| 1 | {{{ |
| 2 | 2004.05.09 -- Version 1.6.0 |
| 3 | |
| 4 | * Unchanged from 1.6-rc4 except for version number |
| 5 | upgrade. |
| 6 | |
| 7 | 2004.04.01 -- Version 1.6-rc4 |
| 8 | |
| 9 | * Made minor customizations to devcon and |
| 10 | renamed as tapinstall.exe for Windows version. |
| 11 | * Fixed "storage size of `iv' isn't known" build |
| 12 | problem on FreeBSD. |
| 13 | * OpenSSL 0.9.7d bundled with Windows self-install. |
| 14 | |
| 15 | 2004.03.13 -- Version 1.6-rc3 |
| 16 | |
| 17 | * Minor Windows fixes for --ip-win32 dynamic, relating to |
| 18 | the way the TAP-Win32 driver responds to a DHCP request |
| 19 | from the Windows DHCP client. |
| 20 | * The net_gateway environmental variable wasn't being |
| 21 | set correctly for called scripts (Paul Zuber). |
| 22 | * Added code to determine the default gateway on FreeBSD, |
| 23 | allowing the --redirect-gateway option to work |
| 24 | (Juan Rodriguez Hervella). |
| 25 | |
| 26 | 2004.03.04 -- Version 1.6-rc2 |
| 27 | |
| 28 | * Fixed bug in Windows version where the NetBIOS node-type |
| 29 | DHCP option might have been passed even if it was not |
| 30 | specified. |
| 31 | * Fixed bug in Windows version introduced in 1.6-rc1, where |
| 32 | DHCP timeout would be set to 0 seconds if --ifconfig option |
| 33 | was used and --ip-win32 option was not explicitly specified. |
| 34 | * Added some new --dhcp-option types for Windows version. |
| 35 | |
| 36 | 2004.03.02 -- Version 1.6-rc1 |
| 37 | |
| 38 | * For Windows, make "--ip-win32 dynamic" the default. |
| 39 | * For Windows, make "--route-delay 10" the default |
| 40 | unless --ip-win32 dynamic is not used or --route-delay |
| 41 | is explicitly specified. |
| 42 | * L_TLS mutex could have been left in a locked state |
| 43 | for certain kinds of TLS errors. |
| 44 | |
| 45 | 2004.02.22 -- Version 1.6-beta7 |
| 46 | |
| 47 | * Allow scheduling priority increase (--nice) together |
| 48 | with UID/GID downgrade (--user/--group). |
| 49 | * Code that causes SIGUSR1 restart on TLS errors in TCP |
| 50 | mode was not activated in pthread builds. |
| 51 | * Save the certificate serial number in an environmental |
| 52 | variable called tls_serial_{n} prior to calling the |
| 53 | --tls-verify script. n is the current cert chain level. |
| 54 | * Added NetBSD IPv6 tunnel capability (also requires |
| 55 | a kernel patch) (Horst Laschinsky). |
| 56 | * Fixed bug in checking the return value of the nice() |
| 57 | function (Ian Pilcher). |
| 58 | * Bug fix in new FreeBSD IPv6 over TUN code which was |
| 59 | originally added in 1.6-beta5 (Nathanael Rensen). |
| 60 | * More Socks5 fixes -- extended the struct frame |
| 61 | infrastructure to accomodate proxy-based encapsulation |
| 62 | overhead. |
| 63 | * Added --dhcp-option to Windows version for setting |
| 64 | adapter properties such as WINS & DNS servers. |
| 65 | * Use a default route-delay of 5 seconds when |
| 66 | --ip-win32 dynamic is specified (only applicable when |
| 67 | --route-delay is not explicitly specified). |
| 68 | * Added "log_append" registry variable to control |
| 69 | whether the OpenVPN service wrapper on Windows |
| 70 | opens log files in append (log_append="1") or |
| 71 | truncate (log_append="0") mode. The default |
| 72 | is truncate. |
| 73 | |
| 74 | 2004.02.05 -- Version 1.6-beta6 |
| 75 | |
| 76 | * UDP over Socks5 fix to accomodate Socks5 encapsulation |
| 77 | overhead (Christof Meerwald). |
| 78 | * Minor --ip-win32 dynamic tweaks (use long lease time, |
| 79 | invalidate existing lease with DHCPNAK). |
| 80 | |
| 81 | 2004.02.01 -- Version 1.6-beta5 |
| 82 | |
| 83 | * Added Socks5 proxy support (Christof Meerwald). |
| 84 | * IPv6 tun support for FreeBSD (Thomas Glanzmann). |
| 85 | * Special TAP-Win32 debug mode for Windows self-install that was |
| 86 | enabled in beta4 is now turned off. |
| 87 | * Added some new Solaris notes to INSTALL (Koen Maris). |
| 88 | * More work on --ip-win32 dynamic. |
| 89 | |
| 90 | 2004.01.27 -- Version 1.6-beta4 |
| 91 | |
| 92 | * For this beta, the Windows self-install is a debug version |
| 93 | and will run slower -- use only for testing. |
| 94 | * Reverted the --ip-win32 default back to 'ipapi' |
| 95 | from 'dynamic'. |
| 96 | * Added the offset parameter to '--ip-win32 dynamic' which |
| 97 | can be used to control the address of the masqueraded |
| 98 | DHCP server which replies to Windows DHCP requests. |
| 99 | * Added a wait/nowait option to --inetd (nowait can only |
| 100 | be used with TCP sockets, TLS authentication, and over |
| 101 | a bridged configuration -- see FAQ for more info) |
| 102 | (Stefan `Sec` Zehl). |
| 103 | * Added a build-time capability where TAP-Win32 driver |
| 104 | debug messages can be output by OpenVPN at --verb 6 |
| 105 | or higher. |
| 106 | |
| 107 | 2004.01.20 -- Version 1.6-beta2 |
| 108 | |
| 109 | * Added ./configure --enable-iproute2 flag which |
| 110 | uses iproute2 instead of route + ifconfig -- |
| 111 | this is necessary for the LEAF Linux distro |
| 112 | (Martin Hejl). |
| 113 | * Added renewal-time and rebind-time to set of |
