Changes between Initial Version and Version 1 of ChangesInOpenvpn1x

07/24/14 14:30:25 (4 years ago)
Samuli Seppänen



  • ChangesInOpenvpn1x

    v1 v1  
     22004.05.09 -- Version 1.6.0
     4* Unchanged from 1.6-rc4 except for version number
     5  upgrade.
     72004.04.01 -- Version 1.6-rc4
     9* Made minor customizations to devcon and
     10  renamed as tapinstall.exe for Windows version.
     11* Fixed "storage size of `iv' isn't known" build
     12  problem on FreeBSD.
     13* OpenSSL 0.9.7d bundled with Windows self-install.
     152004.03.13 -- Version 1.6-rc3
     17* Minor Windows fixes for --ip-win32 dynamic, relating to
     18  the way the TAP-Win32 driver responds to a DHCP request
     19  from the Windows DHCP client.
     20* The net_gateway environmental variable wasn't being
     21  set correctly for called scripts (Paul Zuber).
     22* Added code to determine the default gateway on FreeBSD,
     23  allowing the --redirect-gateway option to work
     24  (Juan Rodriguez Hervella).
     262004.03.04 -- Version 1.6-rc2
     28* Fixed bug in Windows version where the NetBIOS node-type
     29  DHCP option might have been passed even if it was not
     30  specified.
     31* Fixed bug in Windows version introduced in 1.6-rc1, where
     32  DHCP timeout would be set to 0 seconds if --ifconfig option
     33  was used and --ip-win32 option was not explicitly specified.
     34* Added some new --dhcp-option types for Windows version.
     362004.03.02 -- Version 1.6-rc1
     38* For Windows, make "--ip-win32 dynamic" the default.
     39* For Windows, make "--route-delay 10" the default
     40  unless --ip-win32 dynamic is not used or --route-delay
     41  is explicitly specified.
     42* L_TLS mutex could have been left in a locked state
     43  for certain kinds of TLS errors.
     452004.02.22 -- Version 1.6-beta7
     47* Allow scheduling priority increase (--nice) together
     48  with UID/GID downgrade (--user/--group).
     49* Code that causes SIGUSR1 restart on TLS errors in TCP
     50  mode was not activated in pthread builds.
     51* Save the certificate serial number in an environmental
     52  variable called tls_serial_{n} prior to calling the
     53  --tls-verify script.  n is the current cert chain level.
     54* Added NetBSD IPv6 tunnel capability (also requires
     55  a kernel patch) (Horst Laschinsky).
     56* Fixed bug in checking the return value of the nice()
     57  function (Ian Pilcher).
     58* Bug fix in new FreeBSD IPv6 over TUN code which was
     59  originally added in 1.6-beta5 (Nathanael Rensen).
     60* More Socks5 fixes -- extended the struct frame
     61  infrastructure to accomodate proxy-based encapsulation
     62  overhead.
     63* Added --dhcp-option to Windows version for setting
     64  adapter properties such as WINS & DNS servers.
     65* Use a default route-delay of 5 seconds when
     66  --ip-win32 dynamic is specified (only applicable when
     67  --route-delay is not explicitly specified).
     68* Added "log_append" registry variable to control
     69  whether the OpenVPN service wrapper on Windows
     70  opens log files in append (log_append="1") or
     71  truncate (log_append="0") mode.  The default
     72  is truncate.
     742004.02.05 -- Version 1.6-beta6
     76* UDP over Socks5 fix to accomodate Socks5 encapsulation
     77  overhead (Christof Meerwald).
     78* Minor --ip-win32 dynamic tweaks (use long lease time,
     79  invalidate existing lease with DHCPNAK).
     812004.02.01 -- Version 1.6-beta5
     83* Added Socks5 proxy support (Christof Meerwald).
     84* IPv6 tun support for FreeBSD (Thomas Glanzmann).
     85* Special TAP-Win32 debug mode for Windows self-install that was
     86  enabled in beta4 is now turned off.
     87* Added some new Solaris notes to INSTALL (Koen Maris).
     88* More work on --ip-win32 dynamic.
     902004.01.27 -- Version 1.6-beta4
     92* For this beta, the Windows self-install is a debug version
     93  and will run slower -- use only for testing.
     94* Reverted the --ip-win32 default back to 'ipapi'
     95  from 'dynamic'.
     96* Added the offset parameter to '--ip-win32 dynamic' which
     97  can be used to control the address of the masqueraded
     98  DHCP server which replies to Windows DHCP requests.
     99* Added a wait/nowait option to --inetd (nowait can only
     100  be used with TCP sockets, TLS authentication, and over
     101  a bridged configuration -- see FAQ for more info)
     102  (Stefan `Sec` Zehl).
