Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of ChangesInOpenvpn20

Timestamp:: 07/24/14 13:35:13 (10 years ago)
Author:: Samuli Seppänen
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ChangesInOpenvpn20

                       v1
+{{{
+OpenVPN
+Copyright (C) 2002-2008 OpenVPN, Inc.
+$Id: ChangeLog 1330 2006-10-01 11:45:06Z james $
+.10.01 -- Version 2.0.9
+* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
+  published vulnerabilities.
+* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
+  (Henry Nestler).  The TAP-Win32 driver has now been
+  upgraded to version 8.4.
+.09.12 -- Version 2.0.8
+* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
+  RSA Signature Forgery (CVE-2006-4339).
+* No changes to OpenVPN source code between 2.0.7 and 2.0.8.
+.04.12 -- Version 2.0.7
+* Code added in 2.0.6-rc1 to extend byte counters
+  to 64 bits caused a bug in the Windows version which has now
+  been fixed.  The bug could cause intermittent crashes.
+.04.05 -- Version 2.0.6
+* Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
+  An OpenVPN client connecting to a
+  malicious or compromised server could potentially receive
+  "setenv" configuration directives from the server which could
+  cause arbitrary code execution on the client via a LD_PRELOAD
+  attack.  A successful attack appears to require that (a) the
+  client has agreed to allow the server to push configuration
+  directives to it by including "pull" or the macro "client" in
+  its configuration file, (b) the client configuration file uses
+  a scripting directive such as "up" or "down", (c) the client
+  succesfully authenticates the server, (d) the server is
+  malicious or has been compromised and is under the control of
+  the attacker, and (e) the attacker has at least some level of
+  pre-existing control over files on the client (this might be
+  accomplished by having the server respond to a client web
+  request with a specially crafted file).  Credit: Hendrik Weimer.
+  CVE-2006-1629.
+  The fix is to disallow "setenv" to be pushed to clients from
+  the server.  For those who need this capability, OpenVPN
+.1 supports a new "setenv-safe" directive which is free
+  of this vulnerability.
+* When deleting routes under Linux, use the route metric
+  as a differentiator to ensure that the route teardown
+  process only deletes the identical route which was originally
+  added via the "route" directive (Roy Marples).
+* Fix the t_cltsrv.sh file in FreeBSD 4 jails
+  (Matthias Andree, Dirk Meyer, Vasil Dimov).
+* Extended tun device configure code to support ethernet
+  bridging on NetBSD (Emmanuel Kasper).
+.01.03 -- Version 2.0.6-rc1
+* Fixed bug where "make check" inside a FreeBSD "jail"
+  would never complete (Matthias Andree).
+* Fixed bug where --server directive in --dev tap mode
+  claimed that it would support subnets of /30 or less
+  but actually would only accept /29 or less.
+* Extend byte counters to 64 bits (M. van Cuijk).
+* Fixed bug in acinclude.m4 where capability of compiler
+  to handle zero-length arrays in structs is tested
+  (David Stipp).
+* Fixed typo in manage.c where inline function declaration
+  was declared without the "static" keyword (David Stipp).
+* Removed redundant base64 code.
+* Better sanity checking of --server and --server-bridge
+  IP pool ranges, so as not to hit the assertion at
+  pool.c:119 (2.0.5).
+* Fixed bug where --daemon and --management-query-passwords
+  used together would cause OpenVPN to block prior to
+  daemonization.
+* Fixed client/server race condition which could occur
+  when --auth-retry interact is set and the initially
+  provided auth-user-pass credentials are incorrect,
+  forcing a username/password re-query.
+* Fixed bug where if --daemon and --management-hold are
+  used together, --user or --group options would be ignored.
+.11.02 -- Version 2.0.5
+* Fixed bug in Linux get_default_gateway function
+  introduced in 2.0.4, which would cause redirect-gateway
+  on Linux clients to fail.
+* Restored easy-rsa/2.0 tree (backported from 2.1 beta
+  series) which accidentally disappeared in
+.0.2 -> 2.0.4 transition.
+.11.01 -- Version 2.0.4
+* Security fix -- Affects non-Windows OpenVPN clients of
+  version 2.0 or higher which connect to a malicious or
+  compromised server.  A format string vulnerability
+  in the foreign_option function in options.c could
+  potentially allow a malicious or compromised server
+  to execute arbitrary code on the client.  Only
+  non-Windows clients are affected.  The vulnerability
+  only exists if (a) the client's TLS negotiation with
+  the server succeeds, (b) the server is malicious or
+  has been compromised such that it is configured to
+  push a maliciously crafted options string to the client,
+  and (c) the client indicates its willingness to accept
+  pushed options from the server by having "pull" or
+  "client" in its configuration file (Credit: Vade79).
+  CVE-2005-3393
+* Security fix -- Potential DoS vulnerability on the
+  server in TCP mode.  If the TCP server accept() call
+  returns an error status, the resulting exception handler
+  may attempt to indirect through a NULL pointer, causing
+  a segfault.  Affects all OpenVPN 2.0 versions.
+  CVE-2005-3409
+* Fix attempt of assertion at multi.c:1586 (note that
+  this precise line number will vary across different
+  versions of OpenVPN).
+* Added ".PHONY: plugin" to Makefile.am to work around
+  "make dist" issue.
+* Fixed double fork issue that occurs when --management-hold
+  is used.
+* Moved TUN/TAP read/write log messages from --verb 8 to 6.
+* Warn when multiple clients having the same common name or
+  username usurp each other when --duplicate-cn is not used.
+* Modified Windows and Linux versions of get_default_gateway
+  to return the route with the smallest metric
+  if multiple 0.0.0.0/0.0.0.0 entries are present.
+.09.25 -- Version 2.0.3-rc1
+* openvpn_plugin_abort_v1 function wasn't being properly
+  registered on Windows.
+* Fixed a bug where --mode server --proto tcp-server --cipher none
+  operation could cause tunnel packet truncation.
+.08.25 -- Version 2.0.2
+* No change from 2.0.2-rc1.
+.08.24 -- Version 2.0.2-rc1
+* Fixed regression bug in Win32 installer, introduced in 2.0.1,
+  which incorrectly set OpenVPN service to autostart.
+* Don't package source code zip file in Windows installer
+  in order to reduce the size of the installer.  The source
+  zip file can always be downloaded separately if needed.
+* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
+  version of get_default_gateway.  Allocated socket for route
+  manipulation is never freed so number of mbufs continuously
+  grow and exhaust system resources after a while (Jaroslav Klaus).
+* Fixed bug where "--proto tcp-server --mode p2p --management
+  host port" would cause the management port to not respond until
+  the OpenVPN peer connects.
+* Modified pkitool script to be /bin/sh compatible (Johnny Lam).
+.08.16 -- Version 2.0.1
+* Security Fix -- DoS attack against server when run with "verb 0" and
+  without "tls-auth".  If a client connection to the server fails
+  certificate verification, the OpenSSL error queue is not properly
+  flushed, which can result in another unrelated client instance on the
+  server seeing the error and responding to it, resulting in disconnection
+  of the unrelated client (CAN-2005-2531).
+* Security Fix -- DoS attack against server by authenticated client.
+  This bug presents a potential DoS attack vector against the server
+  which can only be initiated by a connected and authenticated client.
+  If the client sends a packet which fails to decrypt on the server,
+  the OpenSSL error queue is not properly flushed, which can result in
+  another unrelated client instance on the server seeing the error and
+  responding to it, resulting in disconnection of the unrelated client
+  (CAN-2005-2532).  Credit: Mike Ireton.
+* Security Fix -- DoS attack against server by authenticated client.
+  A malicious client in "dev tap" ethernet bridging mode could
+  theoretically flood the server with packets appearing to come from
+  hundreds of thousands of different MAC addresses, causing the OpenVPN
+  process to deplete system virtual memory as it expands its internal
+  routing table.  A --max-routes-per-client directive has been added
+  (default=256) to limit the maximum number of routes in OpenVPN's
+  internal routing table which can be associated with a given client
+  (CAN-2005-2533).
+* Security Fix -- DoS attack against server by authenticated client.
+  If two or more client machines try to connect to the server at the
+  same time via TCP, using the same client certificate, and when
+  --duplicate-cn is not enabled on the server, a race condition can
+  crash the server with "Assertion failed at mtcp.c:411"
+  (CAN-2005-2534).
+* Fixed server bug where under certain circumstances, the client instance
+  object deletion function would try to delete iroutes which had never been
+  added in the first place, triggering "Assertion failed at mroute.c:349".
+* Added --auth-retry option to prevent auth errors from being fatal
+  on the client side, and to permit username/password requeries in case
+  of error.  Also controllable via new "auth-retry" management interface
+  command.  See man page for more info.
+* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
+* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
+  would fail to build.
+* Implement "make check" to perform loopback tests (Matthias Andree).
+.07.21 -- Version 2.0.1-rc7
+* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
+* Include linux/types.h before checking for linux/errqueue.h (Matthias
+  Andree).
+.07.15 -- Version 2.0.1-rc6
+* Commented out "user nobody" and "group nobody" in sample
+  client/server config files.
+* Allow '@' character to be used in --client-config-dir
+  file names.
+.07.04 -- Version 2.0.1-rc5
+* Windows version will log a for-further-info URL when
+  initialization sequence is completed with errors.
+* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
+  to control whether auth-pam plugin links to PAM via
+  dlopen or -lpam.  By default, DLOPEN_PAM=1 so pre-existing
+  behavior should be preserved.  DLOPEN_PAM=0 is the preferred
+  setting to link via -lpam, but DLOPEN_PAM=1 works around
+  a bug in SuSE 9.1 (and possibly other distros as well)
+  where the PAM modules are not linked with -lpam.  See
+  thread on openvpn-devel for more discussion about this
+  patch (Simon Perreault).
+.06.15 -- Version 2.0.1-rc4
+* Support LZO 2.00, including changes to configure script to
+  autodetect LZO version.
+.06.12 -- Version 2.0.1-rc3
+* Fixed a bug which caused standard file handles to not be closed
+  after daemonization when --plugin and --daemon are used together,
+  and if the plugin initialization function forks (as does auth-pam
+  and down-root) (Simon Perreault).
+* Added client-side up/down scripts in contrib/pull-resolv-conf
+  for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
+  on Linux/Unix systems (Jesse Adelman).
+* Fixed bug where if client-connect scripts/plugins were cascaded,
+  and one (but not all) of them returned an error status, there might
+  be cases where for an individual script/plugin, client-connect was
+  called but not client-disconnect.  The goal of this fix is to
+  ensure that if client-connect is called on a given client instance,
+  then client-disconnect will definitely be called.  A potential
+  complication of this fix is that when client-connect functions are
+  cascaded, it's possible that the client-disconnect function would
+  be called in cases where the related client-connect function returned
+  an error status.  This fix should not alter OpenVPN behavior when
+  scripts/plugins are not cascaded.
+* Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
+  fatal error to a warning: "FRAG: outgoing buffer is not empty".
+  Need more info on how to reproduce this one.
+* When --duplicate-cn is used, the --ifconfig-pool allocation
+  algorithm will now allocate the first available IP address.
