Changes between Version 2 and Version 3 of ChangesInOpenvpn20


Ignore:
Timestamp:
07/24/14 14:30:03 (3 years ago)
Author:
samuli
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • ChangesInOpenvpn20

    v2 v3  
    14271427
    14281428* Initial testbed for 2.0.
    1429 
    1430 2004.05.09 -- Version 1.6.0
    1431        
    1432 * Unchanged from 1.6-rc4 except for version number
    1433   upgrade.
    1434 
    1435 2004.04.01 -- Version 1.6-rc4
    1436 
    1437 * Made minor customizations to devcon and
    1438   renamed as tapinstall.exe for Windows version.
    1439 * Fixed "storage size of `iv' isn't known" build
    1440   problem on FreeBSD.
    1441 * OpenSSL 0.9.7d bundled with Windows self-install.
    1442        
    1443 2004.03.13 -- Version 1.6-rc3
    1444 
    1445 * Minor Windows fixes for --ip-win32 dynamic, relating to
    1446   the way the TAP-Win32 driver responds to a DHCP request
    1447   from the Windows DHCP client.
    1448 * The net_gateway environmental variable wasn't being
    1449   set correctly for called scripts (Paul Zuber).
    1450 * Added code to determine the default gateway on FreeBSD,
    1451   allowing the --redirect-gateway option to work
    1452   (Juan Rodriguez Hervella).
    1453        
    1454 2004.03.04 -- Version 1.6-rc2
    1455 
    1456 * Fixed bug in Windows version where the NetBIOS node-type
    1457   DHCP option might have been passed even if it was not
    1458   specified.
    1459 * Fixed bug in Windows version introduced in 1.6-rc1, where
    1460   DHCP timeout would be set to 0 seconds if --ifconfig option
    1461   was used and --ip-win32 option was not explicitly specified.
    1462 * Added some new --dhcp-option types for Windows version.
    1463 
    1464 2004.03.02 -- Version 1.6-rc1
    1465 
    1466 * For Windows, make "--ip-win32 dynamic" the default.
    1467 * For Windows, make "--route-delay 10" the default
    1468   unless --ip-win32 dynamic is not used or --route-delay
    1469   is explicitly specified.
    1470 * L_TLS mutex could have been left in a locked state
    1471   for certain kinds of TLS errors.
    1472        
    1473 2004.02.22 -- Version 1.6-beta7
    1474        
    1475 * Allow scheduling priority increase (--nice) together
    1476   with UID/GID downgrade (--user/--group).
    1477 * Code that causes SIGUSR1 restart on TLS errors in TCP
    1478   mode was not activated in pthread builds.
    1479 * Save the certificate serial number in an environmental
    1480   variable called tls_serial_{n} prior to calling the
    1481   --tls-verify script.  n is the current cert chain level.
    1482 * Added NetBSD IPv6 tunnel capability (also requires
    1483   a kernel patch) (Horst Laschinsky).
    1484 * Fixed bug in checking the return value of the nice()
    1485   function (Ian Pilcher).
    1486 * Bug fix in new FreeBSD IPv6 over TUN code which was
    1487   originally added in 1.6-beta5 (Nathanael Rensen).
    1488 * More Socks5 fixes -- extended the struct frame
    1489   infrastructure to accomodate proxy-based encapsulation
    1490   overhead.
    1491 * Added --dhcp-option to Windows version for setting
    1492   adapter properties such as WINS & DNS servers.
    1493 * Use a default route-delay of 5 seconds when
    1494   --ip-win32 dynamic is specified (only applicable when
    1495   --route-delay is not explicitly specified).
    1496 * Added "log_append" registry variable to control
    1497   whether the OpenVPN service wrapper on Windows
    1498   opens log files in append (log_append="1") or
    1499   truncate (log_append="0") mode.  The default
    1500   is truncate.
    1501 
    1502 2004.02.05 -- Version 1.6-beta6
    1503 
    1504 * UDP over Socks5 fix to accomodate Socks5 encapsulation
    1505   overhead (Christof Meerwald).
    1506 * Minor --ip-win32 dynamic tweaks (use long lease time,
    1507   invalidate existing lease with DHCPNAK).
    1508 
    1509 2004.02.01 -- Version 1.6-beta5
    1510 
    1511 * Added Socks5 proxy support (Christof Meerwald).
    1512 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
    1513 * Special TAP-Win32 debug mode for Windows self-install that was
    1514   enabled in beta4 is now turned off.
    1515 * Added some new Solaris notes to INSTALL (Koen Maris).
    1516 * More work on --ip-win32 dynamic.
    1517 
    1518 2004.01.27 -- Version 1.6-beta4
    1519 
    1520 * For this beta, the Windows self-install is a debug version
    1521   and will run slower -- use only for testing.
    1522 * Reverted the --ip-win32 default back to 'ipapi'
    1523   from 'dynamic'.