| 114 | DHCP options returned by the TAP-Win32 driver when |
| 115 | "--ip-win32 dynamic" is used. |
| 116 | |
| 117 | 2004.01.14 -- Version 1.6-beta1 |
| 118 | |
| 119 | * Fixed --proxy bug that sometimes caused plaintext |
| 120 | control info generated by the proxy prior to http |
| 121 | CONNECT method establishment to be incorrectly |
| 122 | parsed as OpenVPN data. |
| 123 | * For Windows version, implemented the |
| 124 | "--ip-win32 dynamic" method and made it the default. |
| 125 | This method sets the TAP-Win32 adapter IP address |
| 126 | and netmask by replying to the kernel's DHCP queries. |
| 127 | See the man page for more detailed info. |
| 128 | * Added --connect-retry parameter which controls |
| 129 | the time interval (in seconds) between connect() |
| 130 | retries when --proto tcp-client is used. Previously, |
| 131 | this value was hardcoded to 5 seconds, and still |
| 132 | defaults as such. |
| 133 | * --resolv-retry can now be used with a parameter |
| 134 | of "infinite" to retry indefinitely. |
| 135 | * Added SSL_CTX_use_certificate_chain_file() to ssl.c |
| 136 | for support of multi-level certificate chains |
| 137 | (Sten Kalenda). |
| 138 | * Fixed --tls-auth incompatibility with 1.4.x and earlier |
| 139 | versions of OpenVPN when the passphrase file is an |
| 140 | OpenVPN static key file (as generated by --genkey). |
| 141 | * Added shell-escape support in config files using |
| 142 | the backslash character ("\") so that (for example) |
| 143 | double quotes can be passed to the shell. |
| 144 | * Added "contrib" subdirectory on tarball, source zip, |
| 145 | and CVS containing user-submitted contributions. |
| 146 | * Added an optional patch to the Redhat init script to |
| 147 | allow the configuration file directory to be a |
| 148 | multi-level directory hierarchy (Farkas Levente). |
| 149 | See contrib/multilevel-init.patch |
| 150 | * Added some scripts and documentation on using |
| 151 | Linux "fwmark" iptables rules to enable |
| 152 | fine-grained routing control over the VPN |
| 153 | (Sean Reifschneider, ). |
| 154 | See contrib/openvpn-fwmarkroute-1.00 |
| 155 | |
| 156 | 2003.11.20 -- Version 1.5.0 |
| 157 | |
| 158 | * Minor documentation changes. |
| 159 | |
| 160 | 2003.11.04 -- Version 1.5-beta14 |
| 161 | |
| 162 | * Fixed build problem with ./configure --disable-ssl |
| 163 | that was reported on Debian woody. |
| 164 | * Fixed bug where --redirect-gateway could not be used |
| 165 | together with --resolv-retry. |
| 166 | |
| 167 | 2003.11.03 -- Version 1.5-beta13 |
| 168 | |
| 169 | * Added CRL (certificate revocation list) capability using |
| 170 | --crl-verify option (Stefano Bracalenti). |
| 171 | * Added --replay-window option for variable replay-protection |
| 172 | window sizes. |
| 173 | * Fixed --fragment bug which might have caused certain large |
| 174 | packets to be sent unfragmented. |
| 175 | * Modified --secret and --tls-auth to permit different cipher and |
| 176 | HMAC keys to be used for each data flow direction. Also |
| 177 | increased static key file size generated by --genkey from |
| 178 | 1024 to 2048 bits, where 512 bits each are reserved for |
| 179 | send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward |
| 180 | and backward compatibility is maintained. See --secret option |
| 181 | documentation on the man page for more info. |
| 182 | * Added --tls-remote option (Teemu Kiviniemi). |
| 183 | * Fixed --tls-cipher documention regarding correct delimiter |
| 184 | usage (Teemu Kiviniemi). |
| 185 | * Added --key-method option for selecting alternative data |
| 186 | channel key negotiation methods. Method 1 is the default. |
| 187 | Method 2 has been added (see man page for more info). |
| 188 | * Added French translation of HOWTO to web site |
| 189 | (Guillaume Lehmann). |
| 190 | * Fixed problem caused by late resolver library load on |
| 191 | certain platforms when --resolv-retry and --chroot are |
| 192 | used together (Teemu Kiviniemi). |
| 193 | * In TCP mode, all decryption or TLS errors will abort the current |
| 194 | connection (this is not done in UDP mode because UDP is |
| 195 | "connectionless"). |
| 196 | * Fixed a TCP client reconnect bug that only occurs on the |
| 197 | BSDs, where connect() fails with an invalid argument. This |
| 198 | bug was partially (but not completely) fixed in beta7. |
| 199 | * Added "route_net_gateway" environmental variable which contains |
| 200 | the pre-existing default gateway address from the routing table |
| 201 | (there's no standard API for getting the default gateway, so |
| 202 | right now this feature only works on Windows or Linux). |
| 203 | * Renamed the "route_default_gateway" enviromental variable to |
| 204 | "route_vpn_gateway" -- this is the remote VPN endpoint. |
| 205 | * The special keywords vpn_gateway, net_gateway, and remote_host |
| 206 | can now be used for the network or gateway components of the |
| 207 | --route option. See the man page for more info. |
| 208 | * Added the --redirect-gateway option to configure the VPN |
| 209 | as the default gateway (implemented on Linux and Windows only). |