+* When --daemon and --management-hold are used together,
+  OpenVPN will daemonize before it enters the management hold state.
+.05.16 -- Version 2.0.1-rc2
+* Modified vendor test in openvpn.spec file to match against
+  "Mandrakesoft" in addition to "MandrakeSoft".
+* Using --iroute in a --client-config-dir file while in --dev tap
+  mode is not currently supported and will produce a warning
+  message. Fixed bug where in certain cases, in addition to
+  generating a warning message, this combination of options
+  would also produce a fatal assertion in mroute.c.
+* Pass --auth-user-pass username to server-side plugin without
+  performing any string remapping (plugins, unlike scripts,
+  don't get any security benefit from string remapping).
+  This is intended to fix an issue with openvpn-auth-pam/pam_winbind
+  where backslash characters in a username ('\') were being remapped
+  to underscore ('_').
+* Updated OpenSSL DLLs in Windows build to 0.9.7g.
+* Documented --explicit-exit-notify in man page.
+* --explicit-exit-notify seconds parameter defaults to 1 if
+  unspecified.
+.04.30 -- Version 2.0.1-rc1
+* Fixed bug where certain kinds of fatal errors after
+  initialization (such as port in use) would leave plugin
+  processes (such as openvpn-auth-pam) still running.
+* Added optional openvpn_plugin_abort_v1 plugin function for
+  closing initialized plugin objects in the event of a fatal
+  error by main OpenVPN process.
+* When the --remote list is > 1, and --resolv-retry is not
+  specified (meaning that it defaults to "infinite"), apply the
+  infinite timeout to the --remote list as a whole, but try each
+  list item only once before moving on to the next item.
+* Added new --syslog directive which redirects output
+  to syslog without requiring the use of the --daemon or --inetd
+  directives.
+* Added openvpn.spec option to allow RPM to be built with support
+  for passwords read from a file:
+  rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
+.04.17 -- Version 2.0
+* Fixed minor options string typo in options.c.
+.04.10 -- Version 2.0-rc21
+* Change license description from "GPL Version 2 or (at your
+  option) any later version" to just "GPL Version 2".
+.04.04 -- Version 2.0-rc20
+* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
+  excellent distro/version coverage for RH/EL/Fedora, though
+  using his own SPEC.  I modified openvpn.spec to follow some of
+  the same conventions such as putting sample scripts and doc
+  files in %doc rather than /usr/share/openvpn.
+* Minor change to init scripts to run the user-defined script
+  /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
+  configs are started, and to run /etc/openvpn/openvpn-shutdown
+  after all OpenVPN configs have been stopped.  The
+  openvpn-startup script can be used for stuff like
+  insmod tun.o, setting up firewall rules, or starting
+  ethernet bridges.
+.03.29 -- Version 2.0-rc19
+* Omit additions of routes where the network and
+  gateway are equal and the netmask is 255.255.255.255.
+  This can come up if you are using both
+  server/ifconfig-pool and client-config-dir with
+  ifconfig-push static addresses for some subset of clients
+  which directly reference the server IP address as the
+  remote endpoint.
+.03.28 -- Version 2.0-rc18
+* Packaged Windows installer with OpenSSL 0.9.7f.
+* Built Windows installer with NSIS 2.06.
+.03.12 -- Version 2.0-rc17
+* "MANAGEMENT: CMD" log file output will now only occur
+  at --verb 7 or greater.
+* Added an optional name/value configuration list to
+  the openvpn-auth-pam plugin module argument list.  See
+  plugin/auth-pam/README for documentation. This is necessary
+  in order for openvpn-auth-pam to work with queries generated
+  by arbitrary PAM modules.
+* In both auth-pam and down-root plugins, in the forked process,
+  a read error on the parent process socket is no longer fatal.
+* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
+  A conditional test of the vendor has been added to
+  Require the appropriately named 'lzo' (liblzo1 / lzo).
+  (Tom Walsh - http://openhardware.net)
+.02.20 -- Version 2.0-rc16
+* Fixed bug introduced in rc13 where Windows service wrapper
+  would be installed with a startup type of Automatic.
+  This fix restores the previous behavior of installing
+  with a startup type of Manual.
+.02.19 -- Version 2.0-rc15
+* Added warning when --keepalive is not used in a server
+  configuration.
+* Don't include OpenSSL md4.h file if we are not building
+  NTLM proxy support (Waldemar Brodkorb).
+* Added easy-rsa/build-key-pkcs12 and
+  easy-rsa/Windows/build-key-pkcs12.bat scripts
+  (Mathias Sundman).
+.02.16 -- Version 2.0-rc14
+* Fixed small memory leak that occurs when --crl-verify
+  is used.
+* Upgraded Windows installer and .nsi script to NSIS 2.05
+  (Mathias Sundman).
+* Changed #include backslash usage in cryptoapi.c to use
+  forward slashes instead (Gisle Vanem).
+* Created easy-rsa/revoke-full to handle revocations in
+  a single step: (a) revoke crt, (b) regenerate CRL, and
+  (c) verify that revocation succeeded.
+* Renamed easy-rsa/Windows/revoke-key to revoke-full so
+  that both *nix and Windows scripts are equivalent.
+.02.11 -- Version 2.0-rc13
+* Improve human-readability of local/remote options
+  diff, when inconsistencies are present.
+* For Windows easy-rsa, distribute vars.bat.sample and
+  openssl.cnf.sample, then copy them to their normal
+  filenames (without the .sample) when init-config.bat
+  is run.  This is to prevent OpenVPN upgrades from
+  wiping out vars.bat and openssl.cnf edits.
+* Modified service wrapper (Windows) to use a
+  case-insensitive search when scanning for .ovpn files
+  in \Program Files\OpenVPN\config.  Prior versions
+  required an all-lower-case .ovpn file extension.
+* Miscellaneous service wrapper code cleanup.
+* If --user/--group is used on Windows, treat it
+  as a no-op with a warning (this makes it easier to
+  distribute the same client config file to Windows
+  and *nix users).
+* Warn if --ifconfig-pool-persist is used with
+  --duplicate-cn.
+.02.05 -- Version 2.0-rc12
+* Removed some debugging code inadvertently included
+  in rc11 which would print the --auth-user-pass
+  username/password provided by clients in the server
+  logfile.
+* Client code for cycling through --remote list will
+  retry the last address which successfully authenticated
+  before moving on through the list.
+* Windows installer will now install sample configuration
+  files in \Program Files\OpenVPN\sample-configs as well
+  as generate a start menu shortcut to this directory.
+* Minor type change in buffer.[ch] to work around char-type
+  ambiguity bug.  Caused management interface lock-ups on
+  ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
+.02.03 -- Version 2.0-rc11
+* Windows installer will now install easy-rsa directory
+  in \Program Files\OpenVPN
+* Allow syslog facility to be controlled at compile time,
+  e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
+* Changed certain shell scripts in distribution to use
+  #!/bin/sh rather than #!/bin/bash for better portability.
+* If --ifconfig-pool-persist seconds parameter is 0, treat
+  persist file as an allocation of fixed IP addresses
+  (previous versions took IP-to-common-name associations
+  from this list as hints, not mandatory static allocations).
+* Fixed bug on *nix where if --auth-user-pass and --log
+  were used together, the username prompt would be sent to
+  the log file rather than /dev/tty.
+* Spurious text in openvpn.8 detected by doclifter
+  (Eric S. Raymond).
+* Call closelog later on daemon kill so that process
+  exit message is written to syslog.
+.01.27 -- Version 2.0-rc10
+* When ./configure is run with plugins enabled (the default),
+  check whether or not dlopen exists in libc before testing
+  for libdl.  This is to fix an issue on FreeBSD and possibly
+  other OSes which bundle libdl functions in libc.
+* On Windows, filter initial WSAEINVAL warning which occurs
+  on the initial read attempt of an unbound socket.
+* The easy-rsa scripts build-key, build-key-pass, and
+  build-key-server will now chmod the .key file
+  to 0600.  This is in addition to the fact the generated
+  keys directory has always been similarly protected
+  (Pete Harlan).
+.01.23 -- Version 2.0-rc9
+* Fixed error "ROUTE: route addition failed using
+  CreateIpForwardEntry ..." on Windows when --redirect-gateway
+  is used over a RRAS internet link.
+* When using --route-method exe on Windows, include the
+  gateway parameter on route delete commands (Mathias Sundman).
+* Try not to do a hard reset (i.e. SIGHUP) when two
+  SIGUSR1 signals are received in close succession.
+* If the push list tries to grow beyond its buffer capacity,
+  the resulting error will be non-fatal.
+* To increase the push list capacity (must be done on both
+  client and server), increase TLS_CHANNEL_BUF_SIZE in
+  common.h (default=1024).
+.01.15 -- Version 2.0-rc8
+* Fixed bug introduced in rc7 where options error
+  "--auth-user-pass requires --pull" might occur even
+  if --pull was correctly specified.
+* Changed management interface code to bind once
+  to TCP socket, rather than rebinding after every
+  client disconnect.
+* Added "disable" directive for client-config-dir
+  files.
+* Windows binary install is now distributed with
+  OpenSSL 0.9.7e.
+* Query the management interface for --http-proxy
+  username/password if authfile is set to "stdin".
+* Added current OpenVPN version number to "Unrecognized
+  option or missing parameter" error message.
+* Added "-extensions server" to "openssl req" command
+  in easy-rsa/build-key-server (Nir Yeffet).
+.01.10 -- Version 2.0-rc7
+* Fixed bug in management interface which could cause
+% CPU utilization in --proto tcp-server mode
+  on all *nix OSes except for Linux 2.6.
+* --ifconfig-push now accepts DNS names as well as
+  IP addresses.
+* Added sanity check errors when --pull or
+  --auth-user-pass is used in an incorrect mode.
+* Updated man page entries for --client-connect and
+  --ifconfig-push.
+* Added "String Types and Remapping" section to man
+  page to consisely document the way which OpenVPN
+  may convert certain types of characters in strings
+  to ('_').
+* Modified bridging description in HOWTO to emphasize
+  the fact that bridging allows Windows file and print
+  sharing without a WINS server (Charles Duffy).
+.12.20 -- Version 2.0-rc6
+* Improved checking for epoll support in ./configure
+  to fix false positive on RH9 (Jan Just Keijser).
+* Made the "MULTI TCP: I/O wait required blocking in
+  multi_tcp_action, action=7" error nonfatal and replaced
+  with "MULTI: Outgoing TUN queue full, dropped packet".
+  So far the issue only seems to occur on Linux 2.2
+  in --mode server --proto tcp mode.  It occurs when
+  the TUN/TAP driver locks up and refuses to accept
+  new packet writes for a second or more.
+* Fixed bug where if a --client-config-dir file tried
+  to include another file using "config", and if that
+  include failed, OpenVPN would abort with a fatal
+  error.  Now such inclusion failures will be logged
+  but are no longer fatal.
+* Global changes to the way that packet buffer alignment
+  is handled.  Previously we didn't care about alignment
+  and took care, when handling 16 and 32 bit words
+  in buffers, to always use alignment-safe transfers.
+  This approach appears to be inadequate on some
+  architectures such as alpha.  The new approach is
+  to initialize packet buffers in a way that anticipates
+  how component structures will be allocated within
+  them, to maintain correct alignment.
