{{{ 2004.05.09 -- Version 1.6.0 * Unchanged from 1.6-rc4 except for version number upgrade. 2004.04.01 -- Version 1.6-rc4 * Made minor customizations to devcon and renamed as tapinstall.exe for Windows version. * Fixed "storage size of `iv' isn't known" build problem on FreeBSD. * OpenSSL 0.9.7d bundled with Windows self-install. 2004.03.13 -- Version 1.6-rc3 * Minor Windows fixes for --ip-win32 dynamic, relating to the way the TAP-Win32 driver responds to a DHCP request from the Windows DHCP client. * The net_gateway environmental variable wasn't being set correctly for called scripts (Paul Zuber). * Added code to determine the default gateway on FreeBSD, allowing the --redirect-gateway option to work (Juan Rodriguez Hervella). 2004.03.04 -- Version 1.6-rc2 * Fixed bug in Windows version where the NetBIOS node-type DHCP option might have been passed even if it was not specified. * Fixed bug in Windows version introduced in 1.6-rc1, where DHCP timeout would be set to 0 seconds if --ifconfig option was used and --ip-win32 option was not explicitly specified. * Added some new --dhcp-option types for Windows version. 2004.03.02 -- Version 1.6-rc1 * For Windows, make "--ip-win32 dynamic" the default. * For Windows, make "--route-delay 10" the default unless --ip-win32 dynamic is not used or --route-delay is explicitly specified. * L_TLS mutex could have been left in a locked state for certain kinds of TLS errors. 2004.02.22 -- Version 1.6-beta7 * Allow scheduling priority increase (--nice) together with UID/GID downgrade (--user/--group). * Code that causes SIGUSR1 restart on TLS errors in TCP mode was not activated in pthread builds. * Save the certificate serial number in an environmental variable called tls_serial_{n} prior to calling the --tls-verify script. n is the current cert chain level. * Added NetBSD IPv6 tunnel capability (also requires a kernel patch) (Horst Laschinsky). * Fixed bug in checking the return value of the nice() function (Ian Pilcher). * Bug fix in new FreeBSD IPv6 over TUN code which was originally added in 1.6-beta5 (Nathanael Rensen). * More Socks5 fixes -- extended the struct frame infrastructure to accomodate proxy-based encapsulation overhead. * Added --dhcp-option to Windows version for setting adapter properties such as WINS & DNS servers. * Use a default route-delay of 5 seconds when --ip-win32 dynamic is specified (only applicable when --route-delay is not explicitly specified). * Added "log_append" registry variable to control whether the OpenVPN service wrapper on Windows opens log files in append (log_append="1") or truncate (log_append="0") mode. The default is truncate. 2004.02.05 -- Version 1.6-beta6 * UDP over Socks5 fix to accomodate Socks5 encapsulation overhead (Christof Meerwald). * Minor --ip-win32 dynamic tweaks (use long lease time, invalidate existing lease with DHCPNAK). 2004.02.01 -- Version 1.6-beta5 * Added Socks5 proxy support (Christof Meerwald). * IPv6 tun support for FreeBSD (Thomas Glanzmann). * Special TAP-Win32 debug mode for Windows self-install that was enabled in beta4 is now turned off. * Added some new Solaris notes to INSTALL (Koen Maris). * More work on --ip-win32 dynamic. 2004.01.27 -- Version 1.6-beta4 * For this beta, the Windows self-install is a debug version and will run slower -- use only for testing. * Reverted the --ip-win32 default back to 'ipapi' from 'dynamic'. * Added the offset parameter to '--ip-win32 dynamic' which can be used to control the address of the masqueraded DHCP server which replies to Windows DHCP requests. * Added a wait/nowait option to --inetd (nowait can only be used with TCP sockets, TLS authentication, and over a bridged configuration -- see FAQ for more info) (Stefan `Sec` Zehl). * Added a build-time capability where TAP-Win32 driver debug messages can be output by OpenVPN at --verb 6 or higher. 2004.01.20 -- Version 1.6-beta2 * Added ./configure --enable-iproute2 flag which uses iproute2 instead of route + ifconfig -- this is necessary for the LEAF Linux distro (Martin Hejl). * Added renewal-time and rebind-time to set of DHCP options returned by the TAP-Win32 driver when "--ip-win32 dynamic" is used. 2004.01.14 -- Version 1.6-beta1 * Fixed --proxy bug that sometimes caused plaintext control info generated by the proxy prior to http CONNECT method establishment to be incorrectly parsed as OpenVPN data. * For Windows version, implemented the "--ip-win32 dynamic" method and made it the default. This method sets the TAP-Win32 adapter IP address and netmask by replying to the kernel's DHCP queries. See the man page for more detailed info. * Added --connect-retry parameter which controls the time interval (in seconds) between connect() retries when --proto tcp-client is used. Previously, this value was hardcoded to 5 seconds, and still defaults as such. * --resolv-retry can now be used with a parameter of "infinite" to retry indefinitely. * Added SSL_CTX_use_certificate_chain_file() to ssl.c for support of multi-level certificate chains (Sten Kalenda). * Fixed --tls-auth incompatibility with 1.4.x and earlier versions of OpenVPN when the passphrase file is an OpenVPN static key file (as generated by --genkey). * Added shell-escape support in config files using the backslash character ("\") so that (for example) double quotes can be passed to the shell. * Added "contrib" subdirectory on tarball, source zip, and CVS containing user-submitted contributions. * Added an optional patch to the Redhat init script to allow the configuration file directory to be a multi-level directory hierarchy (Farkas Levente). See contrib/multilevel-init.patch * Added some scripts and documentation on using Linux "fwmark" iptables rules to enable fine-grained routing control over the VPN (Sean Reifschneider, ). See contrib/openvpn-fwmarkroute-1.00 2003.11.20 -- Version 1.5.0 * Minor documentation changes. 2003.11.04 -- Version 1.5-beta14 * Fixed build problem with ./configure --disable-ssl that was reported on Debian woody. * Fixed bug where --redirect-gateway could not be used together with --resolv-retry. 2003.11.03 -- Version 1.5-beta13 * Added CRL (certificate revocation list) capability using --crl-verify option (Stefano Bracalenti). * Added --replay-window option for variable replay-protection window sizes. * Fixed --fragment bug which might have caused certain large packets to be sent unfragmented. * Modified --secret and --tls-auth to permit different cipher and HMAC keys to be used for each data flow direction. Also increased static key file size generated by --genkey from 1024 to 2048 bits, where 512 bits each are reserved for send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward and backward compatibility is maintained. See --secret option documentation on the man page for more info. * Added --tls-remote option (Teemu Kiviniemi). * Fixed --tls-cipher documention regarding correct delimiter usage (Teemu Kiviniemi). * Added --key-method option for selecting alternative data channel key negotiation methods. Method 1 is the default. Method 2 has been added (see man page for more info). * Added French translation of HOWTO to web site (Guillaume Lehmann). * Fixed problem caused by late resolver library load on certain platforms when --resolv-retry and --chroot are used together (Teemu Kiviniemi). * In TCP mode, all decryption or TLS errors will abort the current connection (this is not done in UDP mode because UDP is "connectionless"). * Fixed a TCP client reconnect bug that only occurs on the BSDs, where connect() fails with an invalid argument. This bug was partially (but not completely) fixed in beta7. * Added "route_net_gateway" environmental variable which contains the pre-existing default gateway address from the routing table (there's no standard API for getting the default gateway, so right now this feature only works on Windows or Linux). * Renamed the "route_default_gateway" enviromental variable to "route_vpn_gateway" -- this is the remote VPN endpoint. * The special keywords vpn_gateway, net_gateway, and remote_host can now be used for the network or gateway components of the --route option. See the man page for more info. * Added the --redirect-gateway option to configure the VPN as the default gateway (implemented on Linux and Windows only). * Added the --http-proxy option with basic authentication support for use in TCP client mode. Successfully tested using Squid as the HTTP proxy, with and without authentication. 2003.10.12 -- Version 1.5-beta12 * Fixed Linux-only bug in --mktun and --rmtun which was introduced around beta8 or so, which would cause an error such as "I don't recognize device tun0 as a tun or tap device1". * Added --ifconfig-nowarn option to disable options consistency warnings about --ifconfig parameters. * Don't allow any kind of sequence number backtracking or message reordering when in TCP mode. * Changed beta naming convention to use '_' (underscore) rather than '-' (dash) to pacify rpmbuild. 