| 210 | * Added the --http-proxy option with basic authentication |
| 211 | support for use in TCP client mode. Successfully tested |
| 212 | using Squid as the HTTP proxy, with and without authentication. |
| 213 | |
| 214 | 2003.10.12 -- Version 1.5-beta12 |
| 215 | |
| 216 | * Fixed Linux-only bug in --mktun and --rmtun which was |
| 217 | introduced around beta8 or so, which would cause |
| 218 | an error such as "I don't recognize device tun0 as a |
| 219 | tun or tap device1". |
| 220 | * Added --ifconfig-nowarn option to disable options |
| 221 | consistency warnings about --ifconfig parameters. |
| 222 | * Don't allow any kind of sequence number backtracking or |
| 223 | message reordering when in TCP mode. |
| 224 | * Changed beta naming convention to use '_' (underscore) |
| 225 | rather than '-' (dash) to pacify rpmbuild. |
| 226 | |
| 227 | 2003.10.08 -- Version 1.5-beta11 |
| 228 | |
| 229 | * Modified code in the Windows version which sets the IP address |
| 230 | and netmask of the TAP-Win32 adapter using the IP Helper API. |
| 231 | Most of the changes involve better error recovery when |
| 232 | the IP Helper API returns an error status. See the |
| 233 | manual page entry on --ip-win32 for more info. |
| 234 | |
| 235 | 2003.10.08 -- Version 1.5-beta10 |
| 236 | |
| 237 | * Added getpass() function for Windows version so that --askpass |
| 238 | option works correctly (Stefano Bracalenti). |
| 239 | * Added reboot advisory to end of Win32 install script. |
| 240 | * Changed crypto code to use pseudo-random IVs rather than |
| 241 | carrying forward the IV state from the previous packet. |
| 242 | This is in response to item 2 in the following document: |
| 243 | http://www.openssl.org/~bodo/tls-cbc.txt which points |
| 244 | out weaknesses in TLS's use of the same IV carryforward |
| 245 | approach. This change does not break protocol compatibility |
| 246 | with previous versions of OpenVPN. |
| 247 | * Made a change to the crypto replay protection code to also |
| 248 | protect against certain kinds of packet reordering attacks. |
| 249 | This change does not break protocol compatibility with |
| 250 | previous versions of OpenVPN. |
| 251 | * Added --ip-win32 option to provide several choices for |
| 252 | setting the IP address on the TAP-Win32 adapter. |
| 253 | * #ifdefed out non-CBC crypto modes by default. |
| 254 | * Added --up-delay option to delay TUN/TAP open and --up script |
| 255 | execution until after connection establishment. This option |
| 256 | replaces the earlier windows-only option --tap-delay. |
| 257 | |
| 258 | 2003.10.01 -- Version 1.5-beta9 |
| 259 | |
| 260 | * Fixed --route-noexec bug where option was not parsed correctly. |
| 261 | * Complain if --dev tun is specified without --ifconfig on Windows. |
| 262 | * Fixed bug where TCP connections on windows would sometimes cause |
| 263 | an assertion failure. |
| 264 | * Added a new flag to TAP-Win32 advanced properties that allows one |
| 265 | to set the adapter to be always "connected" even when an OpenVPN |
| 266 | process doesn't have it open. The default behavior is to report |
| 267 | a media status of connected only when an OpenVPN process has the |
| 268 | adapter open. |
| 269 | * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c |
| 270 | DLLs in response to an OpenSSL security advisory. |
| 271 | |
| 272 | 2003.09.30 -- Version 1.5-beta8 |
| 273 | |
| 274 | * Extended the --ifconfig option to work on tap devices as well |
| 275 | as tun devices. |
| 276 | * Implemented the --ifconfig option for Windows, by calling the |
| 277 | netsh tool. |
| 278 | * By default, do an "arp -d *" on Windows after TAP-Win32 open to |
| 279 | refresh the MAC cache. This behaviour can be disabled with |
| 280 | --no-arp-del. |
| 281 | * On Windows, allow the --dev-node parameter (which specifies |
| 282 | the name of the TAP-Win32 adapter) to be omitted in cases where |
| 283 | there is a single TAP-Win32 adapter on the system which can be |
| 284 | assumed to be the default. |
| 285 | * Modified the diagnostic --verb 5 debugging level to print 'R' |
| 286 | for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, |
| 287 | and 'w' for TUN/TAP write. |
| 288 | * Conditionalize OpenBSD read_tun and write_tun based on tun or tap |
| 289 | mode. |
| 290 | * Added IPv6 tun support to OpenBSD (Thomas Glanzmann). |
| 291 | * Make the --enable-mtu-dynamic ./configure option enabled by |
| 292 | default. |
| 293 | * Deprecated the --mtu-dynamic run-time option, in favor of |
| 294 | --fragment. |
| 295 | * DNS names can now be used as --ifconfig parameters. |
| 296 | * Significant work on TAP-Win32 driver to bring up to SMP standards. |
| 297 | * On Windows, fixed dangling IRP problem if TAP-Win32 driver is |
| 298 | unloaded or disabled, while a user-space process has it open. |
| 299 | * On Windows, if --tun-mtu is not specified, it will be read from |
| 300 | the TAP-Win32 driver via ioctl. |
| 301 | * On Windows, added TAP-Win32 driver status info to "F2" keyboard |
| 302 | signal (only when run from a console window). |
| 303 | * Added --mssfix option to control TCP MSS size (YANO Hirokuni). |
