Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Version 2 and Version 3 of ChangesInOpenvpn20

Timestamp:: 07/24/14 14:30:03 (10 years ago)
Author:: Samuli Seppänen
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ChangesInOpenvpn20

-                      v2
+                      v3
 * Initial testbed for 2.0.
-.05.09 -- Version 1.6.0
-* Unchanged from 1.6-rc4 except for version number
-  upgrade.
-.04.01 -- Version 1.6-rc4
-* Made minor customizations to devcon and
-  renamed as tapinstall.exe for Windows version.
-* Fixed "storage size of `iv' isn't known" build
-  problem on FreeBSD.
-* OpenSSL 0.9.7d bundled with Windows self-install.
-.03.13 -- Version 1.6-rc3
-* Minor Windows fixes for --ip-win32 dynamic, relating to
-  the way the TAP-Win32 driver responds to a DHCP request
-  from the Windows DHCP client.
-* The net_gateway environmental variable wasn't being
-  set correctly for called scripts (Paul Zuber).
-* Added code to determine the default gateway on FreeBSD,
-  allowing the --redirect-gateway option to work
-  (Juan Rodriguez Hervella).
-.03.04 -- Version 1.6-rc2
-* Fixed bug in Windows version where the NetBIOS node-type
-  DHCP option might have been passed even if it was not
-  specified.
-* Fixed bug in Windows version introduced in 1.6-rc1, where
-  DHCP timeout would be set to 0 seconds if --ifconfig option
-  was used and --ip-win32 option was not explicitly specified.
-* Added some new --dhcp-option types for Windows version.
-.03.02 -- Version 1.6-rc1
-* For Windows, make "--ip-win32 dynamic" the default.
-* For Windows, make "--route-delay 10" the default
-  unless --ip-win32 dynamic is not used or --route-delay
-  is explicitly specified.
-* L_TLS mutex could have been left in a locked state
-  for certain kinds of TLS errors.
-.02.22 -- Version 1.6-beta7
-* Allow scheduling priority increase (--nice) together
-  with UID/GID downgrade (--user/--group).
-* Code that causes SIGUSR1 restart on TLS errors in TCP
-  mode was not activated in pthread builds.
-* Save the certificate serial number in an environmental
-  variable called tls_serial_{n} prior to calling the
-  --tls-verify script.  n is the current cert chain level.
-* Added NetBSD IPv6 tunnel capability (also requires
-  a kernel patch) (Horst Laschinsky).
-* Fixed bug in checking the return value of the nice()
-  function (Ian Pilcher).
-* Bug fix in new FreeBSD IPv6 over TUN code which was
-  originally added in 1.6-beta5 (Nathanael Rensen).
-* More Socks5 fixes -- extended the struct frame
-  infrastructure to accomodate proxy-based encapsulation
-  overhead.
-* Added --dhcp-option to Windows version for setting
-  adapter properties such as WINS & DNS servers.
-* Use a default route-delay of 5 seconds when
-  --ip-win32 dynamic is specified (only applicable when
-  --route-delay is not explicitly specified).
-* Added "log_append" registry variable to control
-  whether the OpenVPN service wrapper on Windows
-  opens log files in append (log_append="1") or
-  truncate (log_append="0") mode.  The default
-  is truncate.
-.02.05 -- Version 1.6-beta6
-* UDP over Socks5 fix to accomodate Socks5 encapsulation
-  overhead (Christof Meerwald).
-* Minor --ip-win32 dynamic tweaks (use long lease time,
-  invalidate existing lease with DHCPNAK).
-.02.01 -- Version 1.6-beta5
-* Added Socks5 proxy support (Christof Meerwald).
-* IPv6 tun support for FreeBSD (Thomas Glanzmann).
-* Special TAP-Win32 debug mode for Windows self-install that was
-  enabled in beta4 is now turned off.
-* Added some new Solaris notes to INSTALL (Koen Maris).
-* More work on --ip-win32 dynamic.
-.01.27 -- Version 1.6-beta4
-* For this beta, the Windows self-install is a debug version
-  and will run slower -- use only for testing.
-* Reverted the --ip-win32 default back to 'ipapi'
-  from 'dynamic'.
-* Added the offset parameter to '--ip-win32 dynamic' which
-  can be used to control the address of the masqueraded
-  DHCP server which replies to Windows DHCP requests.
-* Added a wait/nowait option to --inetd (nowait can only
-  be used with TCP sockets, TLS authentication, and over
-  a bridged configuration -- see FAQ for more info)
-  (Stefan `Sec` Zehl).