2003.10.08 -- Version 1.5-beta11 * Modified code in the Windows version which sets the IP address and netmask of the TAP-Win32 adapter using the IP Helper API. Most of the changes involve better error recovery when the IP Helper API returns an error status. See the manual page entry on --ip-win32 for more info. 2003.10.08 -- Version 1.5-beta10 * Added getpass() function for Windows version so that --askpass option works correctly (Stefano Bracalenti). * Added reboot advisory to end of Win32 install script. * Changed crypto code to use pseudo-random IVs rather than carrying forward the IV state from the previous packet. This is in response to item 2 in the following document: http://www.openssl.org/~bodo/tls-cbc.txt which points out weaknesses in TLS's use of the same IV carryforward approach. This change does not break protocol compatibility with previous versions of OpenVPN. * Made a change to the crypto replay protection code to also protect against certain kinds of packet reordering attacks. This change does not break protocol compatibility with previous versions of OpenVPN. * Added --ip-win32 option to provide several choices for setting the IP address on the TAP-Win32 adapter. * #ifdefed out non-CBC crypto modes by default. * Added --up-delay option to delay TUN/TAP open and --up script execution until after connection establishment. This option replaces the earlier windows-only option --tap-delay. 2003.10.01 -- Version 1.5-beta9 * Fixed --route-noexec bug where option was not parsed correctly. * Complain if --dev tun is specified without --ifconfig on Windows. * Fixed bug where TCP connections on windows would sometimes cause an assertion failure. * Added a new flag to TAP-Win32 advanced properties that allows one to set the adapter to be always "connected" even when an OpenVPN process doesn't have it open. The default behavior is to report a media status of connected only when an OpenVPN process has the adapter open. * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c DLLs in response to an OpenSSL security advisory. 2003.09.30 -- Version 1.5-beta8 * Extended the --ifconfig option to work on tap devices as well as tun devices. * Implemented the --ifconfig option for Windows, by calling the netsh tool. * By default, do an "arp -d *" on Windows after TAP-Win32 open to refresh the MAC cache. This behaviour can be disabled with --no-arp-del. * On Windows, allow the --dev-node parameter (which specifies the name of the TAP-Win32 adapter) to be omitted in cases where there is a single TAP-Win32 adapter on the system which can be assumed to be the default. * Modified the diagnostic --verb 5 debugging level to print 'R' for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, and 'w' for TUN/TAP write. * Conditionalize OpenBSD read_tun and write_tun based on tun or tap mode. * Added IPv6 tun support to OpenBSD (Thomas Glanzmann). * Make the --enable-mtu-dynamic ./configure option enabled by default. * Deprecated the --mtu-dynamic run-time option, in favor of --fragment. * DNS names can now be used as --ifconfig parameters. * Significant work on TAP-Win32 driver to bring up to SMP standards. * On Windows, fixed dangling IRP problem if TAP-Win32 driver is unloaded or disabled, while a user-space process has it open. * On Windows, if --tun-mtu is not specified, it will be read from the TAP-Win32 driver via ioctl. * On Windows, added TAP-Win32 driver status info to "F2" keyboard signal (only when run from a console window). * Added --mssfix option to control TCP MSS size (YANO Hirokuni). * Renamed --mtu-dynamic option to --fragment to more accurately reflect its function. Fragment accepts a single parameter which is the upper limit on acceptable UDP packet size. * Changed default --tun-mtu-extra parameter to 32 from 64. * Eliminated reference to malloc.o in configure.ac. * Added tun device emulation to the TAP-Win32 driver. * Added --route and related options. * Added init script for SuSE Linux (Frank Plohmann). * Extended option consistency check between peers to function in all crypto modes, including static-key and cleartext modes. Previously only TLS mode was supported. Disable with --disable-occ. * Overall, increased the amount of configuration option sanity checking, especially of networking parameters. * Added --mtu-test option for empirical MTU measurement. * Added Windows-only option --tap-delay to not set the TAP-Win32 adapter media state to 'connected' until TCP/UDP connection establishment with peer. * Slightly modified --route/--route-delay semantics so that when --route is given without --route-delay, routes are added immediately after tun/tap device open. When --route-delay is specified, routes will be added n seconds after connection initiation, where n is the --route-delay parameter (which can be set to 0). * Made TCP framing error into a non-fatal error that triggers a connection reset. 