetAdaptersInfo fails Use RSA_meth_free instead of free Bring cryptoapi.c upto speed with openssl 1.1 Add SSL_CTX_get_max_proto_version() not in openssl 1.0 TLS v1.2 support for cryptoapicert -- RSA only Refactor get_interface_metric to return metric and auto flag separately Ensure strings read from registry are null-terminated Make most registry values optional Use lowest metric interface when multiple interfaces match a route Adapt to RegGetValue brokenness in Windows 7 Fix format spec errors in Windows builds Local functions are not supported in MSVC. Bummer. Mixing wide and regular strings in concatenations is not allowed in MSVC. RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h Simplify iphlpapi.dll API calls Fix local #include to use quoted form Document ">PASSWORD:Auth-Token" real-time message Fix typo in "verb" command examples Uniform swprintf() across MinGW and MSVC compilers MSVC meta files added to .gitignore list openvpnserv: Add support for multi-instances Document missing OpenVPN states make struct key * argument of init_key_ctx const buffer_list_aggregate_separator(): add unit tests Add --tls-cert-profile option. Use P_DATA_V2 for server->client packets too Fix memory leak in buffer unit tests buffer_list_aggregate_separator(): update list size after aggregating buffer_list_aggregate_separator(): don't exceed max_len buffer_list_aggregate_separator(): prevent 0-byte malloc Fix types around buffer_list_push(_data) ssl_openssl: fix compiler warning by removing getbio() wrapper travis: use clang's -fsanitize=address to catch more bugs Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ Add support for TLS 1.3 in --tls-version-{min, max} Plug memory leak if push is interrupted Fix format errors when cross-compiling for Windows Log pre-handshake packet drops using D_MULTI_DROPPED Enable stricter compiler warnings by default Get rid of ax_check_compile_flag.m4 mbedtls: don't use API deprecated in mbed 2.7 Warn if tls-version-max < tls-version-min Don't throw fatal errors from create_temp_file() Fix '--bind ipv6only'
openvpn: update to 2.4.4 Version 2.4.4 ============= This is primarily a maintenance release, with further improved OpenSSL 1.1 integration, several minor bug fixes and other minor improvements. Bug fixes --------- - Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is rejected by the remote side - Ignore ``--keysize`` when NCP have resulted in a changed cipher. - Configurations using ``--auth-nocache`` and the management interface to provide user credentials (like NetworkManager on Linux) on client side with servers implementing authentication tokens (for example, using ``--auth-gen-token``) will now behave correctly and not query the user for an, to them, unknown authentication token on renegotiations of the tunnel. - Fix bug causing invalid or corrupt SOCKS port number when changing the proxy via the management interface. - The man page should now have proper escaping of hyphens/minus characters and have seen some minor corrections. User-visible Changes -------------------- - Linux servers with systemd which uses the ``openvpn-server@.service`` unit file for server configurations will now utilize the automatic restart feature in systemd. If the OpenVPN server process dies unexpectedly, systemd will ensure the OpenVPN configuration will be restarted without any user interaction. Deprecated features ------------------- - ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5. - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 Security -------- - CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``. Before this fix, it could allow an attacker to send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as ``--key-method 2`` has been the default since OpenVPN 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5.
Distfile has been changed upstream
OpenVPN 2.4.3 Ignore auth-nocache for auth-user-pass if auth-token is pushed crypto: Enable SHA256 fingerprint checking in --verify-hash copyright: Update GPLv2 license texts auth-token with auth-nocache fix broke --disable-crypto builds OpenSSL: don't use direct access to the internal of X509 OpenSSL: don't use direct access to the internal of EVP_PKEY OpenSSL: don't use direct access to the internal of RSA OpenSSL: don't use direct access to the internal of DSA OpenSSL: force meth->name as non-const when we free() it OpenSSL: don't use direct access to the internal of EVP_MD_CTX OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX OpenSSL: don't use direct access to the internal of HMAC_CTX Fix NCP behaviour on TLS reconnect. Remove erroneous limitation on max number of args for --plugin Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. Fix potential 1-byte overread in TCP option parsing. Fix remotely-triggerable ASSERT() on malformed IPv6 packet. refactor my_strupr Fix 2 memory leaks in proxy authentication routine Fix memory leak in add_option() for option 'connection' Ensure option array p[] is always NULL-terminated Fix a null-pointer dereference in establish_http_proxy_passthru() Prevent two kinds of stack buffer OOB reads and a crash for invalid input data Fix an unaligned access on OpenBSD/sparc64 Missing include for socket-flags TCP_NODELAY on OpenBSD Make openvpn-plugin.h self-contained again. Pass correct buffer size to GetModuleFileNameW() Log the negotiated (NCP) cipher Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) Skip tls-crypt unit tests if required crypto mode not supported openssl: fix overflow check for long --tls-cipher option Add a DSA test key/cert pair to sample-keys Fix mbedtls fingerprint calculation mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) mbedtls: require C-string compatible types for --x509-username-field Fix remote-triggerable memory leaks (CVE-2017-7521) Restrict --x509-alt-username extension types Fix potential double-free in --x509-alt-username (CVE-2017-7521) Fix gateway detection with OpenBSD routing domains
OpenVPN 2.4.2 Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy. Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
Version 2.3.16: * fix redirect-gateway behaviour when an IPv4 default route does not exist * Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) * Check for errors in the return value of GetModuleFileNameW() * Fix gateway detection with OpenBSD routing domains