| 304 | * Renamed --mtu-dynamic option to --fragment to more accurately |
| 305 | reflect its function. Fragment accepts a single parameter which |
| 306 | is the upper limit on acceptable UDP packet size. |
| 307 | * Changed default --tun-mtu-extra parameter to 32 from 64. |
| 308 | * Eliminated reference to malloc.o in configure.ac. |
| 309 | * Added tun device emulation to the TAP-Win32 driver. |
| 310 | * Added --route and related options. |
| 311 | * Added init script for SuSE Linux (Frank Plohmann). |
| 312 | * Extended option consistency check between peers to function |
| 313 | in all crypto modes, including static-key and cleartext modes. |
| 314 | Previously only TLS mode was supported. Disable with |
| 315 | --disable-occ. |
| 316 | * Overall, increased the amount of configuration option sanity |
| 317 | checking, especially of networking parameters. |
| 318 | * Added --mtu-test option for empirical MTU measurement. |
| 319 | * Added Windows-only option --tap-delay to not set the TAP-Win32 |
| 320 | adapter media state to 'connected' until TCP/UDP connection |
| 321 | establishment with peer. |
| 322 | * Slightly modified --route/--route-delay semantics so that when |
| 323 | --route is given without --route-delay, routes are added |
| 324 | immediately after tun/tap device open. When --route-delay is |
| 325 | specified, routes will be added n seconds after connection |
| 326 | initiation, where n is the --route-delay parameter (which |
| 327 | can be set to 0). |
| 328 | * Made TCP framing error into a non-fatal error that triggers a |
| 329 | connection reset. |
| 330 | |
| 331 | 2003.08.28 -- Version 1.5-beta7 |
| 332 | |
| 333 | * Fixed bug that caused OpenVPN not to respond to exit/restart |
| 334 | signals when --resolv-retry is used and a local or remote DNS |
| 335 | name cannot be resolved. |
| 336 | * Exported a series of environmental variables with useful |
| 337 | info for scripts. See man page for more info. Based |
| 338 | on a suggestion by Anthony Ciaravalo. |
| 339 | * Moved TCP/UDP socket bind to a point in the initialization |
| 340 | before the --up script gets called. This is desirable |
| 341 | because (a) a socket bind failure will happen before |
| 342 | daemonization, allowing an error status code to be returned |
| 343 | to the shell and (b) the possibility is eliminated of a |
| 344 | socket bind failure causing the --up script to be run |
| 345 | but not the --down script. This change has a side effect |
| 346 | that --resolv-retry will no longer work with --local. |
| 347 | * Fixed bug where if an OpenVPN TCP server went down and back |
| 348 | up again, Solaris or FreeBSD clients would fail to reconnect |
| 349 | to it. |
| 350 | * Fixed bug that prevented OpenVPN from being run by |
| 351 | inetd/xinetd in TCP mode. |
| 352 | * Added --log and --log-append options for logging messages to |
| 353 | a file. |
| 354 | * On Windows, check that the current user is a member of the |
| 355 | Administrator group before attempting install or uninstall. |
| 356 | |
| 357 | 2003.08.16 -- Version 1.5-beta6 |
| 358 | |
| 359 | * Fixed TAP-Win32 driver to properly increment the Rx/Tx count. |
| 360 | |
| 361 | 2003.08.14 -- Version 1.5-beta5 |
| 362 | |
| 363 | * Added user-configurability of the TAP-Win32 adapter MTU |
| 364 | through the adapter advanced properties page. |
| 365 | * Added Windows Service support. |
| 366 | * On Windows, added file association and right-clickability |
| 367 | for .ovpn files (OpenVPN config files). |
| 368 | |
| 369 | 2003.08.05 -- Version 1.5-beta4 |
| 370 | |
| 371 | * Extra refinements and error checking added to Windows |
| 372 | NSIS install script. |
| 373 | |
| 374 | 2003.08.05 -- Version 1.5-beta3 |
| 375 | |
| 376 | * Added md5.h include to crypto.c to fix build problem on |
| 377 | OpenBSD. |
| 378 | * Created a Win32 installer using NSIS. |
| 379 | * Removed DelService command from TAP-Win32 INF file. It appears |
| 380 | to be not necessary and it interfered with the ability to |
| 381 | uninstall and reinstall the driver without needing to reboot. |
| 382 | * On Windows version, added "addtap" and "deltapall" batch |
| 383 | files to add and delete TAP-Win32 adapter instances. |
| 384 | |
| 385 | 2003.07.31 -- Version 1.5-beta2 |
| 386 | |
| 387 | * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted |
| 388 | in Windows ASCII so it's easier to click and view. |
| 389 | * Added postscript and PDF versions of the HOWTO to the web |
| 390 | site (C R Zamana). |
| 391 | * Merged Michael Clarke's stability patch into TAP-Win32 |
| 392 | driver which appears to fix the suspend/resume driver bug |
| 393 | and significantly improve driver stability. |
| 394 | * Added Christof Meerwald's Media Status patch to the |
| 395 | TAP-Win32 driver which shows the TAP adapter to be |
| 396 | disconnected when OpenVPN is not running. |
| 397 | * Moved socket connect and TCP server listen code to a later |
| 398 | point in openvpn() function so that the TCP server listen |
| 399 | state is entered after daemonization. |