    1524 * Added the offset parameter to '--ip-win32 dynamic' which
    1525   can be used to control the address of the masqueraded
    1526   DHCP server which replies to Windows DHCP requests.
    1527 * Added a wait/nowait option to --inetd (nowait can only
    1528   be used with TCP sockets, TLS authentication, and over
    1529   a bridged configuration -- see FAQ for more info)
    1530   (Stefan `Sec` Zehl).
    1531 * Added a build-time capability where TAP-Win32 driver
    1532   debug messages can be output by OpenVPN at --verb 6
    1533   or higher.
    1534 
    1535 2004.01.20 -- Version 1.6-beta2
    1536 
    1537 * Added ./configure --enable-iproute2 flag which
    1538   uses iproute2 instead of route + ifconfig --
    1539   this is necessary for the LEAF Linux distro
    1540   (Martin Hejl).
    1541 * Added renewal-time and rebind-time to set of
    1542   DHCP options returned by the TAP-Win32 driver when
    1543   "--ip-win32 dynamic" is used.
    1544        
    1545 2004.01.14 -- Version 1.6-beta1
    1546 
    1547 * Fixed --proxy bug that sometimes caused plaintext
    1548   control info generated by the proxy prior to http
    1549   CONNECT method establishment to be incorrectly
    1550   parsed as OpenVPN data.
    1551 * For Windows version, implemented the
    1552   "--ip-win32 dynamic" method and made it the default.
    1553   This method sets the TAP-Win32 adapter IP address
    1554   and netmask by replying to the kernel's DHCP queries.
    1555   See the man page for more detailed info.
    1556 * Added --connect-retry parameter which controls
    1557   the time interval (in seconds) between connect()
    1558   retries when --proto tcp-client is used.  Previously,
    1559   this value was hardcoded to 5 seconds, and still
    1560   defaults as such.
    1561 * --resolv-retry can now be used with a parameter
    1562   of "infinite" to retry indefinitely.
    1563 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
    1564   for support of multi-level certificate chains
    1565   (Sten Kalenda).
    1566 * Fixed --tls-auth incompatibility with 1.4.x and earlier
    1567   versions of OpenVPN when the passphrase file is an
    1568   OpenVPN static key file (as generated by --genkey).
    1569 * Added shell-escape support in config files using
    1570   the backslash character ("\") so that (for example)
    1571   double quotes can be passed to the shell.
    1572 * Added "contrib" subdirectory on tarball, source zip,
    1573   and CVS containing user-submitted contributions.
    1574 * Added an optional patch to the Redhat init script to
    1575   allow the configuration file directory to be a
    1576   multi-level directory hierarchy (Farkas Levente).
    1577   See contrib/multilevel-init.patch
    1578 * Added some scripts and documentation on using
    1579   Linux "fwmark" iptables rules to enable
    1580   fine-grained routing control over the VPN
    1581   (Sean Reifschneider, ).
    1582   See contrib/openvpn-fwmarkroute-1.00
    1583 
    1584 2003.11.20 -- Version 1.5.0
    1585 
    1586 * Minor documentation changes.
    1587 
    1588 2003.11.04 -- Version 1.5-beta14
    1589 
    1590 * Fixed build problem with ./configure --disable-ssl
    1591   that was reported on Debian woody.
    1592 * Fixed bug where --redirect-gateway could not be used
    1593   together with --resolv-retry.
    1594 
    1595 2003.11.03 -- Version 1.5-beta13
    1596 
    1597 * Added CRL (certificate revocation list) capability using
    1598   --crl-verify option (Stefano Bracalenti).
    1599 * Added --replay-window option for variable replay-protection
    1600   window sizes.
    1601 * Fixed --fragment bug which might have caused certain large
    1602   packets to be sent unfragmented.
    1603 * Modified --secret and --tls-auth to permit different cipher and
    1604   HMAC keys to be used for each data flow direction.  Also
    1605   increased static key file size generated by --genkey from
    1606   1024 to 2048 bits, where 512 bits each are reserved for
    1607   send-HMAC, encrypt, receive-HMAC, and decrypt.  Key file forward
    1608   and backward compatibility is maintained.  See --secret option
    1609   documentation on the man page for more info.
    1610 * Added --tls-remote option (Teemu Kiviniemi).
    1611 * Fixed --tls-cipher documention regarding correct delimiter
    1612   usage (Teemu Kiviniemi).
    1613 * Added --key-method option for selecting alternative data
    1614   channel key negotiation methods.  Method 1 is the default.
    1615   Method 2 has been added (see man page for more info).
    1616 * Added French translation of HOWTO to web site
    1617   (Guillaume Lehmann).
    1618 * Fixed problem caused by late resolver library load on
    1619   certain platforms when --resolv-retry and --chroot are
    1620   used together (Teemu Kiviniemi).
    1621 * In TCP mode, all decryption or TLS errors will abort the current
    1622   connection (this is not done in UDP mode because UDP is
    1623   "connectionless").
    1624 * Fixed a TCP client reconnect bug that only occurs on the
    1625   BSDs, where connect() fails with an invalid argument.  This
    1626   bug was partially (but not completely) fixed in beta7.