     103* Added a build-time capability where TAP-Win32 driver
     104  debug messages can be output by OpenVPN at --verb 6
     105  or higher.
     1072004.01.20 -- Version 1.6-beta2
     109* Added ./configure --enable-iproute2 flag which
     110  uses iproute2 instead of route + ifconfig --
     111  this is necessary for the LEAF Linux distro
     112  (Martin Hejl).
     113* Added renewal-time and rebind-time to set of
     114  DHCP options returned by the TAP-Win32 driver when
     115  "--ip-win32 dynamic" is used.
     1172004.01.14 -- Version 1.6-beta1
     119* Fixed --proxy bug that sometimes caused plaintext
     120  control info generated by the proxy prior to http
     121  CONNECT method establishment to be incorrectly
     122  parsed as OpenVPN data.
     123* For Windows version, implemented the
     124  "--ip-win32 dynamic" method and made it the default.
     125  This method sets the TAP-Win32 adapter IP address
     126  and netmask by replying to the kernel's DHCP queries.
     127  See the man page for more detailed info.
     128* Added --connect-retry parameter which controls
     129  the time interval (in seconds) between connect()
     130  retries when --proto tcp-client is used.  Previously,
     131  this value was hardcoded to 5 seconds, and still
     132  defaults as such.
     133* --resolv-retry can now be used with a parameter
     134  of "infinite" to retry indefinitely.
     135* Added SSL_CTX_use_certificate_chain_file() to ssl.c
     136  for support of multi-level certificate chains
     137  (Sten Kalenda).
     138* Fixed --tls-auth incompatibility with 1.4.x and earlier
     139  versions of OpenVPN when the passphrase file is an
     140  OpenVPN static key file (as generated by --genkey).
     141* Added shell-escape support in config files using
     142  the backslash character ("\") so that (for example)
     143  double quotes can be passed to the shell.
     144* Added "contrib" subdirectory on tarball, source zip,
     145  and CVS containing user-submitted contributions.
     146* Added an optional patch to the Redhat init script to
     147  allow the configuration file directory to be a
     148  multi-level directory hierarchy (Farkas Levente).
     149  See contrib/multilevel-init.patch
     150* Added some scripts and documentation on using
     151  Linux "fwmark" iptables rules to enable
     152  fine-grained routing control over the VPN
     153  (Sean Reifschneider, ).
     154  See contrib/openvpn-fwmarkroute-1.00
     1562003.11.20 -- Version 1.5.0
     158* Minor documentation changes.
     1602003.11.04 -- Version 1.5-beta14
     162* Fixed build problem with ./configure --disable-ssl
     163  that was reported on Debian woody.
     164* Fixed bug where --redirect-gateway could not be used
     165  together with --resolv-retry.
     1672003.11.03 -- Version 1.5-beta13
     169* Added CRL (certificate revocation list) capability using
     170  --crl-verify option (Stefano Bracalenti).
     171* Added --replay-window option for variable replay-protection
     172  window sizes.
     173* Fixed --fragment bug which might have caused certain large
     174  packets to be sent unfragmented.
     175* Modified --secret and --tls-auth to permit different cipher and
     176  HMAC keys to be used for each data flow direction.  Also
     177  increased static key file size generated by --genkey from
     178  1024 to 2048 bits, where 512 bits each are reserved for
     179  send-HMAC, encrypt, receive-HMAC, and decrypt.  Key file forward
     180  and backward compatibility is maintained.  See --secret option
     181  documentation on the man page for more info.
     182* Added --tls-remote option (Teemu Kiviniemi).
     183* Fixed --tls-cipher documention regarding correct delimiter
     184  usage (Teemu Kiviniemi).
     185* Added --key-method option for selecting alternative data
     186  channel key negotiation methods.  Method 1 is the default.
     187  Method 2 has been added (see man page for more info).
     188* Added French translation of HOWTO to web site
     189  (Guillaume Lehmann).
     190* Fixed problem caused by late resolver library load on
     191  certain platforms when --resolv-retry and --chroot are
     192  used together (Teemu Kiviniemi).
     193* In TCP mode, all decryption or TLS errors will abort the current
     194  connection (this is not done in UDP mode because UDP is
     195  "connectionless").
     196* Fixed a TCP client reconnect bug that only occurs on the
     197  BSDs, where connect() fails with an invalid argument.  This
     198  bug was partially (but not completely) fixed in beta7.