+* Added --dhcp-option DISABLE-NBT to disable NetBIOS
+  over TCP (Jan Just Keijser).
+* Added --http-proxy-option directive for controlling
+  miscellaneous HTTP proxy options.
+* Management state will no longer transition to "WAIT"
+  during TLS renegotiations.
+.12.16 -- Version 2.0-rc5
+* The --client-config-dir option will now try to open
+  a default file called "DEFAULT" if no file matching
+  the common name of the incoming client was found.
+* The --client-connect script/plugin can now veto client
+  authentication by returning a failure code.
+* The --learn-address script/plugin can now prevent a
+  client-instance/address association from being learned
+  by returning a failure code.
+* Changed RPM group in .spec file to Applications/Internet.
+.12.14 -- Version 2.0-rc4
+* SuSE only -- Fixed interaction between openvpn.spec and
+  suse/openvpn.init where the .spec file was writing the
+  OpenVPN binary to a different location than where the
+  .init script was referencing it (Stefan Engel).
+* Solaris only -- Split Solaris ifconfig command into two
+  parts (Jan Just Keijser).
+* Some cleanup in add_option().
+* Better error checking on input dotted quad IP addresses.
+* Verify that --push argument is quoted, if there is
+  more than one.
+* More miscellaneous option sanity checks.
+.12.13 -- Version 2.0-rc3
+* On Windows, when --log or --log-append is used,
+  save the original stderr for username and password
+  prompts.
+* Fixed a bug introduced in the late 2.0 betas where
+  if a "verb" parameter >= 16 was used, it would be
+  ignored and the actual verb level would remain at 1.
+* Fixed a bug mostly seen on OS X where --management-hold
+  or --management-query-passwords would cause the management
+  interface to be unresponsive to incoming client connections.
+* Trigger an options error if one of the management-modifying
+  options is used without "management" itself.
+.12.12 -- Version 2.0-rc2
+* Amplified warnings in documentation about possible
+  man-in-the-middle attack when clients do not properly
+  verify server certificate.  Changes to easy-rsa README,
+  FAQ, HOWTO, man page, and sample client config file.
+* Added a warning message if --tls-client or --client
+  is used without also specifying one of either
+  --ns-cert-type, --tls-remote, or --tls-verify.
+* status_open() fixes for MSVC builds (Blaine Fleming).
+* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
+  compiler error which has been reported on some platforms.
+* The openvpn.spec file for rpmbuild has several
+  new build-time options.  See comments in the file.
+* Plugins are now built and packaged in the RPM and
+  will be saved in /usr/share/openvpn/plugin/lib.
+* Added --management-hold directive to start OpenVPN
+  in a hibernating state until released by the
+  management interface.  Also added "hold" command
+  to the management interface.
+.12.07 -- Version 2.0-rc1
+* openvpn.spec workaround for SuSE confusion regarding
+  /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
+.12.05 -- Version 2.0-beta20
+* The ability to read --askpass and --auth-user-pass
+  passwords from a file has been disabled by default.
+  To re-enable, use ./configure --enable-password-save.
+* Added additional pre-connected states to management
+  interface.  See management/management-notes.txt
+  for more info.
+* State history is now recorded by the management
+  interface, and the "state" command now works like
+  the log or echo commands.
+* State history and real-time state change notifications
+  are now prepended with an integer unix timestamp.
+* Added --http-proxy-timeout option, previously
+  the timeout was hardcoded to 5 seconds.
+.12.02 -- Version 2.0-beta19
+* Fixed bug in management interface line termination
+  where output lines incorrectly contained a \00 char
+  after the customary \0d \0a.
+* Fixed bug introduced in beta18 where Windows version
+  would segfault on options errors.
+* Fixed bug in management interface where an empty
+  quoted string ("") entered as a parameter would cause
+  a segfault.
+* Fixed bug where --resolv-retry was not working
+  properly with multiple --remote hosts.
+* Added additional ./configure options to reduce
+  executable size for embedded applications.
+  See ./configure --help.
+.11.28 -- Version 2.0-beta18
+* Added management interface.  See new --management-*
+  options or the full management interface documentation
+  in management/management-notes.txt in the tarball.
+  Management interface inclusion can be disabled by
+  ./configure --disable-management.
+* Added two new plugin modules: auth-pam and down-root.
+  Auth-pam supports pam-based authentication using a
+  split privilege execution model, while down-root enables
+  a down script to be executed with root privileges, even
+  when --user/--group is used to drop root privileges.
+  See the plugin directory in the tarball for READMEs,
+  source code, and Makefiles.
+* Plugin developers should note that some changes were
+  made to the plugin interface since beta17.  See
+  openvpn-plugin.h for details.
+  Plugin interface inclusion can be disabled with
+  ./configure --disable-plugins
+* Added easy-rsa/build-key-server script which will
+  build a certificate with with nsCertType=server.
+* Added --ns-cert-type option for verification
+  of nsCertType field in peer certificate.
+* If --fragment n is specified and --mssfix is specified
+  without a parameter, default --mssfix to n.  This restores
+  the 1.6 behavior when using --mssfix without a parameter.
+* Fixed SSL context initialization bug introduced in beta14
+  where this error might occur on restarts: "Cannot load
+  certificate chain ... PEM_read_bio:no start line".
+.11.11 -- Version 2.0-beta17
+* Changed default port number to 1194 per IANA official
+  port number assignment.
+* Added --plugin directive which allows compiled
+  modules to intercept script callbacks.  See
+  plugin folder in tarball for more info.
+* Fixed bug introduced in beta12 where --key-method 1
+  authentications which should have succeeded would fail.
+* Ignore SIGUSR1 during DNS resolution.
+* Added SuSE support to openvpn.spec (Umberto Nicoletti).
+* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
+  Runestig).
+.11.07 -- Version 2.0-beta16
+* Modified sample-scripts/auth-pam.pl to get username
+  and password from OpenVPN via a file rather than
+  via environmental variables.
+* Added bytes_sent and bytes_received environmental
+  variables to be set prior to client-disconnect script.
+* Changed client virtual IP derivation precedence:
+  (1) use --ifconfig-push directive from --client-connect
+  script, (2) use --ifconfig-push directive from
+  --client-config-dir, and (3) use --ifconfig-pool
+  address.
+* If a --client-config-dir file specifies --ifconfig-push,
+  it will be visible to the --client-connect-script in
+  the ifconfig_pool_remote_ip environmental variable.
+* For tun-style tunnels, the ifconfig_pool_local_ip
+  environmental variable will be set, while for
+  tap-style tunnels, the ifconfig_pool_netmask variable
+  will be set.
+* Added intelligence to autoconf script to test
+  compiler for the accepted form of zero-length arrays.
+* Fixed a bug introduced in beta12 where --ip-win32
+  netsh would fail if --dev-node was not explicitly
+  specified.
+* --ip-win32 netsh will now work on hidden adapters.
+* Fix attempt of "Assertion failed at crypto.c:149".
+  This assertion has also been reported on 1.x with a
+  slightly different line number.  The fix is twofold:
+  (1) In previous releases, --mtu-test may trigger this
+  assertion -- this bug has been fixed.  (2) If something
+  else causes the assertion to be thrown, don't panic,
+  just output a nonfatal warning to the log and drop
+  the packet which generated the error.
+* Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
+* Added --echo directive.
+* Added --auth-nocache directive.
+.10.28 -- Version 2.0-beta15
+* Changed environmental variable character classes
+  so that names must consist of alphanumeric or
+  underbar chars and values must consist of printable
+  characters.  Illegal chars will be deleted.
+  Versions prior to 2.0-beta12 were more restrictive
+  and would map spaces to '.'.
+* On Windows, when the TAP adapter fails to
+  initialize with the correct IP address, output
+  "Initialization Sequence Completed with Errors"
+  to the console or log file.
+* Added a warning when user/group/chroot is used
+  without persist-tun and persist-key.
+* Added cryptoapi.[ch] to tarball and source zip.
+* --tls-remote option now works with common name
+  prefixes as well as with the full X509 subject
+  string.  This is a useful alternative to using
+  a CRL on the client.
+* common names associated with a static
+  --ifconfig-push setting will no longer leave
+  any state in the --ifconfig-pool-persist file.
+* Hard TLS errors (TLS handshake failed) will now
+  trigger either a SIGUSR1 signal by default
+  or SIGTERM (if --tls-exit is specified).  In TCP
+  mode, all TLS errors are considered to be hard.
+  In server mode, the signal will be local to the
+  client instance.
+* Added method parameter to --auth-user-pass-verify
+  directive to select whether username/password
+  is passed to script via environment or a temporary
+  file.
+* Added --status-version option to control format
+  of --status file.  The --mode server
+  --status-version 2 format now includes a line
+  type token, the virtual IP address is shown
+  in the client list (even in --dev tap mode),
+  and the integer time_t value is shown anywhere
+  an ascii-formatted time/date is also shown.
+* Added --remap-usr1 directive which can be used
+  to control whether internally or externally
+  generated SIGUSR1 signals are remapped to
+  SIGHUP (restart without persisting state) or
+  SIGTERM (exit).
+* When running as a Windows service (using
+  --service option), check the exit event before
+  and after reading one line of input from
+  stdin, when reading username/password info.
+* For developers: Extended the --gremlin function
+  to better stress-test the new 2.0 features,
+  added Valgrind support on Linux and Dmalloc
+  support on Windows.
+.10.19 -- Version 2.0-beta14
+* Fixed a bug introduced in Beta12 that would occur
+  if you use a --client-connect script without also
+  defining --tmp-dir.
+* Fixed a bug introduced in Beta12 where a learn-address
+  script might segfault on the delete method.
+* Added Crypto API support in Windows version via
+  the --cryptoapicert option (Peter 'Luna' Runestig).
+.10.18 -- Version 2.0-beta13
+* Fixed an issue introduced in Beta12 where the private
+  key password would not be prompted for unless --askpass
+  was explicitly specified in the config.
+.10.17 -- Version 2.0-beta12
+* Added support for username/password-based authentication.
+  Clients can now authentication themselves with the server
+  using either a certificate, a username/password, or both.
+  New directives: --auth-user-pass, --auth-user-pass-verify,
+  --client-cert-not-required, and --username-as-common-name.
+* Added NTLM proxy patch (William Preston).
+* Added --ifconfig-pool-linear server flag to allocate
+  individual tun addresses for clients rather than /30
+  subnets (won't work with Windows clients).
+* Modified --http-proxy code to cache username/password
+  across restarts.
+* Modified --http-proxy code to read username/password
+  from the console when the auth file is given as "stdin".
+* Modified --askpass to take an optional filename argument.
+* --persist-tun and --persist-key now work in client mode
+  and can be pushed to clients as well.
+* Added --ifconfig-pool-persist directive, to maintain
+  ifconfig-pool info in a file which is persistent across
+  daemon instantiations.
+* --user and --group privilege downgrades as well as
+  --chroot now also work in client mode (the
+  dowgrade/chroot will be delayed until the initialization
+  sequence is completed).
+* Added --show-engines standalone directive to show
+  available OpenSSL crypto accelerator engine support.