    1627 * Added "route_net_gateway" environmental variable which contains
    1628   the pre-existing default gateway address from the routing table
    1629   (there's no standard API for getting the default gateway, so
    1630   right now this feature only works on Windows or Linux).
    1631 * Renamed the "route_default_gateway" enviromental variable to
    1632   "route_vpn_gateway" -- this is the remote VPN endpoint.
    1633 * The special keywords vpn_gateway, net_gateway, and remote_host
    1634   can now be used for the network or gateway components of the
    1635   --route option.  See the man page for more info.
    1636 * Added the --redirect-gateway option to configure the VPN
    1637   as the default gateway (implemented on Linux and Windows only).
    1638 * Added the --http-proxy option with basic authentication
    1639   support for use in TCP client mode.  Successfully tested
    1640   using Squid as the HTTP proxy, with and without authentication.
    1641 
    1642 2003.10.12 -- Version 1.5-beta12
    1643 
    1644 * Fixed Linux-only bug in --mktun and --rmtun which was
    1645   introduced around beta8 or so, which would cause
    1646   an error such as "I don't recognize device tun0 as a
    1647   tun or tap device1".
    1648 * Added --ifconfig-nowarn option to disable options
    1649   consistency warnings about --ifconfig parameters.
    1650 * Don't allow any kind of sequence number backtracking or
    1651   message reordering when in TCP mode.
    1652 * Changed beta naming convention to use '_' (underscore)
    1653   rather than '-' (dash) to pacify rpmbuild.
    1654        
    1655 2003.10.08 -- Version 1.5-beta11
    1656 
    1657 * Modified code in the Windows version which sets the IP address
    1658   and netmask of the TAP-Win32 adapter using the IP Helper API.
    1659   Most of the changes involve better error recovery when
    1660   the IP Helper API returns an error status.  See the
    1661   manual page entry on --ip-win32 for more info.
    1662 
    1663 2003.10.08 -- Version 1.5-beta10
    1664 
    1665 * Added getpass() function for Windows version so that --askpass
    1666   option works correctly (Stefano Bracalenti).
    1667 * Added reboot advisory to end of Win32 install script.
    1668 * Changed crypto code to use pseudo-random IVs rather than
    1669   carrying forward the IV state from the previous packet.
    1670   This is in response to item 2 in the following document:
    1671   http://www.openssl.org/~bodo/tls-cbc.txt which points
    1672   out weaknesses in TLS's use of the same IV carryforward
    1673   approach.  This change does not break protocol compatibility
    1674   with previous versions of OpenVPN.
    1675 * Made a change to the crypto replay protection code to also
    1676   protect against certain kinds of packet reordering attacks.
    1677   This change does not break protocol compatibility with
    1678   previous versions of OpenVPN.
    1679 * Added --ip-win32 option to provide several choices for
    1680   setting the IP address on the TAP-Win32 adapter.
    1681 * #ifdefed out non-CBC crypto modes by default.
    1682 * Added --up-delay option to delay TUN/TAP open and --up script
    1683   execution until after connection establishment.  This option
    1684   replaces the earlier windows-only option --tap-delay.
    1685  
    1686 2003.10.01 -- Version 1.5-beta9
    1687 
    1688 * Fixed --route-noexec bug where option was not parsed correctly.
    1689 * Complain if --dev tun is specified without --ifconfig on Windows.
    1690 * Fixed bug where TCP connections on windows would sometimes cause
    1691   an assertion failure.
    1692 * Added a new flag to TAP-Win32 advanced properties that allows one
    1693   to set the adapter to be always "connected" even when an OpenVPN
    1694   process doesn't have it open.  The default behavior is to report
    1695   a media status of connected only when an OpenVPN process has the
    1696   adapter open.
    1697 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
    1698   DLLs in response to an OpenSSL security advisory.
    1699 
    1700 2003.09.30 -- Version 1.5-beta8
    1701 
    1702 * Extended the --ifconfig option to work on tap devices as well
    1703   as tun devices.
    1704 * Implemented the --ifconfig option for Windows, by calling the
    1705   netsh tool.
    1706 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
    1707   refresh the MAC cache.  This behaviour can be disabled with
    1708   --no-arp-del.
    1709 * On Windows, allow the --dev-node parameter (which specifies
    1710   the name of the TAP-Win32 adapter) to be omitted in cases where
    1711   there is a single TAP-Win32 adapter on the system which can be
    1712   assumed to be the default.
    1713 * Modified the diagnostic --verb 5 debugging level to print 'R'
    1714   for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
    1715   and 'w' for TUN/TAP write.
    1716 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
    1717   mode.
    1718 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
    1719 * Make the --enable-mtu-dynamic ./configure option enabled by
    1720   default.
    1721 * Deprecated the --mtu-dynamic run-time option, in favor of
    1722   --fragment.
    1723 * DNS names can now be used as --ifconfig parameters.
    1724 * Significant work on TAP-Win32 driver to bring up to SMP standards.
    1725 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
    1726   unloaded or disabled, while a user-space process has it open.
    1727 * On Windows, if --tun-mtu is not specified, it will be read from
    1728   the TAP-Win32 driver via ioctl.