update openvpn to 2.3.15 fixes DoSses: CVE-2017-7478 CVE-2017-7479 fixes PR pkg/52044 relevant excerpt of ChangeLog: OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> 2017.05.11 -- Version 2.3.15 David Sommerseth (5): dev-tools: Added script for updating copyright years in files Update copyrights docs: Further improve --reneg-bytes and SWEET32 information git: Merge .gitignore files into a single file Make --cipher/--auth none more explicit on the risks Gert Doering (1): Document --proto udp6, tcp6, etc. Julien Muchembled (1): Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset Steffan Karger (6): Add missing includes in error.h cleanup: merge packet_id_alloc_outgoing() into packet_id_write() Document that OpenVPN 2.3 does not check the CRL signature Introduce and use secure_memzero() to erase secrets Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) Don't assert out on receiving too-large control packets (CVE-2017-7478) 2016.12.06 -- Version 2.3.14 Christian Hesse (1): update year in copyright message David Sommerseth (1): Document the --auth-token option Gert Doering (2): Repair topology subnet on FreeBSD 11 Repair topology subnet on OpenBSD Lev Stipakov (1): Drop recursively routed packets Selva Nair (4): Support --block-outside-dns on multiple tunnels When parsing '--setenv opt xx ..' make sure a third parameter is present Map restart signals from event loop to SIGTERM during exit-notification wait Correctly state the default dhcp server address in man page Steffan Karger (1): Clean up format_hex_ex() 2016.11.02 -- Version 2.3.13 Arne Schwabe (2): Use AES ciphers in our sample configuration files and add a few modern 2.4 examples Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer David Sommerseth (4): t_client.sh: Make OpenVPN write PID file to avoid various sudo issues t_client.sh: Add support for Kerberos/ksu t_client.sh: Improve detection if the OpenVPN process did start during tests t_client.sh: Add prepare/cleanup possibilties for each test case Gert Doering (5): Do not abort t_client run if OpenVPN instance does not start. Fix t_client runs on OpenSolaris make t_client robust against sudoers misconfiguration add POSTINIT_CMD_suf to t_client.sh and sample config Fix --multihome for IPv6 on 64bit BSD systems. Ilya Shipitsin (1): skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto Lev Stipakov (2): Exclude peer-id from pulled options digest Fix compilation in pedantic mode Samuli Seppänen (1): Automatically cache expected IPs for t_client.sh on the first run Steffan Karger (6): Fix unittests for out-of-source builds Make gnu89 support explicit cleanup: remove code duplication in msg_test() Update cipher-related man page text Limit --reneg-bytes to 64MB when using small block ciphers Add a revoked cert to the sample keys 2016.08.23 -- Version 2.3.12 Arne Schwabe (2): Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. Move ASSERT so external-key with OpenSSL works again David Sommerseth (3): Only build and run cmocka unit tests if its submodule is initialized Another fix related to unit test framework Remove NOP function and callers Dorian Harmans (1): Add CHACHA20-POLY1305 ciphersuite IANA name translations. Ivo Manca (1): Plug memory leak in mbedTLS backend Jeffrey Cutter (1): Update contrib/pull-resolv-conf/client.up for no DOMAIN Jens Neuhalfen (2): Add unit testing support via cmocka Add a test for auth-pam searchandreplace Josh Cepek (1): Push an IPv6 CIDR mask used by the server, not the pool's size Leon Klingele (1): Add link to bug tracker Samuli Seppänen (2): Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes Clarify the fact that build instructions in README are for release tarballs Selva Nair (4): Make error non-fatal while deleting address using netsh Make block-outside-dns work with persist-tun Ignore SIGUSR1/SIGHUP during exit notification Promptly close the netcmd_semaphore handle after use Steffan Karger (4): Fix polarssl / mbedtls builds Don't limit max incoming message size based on c2->frame Fix '--cipher none --cipher' crash Discourage using 64-bit block ciphers
Update net/openvpn to 2.3.11. Changes since 2.3.6: 2016.05.09 -- Version 2.3.11 Fixed port-share bug with DoS potential Make intent of utun device name validation clear Fix buffer overflow by user supplied data Correctly report TCP connection timeout on windows. Report Windows bitness Fix undefined signed shift overflow Fix build with libressl Improve LZO, PAM and OpenSSL documentation Ensure input read using systemd-ask-password is null terminated Support reading the challenge-response from console openssl: improve logging polarssl: improve logging Update manpage: OpenSSL might also need /dev/urandom inside chroot socks.c: fix check on get_user_pass() return value(s) Fix OCSP_check.sh hardening: add safe FD_SET() wrapper openvpn_fd_set() Fix memory leak in argv_extract_cmd_name() Replace MSG_TEST() macro for static inline msg_test() Restrict default TLS cipher list Various Changes.rst fixes Clarify mssfix documentation Clarify --block-outside-dns documentation Update --block-outside-dns to work on Windows Vista 2016.01.04 -- Version 2.3.10 Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier. Repair IPv6 netsh calls if Win XP is detected Use bob.example.com and alice.example.com to improve clarity of documentation Remove unused variables from ssl_verify_polarssl.c's x509_get_serial() Upgrade OpenVPN 2.3 to PolarSSL 1.3 Warn user if their certificate has expired Make assert_failed() print the failed condition cleanup: get rid of httpdigest.c type warnings Fix regression in setups without a client certificate polarssl: fix unreachable code 2015.12.15 -- Version 2.3.9 Show extra-certs in current parameters. Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c Do not set the buffer size by default but rely on the operation system default. Remove --enable-password-save option Reflect enable-password-save change in documentation Also remove second instance of enable-password-save in the man page Detect config lines that are too long and give a warning/error Log serial number of revoked certificate Adjust server-ipv6 documentation Avoid partial authentication state when using --disabled in CCD configs Make "block-outside-dns" option platform agnostic Un-break --auth-user-pass on windows Replace unaligned 16bit access to TCP MSS value with bytewise access Repair test_local_addr() on WIN32 Fix possible heap overflow on read accessing getaddrinfo() result. Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote() remove unused gc_arena in FreeBSD close_tun() Fix isatty() check for good. put virtual IPv6 addresses into env Use adapter index instead of name for windows IPv6 interface config Client-side part for server restart notification Use adapter index for add/delete_route_ipv6 Pass adapter index to up/down scripts Fix VS2013 compilation Fix privilege drop if first connection attempt fails Support for username-only auth file. Add CONTRIBUTING.rst Updates to Changes.rst Fix termination when windows suspends/sleeps Do not hard-code windows systemroot in env_block Handle ctrl-C and ctrl-break events on Windows Unbreak read username password from management Replace strdup() calls for string_alloc() calls Check return value of ms_error_text() Increase control channel packet size for faster handshakes hardening: add insurance to exit on a failed ASSERT() Fix memory leak in auth-pam plugin Fix (potential) memory leak in init_route_list() Fix unintialized variable in plugin_vlog() Add macro to ensure we exit on fatal errors Fix memory leak in add_option() by simplifying get_ipv6_addr openssl: properly check return value of RAND_bytes() Fix rand_bytes return value checking Add Windows DNS Leak fix using WFP ('block-outside-dns') Fix "White space before end tags can break the config parser" 2015.08.03 -- Version 2.3.8 Report missing endtags of inline files as warnings Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit Produce a meaningful error message if --daemon gets in the way of asking for passwords. Document --daemon changes and consequences (--askpass, --auth-nocache). Del ipv6 addr on close of linux tun interface Fix --askpass not allowing for password input via stdin write pid file immediately after daemonizing Make __func__ work with Visual Studio too fix