| 400 | * Added keyboard shortcuts to simulate signals in the Windows |
| 401 | version, see the window title bar for descriptions. |
| 402 | |
| 403 | 2003.07.24 -- Version 1.5-beta1 |
| 404 | |
| 405 | * Added TCP support via the new --proto option. |
| 406 | * Renamed udp-centric options such as --udp-mtu to |
| 407 | --link-mtu (old option names preserved for compatibility). |
| 408 | * Ported to Windows 2000 + XP using mingw and a TAP driver |
| 409 | derived from the Cipe-Win32 project by Damion K. Wilson. |
| 410 | * Added --show-adapters flag for windows version. |
| 411 | * Reworked the SSL/TLS packet acknowledge code to better |
| 412 | handle certain corner cases. |
| 413 | * Turned off the default enabling of IP forwarding in the |
| 414 | sample-scripts/openvpn.init script for Redhat. |
| 415 | Forwarding can be enabled by users in their --up scripts |
| 416 | or firewall config. |
| 417 | * Added --up-restart option based on suggestion from Sean |
| 418 | Reifschneider. |
| 419 | * If --dev tap or --dev-type tap is specified, --tun-mtu |
| 420 | defaults to 1500 and --tun-mtu-extra defaults to 64. |
| 421 | * Enabled --verb 5 debugging mode that prints 'R' and 'W' |
| 422 | for each packet read or write on the TCP/UDP socket. |
| 423 | |
| 424 | 2003.08.04 -- Version 1.4.3 |
| 425 | |
| 426 | * Added md5.h include to crypto.c |
| 427 | to fix build problem on OpenBSD. |
| 428 | |
| 429 | 2003.07.15 -- Version 1.4.2 |
| 430 | |
| 431 | * Removed adaptive bandwidth from |
| 432 | --mtu-dynamic -- its absence appears |
| 433 | to work better than its existence (1.4.1.2). |
| 434 | * Minor changes to --shaper to fix long |
| 435 | retransmit timeouts at low bandwidth |
| 436 | (1.4.1.2). |
| 437 | * Added LOG_RW flag to openvpn.h for |
| 438 | debugging (1.4.1.2). |
| 439 | * Silenced spurious configure warnings (1.4.1.2). |
| 440 | * Backed out --dev-name patch, modified --dev |
| 441 | to offer equivalent functionality (1.4.1.4). |
| 442 | * Added an optional parameter to --daemon and |
| 443 | --inetd to support the passing of a custom |
| 444 | program name to the system logger (1.4.1.5). |
| 445 | * Add compiled-in options to the program title |
| 446 | (1.4.1.5). |
| 447 | * Coded the beginnings of a WIN32 port (1.4.1.5). |
| 448 | * Succeeded in porting to Win32 Mingw environment |
| 449 | and running loopback tests (1.4.1.6). Still |
| 450 | need a kernel driver for full Win32 |
| 451 | functionality. |
| 452 | * Fixed a bug in error.h where |
| 453 | HAVE_CPP_VARARG_MACRO_GCC was misspelled. |
| 454 | This would have caused a significant slowdown |
| 455 | of OpenVPN when built by compilers that |
| 456 | lack ISO C99 vararg macros (1.4.1.6). |
| 457 | * Created an init script for Gentoo Linux |
| 458 | in ./gentoo directory (1.4.1.6). |
| 459 | |
| 460 | 2003.05.15 -- Version 1.4.1 |
| 461 | |
| 462 | * Modified the Linux 2.4 TUN/TAP open code to |
| 463 | fall back to the 2.2 TUN/TAP interface if the |
| 464 | open or ioctl fails. |
| 465 | * Fixed bug when --verb is set to 0 and non-fatal |
| 466 | socket errors occur, causing 100% CPU utilization. |
| 467 | Occurs on platorms where |
| 468 | EXTENDED_SOCKET_ERROR_CAPABILITY is defined, |
| 469 | such as Linux 2.4. |
| 470 | * Fixed typo in tun.c that was preventing |
| 471 | OpenBSD build. |
| 472 | * Added --enable-mtu-dynamic configure option |
| 473 | to enable --mtu-dynamic experimental option. |
| 474 | |
| 475 | 2003.05.07 -- Version 1.4.0 |
| 476 | |
| 477 | * Added --replay-persist feature to allow replay |
| 478 | protection across sessions. |
| 479 | * Fixed bug where --ifconfig could not be used |
| 480 | with --tun-mtu. |
| 481 | * Added --tun-mtu-extra parameter to deal with |
| 482 | the situation where a read on a TUN/TAP device |
| 483 | returns more data than the device's MTU size. |
| 484 | * Fixed bug where some IPv6 support code for |
| 485 | Linux was not being properly ifdefed out for |
| 486 | Linux 2.2, causing compile errors. |
| 487 | * Added OPENVPN_EXIT_STATUS_x codes to |
| 488 | openvpn.h to control which status value |
| 489 | openvpn returns to its caller (such as |
| 490 | a shell or inetd/xinetd) for various conditions. |
| 491 | * Added OPENVPN_DEBUG_COMMAND_LINE flag to |
| 492 | openvpn.h to allow debugging in situations |
| 493 | where stdout, stderr, and syslog cannot be used |
| 494 | for message output, such as when OpenVPN is |
| 495 | instantiated by inetd/xinetd. |
| 496 | * Removed owner-execute permission from file |
| 497 | created by static key generator (Herbert Xu |
| 498 | and Alberto Gonzalez Iniesta). |
| 499 | * Added --passtos option to allow IPv4 TOS bits |
| 500 | to be passed from TUN/TAP input packets to |
| 501 | the outgoing UDP socket (Craig Knox). |
| 502 | * Added code to prevent open socket file descriptors |
| 503 | from being accessible to called scripts. |
| 504 | * Added --dev-name option (Christian Lademann). |
| 505 | * Added --mtu-disc option for manual control |
| 506 | over MTU options. |
| 507 | * Show OS MTU value on UDP socket write failures |
| 508 | (linux only). |
| 509 | * Numerous build system and portability |