-* Added a build-time capability where TAP-Win32 driver
-  debug messages can be output by OpenVPN at --verb 6
-  or higher.
-.01.20 -- Version 1.6-beta2
-* Added ./configure --enable-iproute2 flag which
-  uses iproute2 instead of route + ifconfig --
-  this is necessary for the LEAF Linux distro
-  (Martin Hejl).
-* Added renewal-time and rebind-time to set of
-  DHCP options returned by the TAP-Win32 driver when
-  "--ip-win32 dynamic" is used.
-.01.14 -- Version 1.6-beta1
-* Fixed --proxy bug that sometimes caused plaintext
-  control info generated by the proxy prior to http
-  CONNECT method establishment to be incorrectly
-  parsed as OpenVPN data.
-* For Windows version, implemented the
-  "--ip-win32 dynamic" method and made it the default.
-  This method sets the TAP-Win32 adapter IP address
-  and netmask by replying to the kernel's DHCP queries.
-  See the man page for more detailed info.
-* Added --connect-retry parameter which controls
-  the time interval (in seconds) between connect()
-  retries when --proto tcp-client is used.  Previously,
-  this value was hardcoded to 5 seconds, and still
-  defaults as such.
-* --resolv-retry can now be used with a parameter
-  of "infinite" to retry indefinitely.
-* Added SSL_CTX_use_certificate_chain_file() to ssl.c
-  for support of multi-level certificate chains
-  (Sten Kalenda).
-* Fixed --tls-auth incompatibility with 1.4.x and earlier
-  versions of OpenVPN when the passphrase file is an
-  OpenVPN static key file (as generated by --genkey).
-* Added shell-escape support in config files using
-  the backslash character ("\") so that (for example)
-  double quotes can be passed to the shell.
-* Added "contrib" subdirectory on tarball, source zip,
-  and CVS containing user-submitted contributions.
-* Added an optional patch to the Redhat init script to
-  allow the configuration file directory to be a
-  multi-level directory hierarchy (Farkas Levente).
-  See contrib/multilevel-init.patch
-* Added some scripts and documentation on using
-  Linux "fwmark" iptables rules to enable
-  fine-grained routing control over the VPN
-  (Sean Reifschneider, ).
-  See contrib/openvpn-fwmarkroute-1.00
-.11.20 -- Version 1.5.0
-* Minor documentation changes.
-.11.04 -- Version 1.5-beta14
-* Fixed build problem with ./configure --disable-ssl
-  that was reported on Debian woody.
-* Fixed bug where --redirect-gateway could not be used
-  together with --resolv-retry.
-.11.03 -- Version 1.5-beta13
-* Added CRL (certificate revocation list) capability using
-  --crl-verify option (Stefano Bracalenti).
-* Added --replay-window option for variable replay-protection
-  window sizes.
-* Fixed --fragment bug which might have caused certain large
-  packets to be sent unfragmented.
-* Modified --secret and --tls-auth to permit different cipher and
-  HMAC keys to be used for each data flow direction.  Also
-  increased static key file size generated by --genkey from
-to 2048 bits, where 512 bits each are reserved for
-  send-HMAC, encrypt, receive-HMAC, and decrypt.  Key file forward
-  and backward compatibility is maintained.  See --secret option
-  documentation on the man page for more info.
-* Added --tls-remote option (Teemu Kiviniemi).
-* Fixed --tls-cipher documention regarding correct delimiter
-  usage (Teemu Kiviniemi).
-* Added --key-method option for selecting alternative data
-  channel key negotiation methods.  Method 1 is the default.
-  Method 2 has been added (see man page for more info).
-* Added French translation of HOWTO to web site
-  (Guillaume Lehmann).
-* Fixed problem caused by late resolver library load on
-  certain platforms when --resolv-retry and --chroot are
-  used together (Teemu Kiviniemi).
-* In TCP mode, all decryption or TLS errors will abort the current
-  connection (this is not done in UDP mode because UDP is
-  "connectionless").
-* Fixed a TCP client reconnect bug that only occurs on the
-  BSDs, where connect() fails with an invalid argument.  This
-  bug was partially (but not completely) fixed in beta7.
-* Added "route_net_gateway" environmental variable which contains
-  the pre-existing default gateway address from the routing table
-  (there's no standard API for getting the default gateway, so
-  right now this feature only works on Windows or Linux).