     199* Added "route_net_gateway" environmental variable which contains
     200  the pre-existing default gateway address from the routing table
     201  (there's no standard API for getting the default gateway, so
     202  right now this feature only works on Windows or Linux).
     203* Renamed the "route_default_gateway" enviromental variable to
     204  "route_vpn_gateway" -- this is the remote VPN endpoint.
     205* The special keywords vpn_gateway, net_gateway, and remote_host
     206  can now be used for the network or gateway components of the
     207  --route option.  See the man page for more info.
     208* Added the --redirect-gateway option to configure the VPN
     209  as the default gateway (implemented on Linux and Windows only).
     210* Added the --http-proxy option with basic authentication
     211  support for use in TCP client mode.  Successfully tested
     212  using Squid as the HTTP proxy, with and without authentication.
     2142003.10.12 -- Version 1.5-beta12
     216* Fixed Linux-only bug in --mktun and --rmtun which was
     217  introduced around beta8 or so, which would cause
     218  an error such as "I don't recognize device tun0 as a
     219  tun or tap device1".
     220* Added --ifconfig-nowarn option to disable options
     221  consistency warnings about --ifconfig parameters.
     222* Don't allow any kind of sequence number backtracking or
     223  message reordering when in TCP mode.
     224* Changed beta naming convention to use '_' (underscore)
     225  rather than '-' (dash) to pacify rpmbuild.
     2272003.10.08 -- Version 1.5-beta11
     229* Modified code in the Windows version which sets the IP address
     230  and netmask of the TAP-Win32 adapter using the IP Helper API.
     231  Most of the changes involve better error recovery when
     232  the IP Helper API returns an error status.  See the
     233  manual page entry on --ip-win32 for more info.
     2352003.10.08 -- Version 1.5-beta10
     237* Added getpass() function for Windows version so that --askpass
     238  option works correctly (Stefano Bracalenti).
     239* Added reboot advisory to end of Win32 install script.
     240* Changed crypto code to use pseudo-random IVs rather than
     241  carrying forward the IV state from the previous packet.
     242  This is in response to item 2 in the following document:
     243 which points
     244  out weaknesses in TLS's use of the same IV carryforward
     245  approach.  This change does not break protocol compatibility
     246  with previous versions of OpenVPN.
     247* Made a change to the crypto replay protection code to also
     248  protect against certain kinds of packet reordering attacks.
     249  This change does not break protocol compatibility with
     250  previous versions of OpenVPN.
     251* Added --ip-win32 option to provide several choices for
     252  setting the IP address on the TAP-Win32 adapter.
     253* #ifdefed out non-CBC crypto modes by default.
     254* Added --up-delay option to delay TUN/TAP open and --up script
     255  execution until after connection establishment.  This option
     256  replaces the earlier windows-only option --tap-delay.
     2582003.10.01 -- Version 1.5-beta9
     260* Fixed --route-noexec bug where option was not parsed correctly.
     261* Complain if --dev tun is specified without --ifconfig on Windows.
     262* Fixed bug where TCP connections on windows would sometimes cause
     263  an assertion failure.
     264* Added a new flag to TAP-Win32 advanced properties that allows one
     265  to set the adapter to be always "connected" even when an OpenVPN
     266  process doesn't have it open.  The default behavior is to report
     267  a media status of connected only when an OpenVPN process has the
     268  adapter open.
     269* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
     270  DLLs in response to an OpenSSL security advisory.
     2722003.09.30 -- Version 1.5-beta8
     274* Extended the --ifconfig option to work on tap devices as well
     275  as tun devices.
     276* Implemented the --ifconfig option for Windows, by calling the
     277  netsh tool.
     278* By default, do an "arp -d *" on Windows after TAP-Win32 open to
     279  refresh the MAC cache.  This behaviour can be disabled with
     280  --no-arp-del.
     281* On Windows, allow the --dev-node parameter (which specifies
     282  the name of the TAP-Win32 adapter) to be omitted in cases where
     283  there is a single TAP-Win32 adapter on the system which can be
     284  assumed to be the default.
     285* Modified the diagnostic --verb 5 debugging level to print 'R'
     286  for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
     287  and 'w' for TUN/TAP write.
     288* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
     289  mode.
     290* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
     291* Make the --enable-mtu-dynamic ./configure option enabled by
     292  default.
     293* Deprecated the --mtu-dynamic run-time option, in favor of
     294  --fragment.
     295* DNS names can now be used as --ifconfig parameters.
     296* Significant work on TAP-Win32 driver to bring up to SMP standards.
     297* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
     298  unloaded or disabled, while a user-space process has it open.
     299* On Windows, if --tun-mtu is not specified, it will be read from
     300  the TAP-Win32 driver via ioctl.