| 510 | fixes (Matthias Andree). |
| 511 | * Added better sensing of compiler support for |
| 512 | variable argument macros, including (a) gcc |
| 513 | style, (b) ISO C 1999 style, and (c) no support. |
| 514 | * Removed generated files from CVS. Note INSTALL |
| 515 | file for new CVS build commands. |
| 516 | * Changed certain internal symbol names |
| 517 | for C standards compliance. |
| 518 | * Added TUN/TAP open code to cycle dynamically |
| 519 | through unit numbers until it finds a free |
| 520 | unit (based on code from Thomas Gielfeldt |
| 521 | and VTun). |
| 522 | * Added dynamic MTU and fragmenting infrastructure |
| 523 | (Experimental). Rebuild with FRAGMENT_ENABLE |
| 524 | defined to enable. |
| 525 | * Minor changes to SSL/TLS negotiation, use |
| 526 | exponential backoff on retransmits, and use |
| 527 | a smaller MTU size (note that no protocol |
| 528 | changes have been made which would break |
| 529 | compatibility with 1.3.x). |
| 530 | * Added --enable-strict-options flag |
| 531 | to ./configure. This option will cause |
| 532 | a more strict check for options compatibility |
| 533 | between peers when SSL/TLS negotiation is used, |
| 534 | but should only be used when both OpenVPN peers |
| 535 | are of the same version. |
| 536 | * Reorganization of debugging levels. |
| 537 | * Added a workaround in configure.ac for |
| 538 | default SSL header location on Linux |
| 539 | to fix RH9 build problem. |
| 540 | * Fixed potential deadlock when pthread support |
| 541 | is used on OSes that allocate a small socketpair() |
| 542 | message buffer. |
| 543 | * Fixed openvpn.init to be sh compliant |
| 544 | (Bishop Clark). |
| 545 | * Changed --daemon to wait until all |
| 546 | initialization is finished before becoming a |
| 547 | daemon, for the benefit of initialization |
| 548 | scripts that want a useful return status from |
| 549 | the openvpn command. |
| 550 | * Made openvpn.init script more robust, including |
| 551 | positive indication of initialization errors |
| 552 | in the openvpn daemon and better sanity checks. |
| 553 | * Changed --chroot to wait until initialization |
| 554 | is finished before calling chroot(), and allow |
| 555 | the use of --user and --group with --chroot. |
| 556 | * When syslog logging is enabled (--daemon or |
| 557 | --inetd), set stdin/stdout/stderr to point |
| 558 | to /dev/null. |
| 559 | * For inetd instantiations, dup socket descriptor |
| 560 | to a >2 value. |
| 561 | * Fixed bug in verify-cn script, where test would |
| 562 | incorrectly fail if CN=x was the last component |
| 563 | of the X509 composite string (Anonymous). |
| 564 | * Added Markus F.X.J. Oberhumer's special |
| 565 | license exception to COPYING. |
| 566 | |
| 567 | 2002.10.23 -- Version 1.3.2 |
| 568 | |
| 569 | * Added SSL_CTX_set_client_CA_list call |
| 570 | to follow the canonical form for TLS initialization |
| 571 | recommended by the OpenSSL docs. This change allows |
| 572 | better support for intermediate CAs and has no impact |
| 573 | on security. |
| 574 | * Added build-inter script to easy-rsa package, to |
| 575 | facilitate the generation of intermediate CAs. |
| 576 | * Ported to NetBSD (Dimitri Goldin). |
| 577 | * Fixed minor bug in easy-rsa/sign-req. It refers to |
| 578 | openssl.cnf file, instead of $KEY_CONFIG, like all |
| 579 | other scripts (Ernesto Baschny). |
| 580 | * Added --days 3650 to the root CA generation command |
| 581 | in the HOWTO to override the woefully small 30 day |
| 582 | default (Dominik 'Aeneas' Schnitzer). |
| 583 | * Fixed bug where --ping-restart would sometimes |
| 584 | not re-resolve remote DNS hostname. |
| 585 | * Added --tun-ipv6 option and related infrastructure |
| 586 | support for IPv6 over tun. |
| 587 | * Added IPv6 over tun support for Linux (Aaron Sethman). |
| 588 | * Added FreeBSD 4.1.1+ TUN/TAP driver notes to |
| 589 | INSTALL (Matthias Andree). |
| 590 | * Added inetd/xinetd support (--inetd) including |
| 591 | documentation in the HOWTO. |
| 592 | * Added "Important Note on the use of commercial certificate |
| 593 | authorities (CAs) with OpenVPN" to HOWTO based on |
| 594 | issues raised on the openvpn-users list. |
| 595 | |
| 596 | 2002.07.10 -- Version 1.3.1 |
| 597 | |
| 598 | * Fixed bug in openvpn.spec and openvpn.init |
| 599 | which caused RPM upgrade to fail. |
| 600 | |
| 601 | 2002.07.10 -- Version 1.3.0 |
| 602 | |
| 603 | * Added --dev-node option to allow explicit selection of |
| 604 | tun/tap device node. |
| 605 | * Removed mlockall call from child thread, as it doesn't |
| 606 | appear to be necessary (child thread inherits mlockall |
| 607 | state from parent). |
| 608 | * Added --ping-timer-rem which causes timer for --ping-exit |
| 609 | and --ping-restart not to run unless we have a remote IP |
| 610 | address. |
| 611 | * Added condrestart to openvpn.init and openvpn.spec |
| 612 | (Bishop Clark). |
| 613 | * Added --ifconfig case for FreeBSD (Matthias Andree). |
| 614 | * Call openlog with facility=LOG_DAEMON (Matthias Andree). |
| 615 | * Changed LOG_INFO messages to LOG_NOTICE. |