    1729 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
    1730   signal (only when run from a console window).
    1731 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
    1732 * Renamed --mtu-dynamic option to --fragment to more accurately
    1733   reflect its function.  Fragment accepts a single parameter which
    1734   is the upper limit on acceptable UDP packet size.
    1735 * Changed default --tun-mtu-extra parameter to 32 from 64.
    1736 * Eliminated reference to malloc.o in configure.ac.
    1737 * Added tun device emulation to the TAP-Win32 driver.
    1738 * Added --route and related options.
    1739 * Added init script for SuSE Linux (Frank Plohmann).
    1740 * Extended option consistency check between peers to function
    1741   in all crypto modes, including static-key and cleartext modes.
    1742   Previously only TLS mode was supported.  Disable with
    1743   --disable-occ.
    1744 * Overall, increased the amount of configuration option sanity
    1745   checking, especially of networking parameters.
    1746 * Added --mtu-test option for empirical MTU measurement.
    1747 * Added Windows-only option --tap-delay to not set the TAP-Win32
    1748   adapter media state to 'connected' until TCP/UDP connection
    1749   establishment with peer.
    1750 * Slightly modified --route/--route-delay semantics so that when
    1751   --route is given without --route-delay, routes are added
    1752   immediately after tun/tap device open.  When --route-delay is
    1753   specified, routes will be added n seconds after connection
    1754   initiation, where n is the --route-delay parameter (which
    1755   can be set to 0).     
    1756 * Made TCP framing error into a non-fatal error that triggers a
    1757   connection reset.
    1758 
    1759 2003.08.28 -- Version 1.5-beta7
    1760 
    1761 * Fixed bug that caused OpenVPN not to respond to exit/restart
    1762   signals when --resolv-retry is used and a local or remote DNS
    1763   name cannot be resolved.
    1764 * Exported a series of environmental variables with useful
    1765   info for scripts.  See man page for more info.  Based
    1766   on a suggestion by Anthony Ciaravalo.
    1767 * Moved TCP/UDP socket bind to a point in the initialization
    1768   before the --up script gets called.  This is desirable
    1769   because (a) a socket bind failure will happen before
    1770   daemonization, allowing an error status code to be returned
    1771   to the shell and (b) the possibility is eliminated of a
    1772   socket bind failure causing the --up script to be run
    1773   but not the --down script.  This change has a side effect
    1774   that --resolv-retry will no longer work with --local.
    1775 * Fixed bug where if an OpenVPN TCP server went down and back
    1776   up again, Solaris or FreeBSD clients would fail to reconnect
    1777   to it.
    1778 * Fixed bug that prevented OpenVPN from being run by
    1779   inetd/xinetd in TCP mode.
    1780 * Added --log and --log-append options for logging messages to
    1781   a file.
    1782 * On Windows, check that the current user is a member of the
    1783   Administrator group before attempting install or uninstall.
    1784 
    1785 2003.08.16 -- Version 1.5-beta6
    1786 
    1787 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
    1788 
    1789 2003.08.14 -- Version 1.5-beta5
    1790 
    1791 * Added user-configurability of the TAP-Win32 adapter MTU
    1792   through the adapter advanced properties page.
    1793 * Added Windows Service support.
    1794 * On Windows, added file association and right-clickability
    1795   for .ovpn files (OpenVPN config files).
    1796 
    1797 2003.08.05 -- Version 1.5-beta4
    1798 
    1799 * Extra refinements and error checking added to Windows
    1800   NSIS install script.
    1801        
    1802 2003.08.05 -- Version 1.5-beta3
    1803        
    1804 * Added md5.h include to crypto.c to fix build problem on
    1805   OpenBSD.
    1806 * Created a Win32 installer using NSIS.
    1807 * Removed DelService command from TAP-Win32 INF file.  It appears
    1808   to be not necessary and it interfered with the ability to
    1809   uninstall and reinstall the driver without needing to reboot.
    1810 * On Windows version, added "addtap" and "deltapall" batch
    1811   files to add and delete TAP-Win32 adapter instances.
    1812 
    1813 2003.07.31 -- Version 1.5-beta2
    1814        
    1815 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
    1816   in Windows ASCII so it's easier to click and view.
    1817 * Added postscript and PDF versions of the HOWTO to the web
    1818   site (C R Zamana).
    1819 * Merged Michael Clarke's stability patch into TAP-Win32
    1820   driver which appears to fix the suspend/resume driver bug
    1821   and significantly improve driver stability.
    1822 * Added Christof Meerwald's Media Status patch to the
    1823   TAP-Win32 driver which shows the TAP adapter to be
    1824   disconnected when OpenVPN is not running.
    1825 * Moved socket connect and TCP server listen code to a later
    1826   point in openvpn() function so that the TCP server listen
    1827   state is entered after daemonization.
    1828 * Added keyboard shortcuts to simulate signals in the Windows
    1829   version, see the window title bar for descriptions.
    1830 
    1831 2003.07.24 -- Version 1.5-beta1
    1832        
    1833 * Added TCP support via the new --proto option.