regression: query password before becoming daemon Fix using management interface to get passwords. Fix overflow check in openvpn_decrypt() 2015.06.02 -- Version 2.3.7 Default gateway can't be determined on illumos/Solaris platforms Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4 autotools: Fix wrong ./configure help screen default values down-root plugin: Replaced system() calls with execve() down-root: Improve error messages plugin, down-root: Fix compiler warnings sockets: Remove the limitation of --tcp-nodelay to be server-only plugins, down-root: Code style clean-up pkcs11: Load p11-kit-proxy.so module by default Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary New approach to handle peer-id related changes to link-mtu (2.3 version) Fix incorrect use of get_ipv6_addr() for iroute options. Print helpful error message on --mktun/--rmtun if not available. explain effect of --topology subnet on --ifconfig Add note about file permissions and --crl-verify to manpage. repair --dev null breakage caused by db950be85d37 assume res_init() is always there. Correct note about DNS randomization in openvpn.8 Disallow usage of --server-poll-timeout in --secret key mode. slightly enhance documentation about --cipher Enforce "serial-tests" behaviour for tests/Makefile Revert "Enforce "serial-tests" behaviour for tests/Makefile" On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo(). Use configure.ac hack to apply serial_test AM option only if supported. Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo(). Move res_init() call to inner openvpn_getaddrinfo() loop Fix FreeBSD ifconfig for topology subnet tunnels. Fix --redirect-private in --dev tap mode. include ifconfig_ environment variables in --up-restart env set Fix null pointer dereference in options.c Fix mssfix default value in connection_list context Manual page update for Re-enabled TLS version negotiation. Include systemd units in the source tarball (make dist) Updated manpage for --rport and --lport Properly escape dashes on the man-page Improve documentation in --script-security section of the man-page Really fix '--cipher none' regression Update doxygen (a bit) Set tls-version-max to 1.1 if cryptoapicert is used Account for peer-id in frame size calculation Disable SSL compression Fix frame size calculation for non-CBC modes. Allow for CN/username of 64 characters (fixes off-by-one) Remove unneeded parameter 'first_time' from possibly_become_daemon() Re-enable TLS version negotiation by default Remove size limit for files inlined in config Improve --tls-cipher and --show-tls man page description Re-read auth-user-pass file on (re)connect if required Clarify --capath option in manpage Call daemon() before initializing crypto library
Add SHA512 digests for distfiles for net category Problems found with existing digests: Package haproxy distfile haproxy-1.5.14.tar.gz 159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded] da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated] Problems found locating distfiles: Package bsddip: missing distfile bsddip-1.02.tar.Z Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2 Package djbdns: missing distfile djbdns-cachestats.patch Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch Package gated: missing distfile gated-3-5-11.tar.gz Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz Package poink: missing distfile poink-1.6.tar.gz Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch Package waste: missing distfile waste-source.tar.gz Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail.
Update to 2.3.6: 2014.11.28 -- Version 2.3.6 David Sommerseth (1): systemd: Reworked the systemd unit file to handle server and client configs better Gert Doering (1): Add client-only support for peer-id. Samuli Seppänen (1): Fix to --shaper documentation on the man-page Steffan Karger (4): Fix assertion error when using --cipher none Add --tls-version-max Modernize sample keys and sample configs Drop too-short control channel packets instead of asserting out. 2014.10.24 -- Version 2.3.5 Andris Kalnozols (2): Fix some typos in the man page. Do not upcase x509-username-field for mixed-case arguments. Arne Schwabe (1): Fix server routes not working in topology subnet with --server [v3] David Sommerseth (4): Improve error reporting on file access to --client-config-dir and --ccd-exclusive Don't let openvpn_popen() keep zombies around Add systemd unit file for OpenVPN systemd: Use systemd functions to consider systemd availability Gert Doering (3): Drop incoming fe80:: packets silently now. Fix t_lpback.sh platform-dependent failures Call init script helpers with explicit path (./) Heiko Hund (1): refine assertion to allow other modes than CBC Hubert Kario (2): ocsp_check - signature verification and cert staus results are separate ocsp_check - double check if ocsp didn't report any errors in execution James Bekkema (1): Fix socket-flag/TCP_NODELAY on Mac OS X James Yonan (6): Fixed several instances of declarations after statements. In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror. Explicitly cast the third parameter of setsockopt to const void * to avoid warning. MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier. Define PATH_SEPARATOR for MSVC builds. Fixed some compile issues with show_library_versions() Jann Horn (1): Remove quadratic complexity from openvpn_base64_decode() Mike Gilbert (1): Add configure check for the path to systemd-ask-password Philipp Hagemeister (2): Add topology in sample server configuration file Implement on-link route adding for iproute2 Samuel Thibault (1): Ensure that client-connect files are always deleted Steffan Karger (13): Remove function without effect (cipher_ok() always returned true). Remove unneeded wrapper functions in crypto_openssl.c Fix bug that incorrectly refuses oid representation eku's in polar builds Update README.polarssl Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure. Add proper check for crypto modes (CBC or OFB/CFB) Improve --show-ciphers to show if a cipher can be used in static key mode Extend t_lpback tests to test all ciphers reported by --show-ciphers Don't exit daemon if opening or parsing the CRL fails. Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen. Fix regression with password protected private keys (polarssl) ssl_polarssl.c: fix includes and make casts explicit Remove unused variables from ssl_verify_openssl.c extract_x509_extension() TDivine (1): Fix "code=995" bug with windows NDIS6 tap driver.
Changes 2.3.4: The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.
Changes 2.3.2: Only print script warnings when a script is used. Remove stray mention of script-security system. Move settings of user script into set_user_script function Move checking of script file access into set_user_script Provide more accurate warning message Fix NULL-pointer crash in route_list_add_vpn_gateway(). Fix problem with UDP tunneling due to mishandled pktinfo structures. Always push basic set of peer info values to server. make 'explicit-exit-notify' pullable again Fix proto tcp6 for server & non-P2MP modes Fix Windows script execution when called from script hooks Fixed tls-cipher translation bug in openssl-build Fixed usage of stale define USE_SSL to ENABLE_SSL Fix segfault when enabling pf plug-ins
SunOS build fix.