| 616 | * Added warning when key files are group/others accessible. |
| 617 | * Added --single-session flag for TLS mode. |
| 618 | * Fixed bug where --writepid would segfault if used with |
| 619 | an invalid filename. |
| 620 | * Fixed bug where --ipchange status message was formatted |
| 621 | incorrectly. |
| 622 | * Print more concise error message when system() call |
| 623 | fails. |
| 624 | * Added --disable-occ option. |
| 625 | * Added --local, --remote, and --ifconfig options sanity |
| 626 | check. |
| 627 | * Changed default UDP MTU to 1300 and TUN/TAP MTU to |
| 628 | 1300. |
| 629 | * Successfully tested with OpenSSL 0.9.7 Beta 2. |
| 630 | * Broke out debug level definitions to errlevel.h |
| 631 | * Minor documentation and web site changes. |
| 632 | * All changes maintain protocol compatibility |
| 633 | with OpenVPN versions since 1.1.0, however default |
| 634 | MTU changes will require setting the MTU explicitly |
| 635 | by command line option, if you want 1.3.0 to |
| 636 | communicate with previous versions. |
| 637 | |
| 638 | 2002.06.12 -- Version 1.2.1 |
| 639 | |
| 640 | * Added --ping-restart option to restart |
| 641 | connection on ping timeout using SIGUSR1 |
| 642 | logic (Matthias Andree). |
| 643 | * Added --persist-tun, --persist-key, |
| 644 | --persist-local-ip, and --persist-remote-ip |
| 645 | options for finer-grained control over SIGUSR1 |
| 646 | and --ping-restart restarts. To |
| 647 | replicate previous SIGUSR1 functionality, |
| 648 | use --persist-remote-ip. |
| 649 | * Changed residual IV fetching code to take |
| 650 | IV from tail of ciphertext. |
| 651 | * Added check to make sure that CFB or OFB |
| 652 | cipher modes are only used with SSL/TLS |
| 653 | authentication mode, and added a caveat |
| 654 | to INSTALL. |
| 655 | * Changed signal handling during initialization |
| 656 | (including re-initialization during restarts) |
| 657 | to exit on SIGTERM or SIGINT and ignore other |
| 658 | signals which would ordinarily be caught. |
| 659 | * Added --resolv-retry option to allow |
| 660 | retries on hostname resolution. |
| 661 | * Expanded the --float option to also |
| 662 | allow dynamic changes in source port number |
| 663 | on incoming datagrams. |
| 664 | * Added --mute option to limit repetitive |
| 665 | logging of similar message types. |
| 666 | * Added --group option to downgrade GID |
| 667 | after initialization. |
| 668 | * Try to set ifconfig path automatically |
| 669 | in configure. |
| 670 | * Added --ifconfig code for Mac OS X |
| 671 | (Christoph Pfisterer). |
| 672 | * Moved "Peer Connection Initiated" message |
| 673 | to --verb level 1. |
| 674 | * Successfully tested with |
| 675 | OpenSSL 0.9.7 Beta 1 and AES cipher. |
| 676 | * Added RPM notes to INSTALL. |
| 677 | * Added ACX_PTHREAD (from the autoconf |
| 678 | macro archive) to configure.ac |
| 679 | to figure out the right pthread |
| 680 | options for a given platform. |
| 681 | * Broke out macro definitions from |
| 682 | configure.ac to acinclude.m4. |
| 683 | * Minor changes to docs and HOWTO. |
| 684 | * All changes maintain protocol compatibility |
| 685 | with OpenVPN versions since 1.1.0. |
| 686 | |
| 687 | 2002.05.22 -- Version 1.2.0 |
| 688 | |
| 689 | * Added configuration file support via |
| 690 | the --config option. |
| 691 | * Added pthread support to improve latency. |
| 692 | With pthread support, OpenVPN |
| 693 | will offload CPU-intensive tasks such as RSA |
| 694 | key number crunching to a background thread |
| 695 | to improve tunnel packet forwarding |
| 696 | latency. pthread support can be enabled |
| 697 | with the --enable-pthread configure option. |
| 698 | Pthread support is currently available |
| 699 | only for Linux and Solaris. |
| 700 | * Added --dev-type option so that tun/tap |
| 701 | device names don't need to begin with |
| 702 | "tun" or "tap". |
| 703 | * Added --writepid option to write main |
| 704 | process ID to a file. |
| 705 | * Numerous portability fixes to ease |
| 706 | porting to other OSes including changing |
| 707 | all network types to uint8_t and uint32_t, |
| 708 | and not assuming that time_t is 32 bits. |
| 709 | * Backported to OpenSSL 0.9.5. |
| 710 | * Ported to Solaris. |
| 711 | * Finished OpenBSD port except for |
| 712 | pthread support. |
| 713 | * Added initialization script: |
| 714 | sample-scripts/openvpn.init |
| 715 | (Douglas Keller) |
| 716 | * Ported to Mac OS X (Christoph Pfisterer). |
| 717 | * Improved resilience to DoS attacks when |
| 718 | TLS mode is used without --remote or |
| 719 | --tls-auth, or when --float is used |
| 720 | with --remote. Note however that the best |
| 721 | defense against DoS attacks in TLS mode |
| 722 | is to use --tls-auth. |
| 723 | * Eliminated automake/autoconf dependency |
| 724 | for non-developers. |
| 725 | * Ported configure.in to configure.ac |
| 726 | and autoconf 2.50+. |
| 727 | * SIGHUP signal now causes OpenVPN to restart |
| 728 | and re-read command line and or config file, |
| 729 | in conformance with canonical daemon behaviour. |
| 730 | * SIGUSR1 now does what SIGHUP did in |
| 731 | version 1.1.1 and earlier -- close and reopen |