    1834 * Renamed udp-centric options such as --udp-mtu to
    1835   --link-mtu (old option names preserved for compatibility).
    1836 * Ported to Windows 2000 + XP using mingw and a TAP driver
    1837   derived from the Cipe-Win32 project by Damion K. Wilson.
    1838 * Added --show-adapters flag for windows version.
    1839 * Reworked the SSL/TLS packet acknowledge code to better
    1840   handle certain corner cases.
    1841 * Turned off the default enabling of IP forwarding in the
    1842   sample-scripts/openvpn.init script for Redhat.
    1843   Forwarding can be enabled by users in their --up scripts
    1844   or firewall config.
    1845 * Added --up-restart option based on suggestion from Sean
    1846   Reifschneider.
    1847 * If --dev tap or --dev-type tap is specified, --tun-mtu
    1848   defaults to 1500 and --tun-mtu-extra defaults to 64.
    1849 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
    1850   for each packet read or write on the TCP/UDP socket.
    1851 
    1852 2003.08.04 -- Version 1.4.3
    1853 
    1854 * Added md5.h include to crypto.c
    1855   to fix build problem on OpenBSD.
    1856 
    1857 2003.07.15 -- Version 1.4.2
    1858 
    1859 * Removed adaptive bandwidth from
    1860   --mtu-dynamic -- its absence appears
    1861   to work better than its existence (1.4.1.2).
    1862 * Minor changes to --shaper to fix long
    1863   retransmit timeouts at low bandwidth
    1864   (1.4.1.2).
    1865 * Added LOG_RW flag to openvpn.h for
    1866   debugging (1.4.1.2).
    1867 * Silenced spurious configure warnings (1.4.1.2).
    1868 * Backed out --dev-name patch, modified --dev
    1869   to offer equivalent functionality (1.4.1.4).
    1870 * Added an optional parameter to --daemon and
    1871   --inetd to support the passing of a custom
    1872   program name to the system logger (1.4.1.5).
    1873 * Add compiled-in options to the program title
    1874   (1.4.1.5).
    1875 * Coded the beginnings of a WIN32 port (1.4.1.5).
    1876 * Succeeded in porting to Win32 Mingw environment
    1877   and running loopback tests (1.4.1.6).  Still
    1878   need a kernel driver for full Win32
    1879   functionality.
    1880 * Fixed a bug in error.h where
    1881   HAVE_CPP_VARARG_MACRO_GCC was misspelled.
    1882   This would have caused a significant slowdown
    1883   of OpenVPN when built by compilers that
    1884   lack ISO C99 vararg macros (1.4.1.6).
    1885 * Created an init script for Gentoo Linux
    1886   in ./gentoo directory (1.4.1.6).
    1887 
    1888 2003.05.15 -- Version 1.4.1
    1889 
    1890 * Modified the Linux 2.4 TUN/TAP open code to
    1891   fall back to the 2.2 TUN/TAP interface if the
    1892   open or ioctl fails.
    1893 * Fixed bug when --verb is set to 0 and non-fatal
    1894   socket errors occur, causing 100% CPU utilization.
    1895   Occurs on platorms where
    1896   EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
    1897   such as Linux 2.4.
    1898 * Fixed typo in tun.c that was preventing
    1899   OpenBSD build.
    1900 * Added --enable-mtu-dynamic configure option
    1901   to enable --mtu-dynamic experimental option.
    1902        
    1903 2003.05.07 -- Version 1.4.0
    1904 
    1905 * Added --replay-persist feature to allow replay
    1906   protection across sessions.
    1907 * Fixed bug where --ifconfig could not be used
    1908   with --tun-mtu.
    1909 * Added --tun-mtu-extra parameter to deal with
    1910   the situation where a read on a TUN/TAP device
    1911   returns more data than the device's MTU size.
    1912 * Fixed bug where some IPv6 support code for
    1913   Linux was not being properly ifdefed out for
    1914   Linux 2.2, causing compile errors.
    1915 * Added OPENVPN_EXIT_STATUS_x codes to
    1916   openvpn.h to control which status value
    1917   openvpn returns to its caller (such as
    1918   a shell or inetd/xinetd) for various conditions.
    1919 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
    1920   openvpn.h to allow debugging in situations
    1921   where stdout, stderr, and syslog cannot be used
    1922   for message output, such as when OpenVPN is
    1923   instantiated by inetd/xinetd.
    1924 * Removed owner-execute permission from file
    1925   created by static key generator (Herbert Xu
    1926   and Alberto Gonzalez Iniesta).
    1927 * Added --passtos option to allow IPv4 TOS bits
    1928   to be passed from TUN/TAP input packets to
    1929   the outgoing UDP socket (Craig Knox).
    1930 * Added code to prevent open socket file descriptors
    1931   from being accessible to called scripts.
    1932 * Added --dev-name option (Christian Lademann).
    1933 * Added --mtu-disc option for manual control
    1934   over MTU options.
    1935 * Show OS MTU value on UDP socket write failures
    1936   (linux only).
    1937 * Numerous build system and portability
    1938   fixes (Matthias Andree).