2003.08.28 -- Version 1.5-beta7 * Fixed bug that caused OpenVPN not to respond to exit/restart signals when --resolv-retry is used and a local or remote DNS name cannot be resolved. * Exported a series of environmental variables with useful info for scripts. See man page for more info. Based on a suggestion by Anthony Ciaravalo. * Moved TCP/UDP socket bind to a point in the initialization before the --up script gets called. This is desirable because (a) a socket bind failure will happen before daemonization, allowing an error status code to be returned to the shell and (b) the possibility is eliminated of a socket bind failure causing the --up script to be run but not the --down script. This change has a side effect that --resolv-retry will no longer work with --local. * Fixed bug where if an OpenVPN TCP server went down and back up again, Solaris or FreeBSD clients would fail to reconnect to it. * Fixed bug that prevented OpenVPN from being run by inetd/xinetd in TCP mode. * Added --log and --log-append options for logging messages to a file. * On Windows, check that the current user is a member of the Administrator group before attempting install or uninstall. 2003.08.16 -- Version 1.5-beta6 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count. 2003.08.14 -- Version 1.5-beta5 * Added user-configurability of the TAP-Win32 adapter MTU through the adapter advanced properties page. * Added Windows Service support. * On Windows, added file association and right-clickability for .ovpn files (OpenVPN config files). 2003.08.05 -- Version 1.5-beta4 * Extra refinements and error checking added to Windows NSIS install script. 2003.08.05 -- Version 1.5-beta3 * Added md5.h include to crypto.c to fix build problem on OpenBSD. * Created a Win32 installer using NSIS. * Removed DelService command from TAP-Win32 INF file. It appears to be not necessary and it interfered with the ability to uninstall and reinstall the driver without needing to reboot. * On Windows version, added "addtap" and "deltapall" batch files to add and delete TAP-Win32 adapter instances. 2003.07.31 -- Version 1.5-beta2 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted in Windows ASCII so it's easier to click and view. * Added postscript and PDF versions of the HOWTO to the web site (C R Zamana). * Merged Michael Clarke's stability patch into TAP-Win32 driver which appears to fix the suspend/resume driver bug and significantly improve driver stability. * Added Christof Meerwald's Media Status patch to the TAP-Win32 driver which shows the TAP adapter to be disconnected when OpenVPN is not running. * Moved socket connect and TCP server listen code to a later point in openvpn() function so that the TCP server listen state is entered after daemonization. * Added keyboard shortcuts to simulate signals in the Windows version, see the window title bar for descriptions. 2003.07.24 -- Version 1.5-beta1 * Added TCP support via the new --proto option. * Renamed udp-centric options such as --udp-mtu to --link-mtu (old option names preserved for compatibility). * Ported to Windows 2000 + XP using mingw and a TAP driver derived from the Cipe-Win32 project by Damion K. Wilson. * Added --show-adapters flag for windows version. * Reworked the SSL/TLS packet acknowledge code to better handle certain corner cases. * Turned off the default enabling of IP forwarding in the sample-scripts/openvpn.init script for Redhat. Forwarding can be enabled by users in their --up scripts or firewall config. * Added --up-restart option based on suggestion from Sean Reifschneider. * If --dev tap or --dev-type tap is specified, --tun-mtu defaults to 1500 and --tun-mtu-extra defaults to 64. * Enabled --verb 5 debugging mode that prints 'R' and 'W' for each packet read or write on the TCP/UDP socket. 2003.08.04 -- Version 1.4.3 * Added md5.h include to crypto.c to fix build problem on OpenBSD. 2003.07.15 -- Version 1.4.2 * Removed adaptive bandwidth from --mtu-dynamic -- its absence appears to work better than its existence (1.4.1.2). * Minor changes to --shaper to fix long retransmit timeouts at low bandwidth (1.4.1.2). * Added LOG_RW flag to openvpn.h for debugging (1.4.1.2). * Silenced spurious configure warnings (1.4.1.2). * Backed out --dev-name patch, modified --dev to offer equivalent functionality (1.4.1.4). * Added an optional parameter to --daemon and --inetd to support the passing of a custom program name to the system logger (1.4.1.5). * Add compiled-in options to the program title (1.4.1.5). * Coded the beginnings of a WIN32 port (1.4.1.5). * Succeeded in porting to Win32 Mingw environment and running loopback tests (1.4.1.6). Still need a kernel driver for full Win32 functionality. * Fixed a bug in error.h where HAVE_CPP_VARARG_MACRO_GCC was misspelled. This would have caused a significant slowdown of OpenVPN when built by compilers that lack ISO C99 vararg macros (1.4.1.6). * Created an init script for Gentoo Linux in ./gentoo directory (1.4.1.6). 