Upgrade OpenVPN to 2.3.0 Bump openvpn-acct-wtmpx to add its licence and to take into account the new location of plugin directory Significant changes since 2.2.x: * Full IPv6 support * SSL layer modularised, enabling easier implementation for other SSL libraries * PolarSSL support as a drop-in replacement for OpenSSL * New plug-in API providing direct certificate access, improved logging API and easier to extend in the future * Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP' * New feature: --management-external-key - to provide access to the encryption keys via the management interface * New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins * New feature: --client-nat support * New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling * New feature: --management-query-proxy - manage proxy settings via the management interface (supercedes --http-proxy-fallback) * New feature: --stale-routes-check, which cleans up the internal routing table * New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name * Improved client-kill management interface command * Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins * Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation * More options can now be used inside <connection> blocks * Completely new build system, enabling easier cross-compilation and Windows builds * Much of the code has been better documented * Many documentation updates * Plenty of bug fixes and other code clean-ups
Changes 2.2.2: * Only warn about non-tackled IPv6 packets once * add missing break between "case IPv4" and "case IPv6" * bump tap driver version from 9.8 to 9.9 * log error message and exit for "win32, tun mode, tap driver version 9.8" * Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch
Fix buildling on Mac OS X 10.7
Changes 2.2.1: * Don't define ENABLE_PUSH_PEER_INFO if SSL is not available * Fix compiling issues with pkcs11 when --disable-management is configured * Remove support for Linux 2.2 configuration fallback * Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto * Fix 2.2.0 build failure when management interface disabled * Added info about --show-proxy-settings * Documented --x509-username-field option * Updated "easy-rsa" for OpenSSL 1.0.0 * Fixes to easy-rsa/2.0 * Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf * Fix a build-ca issue on Windows * Fix issues with some older GCC compilers
Changes 2.2.0: * Several man-page updates * Several buildsystem fixes * Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier * Change the default --tmp-dir path to a more suitable path * Improve the mysprintf() issue in openvpnserv.c * Fixed bug in port-share that could cause port share process to crash * Fix the --client-cert-not-required feature
Changes 2.1.4: * Fix problem with special case route targets ('remote_host') The init_route() function will leave &netlist untouched for get_special_addr() routes ("remote_host" being one of them). netlist is on stack, contains random garbage, and netlist.len will not be 0 - thus, random stack data is copied from netlist.data[] until the route_list is full.
Changes 2.1.3: * Fixed potential local privilege escalation vulnerability in Windows service. * Added Python-based based alternative build system for Windows using Visual Studio 2008 (in win directory). * When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted. * Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication. * Don't advance to the next connection profile on AUTH_FAILED errors. * Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried. * Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period. * Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] * Enable exponential backoff in reliability layer retransmits. * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen. * Management interface performance optimizations: 1. Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth 2. man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o * Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly. * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in. * Proxy improvements: * Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails. * Implemented a key/value auth channel from client to server. * Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds.
Updated to 2.1.1. Changes: 2009.12.11 -- Version 2.1.1 * Fixed some breakage in openvpn.spec (which is required to build an RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth). 2009.12.11 -- Version 2.1.0 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug). * Documented "multihome" option in the man page. 2009.11.20 -- Version 2.1_rc22 * Fixed a client-side bug on Windows that occurred when the "dhcp-pre-release" or "dhcp-renew" options were combined with "route-gateway dhcp". The release/renew would not occur because the Windows DHCP renew function is blocking and therefore must be called from another process or thread so as not to stall the tunnel. * Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued.
Update to 2.1rc21. From Changelog: * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address CVE-2009-3555. Note that OpenVPN has never relied on the session renegotiation capabilities that are built into the SSL/TLS protocol, therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation completely) will not adversely affect OpenVPN mid-session SSL/TLS renegotation or any other OpenVPN capabilities. * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain.
NetBSD's tun driver has no broadcast support. When configured with a tun device and subnet topology, OpenVPN insisted on setting a broadcast address on the tun device, causing a fatal error. This patch fixes that, and has been submitted upstream
Update to 2.1_rc20 from 2.1_rc13: 2009.10.01 -- Version 2.1_rc20 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. * Fixed build problem when ./configure --disable-server is used. * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke). * Added --remote-random-hostname option. * Added "load-stats" management interface command to get global server load statistics. * Added new ./configure flags: --disable-def-auth Disable deferred authentication --disable-pf Disable internal packet filter * Added "setcon" directive for interoperability with SELinux (Sebastien Raveau). * Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation. * The maximum number of "route" directives (specified in the config file or pulled from a server) can now be configured via the new "max-routes" directive. * Eliminated the limitation on the number of options that can be pushed to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. * Added --server-poll-timeout option : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. * Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. * client-kill management interface command, when issued on server, will now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list. 2009.07.16 -- Version 2.1_rc19 * In Windows TAP driver, refactor DHCP/ARP packet injection code to use a DPC (deferred procedure call) to defer packet injection until IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive in the context of AdapterTransmit. This is an attempt to reduce kernel stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been observed on Vista. Updated TAP driver version number to 9.6. * In configure.ac, use datadir instead of datarootdir for compatibility with <autoconf-2.60. 2009.06.07 -- Version 2.1_rc18 * Fixed compile error on ./configure --enable-small * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change does not build on Windows on non-MINGW32. 2009.05.30 -- Version 2.1_rc17 * Reduce the debug level (--verb) at which received management interface commands are echoed from 7 to 3. Passwords will be filtered. * Fixed race condition in management interface recv code on Windows, where sending a set of several commands to the management interface in quick succession might cause the latter commands in the set to be ignored. * Increased management interface input command buffer size from 256 to 1024 bytes. * Minor tweaks to Windows build system. * Added "redirect-private" option which allows private subnets to be pushed to the client in such a way that they don't accidently obscure critical local addresses such as the DHCP server address and DNS server addresses. * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN client will examine the routing table and determine whether (a) the OpenVPN server is reachable via a locally connected interface, or (b) traffic to the server must be forwarded through the default router. Only add a special bypass route for the OpenVPN server if (b) is true. If (a) is true, behave as if the 'local' flag is specified, and do not add a bypass route. The new 'autolocal' flag depends on the non-portable test_local_addr() function in route.c, which is currently only implemented for Windows. The 'autolocal' flag will act as a no-op on platforms that have not yet defined a test_local_addr() function. * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for more option content to be pushed from server to client). * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug levels <=3) a common and usually innocuous warning. * Fixed issue of symbol conflicts interfering with Windows CryptoAPI functionality (Alon Bar-Lev). * Fixed bug where the remote_X environmental variables were not being set correctly when the 'local' option is specifed. 