+* --engine directive now accepts an optional engine-ID
+  parameter to control which engine is used.
+* "Connection reset, restarting" log message now shows
+  which client is being reset.
+* Added --dhcp-pre-release directive in Windows version.
+* Second parm to --ip-win32 can be "default", e.g.
+  --ip-win32 dynamic default 60.
+* Fixed documentation bug regarding environmental
+  variable settings for --ifconfig-pool IP addresses.
+  The correct environmental variable names are:
+  ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
+* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
+  environmental variables are now passed to the
+  client-disconnect script.
+* In server mode, environmental variables are now scoped
+  according to the client they are associated with,
+  to solve the problem of "crosstalk" between different
+  client's environmental variable sets.
+* Added --down-pre flag to cause --down script to be
+  called before TUN/TAP close (rather than after).
+* Added --tls-exit flag which will cause OpenVPN
+  to exit on any TLS errors.
+* Don't push a route to a client if it exactly
+  matches an iroute (this lets you push routes to
+  all clients, and OpenVPN will automatically remove
+  the route from the route push list only for that client
+  which the route actually belongs to).
+* Made '--resolv-retry infinite' the default.
+  --resolv-retry can be disabled by using a parameter of 0.
+* For clients which plan to pull config info from server,
+  set an initial default ping-restart of 60 seconds.
+* Optimized mute code to lessen the load on the processor
+  when messages are being muted at a higher frequency.
+* Made route log messages non-mutable.
+* Silence the Linux "No buffer space available" message.
+* Added miscellaneous additional option sanity checks.
+* Added Windows version of easy-rsa scripts in
+  easy-rsa/Windows directory (Andrew J. Richardson).
+* Added NetBSD route patch (Ed Ravin).
+* Added OpenBSD patch for TAP + --redirect-gateway
+  (Waldemar Brodkorb).
+* Directives which prompt for a username and/or password
+  will now work with --daemon (OpenVPN will prompt
+  before forking).
+* Warn if CRL is from a different issuer than the
+  issuer of the peer certificate (Bernhard Weisshuhn).
+* Changed init script chkconfig parameters to start
+  OpenVPN daemon(s) before NFS.
+* Bug fix attempt of "too many I/O wait events" which occurs
+  on OSes which prefer select() over poll() such as Mac OS X.
+* Added --ccd-exclusive flag.  This flag will require, as a
+  condition of authentication, that a connecting client has
+  a --client-config-dir file.
+* TAP-Win32 open code will attempt to open a free adapter
+  if --dev-node is not specified (Mathias Sundman).
+* Resequenced --nice and --chroot ordering so that --nice
+  occurs first.
+* Added --suppress-timestamps flag (Charles Duffy).
+* Source code changes to allow compilation by MSVC
+  (Peter 'Luna' Runestig).
+* Added experimental --fast-io flag which optimizes
+  TUN/TAP/UDP writes on non-Windows systems.
+.08.18 -- Version 2.0-beta11
+* Added --server, --server-bridge, --client, and
+  --keepalive helper directives.  See client.conf
+  and server.conf in sample-config-files for sample
+  configurations which use the new directives.
+* On Windows, added --route-method to control
+  whether IP Helper API or route.exe is used
+  to add/delete routes.
+* On Windows, added a second parameter to
+  --route-delay to control the maximum time period
+  to wait for the TAP-Win32 adapter to come up
+  before adding routes.
+* Fixed bug in Windows version where configurations
+  which omit --ifconfig might fail to recognize when
+  the TAP adapter is up.
+* Proxy connection failures will now retry according
+  to the --connect-retry parameter.
+* Fixed --dev null handling on Windows so that TLS
+  loopback test described in INSTALL file works
+  correctly on Windows.
+* Added "Initialization Sequence Completed" message
+  after all initialization steps have been completed
+  and the VPN can be considered "up".
+* Better sanity-checking on --ifconfig-pool parameters.
+* Added --tcp-queue-limit option to control
+  TUN/TAP -> TCP socket overflow.
+* --ifconfig-nowarn flag will now silence general
+  warnings about possible --ifconfig address
+  conflicts, including the warning about --ifconfig
+  and --remote addresses being in same /24 subnet.
+* Fixed case where server mode did not correctly
+  identify certain types of ethernet multicast packets
+  (Marcel de Kogel).
+* Added --explicit-exit-notify option (experimental).
+.08.02 -- Version 2.0-beta10
+* Fixed possible reference after free of option strings
+  after a restart, bug was introduced in beta8.
+* Fixed segfault at route.c:919 in the beta9
+  Windows version that was being caused by indirection
+  through a NULL pointer.
+* Mistakenly built debug version of TAP-Win32 driver
+  for beta9.  Beta10 has correct release build.
+.07.30 -- Version 2.0-beta9
+* Fixed --route issue on Windows that was introduced with
+  the new beta8 route implementation based on the
+  IP Helper API.
+.07.27 -- Version 2.0-beta8
+* Added TCP support in server mode.
+* Added PKCS #12 support (Mathias Sundman).
+* Added patch to make revoke-crt and make-crl work
+  seamlessly within the easy-rsa environment (Jan Kiszka).
+* Modified --mode server ethernet bridge code to forward
+  special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
+* Added --dhcp-renew and --dhcp-release flags to Windows
+  version.  Normally DHCP renewal and release on the TAP
+  adapter occurs automatically under Windows, however
+  if you set the TAP-Win32 adapter Media Status property
+  to "Always Connected", you may need these flags.
+* Added --show-net standalone flag to Windows version to
+  show OpenVPN's view of the system adapter and routing
+  tables.
+* Added --show-net-up flag to Windows version to output
+  the system routing table and network adapter list to
+  the log file after the TAP-Win32 adapter has been brought
+  up and any routes have been added.
+* Modified Windows version to add routes using the IP Helper
+  API rather than by calling route.exe.
+* Fixed bug where --route-up script was not being called
+  if no --route options were specified.
+* Added --mute-replay-warnings to suppress packet replay
+  warnings.  This is a common false alarm on WiFi nets.
+* Added "def1" flag to --redirect-gateway option to override
+  the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
+  rather than 0.0.0.0/0.  This has the benefit of overriding
+  but not wiping out the original default gateway.
+  (Thanks to Jim Carter for pointing out this idea).
+* You can now run OpenVPN with a single config file argument.
+  For example, you can now say "openvpn config.conf"
+  rather than "openvpn --config config.conf".
+* On Windows, made --route and --route-delay more adaptive
+  with respect to waiting for interfaces referenced by the
+  route destination to come up.  Routes added by --route
+  should now be added as soon as the interface comes up,
+  rather than after an obligatory 10 second delay.  The
+  way this works internally is that --route-delay now
+  defaults to 0 on Windows.  Previous versions would
+  wait for --route-delay seconds then add the routes.
+  This version will wait --route-delay seconds and then
+  test the routing table at one second intervals for the
+  next 30 seconds and will not add the routes until they
+  can be added without errors.
+* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
+  default on TCP/UDP socket in light of reports that this
+  action can have undesirable global side effects on the
+  MTU settings of other adapters.  These parameters can
+  still be set, but you need to explicitly specify
+  --sndbuf and/or --rcvbuf.
+* Added --max-clients option to limit the maximum number
+  of simultaneously connected clients in server mode.
+* Added error message to illuminate shell escape gotcha when
+  single backslashes are used in Windows path names.
+* Added optional netmask parm to --ifconfig-pool.
+* Fixed bug where http-proxy connect retry attempts were
+  incorrectly going to the remote OpenVPN server,
+  not to the HTTP proxy server.
+.06.29 -- Version 2.0-beta7
+* Fixed bug in link_socket_verify_incoming_addr() which
+  under certain circumstances could have caused --float
+  behavior even if --float was not specified.
+* --tls-auth option now works with --mode server.
+  All clients and the server should use the same
+  --tls-auth key when operating in client/server mode.
+* Added --engine option to make use of OpenSSL-supported
+  crypto acceleration hardware.
+* Fixed some high verbosity print format size issues
+  in event.c for 64 bit platforms (Janne Johansson).
+* Made failure to open --log or --log-append file
+  a non-fatal error.
+.06.23 -- Version 2.0-beta6
+* Fixed Windows installer to intelligently put
+  up a reboot dialog only if tapinstall tells
+  us that it's really necessary.
+* Fixed "Assertion failed at fragment.c:309"
+  bug when --mode server and --fragment are used
+  together.
+* Ignore HUP, USR1, and USR2 signals during
+  initialization.  Prior versions would abort.
+* Fixed bug on OS X: "Assertion failed at event.c:406".
+* Added --service option to Windows version, for use
+  when OpenVPN is being programmatically instantiated
+  by another process (see man page for info).
+* --log and --log-append options now work on Windows.
+* Update OpenBSD INSTALL notes (Janne Johansson).
+* Enable multicast on tun interface when running on
+  OpenBSD (Pavlin Radoslavov).
+* Fixed recent --test-crypto breakage, where options
+  such as --cipher were not being parsed correctly.
+* Modified options compatibility string by removing
+  ifconfig substring if it is empty.  Incremented
+  options compatibility string version number to 4.
+* Fixed typo in --tls-timeout option parsing
+  (Mikael Lonnroth).
+.06.13 -- Version 2.0-beta5
+* Fixed rare --mode server crash that could occur
+  if data was being routed to a client at
+  high bandwidth at the precise moment that the
+  client instance object on the server was being
+  deleted.
+* Fixed issue on machines which have epoll.h and
+  the epoll_create glibc call defined, but which
+  don't actually implement epoll in the kernel.
+  OpenVPN will now gracefully fall back to the
+  poll API in this case.
+* Fixed Windows bug which would cause the following
+  error in a --mode server --dev tap configuration:
+  "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
+  exceeded".
+* Added CRL (certificate revocation list) management
+  scripts to easy-rsa directory (Jon Bendtsen).
+* Do a better job of getting the ifconfig component
+  of the options consistency check to work correctly
+  when --up-delay is used.
+* De-inlined some functions which were too complex
+  to be inlined anyway with gcc.
+* If a --dhcp-option option is pushed to a non-windows
+  client, the option will be saved in the client's
+  environment before the --up script is called, under
+  the name "foreign_option_{n}".
+* Added --learn-address script (see man page) which
+  allows for firewall access through the VPN to be
+  controlled based on the client common name.
+* In mode --server mode, when a client connects to
+  the server, the server will disconnect any
+  still-active clients which use the same common
+  name.  Use --duplicate-cn flag to revert to
+  previous behavior of allowing multiple clients
+  to concurrently connect with the same common name.
+.06.08 -- Version 2.0-beta4
+* Fixed issue with beta3 where Win32 service wrapper
+  was keying off of old TAP HWID as a dependency.  To
+  ensure that the new service wrapper is correctly
+  installed, the Windows install script will uninstall
+  the old wrapper before installing the new one,
+  causing a reset of service properties.
+* Fixed permissions issue on --status output file,
+  with default access permissions of owner read/write
+  only (default permissions can be changed of course with
+  chmod).