    1939 * Added better sensing of compiler support for
    1940   variable argument macros, including (a) gcc
    1941   style, (b) ISO C 1999 style, and (c) no support.
    1942 * Removed generated files from CVS.  Note INSTALL
    1943   file for new CVS build commands.
    1944 * Changed certain internal symbol names
    1945   for C standards compliance.
    1946 * Added TUN/TAP open code to cycle dynamically
    1947   through unit numbers until it finds a free
    1948   unit (based on code from Thomas Gielfeldt
    1949   and VTun).
    1950 * Added dynamic MTU and fragmenting infrastructure
    1951   (Experimental).  Rebuild with FRAGMENT_ENABLE
    1952   defined to enable.
    1953 * Minor changes to SSL/TLS negotiation, use
    1954   exponential backoff on retransmits, and use
    1955   a smaller MTU size (note that no protocol
    1956   changes have been made which would break
    1957   compatibility with 1.3.x).
    1958 * Added --enable-strict-options flag
    1959   to ./configure.  This option will cause
    1960   a more strict check for options compatibility
    1961   between peers when SSL/TLS negotiation is used,
    1962   but should only be used when both OpenVPN peers
    1963   are of the same version.
    1964 * Reorganization of debugging levels.
    1965 * Added a workaround in configure.ac for
    1966   default SSL header location on Linux
    1967   to fix RH9 build problem.
    1968 * Fixed potential deadlock when pthread support
    1969   is used on OSes that allocate a small socketpair()
    1970   message buffer.
    1971 * Fixed openvpn.init to be sh compliant
    1972   (Bishop Clark).
    1973 * Changed --daemon to wait until all
    1974   initialization is finished before becoming a
    1975   daemon, for the benefit of initialization
    1976   scripts that want a useful return status from
    1977   the openvpn command.
    1978 * Made openvpn.init script more robust, including
    1979   positive indication of initialization errors
    1980   in the openvpn daemon and better sanity checks.
    1981 * Changed --chroot to wait until initialization
    1982   is finished before calling chroot(), and allow
    1983   the use of --user and --group with --chroot.
    1984 * When syslog logging is enabled (--daemon or
    1985   --inetd), set stdin/stdout/stderr to point
    1986   to /dev/null.
    1987 * For inetd instantiations, dup socket descriptor
    1988   to a >2 value.
    1989 * Fixed bug in verify-cn script, where test would
    1990   incorrectly fail if CN=x was the last component
    1991   of the X509 composite string (Anonymous).
    1992 * Added Markus F.X.J. Oberhumer's special
    1993   license exception to COPYING.
    1994 
    1995 2002.10.23 -- Version 1.3.2
    1996 
    1997 * Added SSL_CTX_set_client_CA_list call
    1998   to follow the canonical form for TLS initialization
    1999   recommended by the OpenSSL docs.  This change allows
    2000   better support for intermediate CAs and has no impact
    2001   on security.
    2002 * Added build-inter script to easy-rsa package, to
    2003   facilitate the generation of intermediate CAs.
    2004 * Ported to NetBSD (Dimitri Goldin).
    2005 * Fixed minor bug in easy-rsa/sign-req.  It refers to
    2006   openssl.cnf file, instead of $KEY_CONFIG, like all
    2007   other scripts (Ernesto Baschny).
    2008 * Added --days 3650 to the root CA generation command
    2009   in the HOWTO to override the woefully small 30 day
    2010   default (Dominik 'Aeneas' Schnitzer).
    2011 * Fixed bug where --ping-restart would sometimes
    2012   not re-resolve remote DNS hostname.
    2013 * Added --tun-ipv6 option and related infrastructure
    2014   support for IPv6 over tun.
    2015 * Added IPv6 over tun support for Linux (Aaron Sethman).
    2016 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
    2017   INSTALL (Matthias Andree).
    2018 * Added inetd/xinetd support (--inetd) including
    2019   documentation in the HOWTO.
    2020 * Added "Important Note on the use of commercial certificate
    2021   authorities (CAs) with OpenVPN" to HOWTO based on
    2022   issues raised on the openvpn-users list.
    2023 
    2024 2002.07.10 -- Version 1.3.1
    2025 
    2026 * Fixed bug in openvpn.spec and openvpn.init
    2027   which caused RPM upgrade to fail.
    2028 
    2029 2002.07.10 -- Version 1.3.0
    2030 
    2031 * Added --dev-node option to allow explicit selection of
    2032   tun/tap device node.
    2033 * Removed mlockall call from child thread, as it doesn't
    2034   appear to be necessary (child thread inherits mlockall
    2035   state from parent).
    2036 * Added --ping-timer-rem which causes timer for --ping-exit
    2037   and --ping-restart not to run unless we have a remote IP
    2038   address.
    2039 * Added condrestart to openvpn.init and openvpn.spec
    2040   (Bishop Clark).
    2041 * Added --ifconfig case for FreeBSD (Matthias Andree).
    2042 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
    2043 * Changed LOG_INFO messages to LOG_NOTICE.
    2044 * Added warning when key files are group/others accessible.