2009.05.17 -- Version 2.1_rc16 * Windows installer changes: 1. ifdefed out the check Windows version code which is causing problems on Windows 7 2. don't define SF_SELECTED if it is already defined 3. Use LZMA instead of BZIP2 compression for better compression 4. Upgraded OpenSSL to 0.9.8k * Added the ability to read the configuration file from stdin, when "stdin" is given as the config file name. * Allow "management-client" directive to be used with unix domain sockets. * Added errors-to-stderr option. When enabled, fatal errors that result in the termination of the daemon will be written to stderr. * Added optional "nogw" (no gateway) flag to --server-bridge to inhibit the pushing of the route-gateway parameter to clients. * Added new management interface command "pid" to show the process ID of the current OpenVPN process (Angelo Laub). * Fixed issue where SIGUSR1 restarts would fail if private key was specified as an inline file. * Added daemon_start_time and daemon_pid environmental variables. * In management interface, added new ">CLIENT:ESTABLISHED" notification. * Build fixes: 1. Fixed some issues with C++ style comments that leaked into the code. 2. Updated configure.ac to work on MinGW64. 3. Updated common.h types for _WIN64. 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc compilers. 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to OpenVPNCryptAcquireCertificatePrivateKey to work around a symbol conflict in MinGW-5.1.4. 2008.11.19 -- Version 2.1_rc15 * Fixed issue introduced in 2.1_rc14 that may cause a segfault when a --plugin module is used. * Added server-side --opt-verify option: clients that connect with options that are incompatible with those of the server will be disconnected (without this option, incompatible clients would trigger a warning message in the server log but would not be disconnected). * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket flag on the server as well as pushes it to connecting clients. * Minor options check fix: --no-name-remapping is a server-only option and should therefore generate an error when used on the client. * Added --prng option to control PRNG (pseudo-random number generator) parameters. In previous OpenVPN versions, the PRNG was hardcoded to use the SHA1 hash. Now any OpenSSL hash may be used. This is part of an effort to remove hardcoded references to a specific cipher or cryptographic hash algorithm. * Cleaned up man page synopsis. 2008.11.16 -- Version 2.1_rc14 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred, with the goal of fixing a build issue on Fedora 9 that was introduced in 2.1_rc13. * Added additional method parameter to --script-security to preserve backward compatibility with system() call semantics used in OpenVPN 2.1_rc8 and earlier. To preserve backward compatibility use: script-security 3 system * Added additional warning messages about --script-security 2 or higher being required to execute user-defined scripts or executables. * Windows build system changes: Modified Windows domake-win build system to write all openvpn.nsi input files to gen, so that gen can be disconnected from the rest of the source tree and makensis openvpn.nsi will still function correctly. Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in (commented out by default). Added optional files SAMPCONF_CONF2 (second sample configuration file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows build system, and may be defined in settings.in. * Extended Management Interface "bytecount" command to work when OpenVPN is running as a server. Documented Management Interface "bytecount" command in management/management-notes.txt. * Fixed informational message in ssl.c to properly indicate deferred authentication. * Added server-side --auth-user-pass-optional directive, to allow connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module). * Changes to easy-rsa/2.0/pkitool and related openssl.cnf: Calling scripts can set the KEY_NAME environmental variable to set the "name" X509 subject field in generated certificates. Modified pkitool to allow flexibility in separating the Common Name convention from the cert/key filename convention. For example: KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james will create a client certificate/key pair of james.crt/james.key having a Common Name of "James's Laptop" and a Name of "james". * Added --no-name-remapping option to allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return (this is important for compatibility with external authentication systems). As a related change, added --status-version 3 format (and "status 3" in the management interface) which uses the version 2 format except that tabs are used as delimiters instead of commas so that there is no ambiguity when parsing a Common Name that contains a comma. Also, save X509 Subject fields to environment, using the naming convention: X509_{cert_depth}_{name}={value} This is to avoid ambiguities when parsing out the X509 subject string since "/" characters could potentially be used in the common name. * Fixed some ifconfig-pool issues that precluded it from being combined with --server directive. Now, for example, we can configure thusly: server 10.8.0.0 255.255.255.0 nopool ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0 to have ifconfig-pool manage only a subset of the VPN subnet. * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax config file syntax checking to allow directives for future OpenVPN versions to be ignored.
Make it work on DragonFly 2.0 and up. Bump PKGREVISION.
Update to 2.1rc13. Changes include: 2008.10.07 -- Version 2.1_rc13 * Bundled OpenSSL 0.9.8i with Windows installer. * Management interface can now listen on a unix domain socket, for example: management /tmp/openvpn unix Also added management-client-user and management-client-group directives to control which processes are allowed to connect to the socket. * Copyright change to OpenVPN Technologies, Inc. 2008.09.23 -- Version 2.1_rc12 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes part of the tarball (Matthias Andree). * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code was incorrectly expecting the lladdr parameter to be an IP address when it is actually a MAC address (HoverHell). 2008.09.14 -- Version 2.1_rc11 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode to fail if UDP packets are dropped. 2008.09.10 -- Version 2.1_rc10 * Added "--server-bridge" (without parameters) to enable DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses. * Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN. * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, ignore it. * Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously. * When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road. * Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet. * Added a 'netmask' parameter to get_default_gateway, to return the netmask of the adapter containing the default gateway. Only implemented on Windows so far. Other platforms will return 255.255.255.0. Currently the netmask information is only used to warn about subnet conflicts. * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO and USE_SSL flags are enabled (Alon Bar-Lev). * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new --script-security rules. Also adds retrying if the addresses are in use (Matthias Andree). * Fixed build issue with ./configure --disable-socks --disable-http. * Fixed separate compile errors in options.c and ntlm.c that occur on strict C compilers (such as old versions of gcc) that require that C variable declarations occur at the start of a {} block, not in the middle. * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which the new implementation of extract_x509_field_ssl depends on. * LZO compression buffer overflow errors will now invalidate the packet rather than trigger a fatal assertion. * Fixed minor compile issue in ntlm.c (mid-block declaration). * Added --allow-pull-fqdn option which allows client to pull DNS names from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options. * 2.1_rc8 and earlier did implicit shell expansion on script arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded, so for example: client-connect "docc CLIENT-CONNECT" would fail to work because execve would try to execute a script called "docc CLIENT-CONNECT" instead of "docc" with "CLIENT-CONNECT" as the first argument. This patch fixes the issue, bringing the script argument semantics back to pre 2.1_rc9 behavior in order to preserve backward compatibility while still using execve or CreateProcess to execute the script/executable. * Modified ip_or_dns_addr_safe, which validates pulled DNS names, to more closely conform to RFC 3696: (1) DNS name length must not exceed 255 characters (2) DNS name characters must be limited to alphanumeric, dash ('-'), and dot ('.') * Fixed bug in intra-session TLS key rollover that was introduced with deferred authentication features in 2.1_rc8. 