{{{
OpenVPN
Copyright (C) 2002-2008 OpenVPN, Inc.

$Id: ChangeLog 1330 2006-10-01 11:45:06Z james $

2006.10.01 -- Version 2.0.9

* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
  published vulnerabilities.

* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
  (Henry Nestler). The TAP-Win32 driver has now been
  upgraded to version 8.4.

2006.09.12 -- Version 2.0.8

* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
  RSA Signature Forgery (CVE-2006-4339).
* No changes to OpenVPN source code between 2.0.7 and 2.0.8.

2006.04.12 -- Version 2.0.7

* Code added in 2.0.6-rc1 to extend byte counters
  to 64 bits caused a bug in the Windows version which has now
  been fixed. The bug could cause intermittent crashes.

2006.04.05 -- Version 2.0.6

* Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
  An OpenVPN client connecting to a
  malicious or compromised server could potentially receive
  "setenv" configuration directives from the server which could
  cause arbitrary code execution on the client via an LD_PRELOAD
  attack. A successful attack appears to require that (a) the
  client has agreed to allow the server to push configuration
  directives to it by including "pull" or the macro "client" in
  its configuration file, (b) the client configuration file uses
  a scripting directive such as "up" or "down", (c) the client
  successfully authenticates the server, (d) the server is
  malicious or has been compromised and is under the control of
  the attacker, and (e) the attacker has at least some level of
  pre-existing control over files on the client (this might be
  accomplished by having the server respond to a client web
  request with a specially crafted file). Credit: Hendrik Weimer.
  CVE-2006-1629.

  The fix is to disallow "setenv" to be pushed to clients from
  the server. For those who need this capability, OpenVPN
  2.1 supports a new "setenv-safe" directive which is free
  of this vulnerability.

* When deleting routes under Linux, use the route metric
  as a differentiator to ensure that the route teardown
  process only deletes the identical route which was originally
  added via the "route" directive (Roy Marples).

* Fix the t_cltsrv.sh file in FreeBSD 4 jails
  (Matthias Andree, Dirk Meyer, Vasil Dimov).

* Extended tun device configure code to support ethernet
  bridging on NetBSD (Emmanuel Kasper).
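
As an added, defender-side illustration of conditions (a) and (b) from the CVE-2006-1629 entry above (not OpenVPN's own code), the following Python audits a client config for "pull"/"client" combined with a scripting directive, and also flags the missing server-certificate check that the 2.0-rc2 entry later in this log warns about. The two configs, the hostname, the paths and the key material are constructed placeholders.

```python
"""Audit an OpenVPN 2.0.x client config for the client-side preconditions of
CVE-2006-1629 from the 2.0.6 entry: (a) pushed options accepted via "pull" or
"client", (b) a scripting directive such as "up"/"down".  It also flags the
2.0-rc2 warning condition: tls-client/client without ns-cert-type, tls-remote
or tls-verify.  Added example, not OpenVPN project code."""
import shlex
from dataclasses import dataclass

# "client" is a macro that implies "pull", so either one accepts pushed options.
PULL_DIRECTIVES = {"pull", "client"}
# Client-side directives that run an external script (OpenVPN 2.0 names).
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "ipchange"}
# Server-certificate checks whose absence triggers the 2.0-rc2 warning.
SERVER_VERIFY_DIRECTIVES = {"ns-cert-type", "tls-remote", "tls-verify"}

# Constructed sample configs; hostname, paths and key material are placeholders.
SAMPLE_CONFIG = """\
# constructed sample client config (not from any real deployment)
client
dev tun
remote vpn.example.invalid 1194   ; trailing comment
ca ca.crt
cert client.crt
key client.key
up "/etc/openvpn/update resolv.sh"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
"""

HARDENED_CONFIG = """\
# constructed: no pushed options, no scripts, server certificate checked
tls-client
dev tun
remote vpn.example.invalid 1194
ns-cert-type server
ca ca.crt
cert client.crt
key client.key
"""


def parse_directives(text):
    """Return [(name, args)] per directive line.  Whole-line comments start
    with '#' or ';', a trailing comment starts at a token beginning with '#'
    or ';', a leading '--' is tolerated, and inline <tag>...</tag> blocks
    such as <tls-auth> are skipped entirely."""
    out, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and "/" not in line:
            in_block = line[1:-1]
            continue
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = line.split()
        args = []
        for tok in tokens:
            if tok[:1] in ("#", ";"):
                break
            args.append(tok)
        if not args:
            continue
        name = args[0][2:] if args[0].startswith("--") else args[0]
        out.append((name, args[1:]))
    return out


@dataclass(frozen=True)
class AuditResult:
    accepts_pushed_options: bool        # condition (a)
    script_directives: tuple            # condition (b): script directives present
    missing_server_verification: bool   # 2.0-rc2 warning condition
    at_risk: bool                       # (a) and (b) both hold on a pre-2.0.6 client


def audit_client_config(text):
    present = {name for name, _ in parse_directives(text)}
    accepts = bool(present & PULL_DIRECTIVES)
    scripts = tuple(sorted(present & SCRIPT_DIRECTIVES))
    tls_client = bool(present & {"tls-client", "client"})
    verifies = bool(present & SERVER_VERIFY_DIRECTIVES)
    return AuditResult(accepts, scripts, tls_client and not verifies,
                       accepts and bool(scripts))


if __name__ == "__main__":
    print(audit_client_config(SAMPLE_CONFIG))
    print(audit_client_config(HARDENED_CONFIG))
```

Conditions (c) through (e) depend on the server and the attacker, so a client that meets (a) and (b) on a pre-2.0.6 build is exposed to any server it trusts; upgrading removes the pushed "setenv" path regardless of the config.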

2006.01.03 -- Version 2.0.6-rc1

* Fixed bug where "make check" inside a FreeBSD "jail"
  would never complete (Matthias Andree).
* Fixed bug where --server directive in --dev tap mode
  claimed that it would support subnets of /30 or less
  but actually would only accept /29 or less.
* Extend byte counters to 64 bits (M. van Cuijk).
* Fixed bug in acinclude.m4 where capability of compiler
  to handle zero-length arrays in structs is tested
  (David Stipp).
* Fixed typo in manage.c where inline function declaration
  was declared without the "static" keyword (David Stipp).
* Removed redundant base64 code.
* Better sanity checking of --server and --server-bridge
  IP pool ranges, so as not to hit the assertion at
  pool.c:119 (2.0.5).
* Fixed bug where --daemon and --management-query-passwords
  used together would cause OpenVPN to block prior to
  daemonization.
* Fixed client/server race condition which could occur
  when --auth-retry interact is set and the initially
  provided auth-user-pass credentials are incorrect,
  forcing a username/password re-query.
* Fixed bug where if --daemon and --management-hold are
  used together, --user or --group options would be ignored.

2005.11.02 -- Version 2.0.5

* Fixed bug in Linux get_default_gateway function
  introduced in 2.0.4, which would cause redirect-gateway
  on Linux clients to fail.
* Restored easy-rsa/2.0 tree (backported from 2.1 beta
  series) which accidentally disappeared in
  2.0.2 -> 2.0.4 transition.

2005.11.01 -- Version 2.0.4

* Security fix -- Affects non-Windows OpenVPN clients of
  version 2.0 or higher which connect to a malicious or
  compromised server. A format string vulnerability
  in the foreign_option function in options.c could
  potentially allow a malicious or compromised server
  to execute arbitrary code on the client. Only
  non-Windows clients are affected. The vulnerability
  only exists if (a) the client's TLS negotiation with
  the server succeeds, (b) the server is malicious or
  has been compromised such that it is configured to
  push a maliciously crafted options string to the client,
  and (c) the client indicates its willingness to accept
  pushed options from the server by having "pull" or
  "client" in its configuration file (Credit: Vade79).
  CVE-2005-3393
* Security fix -- Potential DoS vulnerability on the
  server in TCP mode. If the TCP server accept() call
  returns an error status, the resulting exception handler
  may attempt to indirect through a NULL pointer, causing
  a segfault. Affects all OpenVPN 2.0 versions.
  CVE-2005-3409
* Fix attempt of assertion at multi.c:1586 (note that
  this precise line number will vary across different
  versions of OpenVPN).
* Added ".PHONY: plugin" to Makefile.am to work around
  "make dist" issue.
* Fixed double fork issue that occurs when --management-hold
  is used.
* Moved TUN/TAP read/write log messages from --verb 8 to 6.
* Warn when multiple clients having the same common name or
  username usurp each other when --duplicate-cn is not used.
* Modified Windows and Linux versions of get_default_gateway
  to return the route with the smallest metric
  if multiple 0.0.0.0/0.0.0.0 entries are present.

2005.09.25 -- Version 2.0.3-rc1

* openvpn_plugin_abort_v1 function wasn't being properly
  registered on Windows.
* Fixed a bug where --mode server --proto tcp-server --cipher none
  operation could cause tunnel packet truncation.

2005.08.25 -- Version 2.0.2

* No change from 2.0.2-rc1.

2005.08.24 -- Version 2.0.2-rc1

* Fixed regression bug in Win32 installer, introduced in 2.0.1,
  which incorrectly set OpenVPN service to autostart.
* Don't package source code zip file in Windows installer
  in order to reduce the size of the installer. The source
  zip file can always be downloaded separately if needed.
* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
  version of get_default_gateway. Allocated socket for route
  manipulation is never freed, so the number of mbufs continuously
  grows and exhausts system resources after a while (Jaroslav Klaus).
* Fixed bug where "--proto tcp-server --mode p2p --management
  host port" would cause the management port to not respond until
  the OpenVPN peer connects.
* Modified pkitool script to be /bin/sh compatible (Johnny Lam).

2005.08.16 -- Version 2.0.1

* Security Fix -- DoS attack against server when run with "verb 0" and
  without "tls-auth". If a client connection to the server fails
  certificate verification, the OpenSSL error queue is not properly
  flushed, which can result in another unrelated client instance on the
  server seeing the error and responding to it, resulting in disconnection
  of the unrelated client (CAN-2005-2531).
* Security Fix -- DoS attack against server by authenticated client.
  This bug presents a potential DoS attack vector against the server
  which can only be initiated by a connected and authenticated client.
  If the client sends a packet which fails to decrypt on the server,
  the OpenSSL error queue is not properly flushed, which can result in
  another unrelated client instance on the server seeing the error and
  responding to it, resulting in disconnection of the unrelated client
  (CAN-2005-2532). Credit: Mike Ireton.
* Security Fix -- DoS attack against server by authenticated client.
  A malicious client in "dev tap" ethernet bridging mode could
  theoretically flood the server with packets appearing to come from
  hundreds of thousands of different MAC addresses, causing the OpenVPN
  process to deplete system virtual memory as it expands its internal
  routing table. A --max-routes-per-client directive has been added
  (default=256) to limit the maximum number of routes in OpenVPN's
  internal routing table which can be associated with a given client
  (CAN-2005-2533).
* Security Fix -- DoS attack against server by authenticated client.
  If two or more client machines try to connect to the server at the
  same time via TCP, using the same client certificate, and when
  --duplicate-cn is not enabled on the server, a race condition can
  crash the server with "Assertion failed at mtcp.c:411"
  (CAN-2005-2534).
* Fixed server bug where under certain circumstances, the client instance
  object deletion function would try to delete iroutes which had never been
  added in the first place, triggering "Assertion failed at mroute.c:349".
* Added --auth-retry option to prevent auth errors from being fatal
  on the client side, and to permit username/password requeries in case
  of error. Also controllable via new "auth-retry" management interface
  command. See man page for more info.
* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0.
* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
  would fail to build.
* Implement "make check" to perform loopback tests (Matthias Andree).
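
An added model (not OpenVPN's code) of the per-client cap that --max-routes-per-client puts on the internal routing table in "dev tap" mode, as described for CAN-2005-2533 above: one bounded learn table, then a run that shows the table stays at 256 entries for the flooding client while a legitimate client is unaffected. The client names "alice" and "mallory" and the locally-administered MAC addresses are constructed for the simulation.

```python
"""Bounded address-learning table modelling --max-routes-per-client
(default 256) from the 2.0.1 entry on CAN-2005-2533.  Added illustration,
not OpenVPN's own routing-table code."""

DEFAULT_MAX_ROUTES_PER_CLIENT = 256


class InternalRoutingTable:
    """Maps learned addresses (source MACs in tap mode) to the client instance
    that sent them, refusing to learn more than the cap per client so one
    client cannot grow the table without bound."""

    def __init__(self, max_routes_per_client=DEFAULT_MAX_ROUTES_PER_CLIENT):
        self.max_routes_per_client = max_routes_per_client
        self.owner_of = {}   # address -> client instance name
        self.routes_of = {}  # client instance name -> set of addresses
        self.refused = {}    # client instance name -> number of refused learns

    def learn(self, address, client):
        """Associate address with client.  Returns True if the association
        holds after the call, False if the client's cap refused it."""
        owner = self.owner_of.get(address)
        if owner == client:
            return True  # already known: the table does not grow
        if owner is not None:
            # Address moved to another client: release the old association.
            self.routes_of[owner].discard(address)
            del self.owner_of[address]
        routes = self.routes_of.setdefault(client, set())
        if len(routes) >= self.max_routes_per_client:
            self.refused[client] = self.refused.get(client, 0) + 1
            return False  # cap reached: drop the learn instead of allocating
        routes.add(address)
        self.owner_of[address] = client
        return True

    def remove_client(self, client):
        """Drop every association of a disconnecting client."""
        for address in self.routes_of.pop(client, set()):
            self.owner_of.pop(address, None)
        self.refused.pop(client, None)

    def route_count(self, client):
        return len(self.routes_of.get(client, ()))


def synthetic_mac(i):
    """Constructed locally-administered MAC address for the simulation."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def simulate_flood(flood_size, max_routes_per_client=DEFAULT_MAX_ROUTES_PER_CLIENT):
    """"alice" learns 3 addresses, then "mallory" offers flood_size distinct
    source MACs.  Returns (alice_routes, mallory_routes, mallory_refused,
    total_table_entries) so the effect of the cap can be checked."""
    table = InternalRoutingTable(max_routes_per_client)
    for i in range(3):
        table.learn(synthetic_mac(0x100000 + i), "alice")
    for i in range(flood_size):
        table.learn(synthetic_mac(i), "mallory")
    return (table.route_count("alice"), table.route_count("mallory"),
            table.refused.get("mallory", 0), len(table.owner_of))


if __name__ == "__main__":
    print(simulate_flood(100000))  # (3, 256, 99744, 259)
```

Without the cap, the same run would hold all 100000 addresses; the refused counter is what a server operator would want logged to spot a client that keeps hitting its limit.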

2005.07.21 -- Version 2.0.1-rc7

* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
* Include linux/types.h before checking for linux/errqueue.h (Matthias
  Andree).

2005.07.15 -- Version 2.0.1-rc6

* Commented out "user nobody" and "group nobody" in sample
  client/server config files.
* Allow '@' character to be used in --client-config-dir
  file names.

2005.07.04 -- Version 2.0.1-rc5

* Windows version will log a for-further-info URL when
  initialization sequence is completed with errors.
* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
  to control whether auth-pam plugin links to PAM via
  dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
  behavior should be preserved. DLOPEN_PAM=0 is the preferred
  setting to link via -lpam, but DLOPEN_PAM=1 works around
  a bug in SuSE 9.1 (and possibly other distros as well)
  where the PAM modules are not linked with -lpam. See
  thread on openvpn-devel for more discussion about this
  patch (Simon Perreault).

2005.06.15 -- Version 2.0.1-rc4

* Support LZO 2.00, including changes to configure script to
  autodetect LZO version.

2005.06.12 -- Version 2.0.1-rc3

* Fixed a bug which caused standard file handles to not be closed
  after daemonization when --plugin and --daemon are used together,
  and if the plugin initialization function forks (as does auth-pam
  and down-root) (Simon Perreault).
* Added client-side up/down scripts in contrib/pull-resolv-conf
  for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
  on Linux/Unix systems (Jesse Adelman).
* Fixed bug where if client-connect scripts/plugins were cascaded,
  and one (but not all) of them returned an error status, there might
  be cases where for an individual script/plugin, client-connect was
  called but not client-disconnect. The goal of this fix is to
  ensure that if client-connect is called on a given client instance,
  then client-disconnect will definitely be called. A potential
  complication of this fix is that when client-connect functions are
  cascaded, it's possible that the client-disconnect function would
  be called in cases where the related client-connect function returned
  an error status. This fix should not alter OpenVPN behavior when
  scripts/plugins are not cascaded.
* Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
  fatal error to a warning: "FRAG: outgoing buffer is not empty".
  Need more info on how to reproduce this one.
* When --duplicate-cn is used, the --ifconfig-pool allocation
  algorithm will now allocate the first available IP address.
* When --daemon and --management-hold are used together,
  OpenVPN will daemonize before it enters the management hold state.

2005.05.16 -- Version 2.0.1-rc2

* Modified vendor test in openvpn.spec file to match against
  "Mandrakesoft" in addition to "MandrakeSoft".
* Using --iroute in a --client-config-dir file while in --dev tap
  mode is not currently supported and will produce a warning
  message. Fixed bug where in certain cases, in addition to
  generating a warning message, this combination of options
  would also produce a fatal assertion in mroute.c.
* Pass --auth-user-pass username to server-side plugin without
  performing any string remapping (plugins, unlike scripts,
  don't get any security benefit from string remapping).
  This is intended to fix an issue with openvpn-auth-pam/pam_winbind
  where backslash characters in a username ('\') were being remapped
  to underscore ('_').
* Updated OpenSSL DLLs in Windows build to 0.9.7g.
* Documented --explicit-exit-notify in man page.
* --explicit-exit-notify seconds parameter defaults to 1 if
  unspecified.

2005.04.30 -- Version 2.0.1-rc1

* Fixed bug where certain kinds of fatal errors after
  initialization (such as port in use) would leave plugin
  processes (such as openvpn-auth-pam) still running.
* Added optional openvpn_plugin_abort_v1 plugin function for
  closing initialized plugin objects in the event of a fatal
  error by main OpenVPN process.
* When the --remote list is > 1, and --resolv-retry is not
  specified (meaning that it defaults to "infinite"), apply the
  infinite timeout to the --remote list as a whole, but try each
  list item only once before moving on to the next item.
* Added new --syslog directive which redirects output
  to syslog without requiring the use of the --daemon or --inetd
  directives.
* Added openvpn.spec option to allow RPM to be built with support
  for passwords read from a file:
    rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'

2005.04.17 -- Version 2.0

* Fixed minor options string typo in options.c.

2005.04.10 -- Version 2.0-rc21

* Change license description from "GPL Version 2 or (at your
  option) any later version" to just "GPL Version 2".

2005.04.04 -- Version 2.0-rc20

* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
  excellent distro/version coverage for RH/EL/Fedora, though
  using his own SPEC. I modified openvpn.spec to follow some of
  the same conventions such as putting sample scripts and doc
  files in %doc rather than /usr/share/openvpn.
* Minor change to init scripts to run the user-defined script
  /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
  configs are started, and to run /etc/openvpn/openvpn-shutdown
  after all OpenVPN configs have been stopped. The
  openvpn-startup script can be used for stuff like
  insmod tun.o, setting up firewall rules, or starting
  ethernet bridges.

2005.03.29 -- Version 2.0-rc19

* Omit additions of routes where the network and
  gateway are equal and the netmask is 255.255.255.255.
  This can come up if you are using both
  server/ifconfig-pool and client-config-dir with
  ifconfig-push static addresses for some subset of clients
  which directly reference the server IP address as the
  remote endpoint.

2005.03.28 -- Version 2.0-rc18

* Packaged Windows installer with OpenSSL 0.9.7f.
* Built Windows installer with NSIS 2.06.

2005.03.12 -- Version 2.0-rc17

* "MANAGEMENT: CMD" log file output will now only occur
  at --verb 7 or greater.
* Added an optional name/value configuration list to
  the openvpn-auth-pam plugin module argument list. See
  plugin/auth-pam/README for documentation. This is necessary
  in order for openvpn-auth-pam to work with queries generated
  by arbitrary PAM modules.
* In both auth-pam and down-root plugins, in the forked process,
  a read error on the parent process socket is no longer fatal.
* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
  A conditional test of the vendor has been added to
  Require the appropriately named 'lzo' (liblzo1 / lzo).
  (Tom Walsh - http://openhardware.net)

2005.02.20 -- Version 2.0-rc16

* Fixed bug introduced in rc13 where Windows service wrapper
  would be installed with a startup type of Automatic.
  This fix restores the previous behavior of installing
  with a startup type of Manual.

2005.02.19 -- Version 2.0-rc15

* Added warning when --keepalive is not used in a server
  configuration.
* Don't include OpenSSL md4.h file if we are not building
  NTLM proxy support (Waldemar Brodkorb).
* Added easy-rsa/build-key-pkcs12 and
  easy-rsa/Windows/build-key-pkcs12.bat scripts
  (Mathias Sundman).

2005.02.16 -- Version 2.0-rc14

* Fixed small memory leak that occurs when --crl-verify
  is used.
* Upgraded Windows installer and .nsi script to NSIS 2.05
  (Mathias Sundman).
* Changed #include backslash usage in cryptoapi.c to use
  forward slashes instead (Gisle Vanem).
* Created easy-rsa/revoke-full to handle revocations in
  a single step: (a) revoke crt, (b) regenerate CRL, and
  (c) verify that revocation succeeded.
* Renamed easy-rsa/Windows/revoke-key to revoke-full so
  that both *nix and Windows scripts are equivalent.

2005.02.11 -- Version 2.0-rc13

* Improve human-readability of local/remote options
  diff, when inconsistencies are present.
* For Windows easy-rsa, distribute vars.bat.sample and
  openssl.cnf.sample, then copy them to their normal
  filenames (without the .sample) when init-config.bat
  is run. This is to prevent OpenVPN upgrades from
  wiping out vars.bat and openssl.cnf edits.
* Modified service wrapper (Windows) to use a
  case-insensitive search when scanning for .ovpn files
  in \Program Files\OpenVPN\config. Prior versions
  required an all-lower-case .ovpn file extension.
* Miscellaneous service wrapper code cleanup.
* If --user/--group is used on Windows, treat it
  as a no-op with a warning (this makes it easier to
  distribute the same client config file to Windows
  and *nix users).
* Warn if --ifconfig-pool-persist is used with
  --duplicate-cn.

2005.02.05 -- Version 2.0-rc12

* Removed some debugging code inadvertently included
  in rc11 which would print the --auth-user-pass
  username/password provided by clients in the server
  logfile.
* Client code for cycling through --remote list will
  retry the last address which successfully authenticated
  before moving on through the list.
* Windows installer will now install sample configuration
  files in \Program Files\OpenVPN\sample-configs as well
  as generate a start menu shortcut to this directory.
* Minor type change in buffer.[ch] to work around char-type
  ambiguity bug. Caused management interface lock-ups on
  ARM when building with armv4b-hardhat-linux-gcc 2.95.3.

2005.02.03 -- Version 2.0-rc11

* Windows installer will now install easy-rsa directory
  in \Program Files\OpenVPN.
* Allow syslog facility to be controlled at compile time,
  e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
* Changed certain shell scripts in distribution to use
  #!/bin/sh rather than #!/bin/bash for better portability.
* If --ifconfig-pool-persist seconds parameter is 0, treat
  persist file as an allocation of fixed IP addresses
  (previous versions took IP-to-common-name associations
  from this list as hints, not mandatory static allocations).
* Fixed bug on *nix where if --auth-user-pass and --log
  were used together, the username prompt would be sent to
  the log file rather than /dev/tty.
* Spurious text in openvpn.8 detected by doclifter
  (Eric S. Raymond).
* Call closelog later on daemon kill so that process
  exit message is written to syslog.

2005.01.27 -- Version 2.0-rc10

* When ./configure is run with plugins enabled (the default),
  check whether or not dlopen exists in libc before testing
  for libdl. This is to fix an issue on FreeBSD and possibly
  other OSes which bundle libdl functions in libc.
* On Windows, filter initial WSAEINVAL warning which occurs
  on the initial read attempt of an unbound socket.
* The easy-rsa scripts build-key, build-key-pass, and
  build-key-server will now chmod the .key file
  to 0600. This is in addition to the fact the generated
  keys directory has always been similarly protected
  (Pete Harlan).

2005.01.23 -- Version 2.0-rc9

* Fixed error "ROUTE: route addition failed using
  CreateIpForwardEntry ..." on Windows when --redirect-gateway
  is used over a RRAS internet link.
* When using --route-method exe on Windows, include the
  gateway parameter on route delete commands (Mathias Sundman).
* Try not to do a hard reset (i.e. SIGHUP) when two
  SIGUSR1 signals are received in close succession.
* If the push list tries to grow beyond its buffer capacity,
  the resulting error will be non-fatal.
* To increase the push list capacity (must be done on both
  client and server), increase TLS_CHANNEL_BUF_SIZE in
  common.h (default=1024).

2005.01.15 -- Version 2.0-rc8

* Fixed bug introduced in rc7 where options error
  "--auth-user-pass requires --pull" might occur even
  if --pull was correctly specified.
* Changed management interface code to bind once
  to TCP socket, rather than rebinding after every
  client disconnect.
* Added "disable" directive for client-config-dir
  files.
* Windows binary install is now distributed with
  OpenSSL 0.9.7e.
* Query the management interface for --http-proxy
  username/password if authfile is set to "stdin".
* Added current OpenVPN version number to "Unrecognized
  option or missing parameter" error message.
* Added "-extensions server" to "openssl req" command
  in easy-rsa/build-key-server (Nir Yeffet).

2005.01.10 -- Version 2.0-rc7

* Fixed bug in management interface which could cause
  100% CPU utilization in --proto tcp-server mode
  on all *nix OSes except for Linux 2.6.
* --ifconfig-push now accepts DNS names as well as
  IP addresses.
* Added sanity check errors when --pull or
  --auth-user-pass is used in an incorrect mode.
* Updated man page entries for --client-connect and
  --ifconfig-push.
* Added "String Types and Remapping" section to man
  page to concisely document the way in which OpenVPN
  may convert certain types of characters in strings
  to ('_').
* Modified bridging description in HOWTO to emphasize
  the fact that bridging allows Windows file and print
  sharing without a WINS server (Charles Duffy).

2004.12.20 -- Version 2.0-rc6

* Improved checking for epoll support in ./configure
  to fix false positive on RH9 (Jan Just Keijser).
* Made the "MULTI TCP: I/O wait required blocking in
  multi_tcp_action, action=7" error nonfatal and replaced
  with "MULTI: Outgoing TUN queue full, dropped packet".
  So far the issue only seems to occur on Linux 2.2
  in --mode server --proto tcp mode. It occurs when
  the TUN/TAP driver locks up and refuses to accept
  new packet writes for a second or more.
* Fixed bug where if a --client-config-dir file tried
  to include another file using "config", and if that
  include failed, OpenVPN would abort with a fatal
  error. Now such inclusion failures will be logged
  but are no longer fatal.
* Global changes to the way that packet buffer alignment
  is handled. Previously we didn't care about alignment
  and took care, when handling 16 and 32 bit words
  in buffers, to always use alignment-safe transfers.
  This approach appears to be inadequate on some
  architectures such as alpha. The new approach is
  to initialize packet buffers in a way that anticipates
  how component structures will be allocated within
  them, to maintain correct alignment.
* Added --dhcp-option DISABLE-NBT to disable NetBIOS
  over TCP (Jan Just Keijser).
* Added --http-proxy-option directive for controlling
  miscellaneous HTTP proxy options.
* Management state will no longer transition to "WAIT"
  during TLS renegotiations.

2004.12.16 -- Version 2.0-rc5

* The --client-config-dir option will now try to open
  a default file called "DEFAULT" if no file matching
  the common name of the incoming client was found.
* The --client-connect script/plugin can now veto client
  authentication by returning a failure code.
* The --learn-address script/plugin can now prevent a
  client-instance/address association from being learned
  by returning a failure code.
* Changed RPM group in .spec file to Applications/Internet.

2004.12.14 -- Version 2.0-rc4

* SuSE only -- Fixed interaction between openvpn.spec and
  suse/openvpn.init where the .spec file was writing the
  OpenVPN binary to a different location than where the
  .init script was referencing it (Stefan Engel).
* Solaris only -- Split Solaris ifconfig command into two
  parts (Jan Just Keijser).
* Some cleanup in add_option().
* Better error checking on input dotted quad IP addresses.
* Verify that --push argument is quoted, if there is
  more than one.
* More miscellaneous option sanity checks.

2004.12.13 -- Version 2.0-rc3

* On Windows, when --log or --log-append is used,
  save the original stderr for username and password
  prompts.
* Fixed a bug introduced in the late 2.0 betas where
  if a "verb" parameter >= 16 was used, it would be
  ignored and the actual verb level would remain at 1.
* Fixed a bug mostly seen on OS X where --management-hold
  or --management-query-passwords would cause the management
  interface to be unresponsive to incoming client connections.
* Trigger an options error if one of the management-modifying
  options is used without "management" itself.

2004.12.12 -- Version 2.0-rc2

* Amplified warnings in documentation about possible
  man-in-the-middle attack when clients do not properly
  verify server certificate. Changes to easy-rsa README,
  FAQ, HOWTO, man page, and sample client config file.
* Added a warning message if --tls-client or --client
  is used without also specifying one of either
  --ns-cert-type, --tls-remote, or --tls-verify.
* status_open() fixes for MSVC builds (Blaine Fleming).
* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
  compiler error which has been reported on some platforms.
* The openvpn.spec file for rpmbuild has several
  new build-time options. See comments in the file.
* Plugins are now built and packaged in the RPM and
  will be saved in /usr/share/openvpn/plugin/lib.
* Added --management-hold directive to start OpenVPN
  in a hibernating state until released by the
  management interface. Also added "hold" command
  to the management interface.

2004.12.07 -- Version 2.0-rc1

* openvpn.spec workaround for SuSE confusion regarding
  /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).

2004.12.05 -- Version 2.0-beta20

* The ability to read --askpass and --auth-user-pass
  passwords from a file has been disabled by default.
  To re-enable, use ./configure --enable-password-save.
* Added additional pre-connected states to management
  interface. See management/management-notes.txt
  for more info.
* State history is now recorded by the management
  interface, and the "state" command now works like
  the log or echo commands.
* State history and real-time state change notifications
  are now prepended with an integer unix timestamp.
* Added --http-proxy-timeout option, previously
  the timeout was hardcoded to 5 seconds.

2004.12.02 -- Version 2.0-beta19

* Fixed bug in management interface line termination
  where output lines incorrectly contained a \00 char
  after the customary \0d \0a.
* Fixed bug introduced in beta18 where Windows version
  would segfault on options errors.
* Fixed bug in management interface where an empty
  quoted string ("") entered as a parameter would cause
  a segfault.
* Fixed bug where --resolv-retry was not working
  properly with multiple --remote hosts.
* Added additional ./configure options to reduce
  executable size for embedded applications.
  See ./configure --help.

2004.11.28 -- Version 2.0-beta18

* Added management interface. See new --management-*
  options or the full management interface documentation
  in management/management-notes.txt in the tarball.
  Management interface inclusion can be disabled by
  ./configure --disable-management.
* Added two new plugin modules: auth-pam and down-root.
  Auth-pam supports pam-based authentication using a
  split privilege execution model, while down-root enables
  a down script to be executed with root privileges, even
  when --user/--group is used to drop root privileges.
  See the plugin directory in the tarball for READMEs,
  source code, and Makefiles.
* Plugin developers should note that some changes were
| 662 | made to the plugin interface since beta17. See |
| 663 | openvpn-plugin.h for details. |
| 664 | Plugin interface inclusion can be disabled with |
| 665 | ./configure --disable-plugins. |
| 666 | * Added easy-rsa/build-key-server script which will |
| 667 | build a certificate with nsCertType=server. |
| 668 | * Added --ns-cert-type option for verification |
| 669 | of nsCertType field in peer certificate. |
| 670 | * If --fragment n is specified and --mssfix is specified |
| 671 | without a parameter, default --mssfix to n. This restores |
| 672 | the 1.6 behavior when using --mssfix without a parameter. |
| 673 | * Fixed SSL context initialization bug introduced in beta14 |
| 674 | where this error might occur on restarts: "Cannot load |
| 675 | certificate chain ... PEM_read_bio:no start line". |
| 676 | |
| 677 | 2004.11.11 -- Version 2.0-beta17 |
| 678 | |
| 679 | * Changed default port number to 1194 per IANA official |
| 680 | port number assignment. |
| 681 | * Added --plugin directive which allows compiled |
| 682 | modules to intercept script callbacks. See |
| 683 | plugin folder in tarball for more info. |
| 684 | * Fixed bug introduced in beta12 where --key-method 1 |
| 685 | authentications which should have succeeded would fail. |
| 686 | * Ignore SIGUSR1 during DNS resolution. |
| 687 | * Added SuSE support to openvpn.spec (Umberto Nicoletti). |
| 688 | * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna' |
| 689 | Runestig). |
| 690 | |
| 691 | 2004.11.07 -- Version 2.0-beta16 |
| 692 | |
| 693 | * Modified sample-scripts/auth-pam.pl to get username |
| 694 | and password from OpenVPN via a file rather than |
| 695 | via environmental variables. |
| 696 | * Added bytes_sent and bytes_received environmental |
| 697 | variables to be set prior to client-disconnect script. |
| 698 | * Changed client virtual IP derivation precedence: |
| 699 | (1) use --ifconfig-push directive from --client-connect |
| 700 | script, (2) use --ifconfig-push directive from |
| 701 | --client-config-dir, and (3) use --ifconfig-pool |
| 702 | address. |
| 703 | * If a --client-config-dir file specifies --ifconfig-push, |
| 704 | it will be visible to the --client-connect-script in |
| 705 | the ifconfig_pool_remote_ip environmental variable. |
| 706 | * For tun-style tunnels, the ifconfig_pool_local_ip |
| 707 | environmental variable will be set, while for |
| 708 | tap-style tunnels, the ifconfig_pool_netmask variable |
| 709 | will be set. |
| 710 | * Added intelligence to autoconf script to test |
| 711 | compiler for the accepted form of zero-length arrays. |
| 712 | * Fixed a bug introduced in beta12 where --ip-win32 |
| 713 | netsh would fail if --dev-node was not explicitly |
| 714 | specified. |
| 715 | * --ip-win32 netsh will now work on hidden adapters. |
| 716 | * Fix attempt of "Assertion failed at crypto.c:149". |
| 717 | This assertion has also been reported on 1.x with a |
| 718 | slightly different line number. The fix is twofold: |
| 719 | (1) In previous releases, --mtu-test may trigger this |
| 720 | assertion -- this bug has been fixed. (2) If something |
| 721 | else causes the assertion to be thrown, don't panic, |
| 722 | just output a nonfatal warning to the log and drop |
| 723 | the packet which generated the error. |
| 724 | * Support TAP interfaces on Mac OS X (Waldemar Brodkorb). |
| 725 | * Added --echo directive. |
| 726 | * Added --auth-nocache directive. |
| 727 | |
| 728 | 2004.10.28 -- Version 2.0-beta15 |
| 729 | |
| 730 | * Changed environmental variable character classes |
| 731 | so that names must consist of alphanumeric or |
| 732 | underbar chars and values must consist of printable |
| 733 | characters. Illegal chars will be deleted. |
| 734 | Versions prior to 2.0-beta12 were more restrictive |
| 735 | and would map spaces to '.'. |
| 736 | * On Windows, when the TAP adapter fails to |
| 737 | initialize with the correct IP address, output |
| 738 | "Initialization Sequence Completed with Errors" |
| 739 | to the console or log file. |
| 740 | * Added a warning when user/group/chroot is used |
| 741 | without persist-tun and persist-key. |
| 742 | * Added cryptoapi.[ch] to tarball and source zip. |
| 743 | * --tls-remote option now works with common name |
| 744 | prefixes as well as with the full X509 subject |
| 745 | string. This is a useful alternative to using |
| 746 | a CRL on the client. |
| 747 | * common names associated with a static |
| 748 | --ifconfig-push setting will no longer leave |
| 749 | any state in the --ifconfig-pool-persist file. |
| 750 | * Hard TLS errors (TLS handshake failed) will now |
| 751 | trigger either a SIGUSR1 signal by default |
| 752 | or SIGTERM (if --tls-exit is specified). In TCP |
| 753 | mode, all TLS errors are considered to be hard. |
| 754 | In server mode, the signal will be local to the |
| 755 | client instance. |
| 756 | * Added method parameter to --auth-user-pass-verify |
| 757 | directive to select whether username/password |
| 758 | is passed to script via environment or a temporary |
| 759 | file. |
| 760 | * Added --status-version option to control format |
| 761 | of --status file. The --mode server |
| 762 | --status-version 2 format now includes a line |
| 763 | type token, the virtual IP address is shown |
| 764 | in the client list (even in --dev tap mode), |
| 765 | and the integer time_t value is shown anywhere |
| 766 | an ascii-formatted time/date is also shown. |
| 767 | * Added --remap-usr1 directive which can be used |
| 768 | to control whether internally or externally |
| 769 | generated SIGUSR1 signals are remapped to |
| 770 | SIGHUP (restart without persisting state) or |
| 771 | SIGTERM (exit). |
| 772 | * When running as a Windows service (using |
| 773 | --service option), check the exit event before |
| 774 | and after reading one line of input from |
| 775 | stdin, when reading username/password info. |
| 776 | * For developers: Extended the --gremlin function |
| 777 | to better stress-test the new 2.0 features, |
| 778 | added Valgrind support on Linux and Dmalloc |
| 779 | support on Windows. |
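The 2.0-beta15 environment variable rule above (names alphanumeric or underscore, values printable, illegal characters deleted) as an added example; this is not OpenVPN's own code, and the function names and buffer sizes are assumptions made here. It matters because these variables are handed to --up, --client-connect and similar scripts, so peer-supplied strings such as a common name or username must not carry control characters into the script's environment.

```c
/* Added example (not OpenVPN's code): filter environment variable names
 * and values the way the 2.0-beta15 changelog entry describes. Characters
 * outside the allowed class are dropped rather than mapped to '.'. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dstlen bytes), keeping only characters accepted by
 * keep(). Always NUL-terminates. Returns the number of characters kept. */
static size_t copy_filtered(char *dst, size_t dstlen, const char *src,
                            int (*keep)(int))
{
    size_t n = 0;
    for (; *src && n + 1 < dstlen; ++src) {
        unsigned char c = (unsigned char)*src;
        if (keep(c))
            dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return n;
}

/* Names: alphanumeric or underscore only. */
static int name_char_ok(int c)
{
    return isalnum(c) || c == '_';
}

/* Values: printable characters only (0x20..0x7e in the C locale), so
 * newlines, tabs, NUL and other control characters are removed. */
static int value_char_ok(int c)
{
    return isprint(c);
}

size_t sanitize_env_name(char *dst, size_t dstlen, const char *src)
{
    return copy_filtered(dst, dstlen, src, name_char_ok);
}

size_t sanitize_env_value(char *dst, size_t dstlen, const char *src)
{
    return copy_filtered(dst, dstlen, src, value_char_ok);
}

/* Build one "NAME=VALUE" entry for a script's environment from an untrusted
 * pair (hypothetical helper). Returns 0 when nothing is left of the name
 * after filtering, so no nameless entry is ever produced; 1 otherwise. */
int build_env_entry(char *out, size_t outlen, const char *name,
                    const char *value)
{
    char n[64], v[256];   /* constructed limits for the demo */
    if (sanitize_env_name(n, sizeof n, name) == 0)
        return 0;
    sanitize_env_value(v, sizeof v, value);
    snprintf(out, outlen, "%s=%s", n, v);
    return 1;
}
```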
| 780 | |
| 781 | 2004.10.19 -- Version 2.0-beta14 |
| 782 | |
| 783 | * Fixed a bug introduced in Beta12 that would occur |
| 784 | if you use a --client-connect script without also |
| 785 | defining --tmp-dir. |
| 786 | * Fixed a bug introduced in Beta12 where a learn-address |
| 787 | script might segfault on the delete method. |
| 788 | * Added Crypto API support in Windows version via |
| 789 | the --cryptoapicert option (Peter 'Luna' Runestig). |
| 790 | |
| 791 | 2004.10.18 -- Version 2.0-beta13 |
| 792 | |
| 793 | * Fixed an issue introduced in Beta12 where the private |
| 794 | key password would not be prompted for unless --askpass |
| 795 | was explicitly specified in the config. |
| 796 | |
| 797 | 2004.10.17 -- Version 2.0-beta12 |
| 798 | |
| 799 | * Added support for username/password-based authentication. |
| 800 | Clients can now authenticate themselves with the server |
| 801 | using either a certificate, a username/password, or both. |
| 802 | New directives: --auth-user-pass, --auth-user-pass-verify, |
| 803 | --client-cert-not-required, and --username-as-common-name. |
| 804 | * Added NTLM proxy patch (William Preston). |
| 805 | * Added --ifconfig-pool-linear server flag to allocate |
| 806 | individual tun addresses for clients rather than /30 |
| 807 | subnets (won't work with Windows clients). |
| 808 | * Modified --http-proxy code to cache username/password |
| 809 | across restarts. |
| 810 | * Modified --http-proxy code to read username/password |
| 811 | from the console when the auth file is given as "stdin". |
| 812 | * Modified --askpass to take an optional filename argument. |
| 813 | * --persist-tun and --persist-key now work in client mode |
| 814 | and can be pushed to clients as well. |
| 815 | * Added --ifconfig-pool-persist directive, to maintain |
| 816 | ifconfig-pool info in a file which is persistent across |
| 817 | daemon instantiations. |
| 818 | * --user and --group privilege downgrades as well as |
| 819 | --chroot now also work in client mode (the |
| 820 | downgrade/chroot will be delayed until the initialization |
| 821 | sequence is completed). |
| 822 | * Added --show-engines standalone directive to show |
| 823 | available OpenSSL crypto accelerator engine support. |
| 824 | * --engine directive now accepts an optional engine-ID |
| 825 | parameter to control which engine is used. |
| 826 | * "Connection reset, restarting" log message now shows |
| 827 | which client is being reset. |
| 828 | * Added --dhcp-pre-release directive in Windows version. |
| 829 | * Second parm to --ip-win32 can be "default", e.g. |
| 830 | --ip-win32 dynamic default 60. |
| 831 | * Fixed documentation bug regarding environmental |
| 832 | variable settings for --ifconfig-pool IP addresses. |
| 833 | The correct environmental variable names are: |
| 834 | ifconfig_pool_local_ip and ifconfig_pool_remote_ip. |
| 835 | * ifconfig_pool_local_ip and ifconfig_pool_remote_ip |
| 836 | environmental variables are now passed to the |
| 837 | client-disconnect script. |
| 838 | * In server mode, environmental variables are now scoped |
| 839 | according to the client they are associated with, |
| 840 | to solve the problem of "crosstalk" between different |
| 841 | clients' environmental variable sets. |
| 842 | * Added --down-pre flag to cause --down script to be |
| 843 | called before TUN/TAP close (rather than after). |
| 844 | * Added --tls-exit flag which will cause OpenVPN |
| 845 | to exit on any TLS errors. |
| 846 | * Don't push a route to a client if it exactly |
| 847 | matches an iroute (this lets you push routes to |
| 848 | all clients, and OpenVPN will automatically remove |
| 849 | the route from the route push list only for that client |
| 850 | which the route actually belongs to). |
| 851 | * Made '--resolv-retry infinite' the default. |
| 852 | --resolv-retry can be disabled by using a parameter of 0. |
| 853 | * For clients which plan to pull config info from server, |
| 854 | set an initial default ping-restart of 60 seconds. |
| 855 | * Optimized mute code to lessen the load on the processor |
| 856 | when messages are being muted at a higher frequency. |
| 857 | * Made route log messages non-mutable. |
| 858 | * Silence the Linux "No buffer space available" message. |
| 859 | * Added miscellaneous additional option sanity checks. |
| 860 | * Added Windows version of easy-rsa scripts in |
| 861 | easy-rsa/Windows directory (Andrew J. Richardson). |
| 862 | * Added NetBSD route patch (Ed Ravin). |
| 863 | * Added OpenBSD patch for TAP + --redirect-gateway |
| 864 | (Waldemar Brodkorb). |
| 865 | * Directives which prompt for a username and/or password |
| 866 | will now work with --daemon (OpenVPN will prompt |
| 867 | before forking). |
| 868 | * Warn if CRL is from a different issuer than the |
| 869 | issuer of the peer certificate (Bernhard Weisshuhn). |
| 870 | * Changed init script chkconfig parameters to start |
| 871 | OpenVPN daemon(s) before NFS. |
| 872 | * Bug fix attempt of "too many I/O wait events" which occurs |
| 873 | on OSes which prefer select() over poll() such as Mac OS X. |
| 874 | * Added --ccd-exclusive flag. This flag will require, as a |
| 875 | condition of authentication, that a connecting client has |
| 876 | a --client-config-dir file. |
| 877 | * TAP-Win32 open code will attempt to open a free adapter |
| 878 | if --dev-node is not specified (Mathias Sundman). |
| 879 | * Resequenced --nice and --chroot ordering so that --nice |
| 880 | occurs first. |
| 881 | * Added --suppress-timestamps flag (Charles Duffy). |
| 882 | * Source code changes to allow compilation by MSVC |
| 883 | (Peter 'Luna' Runestig). |
| 884 | * Added experimental --fast-io flag which optimizes |
| 885 | TUN/TAP/UDP writes on non-Windows systems. |
| 886 | |
| 887 | 2004.08.18 -- Version 2.0-beta11 |
| 888 | |
| 889 | * Added --server, --server-bridge, --client, and |
| 890 | --keepalive helper directives. See client.conf |
| 891 | and server.conf in sample-config-files for sample |
| 892 | configurations which use the new directives. |
| 893 | * On Windows, added --route-method to control |
| 894 | whether IP Helper API or route.exe is used |
| 895 | to add/delete routes. |
| 896 | * On Windows, added a second parameter to |
| 897 | --route-delay to control the maximum time period |
| 898 | to wait for the TAP-Win32 adapter to come up |
| 899 | before adding routes. |
| 900 | * Fixed bug in Windows version where configurations |
| 901 | which omit --ifconfig might fail to recognize when |
| 902 | the TAP adapter is up. |
| 903 | * Proxy connection failures will now retry according |
| 904 | to the --connect-retry parameter. |
| 905 | * Fixed --dev null handling on Windows so that TLS |
| 906 | loopback test described in INSTALL file works |
| 907 | correctly on Windows. |
| 908 | * Added "Initialization Sequence Completed" message |
| 909 | after all initialization steps have been completed |
| 910 | and the VPN can be considered "up". |
| 911 | * Better sanity-checking on --ifconfig-pool parameters. |
| 912 | * Added --tcp-queue-limit option to control |
| 913 | TUN/TAP -> TCP socket overflow. |
| 914 | * --ifconfig-nowarn flag will now silence general |
| 915 | warnings about possible --ifconfig address |
| 916 | conflicts, including the warning about --ifconfig |
| 917 | and --remote addresses being in same /24 subnet. |
| 918 | * Fixed case where server mode did not correctly |
| 919 | identify certain types of ethernet multicast packets |
| 920 | (Marcel de Kogel). |
| 921 | * Added --explicit-exit-notify option (experimental). |
| 922 | |
| 923 | 2004.08.02 -- Version 2.0-beta10 |
| 924 | |
| 925 | * Fixed possible reference after free of option strings |
| 926 | after a restart, bug was introduced in beta8. |
| 927 | * Fixed segfault at route.c:919 in the beta9 |
| 928 | Windows version that was being caused by indirection |
| 929 | through a NULL pointer. |
| 930 | * Mistakenly built debug version of TAP-Win32 driver |
| 931 | for beta9. Beta10 has correct release build. |
| 932 | |
| 933 | 2004.07.30 -- Version 2.0-beta9 |
| 934 | |
| 935 | * Fixed --route issue on Windows that was introduced with |
| 936 | the new beta8 route implementation based on the |
| 937 | IP Helper API. |
| 938 | |
| 939 | 2004.07.27 -- Version 2.0-beta8 |
| 940 | |
| 941 | * Added TCP support in server mode. |
| 942 | * Added PKCS #12 support (Mathias Sundman). |
| 943 | * Added patch to make revoke-crt and make-crl work |
| 944 | seamlessly within the easy-rsa environment (Jan Kiszka). |
| 945 | * Modified --mode server ethernet bridge code to forward |
| 946 | special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX. |
| 947 | * Added --dhcp-renew and --dhcp-release flags to Windows |
| 948 | version. Normally DHCP renewal and release on the TAP |
| 949 | adapter occurs automatically under Windows, however |
| 950 | if you set the TAP-Win32 adapter Media Status property |
| 951 | to "Always Connected", you may need these flags. |
| 952 | * Added --show-net standalone flag to Windows version to |
| 953 | show OpenVPN's view of the system adapter and routing |
| 954 | tables. |
| 955 | * Added --show-net-up flag to Windows version to output |
| 956 | the system routing table and network adapter list to |
| 957 | the log file after the TAP-Win32 adapter has been brought |
| 958 | up and any routes have been added. |
| 959 | * Modified Windows version to add routes using the IP Helper |
| 960 | API rather than by calling route.exe. |
| 961 | * Fixed bug where --route-up script was not being called |
| 962 | if no --route options were specified. |
| 963 | * Added --mute-replay-warnings to suppress packet replay |
| 964 | warnings. This is a common false alarm on WiFi nets. |
| 965 | * Added "def1" flag to --redirect-gateway option to override |
| 966 | the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 |
| 967 | rather than 0.0.0.0/0. This has the benefit of overriding |
| 968 | but not wiping out the original default gateway. |
| 969 | (Thanks to Jim Carter for pointing out this idea). |
| 970 | * You can now run OpenVPN with a single config file argument. |
| 971 | For example, you can now say "openvpn config.conf" |
| 972 | rather than "openvpn --config config.conf". |
| 973 | * On Windows, made --route and --route-delay more adaptive |
| 974 | with respect to waiting for interfaces referenced by the |
| 975 | route destination to come up. Routes added by --route |
| 976 | should now be added as soon as the interface comes up, |
| 977 | rather than after an obligatory 10 second delay. The |
| 978 | way this works internally is that --route-delay now |
| 979 | defaults to 0 on Windows. Previous versions would |
| 980 | wait for --route-delay seconds then add the routes. |
| 981 | This version will wait --route-delay seconds and then |
| 982 | test the routing table at one second intervals for the |
| 983 | next 30 seconds and will not add the routes until they |
| 984 | can be added without errors. |
| 985 | * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by |
| 986 | default on TCP/UDP socket in light of reports that this |
| 987 | action can have undesirable global side effects on the |
| 988 | MTU settings of other adapters. These parameters can |
| 989 | still be set, but you need to explicitly specify |
| 990 | --sndbuf and/or --rcvbuf. |
| 991 | * Added --max-clients option to limit the maximum number |
| 992 | of simultaneously connected clients in server mode. |
| 993 | * Added error message to illuminate shell escape gotcha when |
| 994 | single backslashes are used in Windows path names. |
| 995 | * Added optional netmask parm to --ifconfig-pool. |
| 996 | * Fixed bug where http-proxy connect retry attempts were |
| 997 | incorrectly going to the remote OpenVPN server, |
| 998 | not to the HTTP proxy server. |
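The "def1" entry above relies on longest-prefix matching: 0.0.0.0/1 and 128.0.0.0/1 together cover every destination and are each more specific than 0.0.0.0/0, so they win without the original default route being touched. The following added example (not OpenVPN's code) is a small route table with longest-prefix lookup that demonstrates this and the clean restoration when the VPN routes are withdrawn; the gateway labels and addresses are constructed, and the host route to the VPN server via the old gateway is an assumption here, not something this entry states.

```c
/* Added example (not OpenVPN's code): longest-prefix-match route table
 * showing why "--redirect-gateway def1" overrides but does not wipe out
 * the original default gateway. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES 8

struct route {
    uint32_t prefix;   /* network address, host byte order */
    int len;           /* prefix length 0..32 */
    const char *gw;    /* label for the next hop */
};

struct rtable {
    struct route r[MAX_ROUTES];
    int n;
};

static uint32_t mask(int len)
{
    return len == 0 ? 0u : 0xffffffffu << (32 - len);
}

/* Parse a dotted quad into a host-order integer; returns 0 on bad input. */
static int parse_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

int route_add(struct rtable *t, const char *net, int len, const char *gw)
{
    uint32_t p;
    if (t->n >= MAX_ROUTES || len < 0 || len > 32 || !parse_ip(net, &p))
        return 0;
    t->r[t->n].prefix = p & mask(len);
    t->r[t->n].len = len;
    t->r[t->n].gw = gw;
    t->n++;
    return 1;
}

/* Remove every route via the given gateway (VPN teardown). */
void route_del_gw(struct rtable *t, const char *gw)
{
    int i, j = 0;
    for (i = 0; i < t->n; i++)
        if (strcmp(t->r[i].gw, gw) != 0)
            t->r[j++] = t->r[i];
    t->n = j;
}

/* Longest-prefix match: the most specific matching route wins. */
const char *route_lookup(const struct rtable *t, const char *dst)
{
    uint32_t d;
    const char *best = NULL;
    int bestlen = -1, i;
    if (!parse_ip(dst, &d))
        return NULL;
    for (i = 0; i < t->n; i++) {
        if ((d & mask(t->r[i].len)) == t->r[i].prefix && t->r[i].len > bestlen) {
            bestlen = t->r[i].len;
            best = t->r[i].gw;
        }
    }
    return best;
}

/* Table as it looks after a def1 redirect (constructed addresses): the LAN
 * default stays, the VPN adds the two covering /1 routes, and a host route
 * keeps traffic to the VPN server itself on the LAN (assumed here). */
void setup_def1(struct rtable *t)
{
    t->n = 0;
    route_add(t, "0.0.0.0", 0, "lan-gw");
    route_add(t, "0.0.0.0", 1, "vpn");
    route_add(t, "128.0.0.0", 1, "vpn");
    route_add(t, "203.0.113.10", 32, "lan-gw");  /* VPN server, RFC 5737 range */
}
```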
| 999 | |
| 1000 | 2004.06.29 -- Version 2.0-beta7 |
| 1001 | |
| 1002 | * Fixed bug in link_socket_verify_incoming_addr() which |
| 1003 | under certain circumstances could have caused --float |
| 1004 | behavior even if --float was not specified. |
| 1005 | * --tls-auth option now works with --mode server. |
| 1006 | All clients and the server should use the same |
| 1007 | --tls-auth key when operating in client/server mode. |
| 1008 | * Added --engine option to make use of OpenSSL-supported |
| 1009 | crypto acceleration hardware. |
| 1010 | * Fixed some high verbosity print format size issues |
| 1011 | in event.c for 64 bit platforms (Janne Johansson). |
| 1012 | * Made failure to open --log or --log-append file |
| 1013 | a non-fatal error. |
| 1014 | |
| 1015 | 2004.06.23 -- Version 2.0-beta6 |
| 1016 | |
| 1017 | * Fixed Windows installer to intelligently put |
| 1018 | up a reboot dialog only if tapinstall tells |
| 1019 | us that it's really necessary. |
| 1020 | * Fixed "Assertion failed at fragment.c:309" |
| 1021 | bug when --mode server and --fragment are used |
| 1022 | together. |
| 1023 | * Ignore HUP, USR1, and USR2 signals during |
| 1024 | initialization. Prior versions would abort. |
| 1025 | * Fixed bug on OS X: "Assertion failed at event.c:406". |
| 1026 | * Added --service option to Windows version, for use |
| 1027 | when OpenVPN is being programmatically instantiated |
| 1028 | by another process (see man page for info). |
| 1029 | * --log and --log-append options now work on Windows. |
| 1030 | * Update OpenBSD INSTALL notes (Janne Johansson). |
| 1031 | * Enable multicast on tun interface when running on |
| 1032 | OpenBSD (Pavlin Radoslavov). |
| 1033 | * Fixed recent --test-crypto breakage, where options |
| 1034 | such as --cipher were not being parsed correctly. |
| 1035 | * Modified options compatibility string by removing |
| 1036 | ifconfig substring if it is empty. Incremented |
| 1037 | options compatibility string version number to 4. |
| 1038 | * Fixed typo in --tls-timeout option parsing |
| 1039 | (Mikael Lonnroth). |
| 1040 | |
| 1041 | 2004.06.13 -- Version 2.0-beta5 |
| 1042 | |
| 1043 | * Fixed rare --mode server crash that could occur |
| 1044 | if data was being routed to a client at |
| 1045 | high bandwidth at the precise moment that the |
| 1046 | client instance object on the server was being |
| 1047 | deleted. |
| 1048 | * Fixed issue on machines which have epoll.h and |
| 1049 | the epoll_create glibc call defined, but which |
| 1050 | don't actually implement epoll in the kernel. |
| 1051 | OpenVPN will now gracefully fall back to the |
| 1052 | poll API in this case. |
| 1053 | * Fixed Windows bug which would cause the following |
| 1054 | error in a --mode server --dev tap configuration: |
| 1055 | "resource limit WSA_MAXIMUM_WAIT_EVENTS has been |
| 1056 | exceeded". |
| 1057 | * Added CRL (certificate revocation list) management |
| 1058 | scripts to easy-rsa directory (Jon Bendtsen). |
| 1059 | * Do a better job of getting the ifconfig component |
| 1060 | of the options consistency check to work correctly |
| 1061 | when --up-delay is used. |
| 1062 | * De-inlined some functions which were too complex |
| 1063 | to be inlined anyway with gcc. |
| 1064 | * If a --dhcp-option option is pushed to a non-windows |
| 1065 | client, the option will be saved in the client's |
| 1066 | environment before the --up script is called, under |
| 1067 | the name "foreign_option_{n}". |
| 1068 | * Added --learn-address script (see man page) which |
| 1069 | allows for firewall access through the VPN to be |
| 1070 | controlled based on the client common name. |
| 1071 | In --mode server, when a client connects to |
| 1072 | the server, the server will disconnect any |
| 1073 | still-active clients which use the same common |
| 1074 | name. Use --duplicate-cn flag to revert to |
| 1075 | previous behavior of allowing multiple clients |
| 1076 | to concurrently connect with the same common name. |
| 1077 | |
| 1078 | 2004.06.08 -- Version 2.0-beta4 |
| 1079 | |
| 1080 | * Fixed issue with beta3 where Win32 service wrapper |
| 1081 | was keying off of old TAP HWID as a dependency. To |
| 1082 | ensure that the new service wrapper is correctly |
| 1083 | installed, the Windows install script will uninstall |
| 1084 | the old wrapper before installing the new one, |
| 1085 | causing a reset of service properties. |
| 1086 | * Fixed permissions issue on --status output file, |
| 1087 | with default access permissions of owner read/write |
| 1088 | only (default permissions can be changed of course with |
| 1089 | chmod). |
| 1090 | |
| 1091 | 2004.06.05 -- Version 2.0-beta3 |
| 1092 | |
| 1093 | * More changes to TAP-Win32 driver's INF file which |
| 1094 | affects the placement of the driver in the Windows |
| 1095 | device namespace. This is done to work around an |
| 1096 | apparent bug in Windows when short HWIDs are used, |
| 1097 | and will also ease the upgrade from 1.x to 2.0 by |
| 1098 | reducing the chances that a reboot will be needed |
| 1099 | on upgrade. Like beta2, this upgrade will |
| 1100 | delete existing TAP-Win32 interfaces, and reinstall |
| 1101 | a single new interface with default properties. |
| 1102 | * Major rewrite of I/O event wait layer in the style |
| 1103 | of libevent. This is a precursor to TCP support |
| 1104 | in --mode server. |
| 1105 | * New feature: --status. Outputs a SIGUSR2-like |
| 1106 | status summary to a given file, updated once |
| 1107 | per n seconds. The status file is comma delimited |
| 1108 | for easy machine parsing. |
| 1109 | * --ifconfig-pool now remembers common names and |
| 1110 | will try to assign a consistent IP to a given |
| 1111 | common name. Still to do: persist --ifconfig-pool |
| 1112 | memory across restarts by saving state in file. |
| 1113 | * Fixed bug in event timer queue which could cause |
| 1114 | recurring timer events such as --ping to not |
| 1115 | correctly schedule again after firing. This in |
| 1116 | turn would cause spurious ping restarts and possible |
| 1117 | connection outages. Thanks to Denis Vlasenko for |
| 1118 | tracking this down. |
| 1119 | * Possible fix to reported bug where --daemon argument |
| 1120 | was not printing to syslog correctly after restart. |
| 1121 | * Fixed bug where pulling --route or --dhcp-option |
| 1122 | directives from a server would problematically |
| 1123 | interact with --persist-tun on the client. |
| 1124 | * Updated contrib/multilevel-init.patch (Farkas Levente). |
| 1125 | * Added RPM build option to .spec and .spec.in files |
| 1126 | to optionally disable LZO inclusion (Ian Pilcher). |
| 1127 | * The latest MingW runtime and headers define |
| 1128 | 'ssize_t', so a patch is needed (Gisle Vanem). |
| 1129 | |
| 1130 | 2004.05.14 -- Version 2.0-beta2 |
| 1131 | |
| 1132 | * Fixed signal handling bug in --mode server, where |
| 1133 | SIGHUP and SIGUSR1 were treated as SIGTERM. |
| 1134 | * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV". |
| 1135 | Apparently the larger string may work around |
| 1136 | a problem where the TAP adapter is sometimes missing |
| 1137 | from the network connections panel, especially under |
| 1138 | XP SP2. Also note that installing this upgrade will |
| 1139 | uninstall any pre-existing TAP-Win32 adapters, and then |
| 1140 | install a single new adapter, meaning that old adapter |
| 1141 | properties will be lost. Thanks to Md5Chap for solving |
| 1142 | this one. |
| 1143 | * For --mode server --dev tap, the options --ifconfig and |
| 1144 | --ifconfig-pool are now optional. This allows address |
| 1145 | assignment via DHCP or use of a TAP VPN without |
| 1146 | IP support, as has always been possible with 1.x. |
| 1147 | * Fixed bug where --ifconfig may not work correctly on |
| 1148 | Linux 2.2. |
| 1149 | * Added 'local' flag to --redirect-gateway for use on |
| 1150 | networks where both OpenVPN daemons are connected |
| 1151 | to a shared subnet, such as wireless. |
| 1152 | |
| 1153 | 2004.05.09 -- Version 2.0-beta1 |
| 1154 | |
| 1155 | * Unchanged from test29 except for version number |
| 1156 | upgrade. |
| 1157 | |
| 1158 | 2004.05.08 -- Version 2.0-test29 |
| 1159 | |
| 1160 | * Modified --dev-node on Windows to accept a TAP-Win32 |
| 1161 | GUID name. In addition, --show-adapters will now |
| 1162 | display the high-level name and GUID of each adapter. |
| 1163 | This is an attempt to work around an issue in Windows |
| 1164 | where sometimes the TAP-Win32 adapter installs correctly |
| 1165 | but has no icon in the network connections control |
| 1166 | panel. In such cases, being able to specify |
| 1167 | --dev-node {TAP-GUID} can work around the missing icon. |
| 1168 | |
| 1169 | 2004.05.07 -- Version 2.0-test28 |
| 1170 | |
| 1171 | * Fixed bug which could cause segfault on program |
| 1172 | shutdown if --route and --persist-tun are used |
| 1173 | together. |
| 1174 | |
| 1175 | 2004.05.06 -- Version 2.0-test27 |
| 1176 | |
| 1177 | * Fixed bug in close_instance() which might cause |
| 1178 | memory to be accessed after it had already been freed. |
| 1179 | * Fixed bug in verify_callback() that might have |
| 1180 | caused uninitialized data to be referenced. |
| 1181 | * --iroute now allows full CIDR subnet routing. |
| 1182 | * In "--mode server --dev tun" usage, source addresses |
| 1183 | on VPN packets coming from a particular client must |
| 1184 | be associated with that client in the OpenVPN internal |
| 1185 | routing table. |
| 1186 | |
| 1187 | 2004.04.28 -- Version 2.0-test26 |
| 1188 | |
| 1189 | * Optimized broadcast path in multi-client mode. |
| 1190 | * Added socket buffer size options --rcvbuf & --sndbuf. |
| 1191 | * Configure Linux tun/tap driver to use a more sensible |
| 1192 | txqueuelen default. Also allow explicit setting |
| 1193 | via --txqueuelen option (Harald Roelle). |
| 1194 | * The --remote option now allows the port number |
| 1195 | to be specified as the second parameter. If |
| 1196 | unspecified, the port number defaults to the |
| 1197 | --rport value. |
| 1198 | * Multiple --remote options on the client can now be |
| 1199 | specified for load balancing and failover. The |
| 1200 | --remote-random flag can be used to initially randomize |
| 1201 | the --remote list for basic load balancing. |
| 1202 | * If a remote DNS name resolves to multiple DNS addresses, |
| 1203 | one will be chosen at random as a kind of basic |
| 1204 | load-balancing feature if --remote-random is used. |
| 1205 | * Added --connect-freq option to control maximum |
| 1206 | new connection frequency in multi-client mode. |
| 1207 | * In multi-client mode, all syslog messages associated |
| 1208 | with a specific client now include a client-ID prefix. |
| 1209 | * For Windows, use a gettimeofday() function based |
| 1210 | on QueryPerformanceCounter (Derek Burdick). |
| 1211 | * Fixed bug in interaction between --key-method 2 |
| 1212 | and DES ciphers, where dynamic keys would be generated |
| 1213 | with bad parity and then be rejected. |
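The DES parity entry above, as an added example that is not OpenVPN's code: each byte of a DES key carries a parity bit in its low position and must have odd parity overall, so key bytes taken straight from random key material fail the check in roughly half the positions and a strict DES implementation rejects the key. The functions below check a key and apply the usual fix of forcing odd parity; names and the sample keys are constructed here.

```c
/* Added example (not OpenVPN's code): DES key parity check and fix.
 * A DES key byte has odd parity when its total number of set bits is odd;
 * the low bit exists only to make that true. */
#include <stddef.h>
#include <stdint.h>

/* Number of set bits among the top seven bits of b. */
static int popcount7(uint8_t b)
{
    int n = 0;
    b >>= 1;                      /* ignore the parity bit itself */
    while (b) {
        n += b & 1;
        b >>= 1;
    }
    return n;
}

/* Return b with its low bit chosen so the whole byte has odd parity. */
uint8_t des_set_odd_parity(uint8_t b)
{
    uint8_t top = b & 0xfe;
    return (popcount7(top) % 2 == 0) ? (uint8_t)(top | 1) : top;
}

/* 1 if every byte of the len-byte key already has odd parity, else 0.
 * This is the test a strict DES implementation applies before use. */
int des_check_key_parity(const uint8_t *key, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (des_set_odd_parity(key[i]) != key[i])
            return 0;
    return 1;
}

/* Fix parity in place after deriving key material from random bytes.
 * Returns how many bytes had to be corrected. */
int des_fix_key_parity(uint8_t *key, size_t len)
{
    int fixed = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        uint8_t p = des_set_odd_parity(key[i]);
        if (p != key[i]) {
            key[i] = p;
            fixed++;
        }
    }
    return fixed;
}
```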
| 1214 | |
| 1215 | 2004.04.17 -- Version 2.0-test24 |
| 1216 | |
| 1217 | * Reworked multi-client broadcast handling. |
| 1218 | |
| 1219 | 2004.04.13 -- Version 2.0-test23 |
| 1220 | |
| 1221 | * Fixed bug in --dev tun --client-to-client routing. |
| 1222 | * Fixed a potential deadlock in --pull. |
| 1223 | * Fixed a problem with select() usage which could |
| 1224 | cause a repeating sequence of "select : Invalid |
| 1225 | argument (code=22)". |
| 1226 | |
| 1227 | 2004.04.11 -- Version 2.0-test22 |
| 1228 | |
| 1229 | * Fixed bug where --mode server + --daemon was |
| 1230 | prematurely closing syslog connection. |
| 1231 | * Added support for --redirect-gateway on Mac OS X |
| 1232 | (Jeremy Apple). |
| 1233 | * Minor changes to TAP-Win32 driver based on feedback |
| 1234 | from the NDISTest tool. |
| 1235 | |
| 1236 | 2004.04.11 -- Version 2.0-test21 |
| 1237 | |
| 1238 | * Optimizations in multi-client server event loop. |
| 1239 | |
| 1240 | 2004.04.10 -- Version 2.0-test20 |
| 1241 | |
| 1242 | * --mode server capability now works with either tun |
| 1243 | or tap interfaces. When used with tap interfaces, |
| 1244 | OpenVPN will internally bridge all client tap |
| 1245 | interfaces with the server tap interface. |
| 1246 | * Connecting clients can now have a client-specific |
| 1247 | configuration on the server, based on the client |
| 1248 | common name embedded in the client certificate. |
| 1249 | See --client-config-dir and --client-connect. |
| 1250 | These options can be used to configure client-specific |
| 1251 | routes. |
| 1252 | * Added an option --client-to-client that enables |
| 1253 | internal client-to-client routing or bridging. |
| 1254 | Otherwise, clients will only "see" the server, |
| 1255 | not other connected clients. |
| 1256 | * Fixed bug in route scheduling which would have caused |
| 1257 | --mode server to not work on Windows in test18 |
| 1258 | and test19 with the sample config file. |
| 1259 | * Man page is up to date with all new options. |
| 1260 | * OpenVPN 2.0 release notes on web site updated |
| 1261 | with tap-style tunnel examples. |
| 1262 | |
| 1263 | 2004.04.02 -- Version 2.0-test19 |
| 1264 | |
| 1265 | * Fixed bug where routes pushed from server were |
| 1266 | not working correctly on Windows clients. |
| 1267 | * Added Mac OS X route patch (Jeremy Apple). |
| 1268 | |
| 1269 | 2004.03.30 -- Version 2.0-test18 |
| 1270 | |
| 1271 | * Minor fixes + Windows self-install modified |
| 1272 | to use OpenSSL 0.9.7d. |
| 1273 | |
| 1274 | 2004.03.29 -- Version 2.0-test17 |
| 1275 | |
| 1276 | * Fixed some bugs related to instance timeout and deletion. |
| 1277 | * Extended --push/--pull option to support additional |
| 1278 | option classes. |
| 1279 | |
| 1280 | 2004.03.28 -- Version 2.0-test16 |
| 1281 | |
| 1282 | * Successful test of --mode udp-server, --push, |
| 1283 | --pull, and --ifconfig-pool with server on |
| 1284 | Linux 2.4 and clients on Linux and Windows. |
| 1285 | |
| 1286 | 2004.03.25 -- Version 2.0-test15 |
| 1287 | |
| 1288 | * Implemented hash-table lookup of client instances |
| 1289 | based either on remote UDP address/port or remote |
| 1290 | ifconfig endpoint. |
| 1291 | * Implemented a randomized binary tree based |
| 1292 | scheduler for scalably scheduling a large number |
| 1293 | of client instance events. Uses the treap |
| 1294 | data structure and node rotation algorithm |
| 1295 | to keep the tree balanced. |
| 1296 | * Initial implementation of ifconfig-pool. |
| 1297 | * Made --key-method 2 the default. |
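
The treap scheduler described above, as an added C example that is not OpenVPN's own code: events are kept in a binary search tree ordered on wakeup time, each node carries a random heap priority, and the same rotations that keep the tree balanced on insert also move a node down to a leaf when a client instance is deleted or rescheduled. All identifiers (sched_node, sched_add, sched_cancel, sched_pop_due) are hypothetical.

```c
/* Treap event scheduler (illustrative, not OpenVPN's code; all names hypothetical): a BST
 * ordered on (wakeup, client_id) that is also a min-heap on a random priority, O(log n) expected. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct sched_node {
    uint64_t wakeup;                 /* absolute wakeup time: the BST key */
    uint32_t client_id;              /* tie-breaker; assumed unique per client */
    uint32_t pri;                    /* random heap priority: smaller = nearer the root */
    struct sched_node *left, *right;
};
struct scheduler { struct sched_node *root; uint32_t rng; /* LCG state for priorities */ };
static uint32_t sched_rand(struct scheduler *s) { return s->rng = s->rng * 1664525u + 1013904223u; }
/* Strict total order on (wakeup, client_id) so that lookups are deterministic. */
static bool key_less(uint64_t aw, uint32_t ac, uint64_t bw, uint32_t bc)
{ return aw < bw || (aw == bw && ac < bc); }
/* Rotations keep the in-order (BST) sequence and swap parent/child heap positions. */
static struct sched_node *rotate_right(struct sched_node *n)
{ struct sched_node *l = n->left; n->left = l->right; l->right = n; return l; }
static struct sched_node *rotate_left(struct sched_node *n)
{ struct sched_node *r = n->right; n->right = r->left; r->left = n; return r; }
static struct sched_node *insert_rec(struct sched_node *n, struct sched_node *nn)
{
    if (!n) return nn;
    if (key_less(nn->wakeup, nn->client_id, n->wakeup, n->client_id)) {
        n->left = insert_rec(n->left, nn);
        if (n->left->pri < n->pri) n = rotate_right(n);   /* restore heap order */
    } else {
        n->right = insert_rec(n->right, nn);
        if (n->right->pri < n->pri) n = rotate_left(n);
    }
    return n;
}

/* Rotate the matching node down until it has at most one child, then splice it out. */
static struct sched_node *remove_rec(struct sched_node *n, uint64_t w, uint32_t cid, struct sched_node **out)
{
    if (!n) return NULL;
    if (key_less(w, cid, n->wakeup, n->client_id)) {
        n->left = remove_rec(n->left, w, cid, out);
    } else if (key_less(n->wakeup, n->client_id, w, cid)) {
        n->right = remove_rec(n->right, w, cid, out);
    } else if (!n->left || !n->right) {
        *out = n;
        return n->left ? n->left : n->right;
    } else if (n->left->pri < n->right->pri) {
        n = rotate_right(n);
        n->right = remove_rec(n->right, w, cid, out);
    } else {
        n = rotate_left(n);
        n->left = remove_rec(n->left, w, cid, out);
    }
    return n;
}

bool sched_add(struct scheduler *s, uint32_t client_id, uint64_t wakeup)
{
    struct sched_node *nn = calloc(1, sizeof *nn);
    if (!nn) return false;
    nn->wakeup = wakeup; nn->client_id = client_id; nn->pri = sched_rand(s);
    s->root = insert_rec(s->root, nn);
    return true;
}

/* Cancel a pending event, e.g. when a client instance is deleted or rescheduled. */
bool sched_cancel(struct scheduler *s, uint32_t client_id, uint64_t wakeup)
{
    struct sched_node *gone = NULL;
    s->root = remove_rec(s->root, wakeup, client_id, &gone);
    bool found = gone != NULL; free(gone);
    return found;
}

/* Pop the earliest event if it is due by `now`; the leftmost node is the earliest. */
bool sched_pop_due(struct scheduler *s, uint64_t now, uint32_t *client_id)
{
    struct sched_node *n = s->root;
    if (!n) return false;
    while (n->left) n = n->left;
    if (n->wakeup > now) return false;
    *client_id = n->client_id;
    return sched_cancel(s, n->client_id, n->wakeup);
}

/* Constructed scenario: six clients added out of order must pop back in wakeup order. */
int sched_selftest(void)
{
    struct scheduler s = { NULL, 12345u };
    const uint64_t wake[] = { 50, 10, 40, 10, 30, 20 };
    uint32_t id, got = 0; uint64_t last = 0;
    for (uint32_t i = 0; i < 6; i++) sched_add(&s, i + 1, wake[i]);
    if (!sched_cancel(&s, 3, 40)) return 0;     /* client 3 disconnects early */
    if (sched_pop_due(&s, 5, &id)) return 0;    /* nothing is due yet at t=5 */
    while (sched_pop_due(&s, 100, &id)) {
        if (id == 3 || wake[id - 1] < last) return 0;
        last = wake[id - 1]; got++;
    }
    return got == 5;
}
```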
| 1298 | |
| 1299 | 2004.03.20 -- Version 2.0-test14 |
| 1300 | |
| 1301 | * Implemented --push and --pull. |
| 1302 | |
| 1303 | 2004.03.20 -- Version 2.0-test13 |
| 1304 | |
| 1305 | * Reduced struct tls_multi and --single-session |
| 1306 | memory footprint. |
| 1307 | * Modified --single-session flag to be used |
| 1308 | in multi-client UDP server client instances. |
| 1309 | |
| 1310 | 2004.03.19 -- Version 2.0-test12 |
| 1311 | |
| 1312 | * Added the key multi-client UDP server options, |
| 1313 | --mode, --push, --pull, and --ifconfig-pool. |
| 1314 | * Revamped GC (garbage collection) code to not rely |
| 1315 | on any global data. |
| 1316 | * Modifications to thread.[ch] to allow a more |
| 1317 | flexible thread model. |
| 1318 | |
| 1319 | 2004.03.16 -- Version 2.0-test11 |
| 1320 | |
| 1321 | * Moved all timer code to interval.h, added new file |
| 1322 | interval.c. |
| 1323 | * Fixed missing include. |
| 1324 | |
| 1325 | 2004.03.16 -- Version 2.0-test10 |
| 1326 | |
| 1327 | * More TAP-Win32 fixes. |
| 1328 | * Initial debugging and testing of multi.[ch]. |
| 1329 | |
| 1330 | 2004.03.14 -- Version 2.0-test9 |
| 1331 | |
| 1332 | * Branch merge with 1.6-rc3. |
| 1333 | * More point-to-multipoint work in multi.[ch]. |
| 1334 | * Major TAP-Win32 driver restructuring to use |
| 1335 | NdisMRegisterDevice instead of |
| 1336 | IoCreateDevice/IoCreateSymbolicLink. |
| 1337 | * Changed TAP-Win32 symbolic links to use \DosDevices\Global\ |
| 1338 | pathname prefix. |
| 1339 | * In the majority of cases, TAP-Win32 should now be |
| 1340 | able to install and uninstall on Win2K without requiring |
| 1341 | a reboot. |
| 1342 | * TAP-Win32 MAC address can now be explicitly set in the |
| 1343 | adapter advanced properties page. |
| 1344 | |
| 1345 | 2004.03.04 -- Version 2.0-test8 |
| 1346 | |
| 1347 | * Branch merge with 1.6-rc2. |
| 1348 | |
| 1349 | 2004.03.03 -- Version 2.0-test7 |
| 1350 | |
| 1351 | * Branch merge with 1.6-rc1.2. |
| 1352 | |
| 1353 | 2004.03.02 -- Version 2.0-test6 |
| 1354 | |
| 1355 | * Branch merge with 1.6-rc1. |
| 1356 | |
| 1357 | 2004.03.02 -- Version 2.0-test5 |
| 1358 | |
| 1359 | * Moved Socks5 UDP header append/remove to socks.c; it is |
| 1360 | now called from forward.c. |
| 1361 | * Moved verify statics from ssl.c into struct tls_session. |
| 1362 | * Wrote multi.[ch] to handle top level of point-to-multipoint |
| 1363 | mode. |
| 1364 | * Wrote some code to allow a struct link_socket in a child context |
| 1365 | to be slaved to the parent context. |
| 1366 | * Broke up packet read and process functions in forward.c |
| 1367 | (from socket or tuntap) into separate functions for read |
| 1368 | and process, so that point-to-point and point-to-multipoint can |
| 1369 | share the same code. |
| 1370 | * Expand TLS control channel to allow the passing of configuration |
| 1371 | commands. |
| 1372 | * Wrote mroute.[ch] to handle internal packet routing for |
| 1373 | point-to-multipoint mode. |
| 1374 | |
| 1375 | 2004.02.22 -- Version 2.0-test3 |
| 1376 | |
| 1377 | * Initial work on UDP multi-client server. |
| 1378 | * Branch merge of 1.6-beta7. |
| 1379 | |
| 1380 | 2004.02.14 -- Version 2.0-test2 |
| 1381 | |
| 1382 | * Refactorization of openvpn.c into openvpn.[ch] |
| 1383 | init.[ch] forward.[ch] forward-inline.h |
| 1384 | occ.[ch] occ-inline.h ping.[ch] ping-inline.h |
| 1385 | sig.[ch]. Created a master per-tunnel |
| 1386 | struct context in openvpn.h. |
| 1387 | * Branch merge of 1.6-beta6.2. |
| 1388 | |
| 1389 | 2003.11.06 -- Version 2.0-test1 |
| 1390 | |
| 1391 | * Initial testbed for 2.0. |
| 1392 | |
| 1393 | 2004.05.09 -- Version 1.6.0 |
| 1394 | |
| 1395 | * Unchanged from 1.6-rc4 except for version number |
| 1396 | upgrade. |
| 1397 | |
| 1398 | 2004.04.01 -- Version 1.6-rc4 |
| 1399 | |
| 1400 | * Made minor customizations to devcon and |
| 1401 | renamed as tapinstall.exe for Windows version. |
| 1402 | * Fixed "storage size of `iv' isn't known" build |
| 1403 | problem on FreeBSD. |
| 1404 | * OpenSSL 0.9.7d bundled with Windows self-install. |
| 1405 | |
| 1406 | 2004.03.13 -- Version 1.6-rc3 |
| 1407 | |
| 1408 | * Minor Windows fixes for --ip-win32 dynamic, relating to |
| 1409 | the way the TAP-Win32 driver responds to a DHCP request |
| 1410 | from the Windows DHCP client. |
| 1411 | * The net_gateway environmental variable wasn't being |
| 1412 | set correctly for called scripts (Paul Zuber). |
| 1413 | * Added code to determine the default gateway on FreeBSD, |
| 1414 | allowing the --redirect-gateway option to work |
| 1415 | (Juan Rodriguez Hervella). |
| 1416 | |
| 1417 | 2004.03.04 -- Version 1.6-rc2 |
| 1418 | |
| 1419 | * Fixed bug in Windows version where the NetBIOS node-type |
| 1420 | DHCP option might have been passed even if it was not |
| 1421 | specified. |
| 1422 | * Fixed bug in Windows version introduced in 1.6-rc1, where |
| 1423 | DHCP timeout would be set to 0 seconds if --ifconfig option |
| 1424 | was used and --ip-win32 option was not explicitly specified. |
| 1425 | * Added some new --dhcp-option types for Windows version. |
| 1426 | |
| 1427 | 2004.03.02 -- Version 1.6-rc1 |
| 1428 | |
| 1429 | * For Windows, make "--ip-win32 dynamic" the default. |
| 1430 | * For Windows, make "--route-delay 10" the default |
| 1431 | when --ip-win32 dynamic is in use and --route-delay |
| 1432 | is not explicitly specified. |
| 1433 | * L_TLS mutex could have been left in a locked state |
| 1434 | for certain kinds of TLS errors. |
| 1435 | |
| 1436 | 2004.02.22 -- Version 1.6-beta7 |
| 1437 | |
| 1438 | * Allow scheduling priority increase (--nice) together |
| 1439 | with UID/GID downgrade (--user/--group). |
| 1440 | * Code that causes SIGUSR1 restart on TLS errors in TCP |
| 1441 | mode was not activated in pthread builds. |
| 1442 | * Save the certificate serial number in an environmental |
| 1443 | variable called tls_serial_{n} prior to calling the |
| 1444 | --tls-verify script. n is the current cert chain level. |
| 1445 | * Added NetBSD IPv6 tunnel capability (also requires |
| 1446 | a kernel patch) (Horst Laschinsky). |
| 1447 | * Fixed bug in checking the return value of the nice() |
| 1448 | function (Ian Pilcher). |
| 1449 | * Bug fix in new FreeBSD IPv6 over TUN code which was |
| 1450 | originally added in 1.6-beta5 (Nathanael Rensen). |
| 1451 | * More Socks5 fixes -- extended the struct frame |
| 1452 | infrastructure to accommodate proxy-based encapsulation |
| 1453 | overhead. |
| 1454 | * Added --dhcp-option to Windows version for setting |
| 1455 | adapter properties such as WINS & DNS servers. |
| 1456 | * Use a default route-delay of 5 seconds when |
| 1457 | --ip-win32 dynamic is specified (only applicable when |
| 1458 | --route-delay is not explicitly specified). |
| 1459 | * Added "log_append" registry variable to control |
| 1460 | whether the OpenVPN service wrapper on Windows |
| 1461 | opens log files in append (log_append="1") or |
| 1462 | truncate (log_append="0") mode. The default |
| 1463 | is truncate. |
| 1464 | |
| 1465 | 2004.02.05 -- Version 1.6-beta6 |
| 1466 | |
| 1467 | * UDP over Socks5 fix to accommodate Socks5 encapsulation |
| 1468 | overhead (Christof Meerwald). |
| 1469 | * Minor --ip-win32 dynamic tweaks (use long lease time, |
| 1470 | invalidate existing lease with DHCPNAK). |
| 1471 | |
| 1472 | 2004.02.01 -- Version 1.6-beta5 |
| 1473 | |
| 1474 | * Added Socks5 proxy support (Christof Meerwald). |
| 1475 | * IPv6 tun support for FreeBSD (Thomas Glanzmann). |
| 1476 | * Special TAP-Win32 debug mode for Windows self-install that was |
| 1477 | enabled in beta4 is now turned off. |
| 1478 | * Added some new Solaris notes to INSTALL (Koen Maris). |
| 1479 | * More work on --ip-win32 dynamic. |
| 1480 | |
| 1481 | 2004.01.27 -- Version 1.6-beta4 |
| 1482 | |
| 1483 | * For this beta, the Windows self-install is a debug version |
| 1484 | and will run slower -- use only for testing. |
| 1485 | * Reverted the --ip-win32 default back to 'ipapi' |
| 1486 | from 'dynamic'. |
| 1487 | * Added the offset parameter to '--ip-win32 dynamic' which |
| 1488 | can be used to control the address of the masqueraded |
| 1489 | DHCP server which replies to Windows DHCP requests. |
| 1490 | * Added a wait/nowait option to --inetd (nowait can only |
| 1491 | be used with TCP sockets, TLS authentication, and over |
| 1492 | a bridged configuration -- see FAQ for more info) |
| 1493 | (Stefan `Sec` Zehl). |
| 1494 | * Added a build-time capability where TAP-Win32 driver |
| 1495 | debug messages can be output by OpenVPN at --verb 6 |
| 1496 | or higher. |
| 1497 | |
| 1498 | 2004.01.20 -- Version 1.6-beta2 |
| 1499 | |
| 1500 | * Added ./configure --enable-iproute2 flag which |
| 1501 | uses iproute2 instead of route + ifconfig -- |
| 1502 | this is necessary for the LEAF Linux distro |
| 1503 | (Martin Hejl). |
| 1504 | * Added renewal-time and rebind-time to set of |
| 1505 | DHCP options returned by the TAP-Win32 driver when |
| 1506 | "--ip-win32 dynamic" is used. |
| 1507 | |
| 1508 | 2004.01.14 -- Version 1.6-beta1 |
| 1509 | |
| 1510 | * Fixed --proxy bug that sometimes caused plaintext |
| 1511 | control info generated by the proxy prior to http |
| 1512 | CONNECT method establishment to be incorrectly |
| 1513 | parsed as OpenVPN data. |
| 1514 | * For Windows version, implemented the |
| 1515 | "--ip-win32 dynamic" method and made it the default. |
| 1516 | This method sets the TAP-Win32 adapter IP address |
| 1517 | and netmask by replying to the kernel's DHCP queries. |
| 1518 | See the man page for more detailed info. |
| 1519 | * Added --connect-retry parameter which controls |
| 1520 | the time interval (in seconds) between connect() |
| 1521 | retries when --proto tcp-client is used. Previously, |
| 1522 | this value was hardcoded to 5 seconds, and still |
| 1523 | defaults as such. |
| 1524 | * --resolv-retry can now be used with a parameter |
| 1525 | of "infinite" to retry indefinitely. |
| 1526 | * Added SSL_CTX_use_certificate_chain_file() to ssl.c |
| 1527 | for support of multi-level certificate chains |
| 1528 | (Sten Kalenda). |
| 1529 | * Fixed --tls-auth incompatibility with 1.4.x and earlier |
| 1530 | versions of OpenVPN when the passphrase file is an |
| 1531 | OpenVPN static key file (as generated by --genkey). |
| 1532 | * Added shell-escape support in config files using |
| 1533 | the backslash character ("\") so that (for example) |
| 1534 | double quotes can be passed to the shell. |
| 1535 | * Added "contrib" subdirectory on tarball, source zip, |
| 1536 | and CVS containing user-submitted contributions. |
| 1537 | * Added an optional patch to the Redhat init script to |
| 1538 | allow the configuration file directory to be a |
| 1539 | multi-level directory hierarchy (Farkas Levente). |
| 1540 | See contrib/multilevel-init.patch |
| 1541 | * Added some scripts and documentation on using |
| 1542 | Linux "fwmark" iptables rules to enable |
| 1543 | fine-grained routing control over the VPN |
| 1544 | (Sean Reifschneider, ). |
| 1545 | See contrib/openvpn-fwmarkroute-1.00 |
| 1546 | |
| 1547 | 2003.11.20 -- Version 1.5.0 |
| 1548 | |
| 1549 | * Minor documentation changes. |
| 1550 | |
| 1551 | 2003.11.04 -- Version 1.5-beta14 |
| 1552 | |
| 1553 | * Fixed build problem with ./configure --disable-ssl |
| 1554 | that was reported on Debian woody. |
| 1555 | * Fixed bug where --redirect-gateway could not be used |
| 1556 | together with --resolv-retry. |
| 1557 | |
| 1558 | 2003.11.03 -- Version 1.5-beta13 |
| 1559 | |
| 1560 | * Added CRL (certificate revocation list) capability using |
| 1561 | --crl-verify option (Stefano Bracalenti). |
| 1562 | * Added --replay-window option for variable replay-protection |
| 1563 | window sizes. |
| 1564 | * Fixed --fragment bug which might have caused certain large |
| 1565 | packets to be sent unfragmented. |
| 1566 | * Modified --secret and --tls-auth to permit different cipher and |
| 1567 | HMAC keys to be used for each data flow direction. Also |
| 1568 | increased static key file size generated by --genkey from |
| 1569 | 1024 to 2048 bits, where 512 bits each are reserved for |
| 1570 | send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward |
| 1571 | and backward compatibility is maintained. See --secret option |
| 1572 | documentation on the man page for more info. |
| 1573 | * Added --tls-remote option (Teemu Kiviniemi). |
| 1574 | * Fixed --tls-cipher documentation regarding correct delimiter |
| 1575 | usage (Teemu Kiviniemi). |
| 1576 | * Added --key-method option for selecting alternative data |
| 1577 | channel key negotiation methods. Method 1 is the default. |
| 1578 | Method 2 has been added (see man page for more info). |
| 1579 | * Added French translation of HOWTO to web site |
| 1580 | (Guillaume Lehmann). |
| 1581 | * Fixed problem caused by late resolver library load on |
| 1582 | certain platforms when --resolv-retry and --chroot are |
| 1583 | used together (Teemu Kiviniemi). |
| 1584 | * In TCP mode, all decryption or TLS errors will abort the current |
| 1585 | connection (this is not done in UDP mode because UDP is |
| 1586 | "connectionless"). |
| 1587 | * Fixed a TCP client reconnect bug that only occurs on the |
| 1588 | BSDs, where connect() fails with an invalid argument. This |
| 1589 | bug was partially (but not completely) fixed in beta7. |
| 1590 | * Added "route_net_gateway" environmental variable which contains |
| 1591 | the pre-existing default gateway address from the routing table |
| 1592 | (there's no standard API for getting the default gateway, so |
| 1593 | right now this feature only works on Windows or Linux). |
| 1594 | * Renamed the "route_default_gateway" environmental variable to |
| 1595 | "route_vpn_gateway" -- this is the remote VPN endpoint. |
| 1596 | * The special keywords vpn_gateway, net_gateway, and remote_host |
| 1597 | can now be used for the network or gateway components of the |
| 1598 | --route option. See the man page for more info. |
| 1599 | * Added the --redirect-gateway option to configure the VPN |
| 1600 | as the default gateway (implemented on Linux and Windows only). |
| 1601 | * Added the --http-proxy option with basic authentication |
| 1602 | support for use in TCP client mode. Successfully tested |
| 1603 | using Squid as the HTTP proxy, with and without authentication. |
| 1604 | |
| 1605 | 2003.10.12 -- Version 1.5-beta12 |
| 1606 | |
| 1607 | * Fixed Linux-only bug in --mktun and --rmtun which was |
| 1608 | introduced around beta8 or so, which would cause |
| 1609 | an error such as "I don't recognize device tun0 as a |
| 1610 | tun or tap device1". |
| 1611 | * Added --ifconfig-nowarn option to disable options |
| 1612 | consistency warnings about --ifconfig parameters. |
| 1613 | * Don't allow any kind of sequence number backtracking or |
| 1614 | message reordering when in TCP mode. |
| 1615 | * Changed beta naming convention to use '_' (underscore) |
| 1616 | rather than '-' (dash) to pacify rpmbuild. |
| 1617 | |
| 1618 | 2003.10.08 -- Version 1.5-beta11 |
| 1619 | |
| 1620 | * Modified code in the Windows version which sets the IP address |
| 1621 | and netmask of the TAP-Win32 adapter using the IP Helper API. |
| 1622 | Most of the changes involve better error recovery when |
| 1623 | the IP Helper API returns an error status. See the |
| 1624 | manual page entry on --ip-win32 for more info. |
| 1625 | |
| 1626 | 2003.10.08 -- Version 1.5-beta10 |
| 1627 | |
| 1628 | * Added getpass() function for Windows version so that --askpass |
| 1629 | option works correctly (Stefano Bracalenti). |
| 1630 | * Added reboot advisory to end of Win32 install script. |
| 1631 | * Changed crypto code to use pseudo-random IVs rather than |
| 1632 | carrying forward the IV state from the previous packet. |
| 1633 | This is in response to item 2 in the following document: |
| 1634 | http://www.openssl.org/~bodo/tls-cbc.txt which points |
| 1635 | out weaknesses in TLS's use of the same IV carryforward |
| 1636 | approach. This change does not break protocol compatibility |
| 1637 | with previous versions of OpenVPN. |
| 1638 | * Made a change to the crypto replay protection code to also |
| 1639 | protect against certain kinds of packet reordering attacks. |
| 1640 | This change does not break protocol compatibility with |
| 1641 | previous versions of OpenVPN. |
| 1642 | * Added --ip-win32 option to provide several choices for |
| 1643 | setting the IP address on the TAP-Win32 adapter. |
| 1644 | * #ifdefed out non-CBC crypto modes by default. |
| 1645 | * Added --up-delay option to delay TUN/TAP open and --up script |
| 1646 | execution until after connection establishment. This option |
| 1647 | replaces the earlier windows-only option --tap-delay. |
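
The replay-protection window behind --replay-window (1.5-beta13 above), the reordering hardening noted for 1.5-beta10, and the no-backtracking rule for TCP mode (1.5-beta12), as an added C example that is not OpenVPN's own code: a sliding window over the last n sequence numbers rejects duplicates and anything older than the window, while strict mode rejects any sequence number that does not increase. The struct and function names are hypothetical, as is treating sequence number 0 as invalid.

```c
/* Sliding-window replay protection (illustrative, not OpenVPN's code; all names
 * are hypothetical). Each packet carries a 32-bit sequence number; the window
 * remembers which of the last `size` numbers below the highest one were seen. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REPLAY_WINDOW_MAX 1024

struct replay_window {
    uint32_t size;     /* window width in packets (the n of --replay-window n) */
    bool strict;       /* TCP-style: accept only strictly increasing sequence numbers */
    uint32_t max_seq;  /* highest sequence number accepted so far */
    bool seen[REPLAY_WINDOW_MAX];  /* seen[seq % size] valid for seq in (max_seq - size, max_seq] */
};

void replay_init(struct replay_window *w, uint32_t size, bool strict)
{
    memset(w, 0, sizeof *w);
    w->size = size < 1 ? 1 : (size > REPLAY_WINDOW_MAX ? REPLAY_WINDOW_MAX : size);
    w->strict = strict;
}

/* Returns true and records `seq` if it is acceptable; false for a replay,
 * a packet older than the window, or (in strict mode) any reordering. */
bool replay_accept(struct replay_window *w, uint32_t seq)
{
    if (seq == 0) return false;                    /* assumption: 0 is never a valid ID */
    if (seq > w->max_seq) {
        /* Window moves forward: forget the numbers that fall out of it. */
        uint32_t gap = seq - w->max_seq;
        if (gap >= w->size) {
            memset(w->seen, 0, sizeof w->seen);
        } else {
            for (uint32_t s = w->max_seq + 1; s < seq; s++) w->seen[s % w->size] = false;
        }
        w->max_seq = seq;
        w->seen[seq % w->size] = true;
        return true;
    }
    if (w->strict) return false;                   /* TCP mode: no backtracking at all */
    if (w->max_seq - seq >= w->size) return false; /* too old: outside the window */
    if (w->seen[seq % w->size]) return false;      /* already accepted: replay */
    w->seen[seq % w->size] = true;                 /* late but legitimate reordering */
    return true;
}

/* Feed a constructed sequence through a fresh window; returns how many packets pass. */
uint32_t replay_count_accepted(const uint32_t *seqs, size_t n, uint32_t size, bool strict)
{
    struct replay_window w;
    uint32_t accepted = 0;
    replay_init(&w, size, strict);
    for (size_t i = 0; i < n; i++) accepted += replay_accept(&w, seqs[i]);
    return accepted;
}
```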
| 1648 | |
| 1649 | 2003.10.01 -- Version 1.5-beta9 |
| 1650 | |
| 1651 | * Fixed --route-noexec bug where option was not parsed correctly. |
| 1652 | * Complain if --dev tun is specified without --ifconfig on Windows. |
| 1653 | * Fixed bug where TCP connections on windows would sometimes cause |
| 1654 | an assertion failure. |
| 1655 | * Added a new flag to TAP-Win32 advanced properties that allows one |
| 1656 | to set the adapter to be always "connected" even when an OpenVPN |
| 1657 | process doesn't have it open. The default behavior is to report |
| 1658 | a media status of connected only when an OpenVPN process has the |
| 1659 | adapter open. |
| 1660 | * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c |
| 1661 | DLLs in response to an OpenSSL security advisory. |
| 1662 | |
| 1663 | 2003.09.30 -- Version 1.5-beta8 |
| 1664 | |
| 1665 | * Extended the --ifconfig option to work on tap devices as well |
| 1666 | as tun devices. |
| 1667 | * Implemented the --ifconfig option for Windows, by calling the |
| 1668 | netsh tool. |
| 1669 | * By default, do an "arp -d *" on Windows after TAP-Win32 open to |
| 1670 | refresh the MAC cache. This behaviour can be disabled with |
| 1671 | --no-arp-del. |
| 1672 | * On Windows, allow the --dev-node parameter (which specifies |
| 1673 | the name of the TAP-Win32 adapter) to be omitted in cases where |
| 1674 | there is a single TAP-Win32 adapter on the system which can be |
| 1675 | assumed to be the default. |
| 1676 | * Modified the diagnostic --verb 5 debugging level to print 'R' |
| 1677 | for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, |
| 1678 | and 'w' for TUN/TAP write. |
| 1679 | * Conditionalize OpenBSD read_tun and write_tun based on tun or tap |
| 1680 | mode. |
| 1681 | * Added IPv6 tun support to OpenBSD (Thomas Glanzmann). |
| 1682 | * Make the --enable-mtu-dynamic ./configure option enabled by |
| 1683 | default. |
| 1684 | * Deprecated the --mtu-dynamic run-time option, in favor of |
| 1685 | --fragment. |
| 1686 | * DNS names can now be used as --ifconfig parameters. |
| 1687 | * Significant work on TAP-Win32 driver to bring up to SMP standards. |
| 1688 | * On Windows, fixed dangling IRP problem if TAP-Win32 driver is |
| 1689 | unloaded or disabled, while a user-space process has it open. |
| 1690 | * On Windows, if --tun-mtu is not specified, it will be read from |
| 1691 | the TAP-Win32 driver via ioctl. |
| 1692 | * On Windows, added TAP-Win32 driver status info to "F2" keyboard |
| 1693 | signal (only when run from a console window). |
| 1694 | * Added --mssfix option to control TCP MSS size (YANO Hirokuni). |
| 1695 | * Renamed --mtu-dynamic option to --fragment to more accurately |
| 1696 | reflect its function. Fragment accepts a single parameter which |
| 1697 | is the upper limit on acceptable UDP packet size. |
| 1698 | * Changed default --tun-mtu-extra parameter to 32 from 64. |
| 1699 | * Eliminated reference to malloc.o in configure.ac. |
| 1700 | * Added tun device emulation to the TAP-Win32 driver. |
| 1701 | * Added --route and related options. |
| 1702 | * Added init script for SuSE Linux (Frank Plohmann). |
| 1703 | * Extended option consistency check between peers to function |
| 1704 | in all crypto modes, including static-key and cleartext modes. |
| 1705 | Previously only TLS mode was supported. Disable with |
| 1706 | --disable-occ. |
| 1707 | * Overall, increased the amount of configuration option sanity |
| 1708 | checking, especially of networking parameters. |
| 1709 | * Added --mtu-test option for empirical MTU measurement. |
| 1710 | * Added Windows-only option --tap-delay to not set the TAP-Win32 |
| 1711 | adapter media state to 'connected' until TCP/UDP connection |
| 1712 | establishment with peer. |
| 1713 | * Slightly modified --route/--route-delay semantics so that when |
| 1714 | --route is given without --route-delay, routes are added |
| 1715 | immediately after tun/tap device open. When --route-delay is |
| 1716 | specified, routes will be added n seconds after connection |
| 1717 | initiation, where n is the --route-delay parameter (which |
| 1718 | can be set to 0). |
| 1719 | * Made TCP framing error into a non-fatal error that triggers a |
| 1720 | connection reset. |
| 1721 | |
| 1722 | 2003.08.28 -- Version 1.5-beta7 |
| 1723 | |
| 1724 | * Fixed bug that caused OpenVPN not to respond to exit/restart |
| 1725 | signals when --resolv-retry is used and a local or remote DNS |
| 1726 | name cannot be resolved. |
| 1727 | * Exported a series of environmental variables with useful |
| 1728 | info for scripts. See man page for more info. Based |
| 1729 | on a suggestion by Anthony Ciaravalo. |
| 1730 | * Moved TCP/UDP socket bind to a point in the initialization |
| 1731 | before the --up script gets called. This is desirable |
| 1732 | because (a) a socket bind failure will happen before |
| 1733 | daemonization, allowing an error status code to be returned |
| 1734 | to the shell and (b) the possibility is eliminated of a |
| 1735 | socket bind failure causing the --up script to be run |
| 1736 | but not the --down script. This change has a side effect |
| 1737 | that --resolv-retry will no longer work with --local. |
| 1738 | * Fixed bug where if an OpenVPN TCP server went down and back |
| 1739 | up again, Solaris or FreeBSD clients would fail to reconnect |
| 1740 | to it. |
| 1741 | * Fixed bug that prevented OpenVPN from being run by |
| 1742 | inetd/xinetd in TCP mode. |
| 1743 | * Added --log and --log-append options for logging messages to |
| 1744 | a file. |
| 1745 | * On Windows, check that the current user is a member of the |
| 1746 | Administrator group before attempting install or uninstall. |
| 1747 | |
| 1748 | 2003.08.16 -- Version 1.5-beta6 |
| 1749 | |
| 1750 | * Fixed TAP-Win32 driver to properly increment the Rx/Tx count. |
| 1751 | |
| 1752 | 2003.08.14 -- Version 1.5-beta5 |
| 1753 | |
| 1754 | * Added user-configurability of the TAP-Win32 adapter MTU |
| 1755 | through the adapter advanced properties page. |
| 1756 | * Added Windows Service support. |
| 1757 | * On Windows, added file association and right-clickability |
| 1758 | for .ovpn files (OpenVPN config files). |
| 1759 | |
| 1760 | 2003.08.05 -- Version 1.5-beta4 |
| 1761 | |
| 1762 | * Extra refinements and error checking added to Windows |
| 1763 | NSIS install script. |
| 1764 | |
| 1765 | 2003.08.05 -- Version 1.5-beta3 |
| 1766 | |
| 1767 | * Added md5.h include to crypto.c to fix build problem on |
| 1768 | OpenBSD. |
| 1769 | * Created a Win32 installer using NSIS. |
| 1770 | * Removed DelService command from TAP-Win32 INF file. It appears |
| 1771 | to be not necessary and it interfered with the ability to |
| 1772 | uninstall and reinstall the driver without needing to reboot. |
| 1773 | * On Windows version, added "addtap" and "deltapall" batch |
| 1774 | files to add and delete TAP-Win32 adapter instances. |
| 1775 | |
| 1776 | 2003.07.31 -- Version 1.5-beta2 |
| 1777 | |
| 1778 | * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted |
| 1779 | in Windows ASCII so it's easier to click and view. |
| 1780 | * Added postscript and PDF versions of the HOWTO to the web |
| 1781 | site (C R Zamana). |
| 1782 | * Merged Michael Clarke's stability patch into TAP-Win32 |
| 1783 | driver which appears to fix the suspend/resume driver bug |
| 1784 | and significantly improve driver stability. |
| 1785 | * Added Christof Meerwald's Media Status patch to the |
| 1786 | TAP-Win32 driver which shows the TAP adapter to be |
| 1787 | disconnected when OpenVPN is not running. |
| 1788 | * Moved socket connect and TCP server listen code to a later |
| 1789 | point in openvpn() function so that the TCP server listen |
| 1790 | state is entered after daemonization. |
| 1791 | * Added keyboard shortcuts to simulate signals in the Windows |
| 1792 | version, see the window title bar for descriptions. |
| 1793 | |
| 1794 | 2003.07.24 -- Version 1.5-beta1 |
| 1795 | |
| 1796 | * Added TCP support via the new --proto option. |
| 1797 | * Renamed udp-centric options such as --udp-mtu to |
| 1798 | --link-mtu (old option names preserved for compatibility). |
| 1799 | * Ported to Windows 2000 + XP using mingw and a TAP driver |
| 1800 | derived from the Cipe-Win32 project by Damion K. Wilson. |
| 1801 | * Added --show-adapters flag for windows version. |
| 1802 | * Reworked the SSL/TLS packet acknowledge code to better |
| 1803 | handle certain corner cases. |
| 1804 | * Turned off the default enabling of IP forwarding in the |
| 1805 | sample-scripts/openvpn.init script for Redhat. |
| 1806 | Forwarding can be enabled by users in their --up scripts |
| 1807 | or firewall config. |
| 1808 | * Added --up-restart option based on suggestion from Sean |
| 1809 | Reifschneider. |
| 1810 | * If --dev tap or --dev-type tap is specified, --tun-mtu |
| 1811 | defaults to 1500 and --tun-mtu-extra defaults to 64. |
| 1812 | * Enabled --verb 5 debugging mode that prints 'R' and 'W' |
| 1813 | for each packet read or write on the TCP/UDP socket. |
| 1814 | |
| 1815 | 2003.08.04 -- Version 1.4.3 |
| 1816 | |
| 1817 | * Added md5.h include to crypto.c |
| 1818 | to fix build problem on OpenBSD. |
| 1819 | |
| 1820 | 2003.07.15 -- Version 1.4.2 |
| 1821 | |
| 1822 | * Removed adaptive bandwidth from |
| 1823 | --mtu-dynamic -- its absence appears |
| 1824 | to work better than its existence (1.4.1.2). |
| 1825 | * Minor changes to --shaper to fix long |
| 1826 | retransmit timeouts at low bandwidth |
| 1827 | (1.4.1.2). |
| 1828 | * Added LOG_RW flag to openvpn.h for |
| 1829 | debugging (1.4.1.2). |
| 1830 | * Silenced spurious configure warnings (1.4.1.2). |
| 1831 | * Backed out --dev-name patch, modified --dev |
| 1832 | to offer equivalent functionality (1.4.1.4). |
| 1833 | * Added an optional parameter to --daemon and |
| 1834 | --inetd to support the passing of a custom |
| 1835 | program name to the system logger (1.4.1.5). |
| 1836 | * Add compiled-in options to the program title |
| 1837 | (1.4.1.5). |
| 1838 | * Coded the beginnings of a WIN32 port (1.4.1.5). |
| 1839 | * Succeeded in porting to Win32 Mingw environment |
| 1840 | and running loopback tests (1.4.1.6). Still |
| 1841 | need a kernel driver for full Win32 |
| 1842 | functionality. |
| 1843 | * Fixed a bug in error.h where |
| 1844 | HAVE_CPP_VARARG_MACRO_GCC was misspelled. |
| 1845 | This would have caused a significant slowdown |
| 1846 | of OpenVPN when built by compilers that |
| 1847 | lack ISO C99 vararg macros (1.4.1.6). |
| 1848 | * Created an init script for Gentoo Linux |
| 1849 | in ./gentoo directory (1.4.1.6). |
| 1850 | |
| 1851 | 2003.05.15 -- Version 1.4.1 |
| 1852 | |
| 1853 | * Modified the Linux 2.4 TUN/TAP open code to |
| 1854 | fall back to the 2.2 TUN/TAP interface if the |
| 1855 | open or ioctl fails. |
| 1856 | * Fixed bug when --verb is set to 0 and non-fatal |
| 1857 | socket errors occur, causing 100% CPU utilization. |
| 1858 | Occurs on platforms where |
| 1859 | EXTENDED_SOCKET_ERROR_CAPABILITY is defined, |
| 1860 | such as Linux 2.4. |
| 1861 | * Fixed typo in tun.c that was preventing |
| 1862 | OpenBSD build. |
| 1863 | * Added --enable-mtu-dynamic configure option |
| 1864 | to enable --mtu-dynamic experimental option. |
| 1865 | |
| 1866 | 2003.05.07 -- Version 1.4.0 |
| 1867 | |
| 1868 | * Added --replay-persist feature to allow replay |
| 1869 | protection across sessions. |
| 1870 | * Fixed bug where --ifconfig could not be used |
| 1871 | with --tun-mtu. |
| 1872 | * Added --tun-mtu-extra parameter to deal with |
| 1873 | the situation where a read on a TUN/TAP device |
| 1874 | returns more data than the device's MTU size. |
| 1875 | * Fixed bug where some IPv6 support code for |
| 1876 | Linux was not being properly ifdefed out for |
| 1877 | Linux 2.2, causing compile errors. |
| 1878 | * Added OPENVPN_EXIT_STATUS_x codes to |
| 1879 | openvpn.h to control which status value |
| 1880 | openvpn returns to its caller (such as |
| 1881 | a shell or inetd/xinetd) for various conditions. |
| 1882 | * Added OPENVPN_DEBUG_COMMAND_LINE flag to |
| 1883 | openvpn.h to allow debugging in situations |
| 1884 | where stdout, stderr, and syslog cannot be used |
| 1885 | for message output, such as when OpenVPN is |
| 1886 | instantiated by inetd/xinetd. |
| 1887 | * Removed owner-execute permission from file |
| 1888 | created by static key generator (Herbert Xu |
| 1889 | and Alberto Gonzalez Iniesta). |
| 1890 | * Added --passtos option to allow IPv4 TOS bits |
| 1891 | to be passed from TUN/TAP input packets to |
| 1892 | the outgoing UDP socket (Craig Knox). |
| 1893 | * Added code to prevent open socket file descriptors |
| 1894 | from being accessible to called scripts. |
| 1895 | * Added --dev-name option (Christian Lademann). |
| 1896 | * Added --mtu-disc option for manual control |
| 1897 | over MTU options. |
| 1898 | * Show OS MTU value on UDP socket write failures |
| 1899 | (linux only). |
| 1900 | * Numerous build system and portability |
| 1901 | fixes (Matthias Andree). |
| 1902 | * Added better sensing of compiler support for |
| 1903 | variable argument macros, including (a) gcc |
| 1904 | style, (b) ISO C 1999 style, and (c) no support. |
| 1905 | * Removed generated files from CVS. Note INSTALL |
| 1906 | file for new CVS build commands. |
| 1907 | * Changed certain internal symbol names |
| 1908 | for C standards compliance. |
| 1909 | * Added TUN/TAP open code to cycle dynamically |
| 1910 | through unit numbers until it finds a free |
| 1911 | unit (based on code from Thomas Gielfeldt |
| 1912 | and VTun). |
| 1913 | * Added dynamic MTU and fragmenting infrastructure |
| 1914 | (Experimental). Rebuild with FRAGMENT_ENABLE |
| 1915 | defined to enable. |
| 1916 | * Minor changes to SSL/TLS negotiation, use |
| 1917 | exponential backoff on retransmits, and use |
| 1918 | a smaller MTU size (note that no protocol |
| 1919 | changes have been made which would break |
| 1920 | compatibility with 1.3.x). |
| 1921 | * Added --enable-strict-options flag |
| 1922 | to ./configure. This option will cause |
| 1923 | a more strict check for options compatibility |
| 1924 | between peers when SSL/TLS negotiation is used, |
| 1925 | but should only be used when both OpenVPN peers |
| 1926 | are of the same version. |
| 1927 | * Reorganization of debugging levels. |
| 1928 | * Added a workaround in configure.ac for |
| 1929 | default SSL header location on Linux |
| 1930 | to fix RH9 build problem. |
| 1931 | * Fixed potential deadlock when pthread support |
| 1932 | is used on OSes that allocate a small socketpair() |
| 1933 | message buffer. |
| 1934 | * Fixed openvpn.init to be sh compliant |
| 1935 | (Bishop Clark). |
| 1936 | * Changed --daemon to wait until all |
| 1937 | initialization is finished before becoming a |
| 1938 | daemon, for the benefit of initialization |
| 1939 | scripts that want a useful return status from |
| 1940 | the openvpn command. |
| 1941 | * Made openvpn.init script more robust, including |
| 1942 | positive indication of initialization errors |
| 1943 | in the openvpn daemon and better sanity checks. |
| 1944 | * Changed --chroot to wait until initialization |
| 1945 | is finished before calling chroot(), and allow |
| 1946 | the use of --user and --group with --chroot. |
| 1947 | * When syslog logging is enabled (--daemon or |
| 1948 | --inetd), set stdin/stdout/stderr to point |
| 1949 | to /dev/null. |
| 1950 | * For inetd instantiations, dup socket descriptor |
| 1951 | to a >2 value. |
| 1952 | * Fixed bug in verify-cn script, where test would |
| 1953 | incorrectly fail if CN=x was the last component |
| 1954 | of the X509 composite string (Anonymous). |
| 1955 | * Added Markus F.X.J. Oberhumer's special |
| 1956 | license exception to COPYING. |
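The 1.4.0 entry above about keeping open socket descriptors away from called scripts is the classic fork()/exec() file-descriptor leak: any fd without FD_CLOEXEC survives exec() into the `--up`/`--down` script, which then holds the tunnel's UDP socket. The following is an added illustration, not OpenVPN's own code, showing the difference the close-on-exec flag makes; the child program and the UDP socket it inspects are constructed for the example, and `close_fds=False` is used deliberately to mimic a plain fork/exec that does not mass-close descriptors.

```python
import os
import socket
import subprocess
import sys

# Child program (constructed for this example): report whether the fd number
# passed as argv[1] is still open after exec().
CHILD = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    os.fstat(fd)\n"
    "    print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def child_can_see_fd(fd, close_on_exec):
    """Spawn a child without mass-closing descriptors (close_fds=False, like a
    plain fork()/exec() of a script) and report whether the child still holds
    `fd`. With close_on_exec=True the descriptor carries FD_CLOEXEC and the
    kernel drops it at exec(); with False it is inherited by the script."""
    os.set_inheritable(fd, not close_on_exec)   # inheritable == not FD_CLOEXEC
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, str(fd)],
        close_fds=False, capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip() == "open"


def demo():
    """Returns (leaked_without_cloexec, leaked_with_cloexec) for a bound UDP
    socket standing in for the tunnel socket. Expected: (True, False)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    try:
        leaked = child_can_see_fd(s.fileno(), close_on_exec=False)
        protected = child_can_see_fd(s.fileno(), close_on_exec=True)
    finally:
        s.close()
    return leaked, protected


if __name__ == "__main__":
    leaked, protected = demo()
    print("script inherits socket without FD_CLOEXEC:", leaked)
    print("script inherits socket with FD_CLOEXEC:   ", protected)
```

The practical check for a daemon that spawns scripts is to set FD_CLOEXEC on every long-lived descriptor (socket, TUN/TAP device, key files) right after opening it, rather than trying to enumerate and close descriptors in the child.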
| 1957 | |
| 1958 | 2002.10.23 -- Version 1.3.2 |
| 1959 | |
| 1960 | * Added SSL_CTX_set_client_CA_list call |
| 1961 | to follow the canonical form for TLS initialization |
| 1962 | recommended by the OpenSSL docs. This change allows |
| 1963 | better support for intermediate CAs and has no impact |
| 1964 | on security. |
| 1965 | * Added build-inter script to easy-rsa package, to |
| 1966 | ease the generation of intermediate CAs. |
| 1967 | * Ported to NetBSD (Dimitri Goldin). |
| 1968 | * Fixed minor bug in easy-rsa/sign-req. It refers to |
| 1969 | openssl.cnf file, instead of $KEY_CONFIG, like all |
| 1970 | other scripts (Ernesto Baschny). |
| 1971 | * Added --days 3650 to the root CA generation command |
| 1972 | in the HOWTO to override the woefully small 30 day |
| 1973 | default (Dominik 'Aeneas' Schnitzer). |
| 1974 | * Fixed bug where --ping-restart would sometimes |
| 1975 | not re-resolve remote DNS hostname. |
| 1976 | * Added --tun-ipv6 option and related infrastructure |
| 1977 | support for IPv6 over tun. |
| 1978 | * Added IPv6 over tun support for Linux (Aaron Sethman). |
| 1979 | * Added FreeBSD 4.1.1+ TUN/TAP driver notes to |
| 1980 | INSTALL (Matthias Andree). |
| 1981 | * Added inetd/xinetd support (--inetd) including |
| 1982 | documentation in the HOWTO. |
| 1983 | * Added "Important Note on the use of commercial certificate |
| 1984 | authorities (CAs) with OpenVPN" to HOWTO based on |
| 1985 | issues raised on the openvpn-users list. |
| 1986 | |
| 1987 | 2002.07.10 -- Version 1.3.1 |
| 1988 | |
| 1989 | * Fixed bug in openvpn.spec and openvpn.init |
| 1990 | which caused RPM upgrade to fail. |
| 1991 | |
| 1992 | 2002.07.10 -- Version 1.3.0 |
| 1993 | |
| 1994 | * Added --dev-node option to allow explicit selection of |
| 1995 | tun/tap device node. |
| 1996 | * Removed mlockall call from child thread, as it doesn't |
| 1997 | appear to be necessary (child thread inherits mlockall |
| 1998 | state from parent). |
| 1999 | * Added --ping-timer-rem which causes timer for --ping-exit |
| 2000 | and --ping-restart not to run unless we have a remote IP |
| 2001 | address. |
| 2002 | * Added condrestart to openvpn.init and openvpn.spec |
| 2003 | (Bishop Clark). |
| 2004 | * Added --ifconfig case for FreeBSD (Matthias Andree). |
| 2005 | * Call openlog with facility=LOG_DAEMON (Matthias Andree). |
| 2006 | * Changed LOG_INFO messages to LOG_NOTICE. |
| 2007 | * Added warning when key files are group/others accessible. |
| 2008 | * Added --single-session flag for TLS mode. |
| 2009 | * Fixed bug where --writepid would segfault if used with |
| 2010 | an invalid filename. |
| 2011 | * Fixed bug where --ipchange status message was formatted |
| 2012 | incorrectly. |
| 2013 | * Print more concise error message when system() call |
| 2014 | fails. |
| 2015 | * Added --disable-occ option. |
| 2016 | * Added --local, --remote, and --ifconfig options sanity |
| 2017 | check. |
| 2018 | * Changed default UDP MTU to 1300 and TUN/TAP MTU to |
| 2019 | 1300. |
| 2020 | * Successfully tested with OpenSSL 0.9.7 Beta 2. |
| 2021 | * Broke out debug level definitions to errlevel.h |
| 2022 | * Minor documentation and web site changes. |
| 2023 | * All changes maintain protocol compatibility |
| 2024 | with OpenVPN versions since 1.1.0, however default |
| 2025 | MTU changes will require setting the MTU explicitly |
| 2026 | by command line option, if you want 1.3.0 to |
| 2027 | communicate with previous versions. |
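Two entries on this page concern key file permissions: 1.3.0 adds a warning when key files are group/others accessible, and 1.4.0 removes owner-execute permission from the file the static key generator creates. The following added example (not OpenVPN's code, and not how its `--genkey` or `--secret` loader is written) shows both sides: creating a key file with a restrictive mode from the first instant it exists, and the loader-side check that reports unsafe modes. The key size and file names are arbitrary choices for the example.

```python
import os
import secrets
import stat
import tempfile

KEY_BYTES = 256   # arbitrary for this example


def write_static_key(path):
    """Create the key file with mode 0600 atomically via O_CREAT|O_EXCL and an
    explicit mode, so there is never a window in which it is world-readable,
    and no execute bit is set for anyone."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(KEY_BYTES).hex().encode())


def key_file_permission_problems(path):
    """Return the warnings a key loader should emit for `path`: any
    group/other access bit and any execute bit. Empty list means acceptable."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file %s is group or others accessible (mode %04o)"
                        % (path, mode))
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("key file %s has execute permission set (mode %04o)"
                        % (path, mode))
    return problems


def demo():
    """Create one correctly protected key and one with the sloppy mode
    (owner-execute plus world-readable), and return the loader's findings
    for each."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "static.key")
    write_static_key(good)
    bad = os.path.join(d, "sloppy.key")
    write_static_key(bad)
    os.chmod(bad, 0o744)   # simulate a key written with a permissive mode
    return key_file_permission_problems(good), key_file_permission_problems(bad)


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("static.key:", good_problems or "ok")
    for p in bad_problems:
        print("WARNING:", p)
```

Whether a loader should warn or refuse is a policy choice; refusing is the safer default for a daemon that runs as root during initialization, since a readable key file means any local user can decrypt or inject tunnel traffic.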
| 2028 | |
| 2029 | 2002.06.12 -- Version 1.2.1 |
| 2030 | |
| 2031 | * Added --ping-restart option to restart |
| 2032 | connection on ping timeout using SIGUSR1 |
| 2033 | logic (Matthias Andree). |
| 2034 | * Added --persist-tun, --persist-key, |
| 2035 | --persist-local-ip, and --persist-remote-ip |
| 2036 | options for finer-grained control over SIGUSR1 |
| 2037 | and --ping-restart restarts. To |
| 2038 | replicate previous SIGUSR1 functionality, |
| 2039 | use --persist-remote-ip. |
| 2040 | * Changed residual IV fetching code to take |
| 2041 | IV from tail of ciphertext. |
| 2042 | * Added check to make sure that CFB or OFB |
| 2043 | cipher modes are only used with SSL/TLS |
| 2044 | authentication mode, and added a caveat |
| 2045 | to INSTALL. |
| 2046 | * Changed signal handling during initialization |
| 2047 | (including re-initialization during restarts) |
| 2048 | to exit on SIGTERM or SIGINT and ignore other |
| 2049 | signals which would ordinarily be caught. |
| 2050 | * Added --resolv-retry option to allow |
| 2051 | retries on hostname resolution. |
| 2052 | * Expanded the --float option to also |
| 2053 | allow dynamic changes in source port number |
| 2054 | on incoming datagrams. |
| 2055 | * Added --mute option to limit repetitive |
| 2056 | logging of similar message types. |
| 2057 | * Added --group option to downgrade GID |
| 2058 | after initialization. |
| 2059 | * Try to set ifconfig path automatically |
| 2060 | in configure. |
| 2061 | * Added --ifconfig code for Mac OS X |
| 2062 | (Christoph Pfisterer). |
| 2063 | * Moved "Peer Connection Initiated" message |
| 2064 | to --verb level 1. |
| 2065 | * Successfully tested with |
| 2066 | OpenSSL 0.9.7 Beta 1 and AES cipher. |
| 2067 | * Added RPM notes to INSTALL. |
| 2068 | * Added ACX_PTHREAD (from the autoconf |
| 2069 | macro archive) to configure.ac |
| 2070 | to figure out the right pthread |
| 2071 | options for a given platform. |
| 2072 | * Broke out macro definitions from |
| 2073 | configure.ac to acinclude.m4. |
| 2074 | * Minor changes to docs and HOWTO. |
| 2075 | * All changes maintain protocol compatibility |
| 2076 | with OpenVPN versions since 1.1.0. |
| 2077 | |
| 2078 | 2002.05.22 -- Version 1.2.0 |
| 2079 | |
| 2080 | * Added configuration file support via |
| 2081 | the --config option. |
| 2082 | * Added pthread support to improve latency. |
| 2083 | With pthread support, OpenVPN |
| 2084 | will offload CPU-intensive tasks such as RSA |
| 2085 | key number crunching to a background thread |
| 2086 | to improve tunnel packet forwarding |
| 2087 | latency. pthread support can be enabled |
| 2088 | with the --enable-pthread configure option. |
| 2089 | Pthread support is currently available |
| 2090 | only for Linux and Solaris. |
| 2091 | * Added --dev-type option so that tun/tap |
| 2092 | device names don't need to begin with |
| 2093 | "tun" or "tap". |
| 2094 | * Added --writepid option to write main |
| 2095 | process ID to a file. |
| 2096 | * Numerous portability fixes to ease |
| 2097 | porting to other OSes including changing |
| 2098 | all network types to uint8_t and uint32_t, |
| 2099 | and not assuming that time_t is 32 bits. |
| 2100 | * Backported to OpenSSL 0.9.5. |
| 2101 | * Ported to Solaris. |
| 2102 | * Finished OpenBSD port except for |
| 2103 | pthread support. |
| 2104 | * Added initialization script: |
| 2105 | sample-scripts/openvpn.init |
| 2106 | (Douglas Keller) |
| 2107 | * Ported to Mac OS X (Christoph Pfisterer). |
| 2108 | * Improved resilience to DoS attacks when |
| 2109 | TLS mode is used without --remote or |
| 2110 | --tls-auth, or when --float is used |
| 2111 | with --remote. Note however that the best |
| 2112 | defense against DoS attacks in TLS mode |
| 2113 | is to use --tls-auth. |
| 2114 | * Eliminated automake/autoconf dependency |
| 2115 | for non-developers. |
| 2116 | * Ported configure.in to configure.ac |
| 2117 | and autoconf 2.50+. |
| 2118 | * SIGHUP signal now causes OpenVPN to restart |
| 2119 | and re-read command line and/or config file, |
| 2120 | in conformance with canonical daemon behaviour. |
| 2121 | * SIGUSR1 now does what SIGHUP did in |
| 2122 | version 1.1.1 and earlier -- close and reopen |
| 2123 | the UDP socket for use when DHCP changes |
| 2124 | host's IP address and preserve most recently |
| 2125 | authenticated peer address without rereading |
| 2126 | config file. |
| 2127 | * SIGUSR2 added -- outputs current statistics, |
| 2128 | including compression statistics. |
| 2129 | * All changes maintain protocol compatibility |
| 2130 | with 1.1.1 and 1.1.0. |
| 2131 | |
| 2132 | 2002.04.22 -- Version 1.1.1 |
| 2133 | |
| 2134 | * Added --ifconfig option to automatically configure |
| 2135 | TUN device. |
| 2136 | * Added inactivity disconnect (--inactive |
| 2137 | and --ping-exit options). |
| 2138 | * Added --ping option to keep stateful firewalls |
| 2139 | from timing out. |
| 2140 | * Added sanity check to command line parser to |
| 2141 | err if any TLS options are used in non-TLS mode. |
| 2142 | * Fixed build problem with compiler environments that |
| 2143 | define printf as a macro. |
| 2144 | * Fixed build problem on linux systems that have |
| 2145 | an integrated TUN/TAP driver but lack the persistent |
| 2146 | tunnel feature (TUNSETPERSIST). Some linux kernels |
| 2147 | >= 2.4.0 and < 2.4.7 fall into this category. |
| 2148 | * Changed all calls to EVP_CipherInit to use explicit |
| 2149 | encrypt/decrypt mode in order to fix problem with |
| 2150 | IDEA-CBC and AES-256-CBC ciphers. |
| 2151 | * Minor changes to control channel transmit limiter |
| 2152 | algorithm to fix problem where TLS control channel |
| 2153 | might not renegotiate within the default 60 second window. |
| 2154 | * Simplified man page examples by taking advantage |
| 2155 | of the new --ifconfig option. |
| 2156 | * Minor changes to configure.in to check more |
| 2157 | rigorously for OpenSSL 0.9.6 or greater. |
| 2158 | * Put back openvpn.spec, eliminated |
| 2159 | openvpn.spec.in. |
| 2160 | * Modified openvpn.spec to reflect new automake-based |
| 2161 | build environment (Bishop Clark). |
| 2162 | * Other documentation changes. |
| 2163 | * Added --test-crypto option for debugging. |
| 2164 | * Added "missing" and "mkinstalldirs" automake |
| 2165 | support files. |
| 2166 | |
| 2168 | 2002.04.09 -- Version 1.1.0 |
| 2169 | |
| 2170 | * Strengthened replay protection and IV handling, |
| 2171 | extending it fully to both static key and |
| 2172 | TLS dynamic key exchange modes. |
| 2173 | * Added --mlock option to disable paging and ensure that key |
| 2174 | material and tunnel data is never paged to disk. |
| 2175 | * Added optional traffic shaping feature to cap the maximum |
| 2176 | data rate of the tunnel. |
| 2177 | * Converted to automake (The Platypus Brothers 2002-04-01). |
| 2178 | * Ported to OpenBSD by Janne Johansson. |
| 2179 | * Added --tun-af-inet option to work around an incompatibility |
| 2180 | between Linux and BSD tun drivers. |
| 2181 | * Sequence number-based replay protection using the |
| 2182 | IPSec sliding window model is now the default, |
| 2183 | disable with --no-replay. |
| 2184 | * Explicit IV is now the default, disable with --no-iv. |
| 2185 | * Disabled all cipher modes except CBC, CFB, and OFB. |
| 2186 | * In CBC mode, use explicit IV and carry forward residuals, |
| 2187 | using IPSec model. |
| 2188 | * In CFB/OFB mode, IV is timestamp, sequence number. |
| 2189 | * Eliminated --packet-id, --timestamp, and max-delta parameter to |
| 2190 | the --tls-auth option as they are now supplanted by improved |
| 2191 | replay code which is enabled by default. |
| 2192 | * Eliminated --rand-iv as it is now obsolete with improved |
| 2193 | IV code. |
| 2194 | * Eliminated --reneg-err option as it increases vulnerability |
| 2195 | to DoS attacks. |
| 2196 | * Added weak key check for DES ciphers. |
| 2197 | * --tls-freq option is no longer specified on the command line, |
| 2198 | instead it now inherits its parameter from the |
| 2199 | --tls-timeout option. |
| 2200 | * Fixed bug that would try to free memory on exit that was |
| 2201 | never malloced if --comp-lzo was not specified. |
| 2202 | * Errata fixed in the man page examples: "test-ca" should be |
| 2203 | "tmp-ca". |
| 2204 | * Updated manual page. |
| 2205 | * Preliminary work in porting to OpenSSL 0.9.7. |
| 2206 | * Changed license to allow linking with OpenSSL. |
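The 1.1.0 entry makes sequence-number replay protection "using the IPSec sliding window model" the default, and 1.4.0's `--replay-persist` carries that state across sessions. As an added illustration (not OpenVPN's implementation, whose window size, sequence-number width and on-disk format are not described on this page), here is the IPsec-style anti-replay window as specified for ESP/AH: a high-water mark plus a bitmap of recently seen sequence numbers. The 64-packet window and the dict-based save/load format are assumptions for the example.

```python
class ReplayWindow:
    """IPsec-style (RFC 4303 style) anti-replay sliding window.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has been seen. Packets above `top`
    slide the window forward; packets inside the window are accepted once;
    packets below the window are rejected because they can no longer be
    distinguished from replays.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if fresh; False if replayed or too old."""
        if seq <= 0:                       # 0 is reserved as "never sent"
            return False
        if seq > self.top:                 # new high-water mark: slide window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # everything old falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                   # older than the window
        if self.bitmap & (1 << offset):
            return False                   # duplicate inside the window
        self.bitmap |= 1 << offset         # late but first-seen: accept
        return True

    # Persistence, the idea behind --replay-persist: without it a restarted
    # receiver starts at top=0 and would accept a recording of the previous
    # session's packets. Format here is an assumption for the example.
    def save(self):
        return {"size": self.size, "top": self.top, "bitmap": self.bitmap}

    @classmethod
    def load(cls, state):
        w = cls(state["size"])
        w.top, w.bitmap = state["top"], state["bitmap"]
        return w


# Constructed packet stream: in-order, out-of-order, duplicates, a big jump,
# and packets that fall outside the 64-packet window.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 2, 70, 6, 200, 199, 137, 136]


def replay_demo():
    """Run SAMPLE_SEQS through a fresh window; returns accept/reject per packet."""
    w = ReplayWindow(size=64)
    return [w.check_and_update(s) for s in SAMPLE_SEQS]


def persist_demo():
    """Simulate a restart: state saved after the stream above is reloaded, then
    the previous session's last packet (200) and a fresh one (201) arrive."""
    w = ReplayWindow(size=64)
    for s in SAMPLE_SEQS:
        w.check_and_update(s)
    w2 = ReplayWindow.load(w.save())
    return w2.check_and_update(200), w2.check_and_update(201)


if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQS, replay_demo()):
        print("seq %4d -> %s" % (seq, "accept" if ok else "REJECT"))
    print("after reload: replayed 200 ->", persist_demo()[0], "; fresh 201 ->", persist_demo()[1])
```

Two points the walk-through makes concrete: packet 6 is rejected not because it was seen but because it is older than the window after the jump to 70, which is the price of bounded state; and packet 137 is accepted while 136 is not, since 137 is exactly at the window's edge (offset 63) and 136 is one past it. Persisting `top` and the bitmap is what turns per-session protection into protection across restarts.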
| 2207 | |
| 2208 | 2002.03.29 -- Version 1.0.3 |
| 2209 | |
| 2210 | * Fixed a problem in configure with library ordering on the |
| 2211 | command line. |
| 2212 | |
| 2213 | 2002.03.28 -- Version 1.0.2 |
| 2214 | |
| 2215 | * Improved the efficiency of the inner event loop. |
| 2216 | * Fixed a minor bug with timeout handling. |
| 2217 | * Improved the build system to build on RH 6.2 through 7.2. |
| 2218 | * Added an openvpn.spec file for RPM builders (Bishop Clark). |
| 2219 | |
| 2220 | 2002.03.23 -- Version 1.0 |
| 2221 | |
| 2222 | * Added TLS-based authentication and key exchange. |
| 2223 | * Added gremlin mode to stress test. |
| 2224 | * Wrote man page. |
| 2225 | |
| 2226 | 2001.12.26 -- Version 0.91 |
| 2227 | |
| 2228 | * Added any choice of cipher or HMAC digest. |
| 2229 | |
| 2230 | 2001.5.13 -- Version 0.90 |
| 2231 | |
| 2232 | * Initial release. |
| 2233 | * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. |
| 2234 | }}} |