     301* On Windows, added TAP-Win32 driver status info to "F2" keyboard
     302  signal (only when run from a console window).
     303* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
     304* Renamed --mtu-dynamic option to --fragment to more accurately
     305  reflect its function.  Fragment accepts a single parameter which
     306  is the upper limit on acceptable UDP packet size.
     307* Changed default --tun-mtu-extra parameter to 32 from 64.
     308* Eliminated reference to malloc.o in
     309* Added tun device emulation to the TAP-Win32 driver.
     310* Added --route and related options.
     311* Added init script for SuSE Linux (Frank Plohmann).
     312* Extended option consistency check between peers to function
     313  in all crypto modes, including static-key and cleartext modes.
     314  Previously only TLS mode was supported.  Disable with
     315  --disable-occ.
     316* Overall, increased the amount of configuration option sanity
     317  checking, especially of networking parameters.
     318* Added --mtu-test option for empirical MTU measurement.
     319* Added Windows-only option --tap-delay to not set the TAP-Win32
     320  adapter media state to 'connected' until TCP/UDP connection
     321  establishment with peer.
     322* Slightly modified --route/--route-delay semantics so that when
     323  --route is given without --route-delay, routes are added
     324  immediately after tun/tap device open.  When --route-delay is
     325  specified, routes will be added n seconds after connection
     326  initiation, where n is the --route-delay parameter (which
     327  can be set to 0).     
     328* Made TCP framing error into a non-fatal error that triggers a
     329  connection reset.
     3312003.08.28 -- Version 1.5-beta7
     333* Fixed bug that caused OpenVPN not to respond to exit/restart
     334  signals when --resolv-retry is used and a local or remote DNS
     335  name cannot be resolved.
     336* Exported a series of environmental variables with useful
     337  info for scripts.  See man page for more info.  Based
     338  on a suggestion by Anthony Ciaravalo.
     339* Moved TCP/UDP socket bind to a point in the initialization
     340  before the --up script gets called.  This is desirable
     341  because (a) a socket bind failure will happen before
     342  daemonization, allowing an error status code to be returned
     343  to the shell and (b) the possibility is eliminated of a
     344  socket bind failure causing the --up script to be run
     345  but not the --down script.  This change has a side effect
     346  that --resolv-retry will no longer work with --local.
     347* Fixed bug where if an OpenVPN TCP server went down and back
     348  up again, Solaris or FreeBSD clients would fail to reconnect
     349  to it.
     350* Fixed bug that prevented OpenVPN from being run by
     351  inetd/xinetd in TCP mode.
     352* Added --log and --log-append options for logging messages to
     353  a file.
     354* On Windows, check that the current user is a member of the
     355  Administrator group before attempting install or uninstall.
     3572003.08.16 -- Version 1.5-beta6
     359* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
     3612003.08.14 -- Version 1.5-beta5
     363* Added user-configurability of the TAP-Win32 adapter MTU
     364  through the adapter advanced properties page.
     365* Added Windows Service support.
     366* On Windows, added file association and right-clickability
     367  for .ovpn files (OpenVPN config files).
     3692003.08.05 -- Version 1.5-beta4
     371* Extra refinements and error checking added to Windows
     372  NSIS install script.
     3742003.08.05 -- Version 1.5-beta3
     376* Added md5.h include to crypto.c to fix build problem on
     377  OpenBSD.
     378* Created a Win32 installer using NSIS.
     379* Removed DelService command from TAP-Win32 INF file.  It appears
     380  to be not necessary and it interfered with the ability to
     381  uninstall and reinstall the driver without needing to reboot.
     382* On Windows version, added "addtap" and "deltapall" batch
     383  files to add and delete TAP-Win32 adapter instances.
     3852003.07.31 -- Version 1.5-beta2
     387* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
     388  in Windows ASCII so it's easier to click and view.
     389* Added postscript and PDF versions of the HOWTO to the web
     390  site (C R Zamana).
     391* Merged Michael Clarke's stability patch into TAP-Win32
     392  driver which appears to fix the suspend/resume driver bug
     393  and significantly improve driver stability.
     394* Added Christof Meerwald's Media Status patch to the
     395  TAP-Win32 driver which shows the TAP adapter to be
     396  disconnected when OpenVPN is not running.
     397* Moved socket connect and TCP server listen code to a later
     398  point in openvpn() function so that the TCP server listen
     399  state is entered after daemonization.
     400* Added keyboard shortcuts to simulate signals in the Windows
     401  version, see the window title bar for descriptions.
     4032003.07.24 -- Version 1.5-beta1
     405* Added TCP support via the new --proto option.