008.07.31 -- Version 2.1_rc9 * Security Fix -- affects non-Windows OpenVPN clients running OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT vulnerable nor are any versions of the OpenVPN server vulnerable). An OpenVPN client connecting to a malicious or compromised server could potentially receive an "lladdr" or "iproute" configuration directive from the server which could cause arbitrary code execution on the client. A successful attack requires that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client succesfully authenticates the server, (c) the server is malicious or has been compromised and is under the control of the attacker, and (d) the client is running a non-Windows OS. Credit: David Wagner. * Miscellaneous defensive programming changes to multiple areas of the code. In particular, use of the system() call for calling executables such as ifconfig, route, and user-defined scripts has been completely revamped in favor of execve() on unix and CreateProcess() on Windows. * In Windows build, package a statically linked openssl.exe to work around observed instabilities in the dynamic build since the migration to OpenSSL 0.9.8h. 2008.06.11 -- Version 2.1_rc8 * Added client authentication and packet filtering capability to management interface. In addition, allow OpenVPN plugins to take advantage of deferred authentication and packet filtering capability. * Added support for client-side connection profiles. * Fixed unbounded memory growth bug in environmental variable code that could have caused long-running OpenVPN sessions with many TLS renegotiations to incrementally increase memory usage over time. * Windows release now packages openssl-0.9.8h. * Build system changes -- allow building on Windows using autoconf/automake scripts (Alon Bar-Lev). * Changes to Windows build system to make it easier to do partial builds, with a reduced set of prerequisites, where only a subset of OpenVPN installer components are built. See ./domake-win comments. * Cleanup IP address for persistence interfaces for tap and also using ifconfig, gentoo#209055 (Alon Bar-Lev). * Fall back to old version of extract_x509_field for OpenSSL 0.9.6. * Clarified tcp-queue-limit man page entry (Matti Linnanvuori). * Added new OpenVPN icon and installer graphic. * Minor pkitool changes. * Added --pkcs11-id-management option, which will cause OpenVPN to query the management interface via the new NEED-STR asynchronous notification query to get additional PKCS#11 options (Alon Bar-Lev). * Added NEED-STR management interface asynchronous query and "needstr" management interface command to respond to the query (Alon Bar-Lev). * Added Dragonfly BSD support (Francis-Gudin). * Quote device names before passing to up/down script (Josh Cepek). * Bracketed struct openvpn_pktinfo with #pragma pack(1) to prevent structure padding from causing an incorrect length to be returned by sizeof (struct openvpn_pktinfo) on 64-bit platforms. * On systems that support res_init, always call it before calling gethostbyname to ensure that resolver configuration state is current. * Added NTLMv2 proxy support (Miroslav Zajic). * Fixed an issue in extract_x509_field_ssl where the extraction would fail on the first field of the subject name, such as the common name in: /CN=foo/emailAddress= foo@bar.comThis e-mail address is being protected from spambots. You need JavaScript enabled to view it * Made "Linux ip addr del failed" error nonfatal. * Amplified --client-cert-not-required warning. * Added #pragma pack to proto.h.
Updated net/openvpn to 2.1rc7 * Added a few extra files that exist in the svn repo but were not being copied into the tarball by make dist. * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev). * Fixed options checking bug introduced in rc5 where legitimate configuration files might elicit the error: "Options error: Parameter pkcs11_private_mode can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified." * Added "forget-passwords" command to the management interface (Alon Bar-Lev). * Added --management-signal option to signal SIGUSR1 when the management interface disconnects (Alon Bar-Lev). * Modified command line and config file parser to allow quoted strings using single quotes ('') (Alon Bar-Lev). * Use pkcs11-helper as external library, can be downloaded from https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev). * Fixed interim memory growth issue in TCP connect loop where "TCP: connect to %s failed, will try again in %d seconds: %s" is output. * Fixed bug in epoll driver in event.c, where the lack of a handler for EPOLLHUP could cause 99% CPU usage. * Defined ALLOW_NON_CBC_CIPHERS for people who don't want to use a CBC cipher for OpenVPN's data channel. * Added PLUGIN_LIBDIR preprocessor string to prepend a default plugin directory to the dlopen search list when the user specifies the basename of the plugin only (Marius Tomaschewski). * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS to allow forward slash characters ("/") in the X509 common name (Pavel Shramov). * Allow OpenVPN to run completely unprivileged under Linux by allowing openvpn --mktun to be used with --user and --group to set the UID/GID of the tun device node. Also added --iproute option to allow an alternative command to be executed in place of the default iproute2 command (Alon Bar-Lev). * Fixed --disable-iproute2 in ./configure to actually disable iproute2 usage (Alon Bar-Lev). * Added --management-forget-disconnect option -- forget passwords when management session disconnects (Alon Bar-Lev).
Merge Solaris tap support patch for OpenVPN by "Kazuyoshi".
Update net/openvpn to 2.1rc4. Changes from version 2.1rc2 include: * Fixed 64-bit portability bug in time_string function (Thomas Habets). * Clean up configure on FreeBSD for recent autotool versions that require that all .h files have to be compiled. Also, FreeBSD install does not support GNU long options which the Makefile in easy-rsa/2.0 uses (not checked the others as we don't install those on Gentoo) (Roy Marples).
Update to 2.1rc2. Mainly bug fixes and improvements to management interface
Update to 2.1_rc1. Many, many improvements including: Added optional minimum-number-of-bytes parameter to --inactive directive. Added --route-metric option to set a default route metric for --route Added --lladdr option to specify the link layer (MAC) address for the tap interface on non-Windows platforms Security Vulnerability CVE-2006-1629 Extended tun device configure code to support ethernet bridging on NetBSD Added --port-share option for allowing OpenVPN and HTTPS server to share the same port number. Added --management-client option to connect as a client to management GUI app rather than be connected to as a server. Added "bytecount" command to management interface. Added --connect-timeout option to control the timeout on TCP client connection attempts (doesn't work on all OSes). This patch also makes OpenVPN signalable during TCP connection attempts. Allow ca, cert, key, and dh files to be specified inline via XML-like syntax without needing to reference an explicit file. Allow plugin and push directives to have multi-line parameter lists Added connect-retry-max option Added a backtrack-hardened system time algorithm. Added --remote-cert-ku, --remote-cert-eku, and --remote-cert-tls options for verifying certificate attributes Added PKCS#11 support Added --bind option for TCP client connections Made LZO setting pushable Plus numerous bug fixes.
Update net/openvpn to 2.0.7. Changes from version 2.0.6 include fixing a Windows bug with 64bit counters which could cause intermittent crashes.