+.06.05 -- Version 2.0-beta3
+* More changes to TAP-Win32 driver's INF file which
+  affects the placement of the driver in the Windows
+  device namespace.  This is done to work around an
+  apparent bug in Windows when short HWIDs are used,
+  and will also ease the upgrade from 1.x to 2.0 by
+  reducing the chances that a reboot will be needed
+  on upgrade.  Like beta2, this upgrade will
+  delete existing TAP-Win32 interfaces, and reinstall
+  a single new interface with default properties.
+* Major rewrite of I/O event wait layer in the style
+  of libevent.  This is a precursor to TCP support
+  in --mode server.
+* New feature: --status.  Outputs a SIGUSR2-like
+  status summary to a given file, updated once
+  per n seconds.  The status file is comma delimited
+  for easy machine parsing.
+* --ifconfig-pool now remembers common names and
+  will try to assign a consistent IP to a given
+  common name.  Still to do: persist --ifconfig-pool
+  memory across restarts by saving state in file.
+* Fixed bug in event timer queue which could cause
+  recurring timer events such as --ping to not
+  correctly schedule again after firing.  This in
+  turn would cause spurrious ping restarts and possible
+  connection outages.  Thanks to Denis Vlasenko for
+  tracking this down.
+* Possible fix to reported bug where --daemon argument
+  was not printing to syslog correctly after restart.
+* Fixed bug where pulling --route or --dhcp-option
+  directives from a server would problematically
+  interact with --persist-tun on the client.
+* Updated contrib/multilevel-init.patch (Farkas Levente).
+* Added RPM build option to .spec and .spec.in files
+  to optionally disable LZO inclusion (Ian Pilcher).
+* The latest MingW runtime and headers define
+  'ssize_t', so a patch is needed (Gisle Vanem).
+.05.14 -- Version 2.0-beta2
+* Fixed signal handling bug in --mode server, where
+  SIGHUP and SIGUSR1 were treated as SIGTERM.
+* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
+  Apparently the larger string may work around
+  a problem where the TAP adapter is sometimes missing
+  from the network connections panel, especially under
+  XP SP2. Also note that installing this upgrade will
+  uninstall any pre-existing TAP-Win32 adapters, and then
+  install a single new adapter, meaning that old adapter
+  properties will be lost.  Thanks to Md5Chap for solving
+  this one.
+* For --mode server --dev tap, the options --ifconfig and
+  --ifconfig-pool are now optional.  This allows address
+  assignment via DHCP or use of a TAP VPN without
+  IP support, as has always been possible with 1.x.
+* Fixed bug where --ifconfig may not work correctly on
+  Linux 2.2.
+* Added 'local' flag to --redirect-gateway for use on
+  networks where both OpenVPN daemons are connected
+  to a shared subnet, such as wireless.
+.05.09 -- Version 2.0-beta1
+* Unchanged from test29 except for version number
+  upgrade.
+.05.08 -- Version 2.0-test29
+* Modified --dev-node on Windows to accept a TAP-Win32
+  GUID name.  In addition, --show-adapters will now
+  display the high-level name and GUID of each adapter.
+  This is an attempt to work around an issue in Windows
+  where sometimes the TAP-Win32 adapter installs correctly
+  but has no icon in the network connections control
+  panel.  In such cases, being able to specify
+  --dev-node {TAP-GUID} can work around the missing icon.
+.05.07 -- Version 2.0-test28
+* Fixed bug which could cause segfault on program
+  shutdown if --route and --persist-tun are used
+  together.
+.05.06 -- Version 2.0-test27
+* Fixed bug in close_instance() which might cause
+  memory to be accessed after it had already been freed.
+* Fixed bug in verify_callback() that might have
+  caused uninitialized data to be referenced.
+* --iroute now allows full CIDR subnet routing.
+* In "--mode server --dev tun" usage, source addresses
+  on VPN packets coming from a particular client must
+  be associated with that client in the OpenVPN internal
+  routing table.
+.04.28 -- Version 2.0-test26
+* Optimized broadcast path in multi-client mode.
+* Added socket buffer size options --rcvbuf & --sndbuf.
+* Configure Linux tun/tap driver to use a more sensible
+  txqueuelen default.  Also allow explicit setting
+  via --txqueuelen option (Harald Roelle).
+* The --remote option now allows the port number
+  to be specified as the second parameter.  If
+  unspecified, the port number defaults to the
+  --rport value.
+* Multiple --remote options on the client can now be
+  specified for load balancing and failover.  The
+  --remote-random flag can be used to initially randomize
+  the --remote list for basic load balancing.
+* If a remote DNS name resolves to multiple DNS addresses,
+  one will be chosen by random as a kind of basic
+  load-balancing feature if --remote-random is used.
+* Added --connect-freq option to control maximum
+  new connection frequency in multi-client mode.
+* In multi-client mode, all syslog messages associated
+  with a specific client now include a client-ID prefix.
+* For Windows, use a gettimeofday() function based
+  on QueryPerformanceCounter (Derek Burdick).
+* Fixed bug in interaction between --key-method 2
+  and DES ciphers, where dynamic keys would be generated
+  with bad parity and then be rejected.
+.04.17 -- Version 2.0-test24
+* Reworked multi-client broadcast handling.
+.04.13 -- Version 2.0-test23
+* Fixed bug in --dev tun --client-to-client routing.
+* Fixed a potential deadlock in --pull.
+* Fixed a problem with select() usage which could
+  cause a repeating sequence of "select : Invalid
+  argument (code=22)"
+.04.11 -- Version 2.0-test22
+* Fixed bug where --mode server + --daemon was
+  prematurely closing syslog connection.
+* Added support for --redirect-gateway on Mac OS X
+  (Jeremy Apple).
+* Minor changes to TAP-Win32 driver based on feedback
+  from the NDISTest tool.
+.04.11 -- Version 2.0-test21
+* Optimizations in multi-client server event loop.
+.04.10 -- Version 2.0-test20
+* --mode server capability now works with either tun
+  or tap interfaces.  When used with tap interfaces,
+  OpenVPN will internally bridge all client tap
+  interfaces with the server tap interface.
+* Connecting clients can now have a client-specific
+  configuration on the server, based on the client
+  common name embedded in the client certificate.
+  See --client-config-dir and --client-connect.
+  These options can be used to configure client-specific
+  routes.
+* Added an option --client-to-client that enables
+  internal client-to-client routing or bridging.
+  Otherwise, clients will only "see" the server,
+  not other connected clients.
+* Fixed bug in route scheduling which would have caused
+  --mode server to not work on Windows in test18
+  and test19 with the sample config file.
+* Man page is up to date with all new options.
+* OpenVPN 2.0 release notes on web site updated
+  with tap-style tunnel examples.
+.04.02 -- Version 2.0-test19
+* Fixed bug where routes pushed from server were
+  not working correctly on Windows clients.
+* Added Mac OS X route patch (Jeremy Apple).
+.03.30 -- Version 2.0-test18
+* Minor fixes + Windows self-install modified
+  to use OpenSSL 0.9.7d.
+.03.29 -- Version 2.0-test17
+* Fixed some bugs related to instance timeout and deletion.
+* Extended --push/--pull option to support additional
+  option classes.
+.03.28 -- Version 2.0-test16
+* Successful test of --mode udp-server, --push,
+  --pull, and --ifconfig-pool with server on
+  Linux 2.4 and clients on Linux and Windows.
+.03.25 -- Version 2.0-test15
+* Implemented hash-table lookup of client instances
+  based either on remote UDP address/port or remote
+  ifconfig endpoint.
+* Implemented a randomized binary tree based
+  scheduler for scalably scheduling a large number
+  of client instance events.  Uses the treap
+  data structure and node rotation algorithm
+  to keep the tree balanced.
+* Initial implementation of ifconfig-pool.
+* Made --key-method 2 the default.
+.03.20 -- Version 2.0-test14
+* Implemented --push and --pull.
+.03.20 -- Version 2.0-test13
+* Reduced struct tls_multi and --single-session
+  memory footprint.
+* Modified --single-session flag to be used
+  in multi-client UDP server client instances.
+.03.19 -- Version 2.0-test12
+* Added the key multi-client UDP server options,
+  --mode, --push, --pull, and --ifconfig-pool.
+* Revamped GC (garbage collection) code to not rely
+  on any global data.
+* Modifications to thread.[ch] to allow a more
+  flexible thread model.
+.03.16 -- Version 2.0-test11
+* Moved all timer code to interval.h, added new file
+  interval.c.
+* Fixed missing include.
+.03.16 -- Version 2.0-test10
+* More TAP-Win32 fixes.
+* Initial debugging and testing of multi.[ch].
+.03.14 -- Version 2.0-test9
+* Branch merge with 1.6-rc3
+* More point-to-multipoint work in multi.[ch].
+* Major TAP-Win32 driver restructuring to use
+  NdisMRegisterDevice instead of
+  IoCreateDevice/IoCreateSymbolicLink.
+* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
+  pathname prefix.
+* In the majority of cases, TAP-Win32 should now be
+  able to install and uninstall on Win2K without requiring
+  a reboot.
+* TAP-Win32 MAC address can now be explicitly set in the
+  adapter advanced properties page.
+.03.04 -- Version 2.0-test8
+* Branch merge with 1.6-rc2.
+.03.03 -- Version 2.0-test7
+* Branch merge with 1.6-rc1.2.
+.03.02 -- Version 2.0-test6
+* Branch merge with 1.6-rc1.
+.03.02 -- Version 2.0-test5
+* Move Socks5 UDP header append/remove to socks.c, and is
+  called from forward.c.
+* Moved verify statics from ssl.c into struct tls_session.
+* Wrote multi.[ch] to handle top level of point-to-multipoint
+  mode.
+* Wrote some code to allow a struct link_socket in a child context
+  to be slaved to the parent context.
+* Broke up packet read and process functions in forward.c
+  (from socket or tuntap) into separate functions for read
+  and process, so that point-to-point and point-to-multipoint can
+  share the same code.
+* Expand TLS control channel to allow the passing of configuration
+  commands.
+* Wrote mroute.[ch] to handle internal packet routing for
+  point-to-multipoint mode.
+.02.22 -- Version 2.0-test3
+* Initial work on UDP multi-client server.
+* Branch merge of 1.6-beta7
+.02.14 -- Version 2.0-test2
+* Refactorization of openvpn.c into openvpn.[ch]
+  init.[ch] forward.[ch] forward-inline.h
+  occ.[ch] occ-inline.h  ping.[ch] ping-inline.h
+  sig.[ch].  Created a master per-tunnel
+  struct context in openvpn.h.
+* Branch merge of 1.6-beta6.2
+.11.06 -- Version 2.0-test1
+* Initial testbed for 2.0.
+.05.09 -- Version 1.6.0
+* Unchanged from 1.6-rc4 except for version number
+  upgrade.
+.04.01 -- Version 1.6-rc4
+* Made minor customizations to devcon and
+  renamed as tapinstall.exe for Windows version.
+* Fixed "storage size of `iv' isn't known" build
+  problem on FreeBSD.
+* OpenSSL 0.9.7d bundled with Windows self-install.
+.03.13 -- Version 1.6-rc3
+* Minor Windows fixes for --ip-win32 dynamic, relating to
+  the way the TAP-Win32 driver responds to a DHCP request
+  from the Windows DHCP client.
+* The net_gateway environmental variable wasn't being
+  set correctly for called scripts (Paul Zuber).