2003.05.15 -- Version 1.4.1 * Modified the Linux 2.4 TUN/TAP open code to fall back to the 2.2 TUN/TAP interface if the open or ioctl fails. * Fixed bug when --verb is set to 0 and non-fatal socket errors occur, causing 100% CPU utilization. Occurs on platorms where EXTENDED_SOCKET_ERROR_CAPABILITY is defined, such as Linux 2.4. * Fixed typo in tun.c that was preventing OpenBSD build. * Added --enable-mtu-dynamic configure option to enable --mtu-dynamic experimental option. 2003.05.07 -- Version 1.4.0 * Added --replay-persist feature to allow replay protection across sessions. * Fixed bug where --ifconfig could not be used with --tun-mtu. * Added --tun-mtu-extra parameter to deal with the situation where a read on a TUN/TAP device returns more data than the device's MTU size. * Fixed bug where some IPv6 support code for Linux was not being properly ifdefed out for Linux 2.2, causing compile errors. * Added OPENVPN_EXIT_STATUS_x codes to openvpn.h to control which status value openvpn returns to its caller (such as a shell or inetd/xinetd) for various conditions. * Added OPENVPN_DEBUG_COMMAND_LINE flag to openvpn.h to allow debugging in situations where stdout, stderr, and syslog cannot be used for message output, such as when OpenVPN is instantiated by inetd/xinetd. * Removed owner-execute permission from file created by static key generator (Herbert Xu and Alberto Gonzalez Iniesta). * Added --passtos option to allow IPv4 TOS bits to be passed from TUN/TAP input packets to the outgoing UDP socket (Craig Knox). * Added code to prevent open socket file descriptors from being accessible to called scripts. * Added --dev-name option (Christian Lademann). * Added --mtu-disc option for manual control over MTU options. * Show OS MTU value on UDP socket write failures (linux only). * Numerous build system and portability fixes (Matthias Andree). * Added better sensing of compiler support for variable argument macros, including (a) gcc style, (b) ISO C 1999 style, and (c) no support. * Removed generated files from CVS. Note INSTALL file for new CVS build commands. * Changed certain internal symbol names for C standards compliance. * Added TUN/TAP open code to cycle dynamically through unit numbers until it finds a free unit (based on code from Thomas Gielfeldt and VTun). * Added dynamic MTU and fragmenting infrastructure (Experimental). Rebuild with FRAGMENT_ENABLE defined to enable. * Minor changes to SSL/TLS negotiation, use exponential backoff on retransmits, and use a smaller MTU size (note that no protocol changes have been made which would break compatibility with 1.3.x). * Added --enable-strict-options flag to ./configure. This option will cause a more strict check for options compatibility between peers when SSL/TLS negotiation is used, but should only be used when both OpenVPN peers are of the same version. * Reorganization of debugging levels. * Added a workaround in configure.ac for default SSL header location on Linux to fix RH9 build problem. * Fixed potential deadlock when pthread support is used on OSes that allocate a small socketpair() message buffer. * Fixed openvpn.init to be sh compliant (Bishop Clark). * Changed --daemon to wait until all initialization is finished before becoming a daemon, for the benefit of initialization scripts that want a useful return status from the openvpn command. * Made openvpn.init script more robust, including positive indication of initialization errors in the openvpn daemon and better sanity checks. * Changed --chroot to wait until initialization is finished before calling chroot(), and allow the use of --user and --group with --chroot. * When syslog logging is enabled (--daemon or --inetd), set stdin/stdout/stderr to point to /dev/null. * For inetd instantiations, dup socket descriptor to a >2 value. * Fixed bug in verify-cn script, where test would incorrectly fail if CN=x was the last component of the X509 composite string (Anonymous). * Added Markus F.X.J. Oberhumer's special license exception to COPYING. 