| 732 | the UDP socket for use when DHCP changes |
| 733 | host's IP address and preserve most recently |
| 734 | authenticated peer address without rereading |
| 735 | config file. |
| 736 | * SIGUSR2 added -- outputs current statistics, |
| 737 | including compression statistics. |
| 738 | * All changes maintain protocol compatibility |
| 739 | with 1.1.1 and 1.1.0. |
| 740 | |
| 741 | 2002.04.22 -- Version 1.1.1 |
| 742 | |
| 743 | * Added --ifconfig option to automatically configure |
| 744 | TUN device. |
| 745 | * Added inactivity disconnect (--inactive |
| 746 | and --ping-exit options). |
| 747 | * Added --ping option to keep stateful firewalls |
| 748 | from timing out. |
| 749 | * Added sanity check to command line parser to |
| 750 | err if any TLS options are used in non-TLS mode. |
| 751 | * Fixed build problem with compiler environments that |
| 752 | define printf as a macro. |
| 753 | * Fixed build problem on linux systems that have |
| 754 | an integrated TUN/TAP driver but lack the persistent |
| 755 | tunnel feature (TUNSETPERSIST). Some linux kernels |
| 756 | >= 2.4.0 and < 2.4.7 fall into this category. |
| 757 | * Changed all calls to EVP_CipherInit to use explicit |
| 758 | encrypt/decrypt mode in order to fix problem with |
| 759 | IDEA-CBC and AES-256-CBC ciphers. |
| 760 | * Minor changes to control channel transmit limiter |
| 761 | algorithm to fix problem where TLS control channel |
| 762 | might not renegotiate within the default 60 second window. |
| 763 | * Simplified man page examples by taking advantage |
| 764 | of the new --ifconfig option. |
| 765 | * Minor changes to configure.in to check more |
| 766 | rigourously for OpenSSL 0.9.6 or greater. |
| 767 | * Put back openvpn.spec, eliminated |
| 768 | openvpn.spec.in. |
| 769 | * Modified openvpn.spec to reflect new automake-based |
| 770 | build environment (Bishop Clark). |
| 771 | * Other documentation changes. |
| 772 | * Added --test-crypto option for debugging. |
| 773 | * Added "missing" and "mkinstalldirs" automake |
| 774 | support files. |
| 775 | |
| 776 | |
| 777 | 2002.04.09 -- Version 1.1.0 |
| 778 | |
| 779 | * Strengthened replay protection and IV handling, |
| 780 | extending it fully to both static key and |
| 781 | TLS dynamic key exchange modes. |
| 782 | * Added --mlock option to disable paging and ensure that key |
| 783 | material and tunnel data is never paged to disk. |
| 784 | * Added optional traffic shaping feature to cap the maximum |
| 785 | data rate of the tunnel. |
| 786 | * Converted to automake (The Platypus Brothers 2002-04-01). |
| 787 | * Ported to OpenBSD by Janne Johansson. |
| 788 | * Added --tun-af-inet option to work around an incompatibility |
| 789 | between Linux and BSD tun drivers. |
| 790 | * Sequence number-based replay protection using the |
| 791 | IPSec sliding window model is now the default, |
| 792 | disable with --no-replay. |
| 793 | * Explicit IV is now the default, disable with --no-iv. |
| 794 | * Disabled all cipher modes except CBC, CFB, and OFB. |
| 795 | * In CBC mode, use explicit IV and carry forward residuals, |
| 796 | using IPSec model. |
| 797 | * In CFB/OFB mode, IV is timestamp, sequence number. |
| 798 | * Eliminated --packet-id, --timestamp, and max-delta parameter to |
| 799 | the --tls-auth option as they are now supplanted by improved |
| 800 | replay code which is enabled by default. |
| 801 | * Eliminated --rand-iv as it is now obsolete with improved |
| 802 | IV code. |
| 803 | * Eliminated --reneg-err option as it increases vulnerability |
| 804 | to DoS attacks. |
| 805 | * Added weak key check for DES ciphers. |
| 806 | * --tls-freq option is no longer specified on the command line, |
| 807 | instead it now inherits its parameter from the |
| 808 | --tls-timeout option. |
| 809 | * Fixed bug that would try to free memory on exit that was |
| 810 | never malloced if --comp-lzo was not specified. |
| 811 | * Errata fixed in the man page examples: "test-ca" should be |
| 812 | "tmp-ca". |
| 813 | * Updated manual page. |
| 814 | * Preliminary work in porting to OpenSSL 0.9.7. |
| 815 | * Changed license to allowing linking with OpenSSL. |
| 816 | |
| 817 | 2002.03.29 -- Version 1.0.3 |
| 818 | |
| 819 | * Fixed a problem in configure with library ordering on the |
| 820 | command line. |
| 821 | |
| 822 | 2002.03.28 -- Version 1.0.2 |
| 823 | |
| 824 | * Improved the efficiency of the inner event loop. |
| 825 | * Fixed a minor bug with timeout handling. |
| 826 | * Improved the build system to build on RH 6.2 through 7.2. |
| 827 | * Added an openvpn.spec file for RPM builders (Bishop Clark). |
| 828 | |
| 829 | 2002.03.23 -- Version 1.0 |
| 830 | |
| 831 | * Added TLS-based authentication and key exchange. |
| 832 | * Added gremlin mode to stress test. |
| 833 | * Wrote man page. |
| 834 | |
| 835 | 2001.12.26 -- Version 0.91 |
| 836 | |
| 837 | * Added any choice of cipher or HMAC digest. |
| 838 | |
| 839 | 2001.5.13 -- Version 0.90 |
| 840 | |
| 841 | * Initial release. |
| 842 | * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. |
| 843 | }}} |