+* Added code to determine the default gateway on FreeBSD,
+  allowing the --redirect-gateway option to work
+  (Juan Rodriguez Hervella).
+.03.04 -- Version 1.6-rc2
+* Fixed bug in Windows version where the NetBIOS node-type
+  DHCP option might have been passed even if it was not
+  specified.
+* Fixed bug in Windows version introduced in 1.6-rc1, where
+  DHCP timeout would be set to 0 seconds if --ifconfig option
+  was used and --ip-win32 option was not explicitly specified.
+* Added some new --dhcp-option types for Windows version.
+.03.02 -- Version 1.6-rc1
+* For Windows, make "--ip-win32 dynamic" the default.
+* For Windows, make "--route-delay 10" the default
+  unless --ip-win32 dynamic is not used or --route-delay
+  is explicitly specified.
+* L_TLS mutex could have been left in a locked state
+  for certain kinds of TLS errors.
+.02.22 -- Version 1.6-beta7
+* Allow scheduling priority increase (--nice) together
+  with UID/GID downgrade (--user/--group).
+* Code that causes SIGUSR1 restart on TLS errors in TCP
+  mode was not activated in pthread builds.
+* Save the certificate serial number in an environmental
+  variable called tls_serial_{n} prior to calling the
+  --tls-verify script.  n is the current cert chain level.
+* Added NetBSD IPv6 tunnel capability (also requires
+  a kernel patch) (Horst Laschinsky).
+* Fixed bug in checking the return value of the nice()
+  function (Ian Pilcher).
+* Bug fix in new FreeBSD IPv6 over TUN code which was
+  originally added in 1.6-beta5 (Nathanael Rensen).
+* More Socks5 fixes -- extended the struct frame
+  infrastructure to accomodate proxy-based encapsulation
+  overhead.
+* Added --dhcp-option to Windows version for setting
+  adapter properties such as WINS & DNS servers.
+* Use a default route-delay of 5 seconds when
+  --ip-win32 dynamic is specified (only applicable when
+  --route-delay is not explicitly specified).
+* Added "log_append" registry variable to control
+  whether the OpenVPN service wrapper on Windows
+  opens log files in append (log_append="1") or
+  truncate (log_append="0") mode.  The default
+  is truncate.
+.02.05 -- Version 1.6-beta6
+* UDP over Socks5 fix to accomodate Socks5 encapsulation
+  overhead (Christof Meerwald).
+* Minor --ip-win32 dynamic tweaks (use long lease time,
+  invalidate existing lease with DHCPNAK).
+.02.01 -- Version 1.6-beta5
+* Added Socks5 proxy support (Christof Meerwald).
+* IPv6 tun support for FreeBSD (Thomas Glanzmann).
+* Special TAP-Win32 debug mode for Windows self-install that was
+  enabled in beta4 is now turned off.
+* Added some new Solaris notes to INSTALL (Koen Maris).
+* More work on --ip-win32 dynamic.
+.01.27 -- Version 1.6-beta4
+* For this beta, the Windows self-install is a debug version
+  and will run slower -- use only for testing.
+* Reverted the --ip-win32 default back to 'ipapi'
+  from 'dynamic'.
+* Added the offset parameter to '--ip-win32 dynamic' which
+  can be used to control the address of the masqueraded
+  DHCP server which replies to Windows DHCP requests.
+* Added a wait/nowait option to --inetd (nowait can only
+  be used with TCP sockets, TLS authentication, and over
+  a bridged configuration -- see FAQ for more info)
+  (Stefan `Sec` Zehl).
+* Added a build-time capability where TAP-Win32 driver
+  debug messages can be output by OpenVPN at --verb 6
+  or higher.
+.01.20 -- Version 1.6-beta2
+* Added ./configure --enable-iproute2 flag which
+  uses iproute2 instead of route + ifconfig --
+  this is necessary for the LEAF Linux distro
+  (Martin Hejl).
+* Added renewal-time and rebind-time to set of
+  DHCP options returned by the TAP-Win32 driver when
+  "--ip-win32 dynamic" is used.
+.01.14 -- Version 1.6-beta1
+* Fixed --proxy bug that sometimes caused plaintext
+  control info generated by the proxy prior to http
+  CONNECT method establishment to be incorrectly
+  parsed as OpenVPN data.
+* For Windows version, implemented the
+  "--ip-win32 dynamic" method and made it the default.
+  This method sets the TAP-Win32 adapter IP address
+  and netmask by replying to the kernel's DHCP queries.
+  See the man page for more detailed info.
+* Added --connect-retry parameter which controls
+  the time interval (in seconds) between connect()
+  retries when --proto tcp-client is used.  Previously,
+  this value was hardcoded to 5 seconds, and still
+  defaults as such.
+* --resolv-retry can now be used with a parameter
+  of "infinite" to retry indefinitely.
+* Added SSL_CTX_use_certificate_chain_file() to ssl.c
+  for support of multi-level certificate chains
+  (Sten Kalenda).
+* Fixed --tls-auth incompatibility with 1.4.x and earlier
+  versions of OpenVPN when the passphrase file is an
+  OpenVPN static key file (as generated by --genkey).
+* Added shell-escape support in config files using
+  the backslash character ("\") so that (for example)
+  double quotes can be passed to the shell.
+* Added "contrib" subdirectory on tarball, source zip,
+  and CVS containing user-submitted contributions.
+* Added an optional patch to the Redhat init script to
+  allow the configuration file directory to be a
+  multi-level directory hierarchy (Farkas Levente).
+  See contrib/multilevel-init.patch
+* Added some scripts and documentation on using
+  Linux "fwmark" iptables rules to enable
+  fine-grained routing control over the VPN
+  (Sean Reifschneider, ).
+  See contrib/openvpn-fwmarkroute-1.00
+.11.20 -- Version 1.5.0
+* Minor documentation changes.
+.11.04 -- Version 1.5-beta14
+* Fixed build problem with ./configure --disable-ssl
+  that was reported on Debian woody.
+* Fixed bug where --redirect-gateway could not be used
+  together with --resolv-retry.
+.11.03 -- Version 1.5-beta13
+* Added CRL (certificate revocation list) capability using
+  --crl-verify option (Stefano Bracalenti).
+* Added --replay-window option for variable replay-protection
+  window sizes.
+* Fixed --fragment bug which might have caused certain large
+  packets to be sent unfragmented.
+* Modified --secret and --tls-auth to permit different cipher and
+  HMAC keys to be used for each data flow direction.  Also
+  increased static key file size generated by --genkey from
+to 2048 bits, where 512 bits each are reserved for
+  send-HMAC, encrypt, receive-HMAC, and decrypt.  Key file forward
+  and backward compatibility is maintained.  See --secret option
+  documentation on the man page for more info.
+* Added --tls-remote option (Teemu Kiviniemi).
+* Fixed --tls-cipher documention regarding correct delimiter
+  usage (Teemu Kiviniemi).
+* Added --key-method option for selecting alternative data
+  channel key negotiation methods.  Method 1 is the default.
+  Method 2 has been added (see man page for more info).
+* Added French translation of HOWTO to web site
+  (Guillaume Lehmann).
+* Fixed problem caused by late resolver library load on
+  certain platforms when --resolv-retry and --chroot are
+  used together (Teemu Kiviniemi).
+* In TCP mode, all decryption or TLS errors will abort the current
+  connection (this is not done in UDP mode because UDP is
+  "connectionless").
+* Fixed a TCP client reconnect bug that only occurs on the
+  BSDs, where connect() fails with an invalid argument.  This
+  bug was partially (but not completely) fixed in beta7.
+* Added "route_net_gateway" environmental variable which contains
+  the pre-existing default gateway address from the routing table
+  (there's no standard API for getting the default gateway, so
+  right now this feature only works on Windows or Linux).
+* Renamed the "route_default_gateway" enviromental variable to
+  "route_vpn_gateway" -- this is the remote VPN endpoint.
+* The special keywords vpn_gateway, net_gateway, and remote_host
+  can now be used for the network or gateway components of the
+  --route option.  See the man page for more info.
+* Added the --redirect-gateway option to configure the VPN
+  as the default gateway (implemented on Linux and Windows only).
+* Added the --http-proxy option with basic authentication
+  support for use in TCP client mode.  Successfully tested
+  using Squid as the HTTP proxy, with and without authentication.
+.10.12 -- Version 1.5-beta12
+* Fixed Linux-only bug in --mktun and --rmtun which was
+  introduced around beta8 or so, which would cause
+  an error such as "I don't recognize device tun0 as a
+  tun or tap device1".
+* Added --ifconfig-nowarn option to disable options
+  consistency warnings about --ifconfig parameters.
+* Don't allow any kind of sequence number backtracking or
+  message reordering when in TCP mode.
+* Changed beta naming convention to use '_' (underscore)
+  rather than '-' (dash) to pacify rpmbuild.
+.10.08 -- Version 1.5-beta11
+* Modified code in the Windows version which sets the IP address
+  and netmask of the TAP-Win32 adapter using the IP Helper API.
+  Most of the changes involve better error recovery when
+  the IP Helper API returns an error status.  See the
+  manual page entry on --ip-win32 for more info.
+.10.08 -- Version 1.5-beta10
+* Added getpass() function for Windows version so that --askpass
+  option works correctly (Stefano Bracalenti).
+* Added reboot advisory to end of Win32 install script.
+* Changed crypto code to use pseudo-random IVs rather than
+  carrying forward the IV state from the previous packet.
+  This is in response to item 2 in the following document:
+  http://www.openssl.org/~bodo/tls-cbc.txt which points
+  out weaknesses in TLS's use of the same IV carryforward
+  approach.  This change does not break protocol compatibility
+  with previous versions of OpenVPN.
+* Made a change to the crypto replay protection code to also
+  protect against certain kinds of packet reordering attacks.
+  This change does not break protocol compatibility with
+  previous versions of OpenVPN.
+* Added --ip-win32 option to provide several choices for
+  setting the IP address on the TAP-Win32 adapter.
+* #ifdefed out non-CBC crypto modes by default.
+* Added --up-delay option to delay TUN/TAP open and --up script
+  execution until after connection establishment.  This option
+  replaces the earlier windows-only option --tap-delay.
+.10.01 -- Version 1.5-beta9
+* Fixed --route-noexec bug where option was not parsed correctly.
+* Complain if --dev tun is specified without --ifconfig on Windows.
+* Fixed bug where TCP connections on windows would sometimes cause
+  an assertion failure.
+* Added a new flag to TAP-Win32 advanced properties that allows one
+  to set the adapter to be always "connected" even when an OpenVPN
+  process doesn't have it open.  The default behavior is to report
+  a media status of connected only when an OpenVPN process has the
+  adapter open.
+* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
+  DLLs in response to an OpenSSL security advisory.
+.09.30 -- Version 1.5-beta8
+* Extended the --ifconfig option to work on tap devices as well
+  as tun devices.
+* Implemented the --ifconfig option for Windows, by calling the
+  netsh tool.
+* By default, do an "arp -d *" on Windows after TAP-Win32 open to
+  refresh the MAC cache.  This behaviour can be disabled with
+  --no-arp-del.