Pullup ticket 1364 - requested by jlam NetBSD tap(4) support for openvpn Revisions pulled up: - pkgsrc/net/openvpn/Makefile 1.17 - pkgsrc/net/openvpn/distinfo 1.8 - pkgsrc/net/openvpn/patches/patch-ab 1.4 - pkgsrc/net/openvpn/patches/patch-ac 1.3 - pkgsrc/net/openvpn/patches/patch-ad 1.1 - pkgsrc/net/openvpn/patches/patch-ae 1.1 - pkgsrc/net/openvpn/patches/patch-af 1.1 Module Name: pkgsrc Committed By: jlam Date: Tue Apr 11 20:09:52 UTC 2006 Modified Files: pkgsrc/net/openvpn: Makefile distinfo Added Files: pkgsrc/net/openvpn/patches: patch-ab patch-ac patch-ad patch-ae patch-af Log Message: Add support for NetBSD's cloning tap device to support "device tap" configurations. Changes supplied in PR pkg/32929 by Alan Barrett. Bump PKGREVISION to 1.
Add support for NetBSD's cloning tap device to support "device tap" configurations. Changes supplied in PR pkg/32929 by Alan Barrett. Bump PKGREVISION to 1.
Pullup ticket 1327 - requested by jlam Security update for openvpn Revisions pulled up: - pkgsrc/net/openvpn/Makefile 1.16 - pkgsrc/net/openvpn/distinfo 1.7 Module Name: pkgsrc Committed By: jlam Date: Wed Apr 5 13:49:26 UTC 2006 Modified Files: pkgsrc/net/openvpn: Makefile distinfo Log Message: Update net/openvpn to 2.0.6. Changes from version 2.0.5 include: * [security] An OpenVPN client connecting to a malicious or compromised server could potentially receive "setenv" configuration directives from the server which could cause arbitrary code execution on the client via a LD_PRELOAD attack. A successful attack appears to require that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client configuration file uses a scripting directive such as "up" or "down", (c) the client succesfully authenticates the server, (d) the server is malicious or has been compromised and is under the control of the attacker, and (e) the attacker has at least some level of pre-existing control over files on the client (this might be accomplished by having the server respond to a client web request with a specially crafted file). The fix is to disallow "setenv" to be pushed to clients from the server. For those who need this capability, OpenVPN 2.1 supports a new "setenv-safe" directive which is free of this vulnerability. * When deleting routes under Linux, use the route metric as a differentiator to ensure that the route teardown process only deletes the identical route which was originally added via the "route" directive (Roy Marples). * Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk Meyer, Vasil Dimov). * Extended tun device configure code to support ethernet bridging on NetBSD (Emmanuel Kasper).
Update net/openvpn to 2.0.6. Changes from version 2.0.5 include: * [security] An OpenVPN client connecting to a malicious or compromised server could potentially receive "setenv" configuration directives from the server which could cause arbitrary code execution on the client via a LD_PRELOAD attack. A successful attack appears to require that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client configuration file uses a scripting directive such as "up" or "down", (c) the client succesfully authenticates the server, (d) the server is malicious or has been compromised and is under the control of the attacker, and (e) the attacker has at least some level of pre-existing control over files on the client (this might be accomplished by having the server respond to a client web request with a specially crafted file). The fix is to disallow "setenv" to be pushed to clients from the server. For those who need this capability, OpenVPN 2.1 supports a new "setenv-safe" directive which is free of this vulnerability. * When deleting routes under Linux, use the route metric as a differentiator to ensure that the route teardown process only deletes the identical route which was originally added via the "route" directive (Roy Marples). * Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk Meyer, Vasil Dimov). * Extended tun device configure code to support ethernet bridging on NetBSD (Emmanuel Kasper).
Pullup ticket 884 - requested by Lubomir Sedlacik security update of net/openvpn Revisions pulled up: - pkgsrc/net/openvpn/Makefile 1.11 - pkgsrc/net/openvpn/distinfo 1.6 - pkgsrc/net/openvpn/files/openvpn.sh 1.3 Module Name: pkgsrc Committed By: salo Date: Thu Nov 3 14:31:19 UTC 2005 Modified Files: pkgsrc/net/openvpn: Makefile distinfo pkgsrc/net/openvpn/files: openvpn.sh Log Message: Security update to version 2.0.5. Changes: 2.0.5: ====== - Fixed bug in Linux get_default_gateway function introduced in 2.0.4, which would cause redirect-gateway on Linux clients to fail. - Restored easy-rsa/2.0 tree (backported from 2.1 beta series) which accidentally disappeared in 2.0.2 -> 2.0.4 transition. 2.0.4: ====== - Security fix -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). CVE-2005-3393 - Security fix -- Potential DoS vulnerability on the server in TCP mode. If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions. CVE-2005-3409 - Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). - Added ".PHONY: plugin" to Makefile.am to work around "make dist" issue. - Fixed double fork issue that occurs when --management-hold is used. - Moved TUN/TAP read/write log messages from --verb 8 to 6. - Warn when multiple clients having the same common name or username usurp each other when --duplicate-cn is not used. - Modified Windows and Linux versions of get_default_gateway to return the route with the smallest metric if multiple 0.0.0.0/0.0.0.0 entries are present. 2.0.3: ====== - openvpn_plugin_abort_v1 function wasn't being properly registered on Windows. - Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation.
Security update to version 2.0.5. Changes: 2.0.5: ====== - Fixed bug in Linux get_default_gateway function introduced in 2.0.4, which would cause redirect-gateway on Linux clients to fail. - Restored easy-rsa/2.0 tree (backported from 2.1 beta series) which accidentally disappeared in 2.0.2 -> 2.0.4 transition. 2.0.4: ====== - Security fix -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). CVE-2005-3393 - Security fix -- Potential DoS vulnerability on the server in TCP mode. If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions. CVE-2005-3409 - Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). - Added ".PHONY: plugin" to Makefile.am to work around "make dist" issue. - Fixed double fork issue that occurs when --management-hold is used. - Moved TUN/TAP read/write log messages from --verb 8 to 6. - Warn when multiple clients having the same common name or username usurp each other when --duplicate-cn is not used. - Modified Windows and Linux versions of get_default_gateway to return the route with the smallest metric if multiple 0.0.0.0/0.0.0.0 entries are present. 2.0.3: ====== - openvpn_plugin_abort_v1 function wasn't being properly registered on Windows. - Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation.
Update net/openvpn to 2.0.2. Changes from version 2.0.1 include: * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD version of get_default_gateway. Allocated socket for route manipulation is never freed so number of mbufs continuously grow and exhaust system resources after a while (Jaroslav Klaus). * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects.