     406* Renamed udp-centric options such as --udp-mtu to
     407  --link-mtu (old option names preserved for compatibility).
     408* Ported to Windows 2000 + XP using mingw and a TAP driver
     409  derived from the Cipe-Win32 project by Damion K. Wilson.
     410* Added --show-adapters flag for windows version.
     411* Reworked the SSL/TLS packet acknowledge code to better
     412  handle certain corner cases.
     413* Turned off the default enabling of IP forwarding in the
     414  sample-scripts/openvpn.init script for Redhat.
     415  Forwarding can be enabled by users in their --up scripts
     416  or firewall config.
     417* Added --up-restart option based on suggestion from Sean
     418  Reifschneider.
     419* If --dev tap or --dev-type tap is specified, --tun-mtu
     420  defaults to 1500 and --tun-mtu-extra defaults to 64.
     421* Enabled --verb 5 debugging mode that prints 'R' and 'W'
     422  for each packet read or write on the TCP/UDP socket.
     4242003.08.04 -- Version 1.4.3
     426* Added md5.h include to crypto.c
     427  to fix build problem on OpenBSD.
     4292003.07.15 -- Version 1.4.2
     431* Removed adaptive bandwidth from
     432  --mtu-dynamic -- its absence appears
     433  to work better than its existence (
     434* Minor changes to --shaper to fix long
     435  retransmit timeouts at low bandwidth
     436  (
     437* Added LOG_RW flag to openvpn.h for
     438  debugging (
     439* Silenced spurious configure warnings (
     440* Backed out --dev-name patch, modified --dev
     441  to offer equivalent functionality (
     442* Added an optional parameter to --daemon and
     443  --inetd to support the passing of a custom
     444  program name to the system logger (
     445* Add compiled-in options to the program title
     446  (
     447* Coded the beginnings of a WIN32 port (
     448* Succeeded in porting to Win32 Mingw environment
     449  and running loopback tests (  Still
     450  need a kernel driver for full Win32
     451  functionality.
     452* Fixed a bug in error.h where
     453  HAVE_CPP_VARARG_MACRO_GCC was misspelled.
     454  This would have caused a significant slowdown
     455  of OpenVPN when built by compilers that
     456  lack ISO C99 vararg macros (
     457* Created an init script for Gentoo Linux
     458  in ./gentoo directory (
     4602003.05.15 -- Version 1.4.1
     462* Modified the Linux 2.4 TUN/TAP open code to
     463  fall back to the 2.2 TUN/TAP interface if the
     464  open or ioctl fails.
     465* Fixed bug when --verb is set to 0 and non-fatal
     466  socket errors occur, causing 100% CPU utilization.
     467  Occurs on platorms where
     469  such as Linux 2.4.
     470* Fixed typo in tun.c that was preventing
     471  OpenBSD build.
     472* Added --enable-mtu-dynamic configure option
     473  to enable --mtu-dynamic experimental option.
     4752003.05.07 -- Version 1.4.0
     477* Added --replay-persist feature to allow replay
     478  protection across sessions.
     479* Fixed bug where --ifconfig could not be used
     480  with --tun-mtu.
     481* Added --tun-mtu-extra parameter to deal with
     482  the situation where a read on a TUN/TAP device
     483  returns more data than the device's MTU size.
     484* Fixed bug where some IPv6 support code for
     485  Linux was not being properly ifdefed out for
     486  Linux 2.2, causing compile errors.
     487* Added OPENVPN_EXIT_STATUS_x codes to
     488  openvpn.h to control which status value
     489  openvpn returns to its caller (such as
     490  a shell or inetd/xinetd) for various conditions.
     491* Added OPENVPN_DEBUG_COMMAND_LINE flag to
     492  openvpn.h to allow debugging in situations
     493  where stdout, stderr, and syslog cannot be used
     494  for message output, such as when OpenVPN is
     495  instantiated by inetd/xinetd.
     496* Removed owner-execute permission from file
     497  created by static key generator (Herbert Xu
     498  and Alberto Gonzalez Iniesta).
     499* Added --passtos option to allow IPv4 TOS bits
     500  to be passed from TUN/TAP input packets to
     501  the outgoing UDP socket (Craig Knox).
     502* Added code to prevent open socket file descriptors
     503  from being accessible to called scripts.
     504* Added --dev-name option (Christian Lademann).
     505* Added --mtu-disc option for manual control
     506  over MTU options.
     507* Show OS MTU value on UDP socket write failures
     508  (linux only).
     509* Numerous build system and portability
     510  fixes (Matthias Andree).
