2004.05.09 -- Version 1.6.0

* Unchanged from 1.6-rc4 except for version number
  upgrade.

2004.04.01 -- Version 1.6-rc4

* Made minor customizations to devcon and
  renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
  problem on FreeBSD.
* OpenSSL 0.9.7d bundled with Windows self-install.

2004.03.13 -- Version 1.6-rc3

* Minor Windows fixes for --ip-win32 dynamic, relating to
  the way the TAP-Win32 driver responds to a DHCP request
  from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
  set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
  allowing the --redirect-gateway option to work
  (Juan Rodriguez Hervella).

2004.03.04 -- Version 1.6-rc2

* Fixed bug in Windows version where the NetBIOS node-type
  DHCP option might have been passed even if it was not
  specified.
* Fixed bug in Windows version introduced in 1.6-rc1, where
  DHCP timeout would be set to 0 seconds if --ifconfig option
  was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.

2004.03.02 -- Version 1.6-rc1

* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
  unless --ip-win32 dynamic is not used or --route-delay
  is explicitly specified.
* L_TLS mutex could have been left in a locked state
  for certain kinds of TLS errors.

2004.02.22 -- Version 1.6-beta7

* Allow scheduling priority increase (--nice) together
  with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
  mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
  variable called tls_serial_{n} prior to calling the
  --tls-verify script. n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
  a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
  function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
  originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
  infrastructure to accommodate proxy-based encapsulation
  overhead.
* Added --dhcp-option to Windows version for setting
  adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
  --ip-win32 dynamic is specified (only applicable when
  --route-delay is not explicitly specified).
* Added "log_append" registry variable to control
  whether the OpenVPN service wrapper on Windows
  opens log files in append (log_append="1") or
  truncate (log_append="0") mode. The default
  is truncate.

2004.02.05 -- Version 1.6-beta6

* UDP over Socks5 fix to accommodate Socks5 encapsulation
  overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
  invalidate existing lease with DHCPNAK).

2004.02.01 -- Version 1.6-beta5

* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
  enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.

2004.01.27 -- Version 1.6-beta4

* For this beta, the Windows self-install is a debug version
  and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
  from 'dynamic'.
* Added the offset parameter to '--ip-win32 dynamic' which
  can be used to control the address of the masqueraded
  DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
  be used with TCP sockets, TLS authentication, and over
  a bridged configuration -- see FAQ for more info)
  (Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
  debug messages can be output by OpenVPN at --verb 6
  or higher.

2004.01.20 -- Version 1.6-beta2

* Added ./configure --enable-iproute2 flag which
  uses iproute2 instead of route + ifconfig --
  this is necessary for the LEAF Linux distro
  (Martin Hejl).
* Added renewal-time and rebind-time to set of
  DHCP options returned by the TAP-Win32 driver when
  "--ip-win32 dynamic" is used.

2004.01.14 -- Version 1.6-beta1

* Fixed --proxy bug that sometimes caused plaintext
  control info generated by the proxy prior to http
  CONNECT method establishment to be incorrectly
  parsed as OpenVPN data.
* For Windows version, implemented the
  "--ip-win32 dynamic" method and made it the default.
  This method sets the TAP-Win32 adapter IP address
  and netmask by replying to the kernel's DHCP queries.
  See the man page for more detailed info.
* Added --connect-retry parameter which controls
  the time interval (in seconds) between connect()
  retries when --proto tcp-client is used. Previously,
  this value was hardcoded to 5 seconds, and still
  defaults as such.
* --resolv-retry can now be used with a parameter
  of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
  for support of multi-level certificate chains
  (Sten Kalenda).
* Fixed --tls-auth incompatibility with 1.4.x and earlier
  versions of OpenVPN when the passphrase file is an
  OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
  the backslash character ("\") so that (for example)
  double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
  and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
  allow the configuration file directory to be a
  multi-level directory hierarchy (Farkas Levente).
  See contrib/multilevel-init.patch
* Added some scripts and documentation on using
  Linux "fwmark" iptables rules to enable
  fine-grained routing control over the VPN
  (Sean Reifschneider, ).
  See contrib/openvpn-fwmarkroute-1.00

2003.11.20 -- Version 1.5.0

* Minor documentation changes.

2003.11.04 -- Version 1.5-beta14

* Fixed build problem with ./configure --disable-ssl
  that was reported on Debian woody.
* Fixed bug where --redirect-gateway could not be used
  together with --resolv-retry.

2003.11.03 -- Version 1.5-beta13

* Added CRL (certificate revocation list) capability using
  --crl-verify option (Stefano Bracalenti).
* Added --replay-window option for variable replay-protection
  window sizes.
* Fixed --fragment bug which might have caused certain large
  packets to be sent unfragmented.
* Modified --secret and --tls-auth to permit different cipher and
  HMAC keys to be used for each data flow direction. Also
  increased static key file size generated by --genkey from
  1024 to 2048 bits, where 512 bits each are reserved for
  send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
  and backward compatibility is maintained. See --secret option
  documentation on the man page for more info.
* Added --tls-remote option (Teemu Kiviniemi).
* Fixed --tls-cipher documentation regarding correct delimiter
  usage (Teemu Kiviniemi).
* Added --key-method option for selecting alternative data
  channel key negotiation methods. Method 1 is the default.
  Method 2 has been added (see man page for more info).
* Added French translation of HOWTO to web site
  (Guillaume Lehmann).
* Fixed problem caused by late resolver library load on
  certain platforms when --resolv-retry and --chroot are
  used together (Teemu Kiviniemi).
* In TCP mode, all decryption or TLS errors will abort the current
  connection (this is not done in UDP mode because UDP is
  "connectionless").
* Fixed a TCP client reconnect bug that only occurs on the
  BSDs, where connect() fails with an invalid argument. This
  bug was partially (but not completely) fixed in beta7.
* Added "route_net_gateway" environmental variable which contains
  the pre-existing default gateway address from the routing table
  (there's no standard API for getting the default gateway, so
  right now this feature only works on Windows or Linux).
* Renamed the "route_default_gateway" environmental variable to
  "route_vpn_gateway" -- this is the remote VPN endpoint.
* The special keywords vpn_gateway, net_gateway, and remote_host
  can now be used for the network or gateway components of the
  --route option. See the man page for more info.
* Added the --redirect-gateway option to configure the VPN
  as the default gateway (implemented on Linux and Windows only).
* Added the --http-proxy option with basic authentication
  support for use in TCP client mode. Successfully tested
  using Squid as the HTTP proxy, with and without authentication.
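
The --secret entry in this release describes a 2048-bit static key made of four 512-bit slots, with each peer using different cipher and HMAC keys per flow direction. The Python below is an added illustration of that layout and is not OpenVPN's own code: the slot order (send-HMAC, encrypt, receive-HMAC, decrypt) is taken from the entry, the direction numbering 0/1 and the mirror-image assignment to the second peer are this example's modelling choice, and the treatment of a 1024-bit key of the older size as one HMAC/cipher pair reused in both directions is an assumption made only to show how the older file can still be loaded.

```python
import os

SLOT_BYTES = 512 // 8
# Slot order as listed in the 1.5-beta13 --secret entry.
SLOT_NAMES = ("send_hmac", "encrypt", "recv_hmac", "decrypt")


def generate_static_key(nbits: int = 2048) -> bytes:
    """Constructed stand-in for --genkey: nbits of OS randomness."""
    if nbits % 8:
        raise ValueError("key size must be a whole number of bytes")
    return os.urandom(nbits // 8)


def split_slots(key: bytes) -> dict:
    """Map the raw key onto named 512-bit slots.

    A 2048-bit key yields the four slots named above.  A 1024-bit key (the
    pre-beta13 size) is treated here as one HMAC key followed by one cipher
    key, reused for both directions; that mapping is an assumption of this
    example, not something the ChangeLog specifies.
    """
    if len(key) == 4 * SLOT_BYTES:
        return {name: key[i * SLOT_BYTES:(i + 1) * SLOT_BYTES]
                for i, name in enumerate(SLOT_NAMES)}
    if len(key) == 2 * SLOT_BYTES:
        hmac_key, cipher_key = key[:SLOT_BYTES], key[SLOT_BYTES:]
        return {"send_hmac": hmac_key, "encrypt": cipher_key,
                "recv_hmac": hmac_key, "decrypt": cipher_key}
    raise ValueError(f"unsupported static key length: {len(key) * 8} bits")


def direction_keys(key: bytes, direction: int) -> dict:
    """Return {'out': (cipher_key, hmac_key), 'in': (cipher_key, hmac_key)}.

    direction 0 reads the slots as written; direction 1 is the other peer and
    takes the mirror image, so whatever one side encrypts and authenticates
    with is exactly what the other side decrypts and verifies with.
    """
    s = split_slots(key)
    if direction == 0:
        return {"out": (s["encrypt"], s["send_hmac"]),
                "in": (s["decrypt"], s["recv_hmac"])}
    if direction == 1:
        return {"out": (s["decrypt"], s["recv_hmac"]),
                "in": (s["encrypt"], s["send_hmac"])}
    raise ValueError("direction must be 0 or 1")


def peers_agree(key: bytes) -> bool:
    """Each peer's outbound keys must be the other peer's inbound keys."""
    a, b = direction_keys(key, 0), direction_keys(key, 1)
    return a["out"] == b["in"] and a["in"] == b["out"]


def directions_distinct(key: bytes) -> bool:
    """True when the two flow directions use different cipher and HMAC keys."""
    a = direction_keys(key, 0)
    return a["out"][0] != a["in"][0] and a["out"][1] != a["in"][1]


if __name__ == "__main__":
    k2048 = generate_static_key(2048)
    print("2048-bit key: peers agree:", peers_agree(k2048),
          "| directions distinct:", directions_distinct(k2048))
    k1024 = generate_static_key(1024)
    print("1024-bit key: peers agree:", peers_agree(k1024),
          "| directions distinct:", directions_distinct(k1024))
```

With the 2048-bit layout, `directions_distinct` is True: a key recovered for one direction says nothing about the other. With the older 1024-bit key both peers still agree, but the same material protects both flows, which is the property the larger file was introduced to remove.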

2003.10.12 -- Version 1.5-beta12

* Fixed Linux-only bug in --mktun and --rmtun which was
  introduced around beta8 or so, which would cause
  an error such as "I don't recognize device tun0 as a
  tun or tap device1".
* Added --ifconfig-nowarn option to disable options
  consistency warnings about --ifconfig parameters.
* Don't allow any kind of sequence number backtracking or
  message reordering when in TCP mode.
* Changed beta naming convention to use '_' (underscore)
  rather than '-' (dash) to pacify rpmbuild.

2003.10.08 -- Version 1.5-beta11

* Modified code in the Windows version which sets the IP address
  and netmask of the TAP-Win32 adapter using the IP Helper API.
  Most of the changes involve better error recovery when
  the IP Helper API returns an error status. See the
  manual page entry on --ip-win32 for more info.

2003.10.08 -- Version 1.5-beta10

* Added getpass() function for Windows version so that --askpass
  option works correctly (Stefano Bracalenti).
* Added reboot advisory to end of Win32 install script.
* Changed crypto code to use pseudo-random IVs rather than
  carrying forward the IV state from the previous packet.
  This is in response to item 2 in the following document:
  http://www.openssl.org/~bodo/tls-cbc.txt which points
  out weaknesses in TLS's use of the same IV carryforward
  approach. This change does not break protocol compatibility
  with previous versions of OpenVPN.
* Made a change to the crypto replay protection code to also
  protect against certain kinds of packet reordering attacks.
  This change does not break protocol compatibility with
  previous versions of OpenVPN.
* Added --ip-win32 option to provide several choices for
  setting the IP address on the TAP-Win32 adapter.
* #ifdefed out non-CBC crypto modes by default.
* Added --up-delay option to delay TUN/TAP open and --up script
  execution until after connection establishment. This option
  replaces the earlier windows-only option --tap-delay.
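
Three entries in this stretch of the log concern the receiver's packet-id window: the --replay-window option (1.5-beta13), the rule that TCP mode tolerates no backtracking or reordering (1.5-beta12), and the reordering hardening of the replay code above. The Python below is an added illustration of such a sliding window and is not OpenVPN's implementation: `window` plays the role of the configurable size, `strict=True` models the TCP behaviour of rejecting anything that is not strictly in order, and the packet-id sequence is constructed for the example (OpenVPN's real packet-id encoding is not modelled).

```python
class ReplayWindow:
    """Sliding-window replay check over monotonically increasing packet ids.

    `highest` is the largest id accepted so far and `seen` is a bitmap in
    which bit i means id (highest - i) has already been accepted.  A packet is
    accepted if it is newer than anything seen, or if it falls inside the
    window and has not been seen before.  In strict mode (the TCP behaviour
    described in the log) any id that is not newer than `highest` is rejected.
    """

    def __init__(self, window: int = 64, strict: bool = False):
        if window < 1:
            raise ValueError("window must be >= 1")
        self.window = window
        self.strict = strict
        self.highest = 0      # 0 means nothing accepted yet
        self.seen = 0         # bitmap of accepted ids below `highest`

    def check_and_update(self, pid: int) -> bool:
        """Return True and record `pid` if it is acceptable, else False."""
        if pid <= 0:
            return False                      # id 0 is reserved as "nothing"
        if self.highest == 0:
            self.highest, self.seen = pid, 1  # first packet of the session
            return True
        if pid > self.highest:
            shift = pid - self.highest        # slide the window forward
            if shift >= self.window:
                self.seen = 1                 # everything older falls out
            else:
                mask = (1 << self.window) - 1
                self.seen = ((self.seen << shift) | 1) & mask
            self.highest = pid
            return True
        if self.strict:
            return False                      # TCP mode: no backtracking at all
        offset = self.highest - pid
        if offset >= self.window:
            return False                      # older than the window: drop
        if self.seen & (1 << offset):
            return False                      # already accepted: a replay
        self.seen |= 1 << offset              # late but genuine: accept once
        return True


def filter_stream(pids, window: int = 64, strict: bool = False) -> list:
    """Run a sequence of packet ids through one window; return the accepted ids."""
    w = ReplayWindow(window, strict)
    return [pid for pid in pids if w.check_and_update(pid)]


# Constructed sample: one reordered packet (4 arrives before 3), one replayed
# packet (2 is seen twice) and one packet (6) that arrives after the window
# has moved past it.
SAMPLE_IDS = [1, 2, 4, 3, 2, 5, 70, 6, 71]

if __name__ == "__main__":
    print("UDP-style window:", filter_stream(SAMPLE_IDS, window=64))
    print("TCP-style strict:", filter_stream(SAMPLE_IDS, window=64, strict=True))
```

In the UDP-style run the late packet 3 is accepted once and the replayed 2 is dropped; in strict mode the out-of-order 3 is dropped as well, since a byte stream cannot legitimately deliver it late.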

2003.10.01 -- Version 1.5-beta9

* Fixed --route-noexec bug where option was not parsed correctly.
* Complain if --dev tun is specified without --ifconfig on Windows.
* Fixed bug where TCP connections on windows would sometimes cause
  an assertion failure.
* Added a new flag to TAP-Win32 advanced properties that allows one
  to set the adapter to be always "connected" even when an OpenVPN
  process doesn't have it open. The default behavior is to report
  a media status of connected only when an OpenVPN process has the
  adapter open.
* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
  DLLs in response to an OpenSSL security advisory.

2003.09.30 -- Version 1.5-beta8

* Extended the --ifconfig option to work on tap devices as well
  as tun devices.
* Implemented the --ifconfig option for Windows, by calling the
  netsh tool.
* By default, do an "arp -d *" on Windows after TAP-Win32 open to
  refresh the MAC cache. This behaviour can be disabled with
  --no-arp-del.
* On Windows, allow the --dev-node parameter (which specifies
  the name of the TAP-Win32 adapter) to be omitted in cases where
  there is a single TAP-Win32 adapter on the system which can be
  assumed to be the default.
* Modified the diagnostic --verb 5 debugging level to print 'R'
  for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
  and 'w' for TUN/TAP write.
* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
  mode.
* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
* Make the --enable-mtu-dynamic ./configure option enabled by
  default.
* Deprecated the --mtu-dynamic run-time option, in favor of
  --fragment.
* DNS names can now be used as --ifconfig parameters.
* Significant work on TAP-Win32 driver to bring up to SMP standards.
* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
  unloaded or disabled, while a user-space process has it open.
* On Windows, if --tun-mtu is not specified, it will be read from
  the TAP-Win32 driver via ioctl.
* On Windows, added TAP-Win32 driver status info to "F2" keyboard
  signal (only when run from a console window).
* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
* Renamed --mtu-dynamic option to --fragment to more accurately
  reflect its function. Fragment accepts a single parameter which
  is the upper limit on acceptable UDP packet size.
* Changed default --tun-mtu-extra parameter to 32 from 64.
* Eliminated reference to malloc.o in configure.ac.
* Added tun device emulation to the TAP-Win32 driver.
* Added --route and related options.
* Added init script for SuSE Linux (Frank Plohmann).
* Extended option consistency check between peers to function
  in all crypto modes, including static-key and cleartext modes.
  Previously only TLS mode was supported. Disable with
  --disable-occ.
* Overall, increased the amount of configuration option sanity
  checking, especially of networking parameters.
* Added --mtu-test option for empirical MTU measurement.
* Added Windows-only option --tap-delay to not set the TAP-Win32
  adapter media state to 'connected' until TCP/UDP connection
  establishment with peer.
* Slightly modified --route/--route-delay semantics so that when
  --route is given without --route-delay, routes are added
  immediately after tun/tap device open. When --route-delay is
  specified, routes will be added n seconds after connection
  initiation, where n is the --route-delay parameter (which
  can be set to 0).
* Made TCP framing error into a non-fatal error that triggers a
  connection reset.

2003.08.28 -- Version 1.5-beta7

* Fixed bug that caused OpenVPN not to respond to exit/restart
  signals when --resolv-retry is used and a local or remote DNS
  name cannot be resolved.
* Exported a series of environmental variables with useful
  info for scripts. See man page for more info. Based
  on a suggestion by Anthony Ciaravalo.
* Moved TCP/UDP socket bind to a point in the initialization
  before the --up script gets called. This is desirable
  because (a) a socket bind failure will happen before
  daemonization, allowing an error status code to be returned
  to the shell and (b) the possibility is eliminated of a
  socket bind failure causing the --up script to be run
  but not the --down script. This change has a side effect
  that --resolv-retry will no longer work with --local.
* Fixed bug where if an OpenVPN TCP server went down and back
  up again, Solaris or FreeBSD clients would fail to reconnect
  to it.
* Fixed bug that prevented OpenVPN from being run by
  inetd/xinetd in TCP mode.
* Added --log and --log-append options for logging messages to
  a file.
* On Windows, check that the current user is a member of the
  Administrator group before attempting install or uninstall.

2003.08.16 -- Version 1.5-beta6

* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.

2003.08.14 -- Version 1.5-beta5

* Added user-configurability of the TAP-Win32 adapter MTU
  through the adapter advanced properties page.
* Added Windows Service support.
* On Windows, added file association and right-clickability
  for .ovpn files (OpenVPN config files).

2003.08.05 -- Version 1.5-beta4

* Extra refinements and error checking added to Windows
  NSIS install script.

2003.08.05 -- Version 1.5-beta3

* Added md5.h include to crypto.c to fix build problem on
  OpenBSD.
* Created a Win32 installer using NSIS.
* Removed DelService command from TAP-Win32 INF file. It appears
  to be not necessary and it interfered with the ability to
  uninstall and reinstall the driver without needing to reboot.
* On Windows version, added "addtap" and "deltapall" batch
  files to add and delete TAP-Win32 adapter instances.

2003.07.31 -- Version 1.5-beta2

* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
  in Windows ASCII so it's easier to click and view.
* Added postscript and PDF versions of the HOWTO to the web
  site (C R Zamana).
* Merged Michael Clarke's stability patch into TAP-Win32
  driver which appears to fix the suspend/resume driver bug
  and significantly improve driver stability.
* Added Christof Meerwald's Media Status patch to the
  TAP-Win32 driver which shows the TAP adapter to be
  disconnected when OpenVPN is not running.
* Moved socket connect and TCP server listen code to a later
  point in openvpn() function so that the TCP server listen
  state is entered after daemonization.
* Added keyboard shortcuts to simulate signals in the Windows
  version, see the window title bar for descriptions.

2003.07.24 -- Version 1.5-beta1

* Added TCP support via the new --proto option.
* Renamed udp-centric options such as --udp-mtu to
  --link-mtu (old option names preserved for compatibility).
* Ported to Windows 2000 + XP using mingw and a TAP driver
  derived from the Cipe-Win32 project by Damion K. Wilson.
* Added --show-adapters flag for windows version.
* Reworked the SSL/TLS packet acknowledge code to better
  handle certain corner cases.
* Turned off the default enabling of IP forwarding in the
  sample-scripts/openvpn.init script for Redhat.
  Forwarding can be enabled by users in their --up scripts
  or firewall config.
* Added --up-restart option based on suggestion from Sean
  Reifschneider.
* If --dev tap or --dev-type tap is specified, --tun-mtu
  defaults to 1500 and --tun-mtu-extra defaults to 64.
* Enabled --verb 5 debugging mode that prints 'R' and 'W'
  for each packet read or write on the TCP/UDP socket.

2003.08.04 -- Version 1.4.3

* Added md5.h include to crypto.c
  to fix build problem on OpenBSD.

2003.07.15 -- Version 1.4.2

* Removed adaptive bandwidth from
  --mtu-dynamic -- its absence appears
  to work better than its existence (1.4.1.2).
* Minor changes to --shaper to fix long
  retransmit timeouts at low bandwidth
  (1.4.1.2).
* Added LOG_RW flag to openvpn.h for
  debugging (1.4.1.2).
* Silenced spurious configure warnings (1.4.1.2).
* Backed out --dev-name patch, modified --dev
  to offer equivalent functionality (1.4.1.4).
* Added an optional parameter to --daemon and
  --inetd to support the passing of a custom
  program name to the system logger (1.4.1.5).
* Add compiled-in options to the program title
  (1.4.1.5).
* Coded the beginnings of a WIN32 port (1.4.1.5).
* Succeeded in porting to Win32 Mingw environment
  and running loopback tests (1.4.1.6). Still
  need a kernel driver for full Win32
  functionality.
* Fixed a bug in error.h where
  HAVE_CPP_VARARG_MACRO_GCC was misspelled.
  This would have caused a significant slowdown
  of OpenVPN when built by compilers that
  lack ISO C99 vararg macros (1.4.1.6).
* Created an init script for Gentoo Linux
  in ./gentoo directory (1.4.1.6).

2003.05.15 -- Version 1.4.1

* Modified the Linux 2.4 TUN/TAP open code to
  fall back to the 2.2 TUN/TAP interface if the
  open or ioctl fails.
* Fixed bug when --verb is set to 0 and non-fatal
  socket errors occur, causing 100% CPU utilization.
  Occurs on platforms where
  EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
  such as Linux 2.4.
* Fixed typo in tun.c that was preventing
  OpenBSD build.
* Added --enable-mtu-dynamic configure option
  to enable --mtu-dynamic experimental option.

2003.05.07 -- Version 1.4.0

* Added --replay-persist feature to allow replay
  protection across sessions.
* Fixed bug where --ifconfig could not be used
  with --tun-mtu.
* Added --tun-mtu-extra parameter to deal with
  the situation where a read on a TUN/TAP device
  returns more data than the device's MTU size.
* Fixed bug where some IPv6 support code for
  Linux was not being properly ifdefed out for
  Linux 2.2, causing compile errors.
* Added OPENVPN_EXIT_STATUS_x codes to
  openvpn.h to control which status value
  openvpn returns to its caller (such as
  a shell or inetd/xinetd) for various conditions.
* Added OPENVPN_DEBUG_COMMAND_LINE flag to
  openvpn.h to allow debugging in situations
  where stdout, stderr, and syslog cannot be used
  for message output, such as when OpenVPN is
  instantiated by inetd/xinetd.
* Removed owner-execute permission from file
  created by static key generator (Herbert Xu
  and Alberto Gonzalez Iniesta).
* Added --passtos option to allow IPv4 TOS bits
  to be passed from TUN/TAP input packets to
  the outgoing UDP socket (Craig Knox).
* Added code to prevent open socket file descriptors
  from being accessible to called scripts.
* Added --dev-name option (Christian Lademann).
* Added --mtu-disc option for manual control
  over MTU options.
* Show OS MTU value on UDP socket write failures
  (linux only).
* Numerous build system and portability
  fixes (Matthias Andree).
* Added better sensing of compiler support for
  variable argument macros, including (a) gcc
  style, (b) ISO C 1999 style, and (c) no support.
* Removed generated files from CVS. Note INSTALL
  file for new CVS build commands.
* Changed certain internal symbol names
  for C standards compliance.
* Added TUN/TAP open code to cycle dynamically
  through unit numbers until it finds a free
  unit (based on code from Thomas Gielfeldt
  and VTun).
* Added dynamic MTU and fragmenting infrastructure
  (Experimental). Rebuild with FRAGMENT_ENABLE
  defined to enable.
* Minor changes to SSL/TLS negotiation, use
  exponential backoff on retransmits, and use
  a smaller MTU size (note that no protocol
  changes have been made which would break
  compatibility with 1.3.x).
* Added --enable-strict-options flag
  to ./configure. This option will cause
  a more strict check for options compatibility
  between peers when SSL/TLS negotiation is used,
  but should only be used when both OpenVPN peers
  are of the same version.
* Reorganization of debugging levels.
* Added a workaround in configure.ac for
  default SSL header location on Linux
  to fix RH9 build problem.
* Fixed potential deadlock when pthread support
  is used on OSes that allocate a small socketpair()
  message buffer.
* Fixed openvpn.init to be sh compliant
  (Bishop Clark).
* Changed --daemon to wait until all
  initialization is finished before becoming a
  daemon, for the benefit of initialization
  scripts that want a useful return status from
  the openvpn command.
* Made openvpn.init script more robust, including
  positive indication of initialization errors
  in the openvpn daemon and better sanity checks.
* Changed --chroot to wait until initialization
  is finished before calling chroot(), and allow
  the use of --user and --group with --chroot.
* When syslog logging is enabled (--daemon or
  --inetd), set stdin/stdout/stderr to point
  to /dev/null.
* For inetd instantiations, dup socket descriptor
  to a >2 value.
* Fixed bug in verify-cn script, where test would
  incorrectly fail if CN=x was the last component
  of the X509 composite string (Anonymous).
* Added Markus F.X.J. Oberhumer's special
  license exception to COPYING.
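
The 1.4.0 entry about keeping open socket descriptors away from called scripts is the close-on-exec rule: a descriptor carrying FD_CLOEXEC is closed by the kernel in the child at exec time, so an --up or --down script never holds the tunnel socket. The Python below is an added demonstration and not OpenVPN's code: it opens a socket, marks it either inheritable (the leaky case) or close-on-exec, spawns a child interpreter with a probe script constructed for this example, and reports whether the child could see the socket. It assumes a POSIX host.

```python
import os
import socket
import stat
import subprocess
import sys

# Child-side probe (constructed for this example): print whether the fd number
# passed on the command line is still an open socket after exec.
PROBE = (
    "import os, stat, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    print('socket' if stat.S_ISSOCK(os.fstat(fd).st_mode) else 'other')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def fd_visible_to_child(inheritable: bool) -> bool:
    """Open a UDP socket, set its inheritance flag, exec a child and report
    whether the child can see the socket as an open descriptor."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # set_inheritable(False) sets FD_CLOEXEC on the descriptor.  close_fds=False
        # mimics a plain fork/exec that makes no effort to close anything, so the
        # only thing protecting the socket is the close-on-exec flag itself.
        sock.set_inheritable(inheritable)
        result = subprocess.run(
            [sys.executable, "-c", PROBE, str(sock.fileno())],
            close_fds=False, capture_output=True, text=True, check=True)
        return result.stdout.strip() == "socket"
    finally:
        sock.close()


if __name__ == "__main__":
    print("inheritable socket seen by child:  ", fd_visible_to_child(True))
    print("close-on-exec socket seen by child:", fd_visible_to_child(False))
```

The inheritable socket is fully usable by the child; the close-on-exec one is gone before the child's first instruction runs, which is the behaviour the log entry describes for scripts launched by the daemon.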

2002.10.23 -- Version 1.3.2

* Added SSL_CTX_set_client_CA_list call
  to follow the canonical form for TLS initialization
  recommended by the OpenSSL docs. This change allows
  better support for intermediate CAs and has no impact
  on security.
* Added build-inter script to easy-rsa package, to
  facilitate the generation of intermediate CAs.
* Ported to NetBSD (Dimitri Goldin).
* Fixed minor bug in easy-rsa/sign-req. It refers to
  openssl.cnf file, instead of $KEY_CONFIG, like all
  other scripts (Ernesto Baschny).
* Added --days 3650 to the root CA generation command
  in the HOWTO to override the woefully small 30 day
  default (Dominik 'Aeneas' Schnitzer).
* Fixed bug where --ping-restart would sometimes
  not re-resolve remote DNS hostname.
* Added --tun-ipv6 option and related infrastructure
  support for IPv6 over tun.
* Added IPv6 over tun support for Linux (Aaron Sethman).
* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
  INSTALL (Matthias Andree).
* Added inetd/xinetd support (--inetd) including
  documentation in the HOWTO.
* Added "Important Note on the use of commercial certificate
  authorities (CAs) with OpenVPN" to HOWTO based on
  issues raised on the openvpn-users list.

2002.07.10 -- Version 1.3.1

* Fixed bug in openvpn.spec and openvpn.init
  which caused RPM upgrade to fail.

2002.07.10 -- Version 1.3.0

* Added --dev-node option to allow explicit selection of
  tun/tap device node.
* Removed mlockall call from child thread, as it doesn't
  appear to be necessary (child thread inherits mlockall
  state from parent).
* Added --ping-timer-rem which causes timer for --ping-exit
  and --ping-restart not to run unless we have a remote IP
  address.
* Added condrestart to openvpn.init and openvpn.spec
  (Bishop Clark).
* Added --ifconfig case for FreeBSD (Matthias Andree).
* Call openlog with facility=LOG_DAEMON (Matthias Andree).
* Changed LOG_INFO messages to LOG_NOTICE.
* Added warning when key files are group/others accessible.
* Added --single-session flag for TLS mode.
* Fixed bug where --writepid would segfault if used with
  an invalid filename.
* Fixed bug where --ipchange status message was formatted
  incorrectly.
* Print more concise error message when system() call
  fails.
* Added --disable-occ option.
* Added --local, --remote, and --ifconfig options sanity
  check.
* Changed default UDP MTU to 1300 and TUN/TAP MTU to
  1300.
* Successfully tested with OpenSSL 0.9.7 Beta 2.
* Broke out debug level definitions to errlevel.h
* Minor documentation and web site changes.
* All changes maintain protocol compatibility
  with OpenVPN versions since 1.1.0, however default
  MTU changes will require setting the MTU explicitly
  by command line option, if you want 1.3.0 to
  communicate with previous versions.
2065 | | |
2066 | | 2002.06.12 -- Version 1.2.1 |
2067 | | |
2068 | | * Added --ping-restart option to restart |
2069 | | connection on ping timeout using SIGUSR1 |
2070 | | logic (Matthias Andree). |
2071 | | * Added --persist-tun, --persist-key, |
2072 | | --persist-local-ip, and --persist-remote-ip |
2073 | | options for finer-grained control over SIGUSR1 |
2074 | | and --ping-restart restarts. To |
2075 | | replicate previous SIGUSR1 functionality, |
2076 | | use --persist-remote-ip. |
2077 | | * Changed residual IV fetching code to take |
2078 | | IV from tail of ciphertext. |
2079 | | * Added check to make sure that CFB or OFB |
2080 | | cipher modes are only used with SSL/TLS |
2081 | | authentication mode, and added a caveat |
2082 | | to INSTALL. |
2083 | | * Changed signal handling during initialization |
2084 | | (including re-initialization during restarts) |
2085 | | to exit on SIGTERM or SIGINT and ignore other |
2086 | | signals which would ordinarily be caught. |
2087 | | * Added --resolv-retry option to allow |
2088 | | retries on hostname resolution. |
2089 | | * Expanded the --float option to also |
2090 | | allow dynamic changes in source port number |
2091 | | on incoming datagrams. |
2092 | | * Added --mute option to limit repetitive |
2093 | | logging of similar message types. |
2094 | | * Added --group option to downgrade GID |
2095 | | after initialization. |
2096 | | * Try to set ifconfig path automatically |
2097 | | in configure. |
2098 | | * Added --ifconfig code for Mac OS X |
2099 | | (Christoph Pfisterer). |
2100 | | * Moved "Peer Connection Initiated" message |
2101 | | to --verb level 1. |
2102 | | * Successfully tested with |
2103 | | OpenSSL 0.9.7 Beta 1 and AES cipher. |
2104 | | * Added RPM notes to INSTALL. |
2105 | | * Added ACX_PTHREAD (from the autoconf |
2106 | | macro archive) to configure.ac |
2107 | | to figure out the right pthread |
2108 | | options for a given platform. |
2109 | | * Broke out macro definitions from |
2110 | | configure.ac to acinclude.m4. |
2111 | | * Minor changes to docs and HOWTO. |
2112 | | * All changes maintain protocol compatibility |
2113 | | with OpenVPN versions since 1.1.0. |
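
The 1.2.1 entry above refuses CFB/OFB outside SSL/TLS mode, and the 1.1.0 entry further down notes that in those modes the IV is the timestamp and sequence number. The reason the check matters: an OFB keystream (and the first block of a CFB keystream) depends only on the key and the IV, so if the same (key, IV) pair is ever used twice, XORing the two ciphertexts cancels the keystream and yields the XOR of the plaintexts. With a static key, a restart that resets the sequence number inside the same timestamp second, or a clock stepped backwards, can repeat the IV; in TLS mode a fresh key is negotiated per session, so the pair does not recur. The following is an added illustration, not OpenVPN code: the keystream is SHA-256 in counter mode standing in for OFB, the 8-byte IV layout, the timestamp value and the plaintexts are all constructed for the demo.

```python
import hashlib

IV_LEN = 8  # assumed IV layout: 4-byte timestamp || 4-byte sequence number


def keystream(key, iv, n):
    """Keystream that depends only on (key, IV), as in OFB mode.
    SHA-256 in counter mode is a stand-in so the example needs no cipher
    library; the reuse property being demonstrated is the same."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, timestamp, seq, plaintext):
    """Explicit IV (timestamp, seq) travels in clear ahead of the ciphertext."""
    iv = timestamp.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return iv + xor(keystream(key, iv, len(plaintext)), plaintext)


def recover(c1, p1, c2):
    """Passive attacker with one known plaintext: if c1 and c2 share (key, IV),
    c1 ^ p1 is the keystream and c2 ^ keystream is the other plaintext.
    Returns None when the IVs differ (nothing to exploit here)."""
    if c1[:IV_LEN] != c2[:IV_LEN]:
        return None
    ks = xor(c1[IV_LEN:], p1)
    return xor(c2[IV_LEN:], ks)


P1 = b"GET /status HTTP/1.0\r\n"   # constructed, known to the attacker
P2 = b"PASS hunter2-secret!\r\n"   # constructed secret of the same length
T = 0x3D2A0000                     # constructed timestamp (seconds)


def static_key_case():
    """Same static key before and after a restart; the sequence number starts
    again at 1 inside the same timestamp second, so (key, IV) repeats."""
    key = b"static-key-shared-by-both-peers"
    c1 = encrypt(key, T, 1, P1)    # before restart
    c2 = encrypt(key, T, 1, P2)    # after restart: seq reset, same second
    return recover(c1, P1, c2)     # == P2: the secret is recovered


def tls_mode_case():
    """TLS mode negotiates a fresh key per session, so an identical IV
    no longer repeats the keystream and recovery yields garbage."""
    c1 = encrypt(b"session-key-A", T, 1, P1)
    c2 = encrypt(b"session-key-B", T, 1, P2)
    return recover(c1, P1, c2)
```

The same argument applies to any stream-style mode, which is why the static-key configuration is restricted to CBC, where a repeated IV leaks only whether two first blocks are equal rather than the plaintext itself.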
2114 | | |
2115 | | 2002.05.22 -- Version 1.2.0 |
2116 | | |
2117 | | * Added configuration file support via |
2118 | | the --config option. |
2119 | | * Added pthread support to improve latency. |
2120 | | With pthread support, OpenVPN |
2121 | | will offload CPU-intensive tasks such as RSA |
2122 | | key number crunching to a background thread |
2123 | | to improve tunnel packet forwarding |
2124 | | latency. pthread support can be enabled |
2125 | | with the --enable-pthread configure option. |
2126 | | Pthread support is currently available |
2127 | | only for Linux and Solaris. |
2128 | | * Added --dev-type option so that tun/tap |
2129 | | device names don't need to begin with |
2130 | | "tun" or "tap". |
2131 | | * Added --writepid option to write main |
2132 | | process ID to a file. |
2133 | | * Numerous portability fixes to ease |
2134 | | porting to other OSes including changing |
2135 | | all network types to uint8_t and uint32_t, |
2136 | | and not assuming that time_t is 32 bits. |
2137 | | * Backported to OpenSSL 0.9.5. |
2138 | | * Ported to Solaris. |
2139 | | * Finished OpenBSD port except for |
2140 | | pthread support. |
2141 | | * Added initialization script: |
2142 | | sample-scripts/openvpn.init |
2143 | | (Douglas Keller) |
2144 | | * Ported to Mac OS X (Christoph Pfisterer). |
2145 | | * Improved resilience to DoS attacks when |
2146 | | TLS mode is used without --remote or |
2147 | | --tls-auth, or when --float is used |
2148 | | with --remote. Note however that the best |
2149 | | defense against DoS attacks in TLS mode |
2150 | | is to use --tls-auth. |
2151 | | * Eliminated automake/autoconf dependency |
2152 | | for non-developers. |
2153 | | * Ported configure.in to configure.ac |
2154 | | and autoconf 2.50+. |
2155 | | * SIGHUP signal now causes OpenVPN to restart
2156 | | and re-read the command line and/or config file,
2157 | | in conformance with canonical daemon behaviour.
2158 | | * SIGUSR1 now does what SIGHUP did in |
2159 | | version 1.1.1 and earlier -- close and reopen |
2160 | | the UDP socket for use when DHCP changes |
2161 | | host's IP address and preserve most recently |
2162 | | authenticated peer address without rereading |
2163 | | config file. |
2164 | | * SIGUSR2 added -- outputs current statistics, |
2165 | | including compression statistics. |
2166 | | * All changes maintain protocol compatibility |
2167 | | with 1.1.1 and 1.1.0. |
2168 | | |
2169 | | 2002.04.22 -- Version 1.1.1 |
2170 | | |
2171 | | * Added --ifconfig option to automatically configure |
2172 | | TUN device. |
2173 | | * Added inactivity disconnect (--inactive |
2174 | | and --ping-exit options). |
2175 | | * Added --ping option to keep stateful firewalls |
2176 | | from timing out. |
2177 | | * Added sanity check to command line parser to |
2178 | | err if any TLS options are used in non-TLS mode. |
2179 | | * Fixed build problem with compiler environments that |
2180 | | define printf as a macro. |
2181 | | * Fixed build problem on Linux systems that have
2182 | | an integrated TUN/TAP driver but lack the persistent
2183 | | tunnel feature (TUNSETPERSIST). Some Linux kernels
2184 | | >= 2.4.0 and < 2.4.7 fall into this category.
2185 | | * Changed all calls to EVP_CipherInit to use explicit |
2186 | | encrypt/decrypt mode in order to fix problem with |
2187 | | IDEA-CBC and AES-256-CBC ciphers. |
2188 | | * Minor changes to control channel transmit limiter |
2189 | | algorithm to fix problem where TLS control channel |
2190 | | might not renegotiate within the default 60 second window. |
2191 | | * Simplified man page examples by taking advantage |
2192 | | of the new --ifconfig option. |
2193 | | * Minor changes to configure.in to check more
2194 | | rigorously for OpenSSL 0.9.6 or greater.
2195 | | * Put back openvpn.spec, eliminated |
2196 | | openvpn.spec.in. |
2197 | | * Modified openvpn.spec to reflect new automake-based |
2198 | | build environment (Bishop Clark). |
2199 | | * Other documentation changes. |
2200 | | * Added --test-crypto option for debugging. |
2201 | | * Added "missing" and "mkinstalldirs" automake |
2202 | | support files. |
2203 | | |
2204 | | |
2205 | | 2002.04.09 -- Version 1.1.0 |
2206 | | |
2207 | | * Strengthened replay protection and IV handling, |
2208 | | extending it fully to both static key and |
2209 | | TLS dynamic key exchange modes. |
2210 | | * Added --mlock option to disable paging and ensure that key |
2211 | | material and tunnel data is never paged to disk. |
2212 | | * Added optional traffic shaping feature to cap the maximum |
2213 | | data rate of the tunnel. |
2214 | | * Converted to automake (The Platypus Brothers 2002-04-01). |
2215 | | * Ported to OpenBSD by Janne Johansson. |
2216 | | * Added --tun-af-inet option to work around an incompatibility |
2217 | | between Linux and BSD tun drivers. |
2218 | | * Sequence number-based replay protection using the |
2219 | | IPSec sliding window model is now the default, |
2220 | | disable with --no-replay. |
2221 | | * Explicit IV is now the default, disable with --no-iv. |
2222 | | * Disabled all cipher modes except CBC, CFB, and OFB. |
2223 | | * In CBC mode, use explicit IV and carry forward residuals, |
2224 | | using IPSec model. |
2225 | | * In CFB/OFB mode, the IV is the timestamp and sequence number.
2226 | | * Eliminated --packet-id, --timestamp, and the max-delta parameter to
2227 | | the --tls-auth option as they are now supplanted by improved
2228 | | replay code which is enabled by default.
2229 | | * Eliminated --rand-iv as it is now obsolete with improved |
2230 | | IV code. |
2231 | | * Eliminated --reneg-err option as it increases vulnerability |
2232 | | to DoS attacks. |
2233 | | * Added weak key check for DES ciphers. |
2234 | | * --tls-freq option is no longer specified on the command line;
2235 | | instead it now inherits its parameter from the
2236 | | --tls-timeout option.
2237 | | * Fixed bug that would try to free memory on exit that was |
2238 | | never malloced if --comp-lzo was not specified. |
2239 | | * Errata fixed in the man page examples: "test-ca" should be |
2240 | | "tmp-ca". |
2241 | | * Updated manual page. |
2242 | | * Preliminary work in porting to OpenSSL 0.9.7. |
2243 | | * Changed license to allow linking with OpenSSL.
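
Two entries on this page describe the same receive-side gate: the 1.1.0 note above makes sequence-number replay protection "using the IPSec sliding window model" the default, and the 1.2.0 note further up calls --tls-auth the best DoS defense in TLS mode, because packets that fail the HMAC are dropped before any TLS processing. The example below is an added illustration, not OpenVPN code: it implements the sliding window (highest id accepted plus a bitmap of the ids just below it) and puts it behind an HMAC check in the spirit of --tls-auth. The packet layout (HMAC-SHA1 || 4-byte big-endian id || payload), the 64-bit window width and the traffic are all constructed for the demo and do not match OpenVPN's wire format.

```python
import hashlib
import hmac
import struct

# Assumed layout for this demo (not OpenVPN's): tag || seq || payload
TAG_LEN = hashlib.sha1().digest_size   # 20 bytes
SEQ_LEN = 4
WINDOW_BITS = 64                       # assumed window width


class ReplayWindow:
    """Sliding-window replay check over 32-bit packet ids, IPsec style.

    `highest` is the largest id accepted so far; bit d of `bitmap` records
    whether id (highest - d) has been accepted. Ids above `highest` slide
    the window forward, ids inside it are accepted once, and ids older
    than the window are dropped even if never seen before."""

    def __init__(self, size=WINDOW_BITS):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0      # 0 means nothing accepted yet
        self.bitmap = 0

    def accept(self, seq):
        if seq == 0:
            return False                      # id 0 is reserved, never valid
        if seq > self.highest:                # new high-water mark
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # everything old falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        d = self.highest - seq
        if d >= self.size:
            return False                      # too old to track: drop
        if self.bitmap & (1 << d):
            return False                      # already accepted: replay
        self.bitmap |= 1 << d                 # late but fresh: accept once
        return True


def wrap(key, seq, payload):
    """Sender side: authenticate (seq || payload) and prepend the tag."""
    body = struct.pack(">I", seq) + payload
    return hmac.new(key, body, hashlib.sha1).digest() + body


class ControlChannelGate:
    """Receiver side: HMAC first, replay window second, TLS last. Nothing
    that fails the HMAC ever touches the window or the TLS state machine."""

    def __init__(self, key):
        self.key = key
        self.window = ReplayWindow()

    def admit(self, packet):
        if len(packet) < TAG_LEN + SEQ_LEN:
            return False, "short"
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad-hmac"         # forged or wrong-key packet
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if not self.window.accept(seq):
            return False, "replay"           # replayed or stale packet
        return True, body[SEQ_LEN:]          # payload may now go to TLS


def replay_trace(ids, size=WINDOW_BITS):
    """Run a list of packet ids through a fresh window; return accept flags."""
    w = ReplayWindow(size)
    return [w.accept(i) for i in ids]


def gate_trace():
    """Constructed traffic: two genuine packets, a replay, a forgery under
    the wrong key, and a truncated packet."""
    key = b"constructed-tls-auth-key"
    gate = ControlChannelGate(key)
    p1 = wrap(key, 1, b"client-hello")
    p2 = wrap(key, 2, b"server-hello")
    forged = wrap(b"attacker-key", 3, b"junk")
    results = [gate.admit(p) for p in (p1, p2, p1, forged, p2[:10])]
    return ["ok" if ok else reason for ok, reason in results]
```

The order of the checks is the security-relevant part: if the window were updated before the HMAC was verified, an attacker could advance `highest` with forged ids and make every genuine packet look stale. The 64-packet width is a trade-off; reordering deeper than the window drops legitimate packets, which matters on lossy UDP paths.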
2244 | | |
2245 | | 2002.03.29 -- Version 1.0.3 |
2246 | | |
2247 | | * Fixed a problem in configure with library ordering on the |
2248 | | command line. |
2249 | | |
2250 | | 2002.03.28 -- Version 1.0.2 |
2251 | | |
2252 | | * Improved the efficiency of the inner event loop. |
2253 | | * Fixed a minor bug with timeout handling. |
2254 | | * Improved the build system to build on RH 6.2 through 7.2. |
2255 | | * Added an openvpn.spec file for RPM builders (Bishop Clark). |
2256 | | |
2257 | | 2002.03.23 -- Version 1.0 |
2258 | | |
2259 | | * Added TLS-based authentication and key exchange. |
2260 | | * Added gremlin mode to stress test. |
2261 | | * Wrote man page. |
2262 | | |
2263 | | 2001.12.26 -- Version 0.91 |
2264 | | |
2265 | | * Added any choice of cipher or HMAC digest. |
2266 | | |
2267 | | 2001.05.13 -- Version 0.90
2268 | | |
2269 | | * Initial release. |
2270 | | * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. |