Update net/openvpn to version 2.0.1. Major changes from version 1.6.0 include: Adding a highly scalable server for handling multiple TCP/UDP clients over point-to-point TUN interfaces, all using a single port number. The server has been designed so that it can run with reduced privilege. On the client side, "pull" has been added, which basically says "accept certain config file options which the server pushes back to you." The major win of the push/pull capability is that the same client configuration file can be used on each client provided each client has its own set of SSL/TLS keys which have been signed by the master CA. A management interface has been developed which can be used to remotely control or centrally manage an OpenVPN daemon. "remote" can now specify a set of machines, or a hostname can be configured with multiple addresses in DNS. A server will be randomly chosen from the list, and if the connect fails, another will be tried (see the "remote-random" option) A package for easy RSA key management (easy-rsa-2.0rc1) has been included to aid in generating SSL keys and certificates for use with OpenVPN.
Add RMD160 digests.
Update openvpn to 1.6.0. While here port it properly so that the route statements in the configuration file work. Also add patches so that der Mouse's if_tap driver can be used. Changes since 1.5.0: 2004.05.09 -- Version 1.6.0 * Unchanged from 1.6-rc4 except for version number upgrade. 2004.04.01 -- Version 1.6-rc4 * Made minor customizations to devcon and renamed as tapinstall.exe for Windows version. * Fixed "storage size of `iv' isn't known" build problem on FreeBSD. * OpenSSL 0.9.7d bundled with Windows self-install. 2004.03.13 -- Version 1.6-rc3 * Minor Windows fixes for --ip-win32 dynamic, relating to the way the TAP-Win32 driver responds to a DHCP request from the Windows DHCP client. * The net_gateway environmental variable wasn't being set correctly for called scripts (Paul Zuber). * Added code to determine the default gateway on FreeBSD, allowing the --redirect-gateway option to work (Juan Rodriguez Hervella). 2004.03.04 -- Version 1.6-rc2 * Fixed bug in Windows version where the NetBIOS node-type DHCP option might have been passed even if it was not specified. * Fixed bug in Windows version introduced in 1.6-rc1, where DHCP timeout would be set to 0 seconds if --ifconfig option was used and --ip-win32 option was not explicitly specified. * Added some new --dhcp-option types for Windows version. 2004.03.02 -- Version 1.6-rc1 * For Windows, make "--ip-win32 dynamic" the default. * For Windows, make "--route-delay 10" the default unless --ip-win32 dynamic is not used or --route-delay is explicitly specified. * L_TLS mutex could have been left in a locked state for certain kinds of TLS errors. 2004.02.22 -- Version 1.6-beta7 * Allow scheduling priority increase (--nice) together with UID/GID downgrade (--user/--group). * Code that causes SIGUSR1 restart on TLS errors in TCP mode was not activated in pthread builds. * Save the certificate serial number in an environmental variable called tls_serial_{n} prior to calling the --tls-verify script. n is the current cert chain level. * Added NetBSD IPv6 tunnel capability (also requires a kernel patch) (Horst Laschinsky). * Fixed bug in checking the return value of the nice() function (Ian Pilcher). * Bug fix in new FreeBSD IPv6 over TUN code which was originally added in 1.6-beta5 (Nathanael Rensen). * More Socks5 fixes -- extended the struct frame infrastructure to accomodate proxy-based encapsulation overhead. * Added --dhcp-option to Windows version for setting adapter properties such as WINS & DNS servers. * Use a default route-delay of 5 seconds when --ip-win32 dynamic is specified (only applicable when --route-delay is not explicitly specified). * Added "log_append" registry variable to control whether the OpenVPN service wrapper on Windows opens log files in append (log_append="1") or truncate (log_append="0") mode. The default is truncate. 2004.02.05 -- Version 1.6-beta6 * UDP over Socks5 fix to accomodate Socks5 encapsulation overhead (Christof Meerwald). * Minor --ip-win32 dynamic tweaks (use long lease time, invalidate existing lease with DHCPNAK). 2004.02.01 -- Version 1.6-beta5 * Added Socks5 proxy support (Christof Meerwald). * IPv6 tun support for FreeBSD (Thomas Glanzmann). * Special TAP-Win32 debug mode for Windows self-install that was enabled in beta4 is now turned off. * Added some new Solaris notes to INSTALL (Koen Maris). * More work on --ip-win32 dynamic. 2004.01.27 -- Version 1.6-beta4 * For this beta, the Windows self-install is a debug version and will run slower -- use only for testing. * Reverted the --ip-win32 default back to 'ipapi' from 'dynamic'. * Added the offset parameter to '--ip-win32 dynamic' which can be used to control the address of the masqueraded DHCP server which replies to Windows DHCP requests. * Added a wait/nowait option to --inetd (nowait can only be used with TCP sockets, TLS authentication, and over a bridged configuration -- see FAQ for more info) (Stefan `Sec` Zehl). * Added a build-time capability where TAP-Win32 driver debug messages can be output by OpenVPN at --verb 6 or higher. 2004.01.20 -- Version 1.6-beta2 * Added ./configure --enable-iproute2 flag which uses iproute2 instead of route + ifconfig -- this is necessary for the LEAF Linux distro (Martin Hejl). * Added renewal-time and rebind-time to set of DHCP options returned by the TAP-Win32 driver when "--ip-win32 dynamic" is used. 2004.01.14 -- Version 1.6-beta1 * Fixed --proxy bug that sometimes caused plaintext control info generated by the proxy prior to http CONNECT method establishment to be incorrectly parsed as OpenVPN data. * For Windows version, implemented the "--ip-win32 dynamic" method and made it the default. This method sets the TAP-Win32 adapter IP address and netmask by replying to the kernel's DHCP queries. See the man page for more detailed info. * Added --connect-retry parameter which controls the time interval (in seconds) between connect() retries when --proto tcp-client is used. Previously, this value was hardcoded to 5 seconds, and still defaults as such. * --resolv-retry can now be used with a parameter of "infinite" to retry indefinitely. * Added SSL_CTX_use_certificate_chain_file() to ssl.c for support of multi-level certificate chains (Sten Kalenda). * Fixed --tls-auth incompatibility with 1.4.x and earlier versions of OpenVPN when the passphrase file is an OpenVPN static key file (as generated by --genkey). * Added shell-escape support in config files using the backslash character ("\") so that (for example) double quotes can be passed to the shell. * Added "contrib" subdirectory on tarball, source zip, and CVS containing user-submitted contributions. * Added an optional patch to the Redhat init script to allow the configuration file directory to be a multi-level directory hierarchy (Farkas Levente). See contrib/multilevel-init.patch * Added some scripts and documentation on using Linux "fwmark" iptables rules to enable fine-grained routing control over the VPN (Sean Reifschneider, <jafo@tummy.com>). See contrib/openvpn-fwmarkroute-1.00
Initial commit of openvpn-1.5.0: A robust and highly configurable VPN
Initial revision