+* On Windows, allow the --dev-node parameter (which specifies
+  the name of the TAP-Win32 adapter) to be omitted in cases where
+  there is a single TAP-Win32 adapter on the system which can be
+  assumed to be the default.
+* Modified the diagnostic --verb 5 debugging level to print 'R'
+  for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
+  and 'w' for TUN/TAP write.
+* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
+  mode.
+* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
+* Make the --enable-mtu-dynamic ./configure option enabled by
+  default.
+* Deprecated the --mtu-dynamic run-time option, in favor of
+  --fragment.
+* DNS names can now be used as --ifconfig parameters.
+* Significant work on TAP-Win32 driver to bring up to SMP standards.
+* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
+  unloaded or disabled, while a user-space process has it open.
+* On Windows, if --tun-mtu is not specified, it will be read from
+  the TAP-Win32 driver via ioctl.
+* On Windows, added TAP-Win32 driver status info to "F2" keyboard
+  signal (only when run from a console window).
+* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
+* Renamed --mtu-dynamic option to --fragment to more accurately
+  reflect its function.  Fragment accepts a single parameter which
+  is the upper limit on acceptable UDP packet size.
+* Changed default --tun-mtu-extra parameter to 32 from 64.
+* Eliminated reference to malloc.o in configure.ac.
+* Added tun device emulation to the TAP-Win32 driver.
+* Added --route and related options.
+* Added init script for SuSE Linux (Frank Plohmann).
+* Extended option consistency check between peers to function
+  in all crypto modes, including static-key and cleartext modes.
+  Previously only TLS mode was supported.  Disable with
+  --disable-occ.
+* Overall, increased the amount of configuration option sanity
+  checking, especially of networking parameters.
+* Added --mtu-test option for empirical MTU measurement.
+* Added Windows-only option --tap-delay to not set the TAP-Win32
+  adapter media state to 'connected' until TCP/UDP connection
+  establishment with peer.
+* Slightly modified --route/--route-delay semantics so that when
+  --route is given without --route-delay, routes are added
+  immediately after tun/tap device open.  When --route-delay is
+  specified, routes will be added n seconds after connection
+  initiation, where n is the --route-delay parameter (which
+  can be set to 0).
+* Made TCP framing error into a non-fatal error that triggers a
+  connection reset.
+.08.28 -- Version 1.5-beta7
+* Fixed bug that caused OpenVPN not to respond to exit/restart
+  signals when --resolv-retry is used and a local or remote DNS
+  name cannot be resolved.
+* Exported a series of environmental variables with useful
+  info for scripts.  See man page for more info.  Based
+  on a suggestion by Anthony Ciaravalo.
+* Moved TCP/UDP socket bind to a point in the initialization
+  before the --up script gets called.  This is desirable
+  because (a) a socket bind failure will happen before
+  daemonization, allowing an error status code to be returned
+  to the shell and (b) the possibility is eliminated of a
+  socket bind failure causing the --up script to be run
+  but not the --down script.  This change has a side effect
+  that --resolv-retry will no longer work with --local.
+* Fixed bug where if an OpenVPN TCP server went down and back
+  up again, Solaris or FreeBSD clients would fail to reconnect
+  to it.
+* Fixed bug that prevented OpenVPN from being run by
+  inetd/xinetd in TCP mode.
+* Added --log and --log-append options for logging messages to
+  a file.
+* On Windows, check that the current user is a member of the
+  Administrator group before attempting install or uninstall.
+.08.16 -- Version 1.5-beta6
+* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
+.08.14 -- Version 1.5-beta5
+* Added user-configurability of the TAP-Win32 adapter MTU
+  through the adapter advanced properties page.
+* Added Windows Service support.
+* On Windows, added file association and right-clickability
+  for .ovpn files (OpenVPN config files).
+.08.05 -- Version 1.5-beta4
+* Extra refinements and error checking added to Windows
+  NSIS install script.
+.08.05 -- Version 1.5-beta3
+* Added md5.h include to crypto.c to fix build problem on
+  OpenBSD.
+* Created a Win32 installer using NSIS.
+* Removed DelService command from TAP-Win32 INF file.  It appears
+  to be not necessary and it interfered with the ability to
+  uninstall and reinstall the driver without needing to reboot.
+* On Windows version, added "addtap" and "deltapall" batch
+  files to add and delete TAP-Win32 adapter instances.
+.07.31 -- Version 1.5-beta2
+* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
+  in Windows ASCII so it's easier to click and view.
+* Added postscript and PDF versions of the HOWTO to the web
+  site (C R Zamana).
+* Merged Michael Clarke's stability patch into TAP-Win32
+  driver which appears to fix the suspend/resume driver bug
+  and significantly improve driver stability.
+* Added Christof Meerwald's Media Status patch to the
+  TAP-Win32 driver which shows the TAP adapter to be
+  disconnected when OpenVPN is not running.
+* Moved socket connect and TCP server listen code to a later
+  point in openvpn() function so that the TCP server listen
+  state is entered after daemonization.
+* Added keyboard shortcuts to simulate signals in the Windows
+  version, see the window title bar for descriptions.
+.07.24 -- Version 1.5-beta1
+* Added TCP support via the new --proto option.
+* Renamed udp-centric options such as --udp-mtu to
+  --link-mtu (old option names preserved for compatibility).
+* Ported to Windows 2000 + XP using mingw and a TAP driver
+  derived from the Cipe-Win32 project by Damion K. Wilson.
+* Added --show-adapters flag for windows version.
+* Reworked the SSL/TLS packet acknowledge code to better
+  handle certain corner cases.
+* Turned off the default enabling of IP forwarding in the
+  sample-scripts/openvpn.init script for Redhat.
+  Forwarding can be enabled by users in their --up scripts
+  or firewall config.
+* Added --up-restart option based on suggestion from Sean
+  Reifschneider.
+* If --dev tap or --dev-type tap is specified, --tun-mtu
+  defaults to 1500 and --tun-mtu-extra defaults to 64.
+* Enabled --verb 5 debugging mode that prints 'R' and 'W'
+  for each packet read or write on the TCP/UDP socket.
+.08.04 -- Version 1.4.3
+* Added md5.h include to crypto.c
+  to fix build problem on OpenBSD.
+.07.15 -- Version 1.4.2
+* Removed adaptive bandwidth from
+  --mtu-dynamic -- its absence appears
+  to work better than its existence (1.4.1.2).
+* Minor changes to --shaper to fix long
+  retransmit timeouts at low bandwidth
+  (1.4.1.2).
+* Added LOG_RW flag to openvpn.h for
+  debugging (1.4.1.2).
+* Silenced spurious configure warnings (1.4.1.2).
+* Backed out --dev-name patch, modified --dev
+  to offer equivalent functionality (1.4.1.4).
+* Added an optional parameter to --daemon and
+  --inetd to support the passing of a custom
+  program name to the system logger (1.4.1.5).
+* Add compiled-in options to the program title
+  (1.4.1.5).
+* Coded the beginnings of a WIN32 port (1.4.1.5).
+* Succeeded in porting to Win32 Mingw environment
+  and running loopback tests (1.4.1.6).  Still
+  need a kernel driver for full Win32
+  functionality.
+* Fixed a bug in error.h where
+  HAVE_CPP_VARARG_MACRO_GCC was misspelled.
+  This would have caused a significant slowdown
+  of OpenVPN when built by compilers that
+  lack ISO C99 vararg macros (1.4.1.6).
+* Created an init script for Gentoo Linux
+  in ./gentoo directory (1.4.1.6).
+.05.15 -- Version 1.4.1
+* Modified the Linux 2.4 TUN/TAP open code to
+  fall back to the 2.2 TUN/TAP interface if the
+  open or ioctl fails.
+* Fixed bug when --verb is set to 0 and non-fatal
+  socket errors occur, causing 100% CPU utilization.
+  Occurs on platorms where
+  EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
+  such as Linux 2.4.
+* Fixed typo in tun.c that was preventing
+  OpenBSD build.
+* Added --enable-mtu-dynamic configure option
+  to enable --mtu-dynamic experimental option.
+.05.07 -- Version 1.4.0
+* Added --replay-persist feature to allow replay
+  protection across sessions.
+* Fixed bug where --ifconfig could not be used
+  with --tun-mtu.
+* Added --tun-mtu-extra parameter to deal with
+  the situation where a read on a TUN/TAP device
+  returns more data than the device's MTU size.
+* Fixed bug where some IPv6 support code for
+  Linux was not being properly ifdefed out for
+  Linux 2.2, causing compile errors.
+* Added OPENVPN_EXIT_STATUS_x codes to
+  openvpn.h to control which status value
+  openvpn returns to its caller (such as
+  a shell or inetd/xinetd) for various conditions.
+* Added OPENVPN_DEBUG_COMMAND_LINE flag to
+  openvpn.h to allow debugging in situations
+  where stdout, stderr, and syslog cannot be used
+  for message output, such as when OpenVPN is
+  instantiated by inetd/xinetd.
+* Removed owner-execute permission from file
+  created by static key generator (Herbert Xu
+  and Alberto Gonzalez Iniesta).
+* Added --passtos option to allow IPv4 TOS bits
+  to be passed from TUN/TAP input packets to
+  the outgoing UDP socket (Craig Knox).
+* Added code to prevent open socket file descriptors
+  from being accessible to called scripts.
+* Added --dev-name option (Christian Lademann).
+* Added --mtu-disc option for manual control
+  over MTU options.
+* Show OS MTU value on UDP socket write failures
+  (linux only).
+* Numerous build system and portability
+  fixes (Matthias Andree).
+* Added better sensing of compiler support for
+  variable argument macros, including (a) gcc
+  style, (b) ISO C 1999 style, and (c) no support.
+* Removed generated files from CVS.  Note INSTALL
+  file for new CVS build commands.
+* Changed certain internal symbol names
+  for C standards compliance.
+* Added TUN/TAP open code to cycle dynamically
+  through unit numbers until it finds a free
+  unit (based on code from Thomas Gielfeldt
+  and VTun).
+* Added dynamic MTU and fragmenting infrastructure
+  (Experimental).  Rebuild with FRAGMENT_ENABLE
+  defined to enable.
+* Minor changes to SSL/TLS negotiation, use
+  exponential backoff on retransmits, and use
+  a smaller MTU size (note that no protocol
+  changes have been made which would break
+  compatibility with 1.3.x).
+* Added --enable-strict-options flag
+  to ./configure.  This option will cause
+  a more strict check for options compatibility
+  between peers when SSL/TLS negotiation is used,
+  but should only be used when both OpenVPN peers
+  are of the same version.
+* Reorganization of debugging levels.
+* Added a workaround in configure.ac for
+  default SSL header location on Linux
+  to fix RH9 build problem.
+* Fixed potential deadlock when pthread support
+  is used on OSes that allocate a small socketpair()
+  message buffer.
+* Fixed openvpn.init to be sh compliant
+  (Bishop Clark).
+* Changed --daemon to wait until all
+  initialization is finished before becoming a
+  daemon, for the benefit of initialization
+  scripts that want a useful return status from
+  the openvpn command.
+* Made openvpn.init script more robust, including
+  positive indication of initialization errors
+  in the openvpn daemon and better sanity checks.