    2045 * Added --single-session flag for TLS mode.
    2046 * Fixed bug where --writepid would segfault if used with
    2047   an invalid filename.
    2048 * Fixed bug where --ipchange status message was formatted
    2049   incorrectly.
    2050 * Print more concise error message when system() call
    2051   fails.
    2052 * Added --disable-occ option.
    2053 * Added --local, --remote, and --ifconfig options sanity
    2054   check.
    2055 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
    2056   1300.
    2057 * Successfully tested with OpenSSL 0.9.7 Beta 2.
    2058 * Broke out debug level definitions to errlevel.h
    2059 * Minor documentation and web site changes.
    2060 * All changes maintain protocol compatibility
    2061   with OpenVPN versions since 1.1.0, however default
    2062   MTU changes will require setting the MTU explicitly
    2063   by command line option, if you want 1.3.0 to
    2064   communicate with previous versions.
    2065 
    2066 2002.06.12 -- Version 1.2.1
    2067 
    2068 * Added --ping-restart option to restart
    2069   connection on ping timeout using SIGUSR1
    2070   logic (Matthias Andree).
    2071 * Added --persist-tun, --persist-key,
    2072   --persist-local-ip, and --persist-remote-ip
    2073   options for finer-grained control over SIGUSR1
    2074   and --ping-restart restarts.  To
    2075   replicate previous SIGUSR1 functionality,
    2076   use --persist-remote-ip.
    2077 * Changed residual IV fetching code to take
    2078   IV from tail of ciphertext.
    2079 * Added check to make sure that CFB or OFB
    2080   cipher modes are only used with SSL/TLS
    2081   authentication mode, and added a caveat
    2082   to INSTALL.
    2083 * Changed signal handling during initialization
    2084   (including re-initialization during restarts)
    2085   to exit on SIGTERM or SIGINT and ignore other
    2086   signals which would ordinarily be caught.
    2087 * Added --resolv-retry option to allow
    2088   retries on hostname resolution.
    2089 * Expanded the --float option to also
    2090   allow dynamic changes in source port number
    2091   on incoming datagrams.
    2092 * Added --mute option to limit repetitive
    2093   logging of similar message types.
    2094 * Added --group option to downgrade GID
    2095   after initialization.
    2096 * Try to set ifconfig path automatically
    2097   in configure.
    2098 * Added --ifconfig code for Mac OS X
    2099   (Christoph Pfisterer).
    2100 * Moved "Peer Connection Initiated" message
    2101   to --verb level 1.
    2102 * Successfully tested with
    2103   OpenSSL 0.9.7 Beta 1 and AES cipher.
    2104 * Added RPM notes to INSTALL.
    2105 * Added ACX_PTHREAD (from the autoconf
    2106   macro archive) to configure.ac
    2107   to figure out the right pthread
    2108   options for a given platform.
    2109 * Broke out macro definitions from
    2110   configure.ac to acinclude.m4.
    2111 * Minor changes to docs and HOWTO.
    2112 * All changes maintain protocol compatibility
    2113   with OpenVPN versions since 1.1.0.
    2114 
    2115 2002.05.22 -- Version 1.2.0
    2116 
    2117 * Added configuration file support via
    2118   the --config option.
    2119 * Added pthread support to improve latency.
    2120   With pthread support, OpenVPN
    2121   will offload CPU-intensive tasks such as RSA
    2122   key number crunching to a background thread
    2123   to improve tunnel packet forwarding
    2124   latency.  pthread support can be enabled
    2125   with the --enable-pthread configure option.
    2126   Pthread support is currently available
    2127   only for Linux and Solaris.
    2128 * Added --dev-type option so that tun/tap
    2129   device names don't need to begin with
    2130   "tun" or "tap".
    2131 * Added --writepid option to write main
    2132   process ID to a file.
    2133 * Numerous portability fixes to ease
    2134   porting to other OSes including changing
    2135   all network types to uint8_t and uint32_t,
    2136   and not assuming that time_t is 32 bits.
    2137 * Backported to OpenSSL 0.9.5.
    2138 * Ported to Solaris.
    2139 * Finished OpenBSD port except for
    2140   pthread support.
    2141 * Added initialization script:
    2142   sample-scripts/openvpn.init
    2143   (Douglas Keller)
    2144 * Ported to Mac OS X (Christoph Pfisterer).
    2145 * Improved resilience to DoS attacks when
    2146   TLS mode is used without --remote or
    2147   --tls-auth, or when --float is used
    2148   with --remote.  Note however that the best
    2149   defense against DoS attacks in TLS mode
    2150   is to use --tls-auth.
    2151 * Eliminated automake/autoconf dependency
    2152   for non-developers.
    2153 * Ported configure.in to configure.ac
    2154   and autoconf 2.50+.
    2155 * SIGHUP signal now causes OpenVPN to restart
    2156   and re-read command line and or config file,
    2157   in conformance with canonical daemon behaviour.
    2158 * SIGUSR1 now does what SIGHUP did in
    2159   version 1.1.1 and earlier -- close and reopen
    2160   the UDP socket for use when DHCP changes
    2161   host's IP address and preserve most recently
    2162   authenticated peer address without rereading
    2163   config file.