2002.10.23 -- Version 1.3.2 * Added SSL_CTX_set_client_CA_list call to follow the canonical form for TLS initialization recommended by the OpenSSL docs. This change allows better support for intermediate CAs and has no impact on security. * Added build-inter script to easy-rsa package, to facilitate the generation of intermediate CAs. * Ported to NetBSD (Dimitri Goldin). * Fixed minor bug in easy-rsa/sign-req. It refers to openssl.cnf file, instead of $KEY_CONFIG, like all other scripts (Ernesto Baschny). * Added --days 3650 to the root CA generation command in the HOWTO to override the woefully small 30 day default (Dominik 'Aeneas' Schnitzer). * Fixed bug where --ping-restart would sometimes not re-resolve remote DNS hostname. * Added --tun-ipv6 option and related infrastructure support for IPv6 over tun. * Added IPv6 over tun support for Linux (Aaron Sethman). * Added FreeBSD 4.1.1+ TUN/TAP driver notes to INSTALL (Matthias Andree). * Added inetd/xinetd support (--inetd) including documentation in the HOWTO. * Added "Important Note on the use of commercial certificate authorities (CAs) with OpenVPN" to HOWTO based on issues raised on the openvpn-users list. 2002.07.10 -- Version 1.3.1 * Fixed bug in openvpn.spec and openvpn.init which caused RPM upgrade to fail. 2002.07.10 -- Version 1.3.0 * Added --dev-node option to allow explicit selection of tun/tap device node. * Removed mlockall call from child thread, as it doesn't appear to be necessary (child thread inherits mlockall state from parent). * Added --ping-timer-rem which causes timer for --ping-exit and --ping-restart not to run unless we have a remote IP address. * Added condrestart to openvpn.init and openvpn.spec (Bishop Clark). * Added --ifconfig case for FreeBSD (Matthias Andree). * Call openlog with facility=LOG_DAEMON (Matthias Andree). * Changed LOG_INFO messages to LOG_NOTICE. * Added warning when key files are group/others accessible. * Added --single-session flag for TLS mode. * Fixed bug where --writepid would segfault if used with an invalid filename. * Fixed bug where --ipchange status message was formatted incorrectly. * Print more concise error message when system() call fails. * Added --disable-occ option. * Added --local, --remote, and --ifconfig options sanity check. * Changed default UDP MTU to 1300 and TUN/TAP MTU to 1300. * Successfully tested with OpenSSL 0.9.7 Beta 2. * Broke out debug level definitions to errlevel.h * Minor documentation and web site changes. * All changes maintain protocol compatibility with OpenVPN versions since 1.1.0, however default MTU changes will require setting the MTU explicitly by command line option, if you want 1.3.0 to communicate with previous versions. 2002.06.12 -- Version 1.2.1 * Added --ping-restart option to restart connection on ping timeout using SIGUSR1 logic (Matthias Andree). * Added --persist-tun, --persist-key, --persist-local-ip, and --persist-remote-ip options for finer-grained control over SIGUSR1 and --ping-restart restarts. To replicate previous SIGUSR1 functionality, use --persist-remote-ip. * Changed residual IV fetching code to take IV from tail of ciphertext. * Added check to make sure that CFB or OFB cipher modes are only used with SSL/TLS authentication mode, and added a caveat to INSTALL. * Changed signal handling during initialization (including re-initialization during restarts) to exit on SIGTERM or SIGINT and ignore other signals which would ordinarily be caught. * Added --resolv-retry option to allow retries on hostname resolution. * Expanded the --float option to also allow dynamic changes in source port number on incoming datagrams. * Added --mute option to limit repetitive logging of similar message types. * Added --group option to downgrade GID after initialization. * Try to set ifconfig path automatically in configure. * Added --ifconfig code for Mac OS X (Christoph Pfisterer). * Moved "Peer Connection Initiated" message to --verb level 1. * Successfully tested with OpenSSL 0.9.7 Beta 1 and AES cipher. * Added RPM notes to INSTALL. * Added ACX_PTHREAD (from the autoconf macro archive) to configure.ac to figure out the right pthread options for a given platform. * Broke out macro definitions from configure.ac to acinclude.m4. * Minor changes to docs and HOWTO. * All changes maintain protocol compatibility with OpenVPN versions since 1.1.0. 2002.05.22 -- Version 1.2.0 * Added configuration file support via the --config option. * Added pthread support to improve latency. With pthread support, OpenVPN will offload CPU-intensive tasks such as RSA key number crunching to a background thread to improve tunnel packet forwarding latency. pthread support can be enabled with the --enable-pthread configure option. Pthread support is currently available only for Linux and Solaris. * Added --dev-type option so that tun/tap device names don't need to begin with "tun" or "tap". * Added --writepid option to write main process ID to a file. * Numerous portability fixes to ease porting to other OSes including changing all network types to uint8_t and uint32_t, and not assuming that time_t is 32 bits. * Backported to OpenSSL 0.9.5. * Ported to Solaris. * Finished OpenBSD port except for pthread