+* Changed --chroot to wait until initialization
+  is finished before calling chroot(), and allow
+  the use of --user and --group with --chroot.
+* When syslog logging is enabled (--daemon or
+  --inetd), set stdin/stdout/stderr to point
+  to /dev/null.
+* For inetd instantiations, dup socket descriptor
+  to a >2 value.
+* Fixed bug in verify-cn script, where test would
+  incorrectly fail if CN=x was the last component
+  of the X509 composite string (Anonymous).
+* Added Markus F.X.J. Oberhumer's special
+  license exception to COPYING.
+.10.23 -- Version 1.3.2
+* Added SSL_CTX_set_client_CA_list call
+  to follow the canonical form for TLS initialization
+  recommended by the OpenSSL docs.  This change allows
+  better support for intermediate CAs and has no impact
+  on security.
+* Added build-inter script to easy-rsa package, to
+  facilitate the generation of intermediate CAs.
+* Ported to NetBSD (Dimitri Goldin).
+* Fixed minor bug in easy-rsa/sign-req.  It refers to
+  openssl.cnf file, instead of $KEY_CONFIG, like all
+  other scripts (Ernesto Baschny).
+* Added --days 3650 to the root CA generation command
+  in the HOWTO to override the woefully small 30 day
+  default (Dominik 'Aeneas' Schnitzer).
+* Fixed bug where --ping-restart would sometimes
+  not re-resolve remote DNS hostname.
+* Added --tun-ipv6 option and related infrastructure
+  support for IPv6 over tun.
+* Added IPv6 over tun support for Linux (Aaron Sethman).
+* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
+  INSTALL (Matthias Andree).
+* Added inetd/xinetd support (--inetd) including
+  documentation in the HOWTO.
+* Added "Important Note on the use of commercial certificate
+  authorities (CAs) with OpenVPN" to HOWTO based on
+  issues raised on the openvpn-users list.
+.07.10 -- Version 1.3.1
+* Fixed bug in openvpn.spec and openvpn.init
+  which caused RPM upgrade to fail.
+.07.10 -- Version 1.3.0
+* Added --dev-node option to allow explicit selection of
+  tun/tap device node.
+* Removed mlockall call from child thread, as it doesn't
+  appear to be necessary (child thread inherits mlockall
+  state from parent).
+* Added --ping-timer-rem which causes timer for --ping-exit
+  and --ping-restart not to run unless we have a remote IP
+  address.
+* Added condrestart to openvpn.init and openvpn.spec
+  (Bishop Clark).
+* Added --ifconfig case for FreeBSD (Matthias Andree).
+* Call openlog with facility=LOG_DAEMON (Matthias Andree).
+* Changed LOG_INFO messages to LOG_NOTICE.
+* Added warning when key files are group/others accessible.
+* Added --single-session flag for TLS mode.
+* Fixed bug where --writepid would segfault if used with
+  an invalid filename.
+* Fixed bug where --ipchange status message was formatted
+  incorrectly.
+* Print more concise error message when system() call
+  fails.
+* Added --disable-occ option.
+* Added --local, --remote, and --ifconfig options sanity
+  check.
+* Changed default UDP MTU to 1300 and TUN/TAP MTU to
+.
+* Successfully tested with OpenSSL 0.9.7 Beta 2.
+* Broke out debug level definitions to errlevel.h
+* Minor documentation and web site changes.
+* All changes maintain protocol compatibility
+  with OpenVPN versions since 1.1.0, however default
+  MTU changes will require setting the MTU explicitly
+  by command line option, if you want 1.3.0 to
+  communicate with previous versions.
+.06.12 -- Version 1.2.1
+* Added --ping-restart option to restart
+  connection on ping timeout using SIGUSR1
+  logic (Matthias Andree).
+* Added --persist-tun, --persist-key,
+  --persist-local-ip, and --persist-remote-ip
+  options for finer-grained control over SIGUSR1
+  and --ping-restart restarts.  To
+  replicate previous SIGUSR1 functionality,
+  use --persist-remote-ip.
+* Changed residual IV fetching code to take
+  IV from tail of ciphertext.
+* Added check to make sure that CFB or OFB
+  cipher modes are only used with SSL/TLS
+  authentication mode, and added a caveat
+  to INSTALL.
+* Changed signal handling during initialization
+  (including re-initialization during restarts)
+  to exit on SIGTERM or SIGINT and ignore other
+  signals which would ordinarily be caught.
+* Added --resolv-retry option to allow
+  retries on hostname resolution.
+* Expanded the --float option to also
+  allow dynamic changes in source port number
+  on incoming datagrams.
+* Added --mute option to limit repetitive
+  logging of similar message types.
+* Added --group option to downgrade GID
+  after initialization.
+* Try to set ifconfig path automatically
+  in configure.
+* Added --ifconfig code for Mac OS X
+  (Christoph Pfisterer).
+* Moved "Peer Connection Initiated" message
+  to --verb level 1.
+* Successfully tested with
+  OpenSSL 0.9.7 Beta 1 and AES cipher.
+* Added RPM notes to INSTALL.
+* Added ACX_PTHREAD (from the autoconf
+  macro archive) to configure.ac
+  to figure out the right pthread
+  options for a given platform.
+* Broke out macro definitions from
+  configure.ac to acinclude.m4.
+* Minor changes to docs and HOWTO.
+* All changes maintain protocol compatibility
+  with OpenVPN versions since 1.1.0.
+.05.22 -- Version 1.2.0
+* Added configuration file support via
+  the --config option.
+* Added pthread support to improve latency.
+  With pthread support, OpenVPN
+  will offload CPU-intensive tasks such as RSA
+  key number crunching to a background thread
+  to improve tunnel packet forwarding
+  latency.  pthread support can be enabled
+  with the --enable-pthread configure option.
+  Pthread support is currently available
+  only for Linux and Solaris.
+* Added --dev-type option so that tun/tap
+  device names don't need to begin with
+  "tun" or "tap".
+* Added --writepid option to write main
+  process ID to a file.
+* Numerous portability fixes to ease
+  porting to other OSes including changing
+  all network types to uint8_t and uint32_t,
+  and not assuming that time_t is 32 bits.
+* Backported to OpenSSL 0.9.5.
+* Ported to Solaris.
+* Finished OpenBSD port except for
+  pthread support.
+* Added initialization script:
+  sample-scripts/openvpn.init
+  (Douglas Keller)
+* Ported to Mac OS X (Christoph Pfisterer).
+* Improved resilience to DoS attacks when
+  TLS mode is used without --remote or
+  --tls-auth, or when --float is used
+  with --remote.  Note however that the best
+  defense against DoS attacks in TLS mode
+  is to use --tls-auth.
+* Eliminated automake/autoconf dependency
+  for non-developers.
+* Ported configure.in to configure.ac
+  and autoconf 2.50+.
+* SIGHUP signal now causes OpenVPN to restart
+  and re-read command line and or config file,
+  in conformance with canonical daemon behaviour.
+* SIGUSR1 now does what SIGHUP did in
+  version 1.1.1 and earlier -- close and reopen
+  the UDP socket for use when DHCP changes
+  host's IP address and preserve most recently
+  authenticated peer address without rereading
+  config file.
+* SIGUSR2 added -- outputs current statistics,
+  including compression statistics.
+* All changes maintain protocol compatibility
+  with 1.1.1 and 1.1.0.
+.04.22 -- Version 1.1.1
+* Added --ifconfig option to automatically configure
+  TUN device.
+* Added inactivity disconnect (--inactive
+  and --ping-exit options).
+* Added --ping option to keep stateful firewalls
+  from timing out.
+* Added sanity check to command line parser to
+  err if any TLS options are used in non-TLS mode.
+* Fixed build problem with compiler environments that
+  define printf as a macro.
+* Fixed build problem on linux systems that have
+  an integrated TUN/TAP driver but lack the persistent
+  tunnel feature (TUNSETPERSIST).  Some linux kernels
+  >= 2.4.0 and < 2.4.7 fall into this category.
+* Changed all calls to EVP_CipherInit to use explicit
+  encrypt/decrypt mode in order to fix problem with
+  IDEA-CBC and AES-256-CBC ciphers.
+* Minor changes to control channel transmit limiter
+  algorithm to fix problem where TLS control channel
+  might not renegotiate within the default 60 second window.
+* Simplified man page examples by taking advantage
+  of the new --ifconfig option.
+* Minor changes to configure.in to check more
+  rigourously for OpenSSL 0.9.6 or greater.
+* Put back openvpn.spec, eliminated
+  openvpn.spec.in.
+* Modified openvpn.spec to reflect new automake-based
+  build environment (Bishop Clark).
+* Other documentation changes.
+* Added --test-crypto option for debugging.
+* Added "missing" and "mkinstalldirs" automake
+  support files.
+.04.09 -- Version 1.1.0
+* Strengthened replay protection and IV handling,
+  extending it fully to both static key and
+  TLS dynamic key exchange modes.
+* Added --mlock option to disable paging and ensure that key
+  material and tunnel data is never paged to disk.
+* Added optional traffic shaping feature to cap the maximum
+  data rate of the tunnel.
+* Converted to automake (The Platypus Brothers 2002-04-01).
+* Ported to OpenBSD by Janne Johansson.
+* Added --tun-af-inet option to work around an incompatibility
+  between Linux and BSD tun drivers.
+* Sequence number-based replay protection using the
+  IPSec sliding window model is now the default,
+  disable with --no-replay.
+* Explicit IV is now the default, disable with --no-iv.
+* Disabled all cipher modes except CBC, CFB, and OFB.
+* In CBC mode, use explicit IV and carry forward residuals,
+  using IPSec model.
+* In CFB/OFB mode, IV is timestamp, sequence number.
+* Eliminated --packet-id, --timestamp, and max-delta parameter to
+  the --tls-auth option as they are now supplanted by improved
+  replay code which is enabled by default.
+* Eliminated --rand-iv as it is now obsolete with improved
+  IV code.
+* Eliminated --reneg-err option as it increases vulnerability
+  to DoS attacks.
+* Added weak key check for DES ciphers.
+* --tls-freq option is no longer specified on the command line,
+  instead it now inherits its parameter from the
+  --tls-timeout option.
+* Fixed bug that would try to free memory on exit that was
+  never malloced if --comp-lzo was not specified.
+* Errata fixed in the man page examples: "test-ca" should be
+  "tmp-ca".
+* Updated manual page.
+* Preliminary work in porting to OpenSSL 0.9.7.
+* Changed license to allowing linking with OpenSSL.
+.03.29 -- Version 1.0.3
+* Fixed a problem in configure with library ordering on the
+  command line.
+.03.28 -- Version 1.0.2
+* Improved the efficiency of the inner event loop.
+* Fixed a minor bug with timeout handling.
+* Improved the build system to build on RH 6.2 through 7.2.
+* Added an openvpn.spec file for RPM builders (Bishop Clark).
+.03.23 -- Version 1.0
+* Added TLS-based authentication and key exchange.
+* Added gremlin mode to stress test.
+* Wrote man page.
+.12.26 -- Version 0.91
+* Added any choice of cipher or HMAC digest.
+.5.13 -- Version 0.90
+* Initial release.
+* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.
+}}}