    2164 * SIGUSR2 added -- outputs current statistics,
    2165   including compression statistics.
    2166 * All changes maintain protocol compatibility
    2167   with 1.1.1 and 1.1.0.
    2168 
    2169 2002.04.22 -- Version 1.1.1
    2170        
    2171 * Added --ifconfig option to automatically configure
    2172   TUN device.
    2173 * Added inactivity disconnect (--inactive
    2174   and --ping-exit options).
    2175 * Added --ping option to keep stateful firewalls
    2176   from timing out.
    2177 * Added sanity check to command line parser to
    2178   err if any TLS options are used in non-TLS mode.
    2179 * Fixed build problem with compiler environments that
    2180   define printf as a macro.
    2181 * Fixed build problem on linux systems that have
    2182   an integrated TUN/TAP driver but lack the persistent
    2183   tunnel feature (TUNSETPERSIST).  Some linux kernels
    2184   >= 2.4.0 and < 2.4.7 fall into this category.
    2185 * Changed all calls to EVP_CipherInit to use explicit
    2186   encrypt/decrypt mode in order to fix problem with
    2187   IDEA-CBC and AES-256-CBC ciphers.
    2188 * Minor changes to control channel transmit limiter
    2189   algorithm to fix problem where TLS control channel
    2190   might not renegotiate within the default 60 second window.
    2191 * Simplified man page examples by taking advantage
    2192   of the new --ifconfig option.
    2193 * Minor changes to configure.in to check more
    2194   rigourously for OpenSSL 0.9.6 or greater.
    2195 * Put back openvpn.spec, eliminated
    2196   openvpn.spec.in.
    2197 * Modified openvpn.spec to reflect new automake-based
    2198   build environment (Bishop Clark).
    2199 * Other documentation changes.
    2200 * Added --test-crypto option for debugging.
    2201 * Added "missing" and "mkinstalldirs" automake
    2202   support files.
    2203 
    2204 
    2205 2002.04.09 -- Version 1.1.0
    2206 
    2207 * Strengthened replay protection and IV handling,
    2208   extending it fully to both static key and
    2209   TLS dynamic key exchange modes.
    2210 * Added --mlock option to disable paging and ensure that key
    2211   material and tunnel data is never paged to disk.
    2212 * Added optional traffic shaping feature to cap the maximum
    2213   data rate of the tunnel.
    2214 * Converted to automake (The Platypus Brothers 2002-04-01).
    2215 * Ported to OpenBSD by Janne Johansson.
    2216 * Added --tun-af-inet option to work around an incompatibility
    2217   between Linux and BSD tun drivers.
    2218 * Sequence number-based replay protection using the
    2219   IPSec sliding window model is now the default,
    2220   disable with --no-replay.
    2221 * Explicit IV is now the default, disable with --no-iv.
    2222 * Disabled all cipher modes except CBC, CFB, and OFB.
    2223 * In CBC mode, use explicit IV and carry forward residuals,
    2224   using IPSec model.
    2225 * In CFB/OFB mode, IV is timestamp, sequence number.
    2226 * Eliminated --packet-id, --timestamp, and max-delta parameter to
    2227   the --tls-auth option as they are now supplanted by improved
    2228   replay code which is enabled by default.
    2229 * Eliminated --rand-iv as it is now obsolete with improved
    2230   IV code.
    2231 * Eliminated --reneg-err option as it increases vulnerability
    2232   to DoS attacks.
    2233 * Added weak key check for DES ciphers.
    2234 * --tls-freq option is no longer specified on the command line,
    2235   instead it now inherits its parameter from the
    2236   --tls-timeout option.
    2237 * Fixed bug that would try to free memory on exit that was
    2238   never malloced if --comp-lzo was not specified.
    2239 * Errata fixed in the man page examples: "test-ca" should be
    2240   "tmp-ca".
    2241 * Updated manual page.
    2242 * Preliminary work in porting to OpenSSL 0.9.7.
    2243 * Changed license to allowing linking with OpenSSL.
    2244 
    2245 2002.03.29 -- Version 1.0.3
    2246 
    2247 * Fixed a problem in configure with library ordering on the
    2248   command line.
    2249 
    2250 2002.03.28 -- Version 1.0.2
    2251 
    2252 * Improved the efficiency of the inner event loop.
    2253 * Fixed a minor bug with timeout handling.
    2254 * Improved the build system to build on RH 6.2 through 7.2.
    2255 * Added an openvpn.spec file for RPM builders (Bishop Clark).
    2256 
    2257 2002.03.23 -- Version 1.0
    2258 
    2259 * Added TLS-based authentication and key exchange.
    2260 * Added gremlin mode to stress test.
    2261 * Wrote man page.
    2262 
    2263 2001.12.26 -- Version 0.91
    2264 
    2265 * Added any choice of cipher or HMAC digest.
    2266 
    2267 2001.5.13 -- Version 0.90
    2268 
    2269 * Initial release.
    2270 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.
    22711429}}}