support. * Added initialization script: sample-scripts/openvpn.init (Douglas Keller) * Ported to Mac OS X (Christoph Pfisterer). * Improved resilience to DoS attacks when TLS mode is used without --remote or --tls-auth, or when --float is used with --remote. Note however that the best defense against DoS attacks in TLS mode is to use --tls-auth. * Eliminated automake/autoconf dependency for non-developers. * Ported configure.in to configure.ac and autoconf 2.50+. * SIGHUP signal now causes OpenVPN to restart and re-read command line and or config file, in conformance with canonical daemon behaviour. * SIGUSR1 now does what SIGHUP did in version 1.1.1 and earlier -- close and reopen the UDP socket for use when DHCP changes host's IP address and preserve most recently authenticated peer address without rereading config file. * SIGUSR2 added -- outputs current statistics, including compression statistics. * All changes maintain protocol compatibility with 1.1.1 and 1.1.0. 2002.04.22 -- Version 1.1.1 * Added --ifconfig option to automatically configure TUN device. * Added inactivity disconnect (--inactive and --ping-exit options). * Added --ping option to keep stateful firewalls from timing out. * Added sanity check to command line parser to err if any TLS options are used in non-TLS mode. * Fixed build problem with compiler environments that define printf as a macro. * Fixed build problem on linux systems that have an integrated TUN/TAP driver but lack the persistent tunnel feature (TUNSETPERSIST). Some linux kernels >= 2.4.0 and < 2.4.7 fall into this category. * Changed all calls to EVP_CipherInit to use explicit encrypt/decrypt mode in order to fix problem with IDEA-CBC and AES-256-CBC ciphers. * Minor changes to control channel transmit limiter algorithm to fix problem where TLS control channel might not renegotiate within the default 60 second window. * Simplified man page examples by taking advantage of the new --ifconfig option. * Minor changes to configure.in to check more rigourously for OpenSSL 0.9.6 or greater. * Put back openvpn.spec, eliminated openvpn.spec.in. * Modified openvpn.spec to reflect new automake-based build environment (Bishop Clark). * Other documentation changes. * Added --test-crypto option for debugging. * Added "missing" and "mkinstalldirs" automake support files. 2002.04.09 -- Version 1.1.0 * Strengthened replay protection and IV handling, extending it fully to both static key and TLS dynamic key exchange modes. * Added --mlock option to disable paging and ensure that key material and tunnel data is never paged to disk. * Added optional traffic shaping feature to cap the maximum data rate of the tunnel. * Converted to automake (The Platypus Brothers 2002-04-01). * Ported to OpenBSD by Janne Johansson. * Added --tun-af-inet option to work around an incompatibility between Linux and BSD tun drivers. * Sequence number-based replay protection using the IPSec sliding window model is now the default, disable with --no-replay. * Explicit IV is now the default, disable with --no-iv. * Disabled all cipher modes except CBC, CFB, and OFB. * In CBC mode, use explicit IV and carry forward residuals, using IPSec model. * In CFB/OFB mode, IV is timestamp, sequence number. * Eliminated --packet-id, --timestamp, and max-delta parameter to the --tls-auth option as they are now supplanted by improved replay code which is enabled by default. * Eliminated --rand-iv as it is now obsolete with improved IV code. * Eliminated --reneg-err option as it increases vulnerability to DoS attacks. * Added weak key check for DES ciphers. * --tls-freq option is no longer specified on the command line, instead it now inherits its parameter from the --tls-timeout option. * Fixed bug that would try to free memory on exit that was never malloced if --comp-lzo was not specified. * Errata fixed in the man page examples: "test-ca" should be "tmp-ca". * Updated manual page. * Preliminary work in porting to OpenSSL 0.9.7. * Changed license to allowing linking with OpenSSL. 2002.03.29 -- Version 1.0.3 * Fixed a problem in configure with library ordering on the command line. 2002.03.28 -- Version 1.0.2 * Improved the efficiency of the inner event loop. * Fixed a minor bug with timeout handling. * Improved the build system to build on RH 6.2 through 7.2. * Added an openvpn.spec file for RPM builders (Bishop Clark). 2002.03.23 -- Version 1.0 * Added TLS-based authentication and key exchange. * Added gremlin mode to stress test. * Wrote man page. 2001.12.26 -- Version 0.91 * Added any choice of cipher or HMAC digest. 2001.5.13 -- Version 0.90 * Initial release. * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. }}}