     511* Added better sensing of compiler support for
     512  variable argument macros, including (a) gcc
     513  style, (b) ISO C 1999 style, and (c) no support.
     514* Removed generated files from CVS.  Note INSTALL
     515  file for new CVS build commands.
     516* Changed certain internal symbol names
     517  for C standards compliance.
     518* Added TUN/TAP open code to cycle dynamically
     519  through unit numbers until it finds a free
     520  unit (based on code from Thomas Gielfeldt
     521  and VTun).
     522* Added dynamic MTU and fragmenting infrastructure
     523  (Experimental).  Rebuild with FRAGMENT_ENABLE
     524  defined to enable.
     525* Minor changes to SSL/TLS negotiation, use
     526  exponential backoff on retransmits, and use
     527  a smaller MTU size (note that no protocol
     528  changes have been made which would break
     529  compatibility with 1.3.x).
     530* Added --enable-strict-options flag
     531  to ./configure.  This option will cause
     532  a more strict check for options compatibility
     533  between peers when SSL/TLS negotiation is used,
     534  but should only be used when both OpenVPN peers
     535  are of the same version.
     536* Reorganization of debugging levels.
     537* Added a workaround in for
     538  default SSL header location on Linux
     539  to fix RH9 build problem.
     540* Fixed potential deadlock when pthread support
     541  is used on OSes that allocate a small socketpair()
     542  message buffer.
     543* Fixed openvpn.init to be sh compliant
     544  (Bishop Clark).
     545* Changed --daemon to wait until all
     546  initialization is finished before becoming a
     547  daemon, for the benefit of initialization
     548  scripts that want a useful return status from
     549  the openvpn command.
     550* Made openvpn.init script more robust, including
     551  positive indication of initialization errors
     552  in the openvpn daemon and better sanity checks.
     553* Changed --chroot to wait until initialization
     554  is finished before calling chroot(), and allow
     555  the use of --user and --group with --chroot.
     556* When syslog logging is enabled (--daemon or
     557  --inetd), set stdin/stdout/stderr to point
     558  to /dev/null.
     559* For inetd instantiations, dup socket descriptor
     560  to a >2 value.
     561* Fixed bug in verify-cn script, where test would
     562  incorrectly fail if CN=x was the last component
     563  of the X509 composite string (Anonymous).
     564* Added Markus F.X.J. Oberhumer's special
     565  license exception to COPYING.
     5672002.10.23 -- Version 1.3.2
     569* Added SSL_CTX_set_client_CA_list call
     570  to follow the canonical form for TLS initialization
     571  recommended by the OpenSSL docs.  This change allows
     572  better support for intermediate CAs and has no impact
     573  on security.
     574* Added build-inter script to easy-rsa package, to
     575  facilitate the generation of intermediate CAs.
     576* Ported to NetBSD (Dimitri Goldin).
     577* Fixed minor bug in easy-rsa/sign-req.  It refers to
     578  openssl.cnf file, instead of $KEY_CONFIG, like all
     579  other scripts (Ernesto Baschny).
     580* Added --days 3650 to the root CA generation command
     581  in the HOWTO to override the woefully small 30 day
     582  default (Dominik 'Aeneas' Schnitzer).
     583* Fixed bug where --ping-restart would sometimes
     584  not re-resolve remote DNS hostname.
     585* Added --tun-ipv6 option and related infrastructure
     586  support for IPv6 over tun.
     587* Added IPv6 over tun support for Linux (Aaron Sethman).
     588* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
     589  INSTALL (Matthias Andree).
     590* Added inetd/xinetd support (--inetd) including
     591  documentation in the HOWTO.
     592* Added "Important Note on the use of commercial certificate
     593  authorities (CAs) with OpenVPN" to HOWTO based on
     594  issues raised on the openvpn-users list.
     5962002.07.10 -- Version 1.3.1
     598* Fixed bug in openvpn.spec and openvpn.init
     599  which caused RPM upgrade to fail.
     6012002.07.10 -- Version 1.3.0
     603* Added --dev-node option to allow explicit selection of
     604  tun/tap device node.
     605* Removed mlockall call from child thread, as it doesn't
     606  appear to be necessary (child thread inherits mlockall
     607  state from parent).
     608* Added --ping-timer-rem which causes timer for --ping-exit
     609  and --ping-restart not to run unless we have a remote IP
     610  address.
     611* Added condrestart to openvpn.init and openvpn.spec
     612  (Bishop Clark).
     613* Added --ifconfig case for FreeBSD (Matthias Andree).
     614* Call openlog with facility=LOG_DAEMON (Matthias Andree).
     615* Changed LOG_INFO messages to LOG_NOTICE.
     616* Added warning when key files are group/others accessible.
     617* Added --single-session flag for TLS mode.
     618* Fixed bug where --writepid would segfault if used with
     619  an invalid filename.
     620* Fixed bug where --ipchange status message was formatted
     621  incorrectly.
     622* Print more concise error message when system() call
     623  fails.
     624* Added --disable-occ option.
     625* Added --local, --remote, and --ifconfig options sanity
     626  check.
     627* Changed default UDP MTU to 1300 and TUN/TAP MTU to
     628  1300.
     629* Successfully tested with OpenSSL 0.9.7 Beta 2.
     630* Broke out debug level definitions to errlevel.h
     631* Minor documentation and web site changes.
     632* All changes maintain protocol compatibility
     633  with OpenVPN versions since 1.1.0, however default
     634  MTU changes will require setting the MTU explicitly
     635  by command line option, if you want 1.3.0 to
     636  communicate with previous versions.
     6382002.06.12 -- Version 1.2.1
     640* Added --ping-restart option to restart
     641  connection on ping timeout using SIGUSR1
     642  logic (Matthias Andree).
     643* Added --persist-tun, --persist-key,
     644  --persist-local-ip, and --persist-remote-ip
     645  options for finer-grained control over SIGUSR1
     646  and --ping-restart restarts.  To
     647  replicate previous SIGUSR1 functionality,
     648  use --persist-remote-ip.
     649* Changed residual IV fetching code to take
     650  IV from tail of ciphertext.
     651* Added check to make sure that CFB or OFB
     652  cipher modes are only used with SSL/TLS
     653  authentication mode, and added a caveat
     654  to INSTALL.
     655* Changed signal handling during initialization
     656  (including re-initialization during restarts)
     657  to exit on SIGTERM or SIGINT and ignore other
     658  signals which would ordinarily be caught.
     659* Added --resolv-retry option to allow
     660  retries on hostname resolution.
     661* Expanded the --float option to also
     662  allow dynamic changes in source port number
     663  on incoming datagrams.
     664* Added --mute option to limit repetitive
     665  logging of similar message types.
     666* Added --group option to downgrade GID
     667  after initialization.
     668* Try to set ifconfig path automatically
     669  in configure.
     670* Added --ifconfig code for Mac OS X
     671  (Christoph Pfisterer).
     672* Moved "Peer Connection Initiated" message
     673  to --verb level 1.
     674* Successfully tested with
     675  OpenSSL 0.9.7 Beta 1 and AES cipher.
     676* Added RPM notes to INSTALL.
     677* Added ACX_PTHREAD (from the autoconf
     678  macro archive) to
     679  to figure out the right pthread
     680  options for a given platform.
     681* Broke out macro definitions from
     682 to acinclude.m4.
     683* Minor changes to docs and HOWTO.
     684* All changes maintain protocol compatibility
     685  with OpenVPN versions since 1.1.0.
     6872002.05.22 -- Version 1.2.0
     689* Added configuration file support via
     690  the --config option.
     691* Added pthread support to improve latency.
     692  With pthread support, OpenVPN
     693  will offload CPU-intensive tasks such as RSA
     694  key number crunching to a background thread
     695  to improve tunnel packet forwarding
     696  latency.  pthread support can be enabled
     697  with the --enable-pthread configure option.
     698  Pthread support is currently available
     699  only for Linux and Solaris.
     700* Added --dev-type option so that tun/tap
     701  device names don't need to begin with
     702  "tun" or "tap".
     703* Added --writepid option to write main
     704  process ID to a file.
     705* Numerous portability fixes to ease
     706  porting to other OSes including changing
     707  all network types to uint8_t and uint32_t,
     708  and not assuming that time_t is 32 bits.
     709* Backported to OpenSSL 0.9.5.
     710* Ported to Solaris.
     711* Finished OpenBSD port except for
     712  pthread support.
     713* Added initialization script:
     714  sample-scripts/openvpn.init
     715  (Douglas Keller)
     716* Ported to Mac OS X (Christoph Pfisterer).
     717* Improved resilience to DoS attacks when
     718  TLS mode is used without --remote or
     719  --tls-auth, or when --float is used
     720  with --remote.  Note however that the best
     721  defense against DoS attacks in TLS mode
     722  is to use --tls-auth.
     723* Eliminated automake/autoconf dependency
     724  for non-developers.
     725* Ported to
     726  and autoconf 2.50+.
     727* SIGHUP signal now causes OpenVPN to restart
     728  and re-read command line and or config file,
     729  in conformance with canonical daemon behaviour.
     730* SIGUSR1 now does what SIGHUP did in
     731  version 1.1.1 and earlier -- close and reopen
     732  the UDP socket for use when DHCP changes
     733  host's IP address and preserve most recently
     734  authenticated peer address without rereading
     735  config file.
     736* SIGUSR2 added -- outputs current statistics,
     737  including compression statistics.
     738* All changes maintain protocol compatibility
     739  with 1.1.1 and 1.1.0.
     7412002.04.22 -- Version 1.1.1
     743* Added --ifconfig option to automatically configure
     744  TUN device.
     745* Added inactivity disconnect (--inactive
     746  and --ping-exit options).
     747* Added --ping option to keep stateful firewalls
     748  from timing out.
     749* Added sanity check to command line parser to
     750  err if any TLS options are used in non-TLS mode.
     751* Fixed build problem with compiler environments that
     752  define printf as a macro.
     753* Fixed build problem on linux systems that have
     754  an integrated TUN/TAP driver but lack the persistent
     755  tunnel feature (TUNSETPERSIST).  Some linux kernels
     756  >= 2.4.0 and < 2.4.7 fall into this category.
     757* Changed all calls to EVP_CipherInit to use explicit
     758  encrypt/decrypt mode in order to fix problem with
     759  IDEA-CBC and AES-256-CBC ciphers.
     760* Minor changes to control channel transmit limiter
     761  algorithm to fix problem where TLS control channel
     762  might not renegotiate within the default 60 second window.
     763* Simplified man page examples by taking advantage
     764  of the new --ifconfig option.
     765* Minor changes to to check more
     766  rigourously for OpenSSL 0.9.6 or greater.
     767* Put back openvpn.spec, eliminated
     769* Modified openvpn.spec to reflect new automake-based
     770  build environment (Bishop Clark).
     771* Other documentation changes.
     772* Added --test-crypto option for debugging.
     773* Added "missing" and "mkinstalldirs" automake
     774  support files.
     7772002.04.09 -- Version 1.1.0
     779* Strengthened replay protection and IV handling,
     780  extending it fully to both static key and
     781  TLS dynamic key exchange modes.
     782* Added --mlock option to disable paging and ensure that key
     783  material and tunnel data is never paged to disk.
     784* Added optional traffic shaping feature to cap the maximum
     785  data rate of the tunnel.
     786* Converted to automake (The Platypus Brothers 2002-04-01).
     787* Ported to OpenBSD by Janne Johansson.
     788* Added --tun-af-inet option to work around an incompatibility
     789  between Linux and BSD tun drivers.
     790* Sequence number-based replay protection using the
     791  IPSec sliding window model is now the default,
     792  disable with --no-replay.
     793* Explicit IV is now the default, disable with --no-iv.
     794* Disabled all cipher modes except CBC, CFB, and OFB.
     795* In CBC mode, use explicit IV and carry forward residuals,
     796  using IPSec model.
     797* In CFB/OFB mode, IV is timestamp, sequence number.
     798* Eliminated --packet-id, --timestamp, and max-delta parameter to
     799  the --tls-auth option as they are now supplanted by improved
     800  replay code which is enabled by default.
     801* Eliminated --rand-iv as it is now obsolete with improved
     802  IV code.
     803* Eliminated --reneg-err option as it increases vulnerability
     804  to DoS attacks.
     805* Added weak key check for DES ciphers.
     806* --tls-freq option is no longer specified on the command line,
     807  instead it now inherits its parameter from the
     808  --tls-timeout option.
     809* Fixed bug that would try to free memory on exit that was
     810  never malloced if --comp-lzo was not specified.
     811* Errata fixed in the man page examples: "test-ca" should be
     812  "tmp-ca".
     813* Updated manual page.
     814* Preliminary work in porting to OpenSSL 0.9.7.
     815* Changed license to allowing linking with OpenSSL.
     8172002.03.29 -- Version 1.0.3
     819* Fixed a problem in configure with library ordering on the
     820  command line.
     8222002.03.28 -- Version 1.0.2
     824* Improved the efficiency of the inner event loop.
     825* Fixed a minor bug with timeout handling.
     826* Improved the build system to build on RH 6.2 through 7.2.
     827* Added an openvpn.spec file for RPM builders (Bishop Clark).
     8292002.03.23 -- Version 1.0
     831* Added TLS-based authentication and key exchange.
     832* Added gremlin mode to stress test.
     833* Wrote man page.
     8352001.12.26 -- Version 0.91
     837* Added any choice of cipher or HMAC digest.
     8392001.5.13 -- Version 0.90
     841* Initial release.
     842* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.