-* Renamed the "route_default_gateway" enviromental variable to
-  "route_vpn_gateway" -- this is the remote VPN endpoint.
-* The special keywords vpn_gateway, net_gateway, and remote_host
-  can now be used for the network or gateway components of the
-  --route option.  See the man page for more info.
-* Added the --redirect-gateway option to configure the VPN
-  as the default gateway (implemented on Linux and Windows only).
-* Added the --http-proxy option with basic authentication
-  support for use in TCP client mode.  Successfully tested
-  using Squid as the HTTP proxy, with and without authentication.
-.10.12 -- Version 1.5-beta12
-* Fixed Linux-only bug in --mktun and --rmtun which was
-  introduced around beta8 or so, which would cause
-  an error such as "I don't recognize device tun0 as a
-  tun or tap device1".
-* Added --ifconfig-nowarn option to disable options
-  consistency warnings about --ifconfig parameters.
-* Don't allow any kind of sequence number backtracking or
-  message reordering when in TCP mode.
-* Changed beta naming convention to use '_' (underscore)
-  rather than '-' (dash) to pacify rpmbuild.
-.10.08 -- Version 1.5-beta11
-* Modified code in the Windows version which sets the IP address
-  and netmask of the TAP-Win32 adapter using the IP Helper API.
-  Most of the changes involve better error recovery when
-  the IP Helper API returns an error status.  See the
-  manual page entry on --ip-win32 for more info.
-.10.08 -- Version 1.5-beta10
-* Added getpass() function for Windows version so that --askpass
-  option works correctly (Stefano Bracalenti).
-* Added reboot advisory to end of Win32 install script.
-* Changed crypto code to use pseudo-random IVs rather than
-  carrying forward the IV state from the previous packet.
-  This is in response to item 2 in the following document:
-  http://www.openssl.org/~bodo/tls-cbc.txt which points
-  out weaknesses in TLS's use of the same IV carryforward
-  approach.  This change does not break protocol compatibility
-  with previous versions of OpenVPN.
-* Made a change to the crypto replay protection code to also
-  protect against certain kinds of packet reordering attacks.
-  This change does not break protocol compatibility with
-  previous versions of OpenVPN.
-* Added --ip-win32 option to provide several choices for
-  setting the IP address on the TAP-Win32 adapter.
-* #ifdefed out non-CBC crypto modes by default.
-* Added --up-delay option to delay TUN/TAP open and --up script
-  execution until after connection establishment.  This option
-  replaces the earlier windows-only option --tap-delay.
-.10.01 -- Version 1.5-beta9
-* Fixed --route-noexec bug where option was not parsed correctly.
-* Complain if --dev tun is specified without --ifconfig on Windows.
-* Fixed bug where TCP connections on windows would sometimes cause
-  an assertion failure.
-* Added a new flag to TAP-Win32 advanced properties that allows one
-  to set the adapter to be always "connected" even when an OpenVPN
-  process doesn't have it open.  The default behavior is to report
-  a media status of connected only when an OpenVPN process has the
-  adapter open.
-* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
-  DLLs in response to an OpenSSL security advisory.
-.09.30 -- Version 1.5-beta8
-* Extended the --ifconfig option to work on tap devices as well
-  as tun devices.
-* Implemented the --ifconfig option for Windows, by calling the
-  netsh tool.
-* By default, do an "arp -d *" on Windows after TAP-Win32 open to
-  refresh the MAC cache.  This behaviour can be disabled with
-  --no-arp-del.
-* On Windows, allow the --dev-node parameter (which specifies
-  the name of the TAP-Win32 adapter) to be omitted in cases where
-  there is a single TAP-Win32 adapter on the system which can be
-  assumed to be the default.
-* Modified the diagnostic --verb 5 debugging level to print 'R'
-  for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
-  and 'w' for TUN/TAP write.
-* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
-  mode.
-* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
-* Make the --enable-mtu-dynamic ./configure option enabled by
-  default.
-* Deprecated the --mtu-dynamic run-time option, in favor of
-  --fragment.
-* DNS names can now be used as --ifconfig parameters.
-* Significant work on TAP-Win32 driver to bring up to SMP standards.
-* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
-  unloaded or disabled, while a user-space process has it open.
-* On Windows, if --tun-mtu is not specified, it will be read from
-  the TAP-Win32 driver via ioctl.
-* On Windows, added TAP-Win32 driver status info to "F2" keyboard
-  signal (only when run from a console window).
-* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
-* Renamed --mtu-dynamic option to --fragment to more accurately
-  reflect its function.  Fragment accepts a single parameter which
-  is the upper limit on acceptable UDP packet size.
-* Changed default --tun-mtu-extra parameter to 32 from 64.
-* Eliminated reference to malloc.o in configure.ac.
-* Added tun device emulation to the TAP-Win32 driver.
-* Added --route and related options.
-* Added init script for SuSE Linux (Frank Plohmann).
-* Extended option consistency check between peers to function
-  in all crypto modes, including static-key and cleartext modes.
-  Previously only TLS mode was supported.  Disable with
-  --disable-occ.
-* Overall, increased the amount of configuration option sanity
-  checking, especially of networking parameters.
-* Added --mtu-test option for empirical MTU measurement.
-* Added Windows-only option --tap-delay to not set the TAP-Win32
-  adapter media state to 'connected' until TCP/UDP connection
-  establishment with peer.
-* Slightly modified --route/--route-delay semantics so that when
-  --route is given without --route-delay, routes are added
-  immediately after tun/tap device open.  When --route-delay is
-  specified, routes will be added n seconds after connection
-  initiation, where n is the --route-delay parameter (which
-  can be set to 0).
-* Made TCP framing error into a non-fatal error that triggers a
-  connection reset.
-.08.28 -- Version 1.5-beta7
-* Fixed bug that caused OpenVPN not to respond to exit/restart
-  signals when --resolv-retry is used and a local or remote DNS
-  name cannot be resolved.
-* Exported a series of environmental variables with useful
-  info for scripts.  See man page for more info.  Based
-  on a suggestion by Anthony Ciaravalo.
-* Moved TCP/UDP socket bind to a point in the initialization
-  before the --up script gets called.  This is desirable
-  because (a) a socket bind failure will happen before
-  daemonization, allowing an error status code to be returned
-  to the shell and (b) the possibility is eliminated of a
-  socket bind failure causing the --up script to be run
-  but not the --down script.  This change has a side effect
-  that --resolv-retry will no longer work with --local.
-* Fixed bug where if an OpenVPN TCP server went down and back
-  up again, Solaris or FreeBSD clients would fail to reconnect
-  to it.
-* Fixed bug that prevented OpenVPN from being run by
-  inetd/xinetd in TCP mode.
-* Added --log and --log-append options for logging messages to
-  a file.
-* On Windows, check that the current user is a member of the
-  Administrator group before attempting install or uninstall.
-.08.16 -- Version 1.5-beta6
-* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
-.08.14 -- Version 1.5-beta5
-* Added user-configurability of the TAP-Win32 adapter MTU
-  through the adapter advanced properties page.
-* Added Windows Service support.
-* On Windows, added file association and right-clickability
-  for .ovpn files (OpenVPN config files).
-.08.05 -- Version 1.5-beta4
-* Extra refinements and error checking added to Windows
-  NSIS install script.
-.08.05 -- Version 1.5-beta3
-* Added md5.h include to crypto.c to fix build problem on
-  OpenBSD.
-* Created a Win32 installer using NSIS.
-* Removed DelService command from TAP-Win32 INF file.  It appears
-  to be not necessary and it interfered with the ability to
-  uninstall and reinstall the driver without needing to reboot.
-* On Windows version, added "addtap" and "deltapall" batch
-  files to add and delete TAP-Win32 adapter instances.
-.07.31 -- Version 1.5-beta2
-* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
-  in Windows ASCII so it's easier to click and view.
-* Added postscript and PDF versions of the HOWTO to the web
-  site (C R Zamana).
-* Merged Michael Clarke's stability patch into TAP-Win32
-  driver which appears to fix the suspend/resume driver bug
-  and significantly improve driver stability.
-* Added Christof Meerwald's Media Status patch to the
-  TAP-Win32 driver which shows the TAP adapter to be
-  disconnected when OpenVPN is not running.
-* Moved socket connect and TCP server listen code to a later
-  point in openvpn() function so that the TCP server listen
-  state is entered after daemonization.
-* Added keyboard shortcuts to simulate signals in the Windows
-  version, see the window title bar for descriptions.
-.07.24 -- Version 1.5-beta1
-* Added TCP support via the new --proto option.
-* Renamed udp-centric options such as --udp-mtu to
-  --link-mtu (old option names preserved for compatibility).
-* Ported to Windows 2000 + XP using mingw and a TAP driver
-  derived from the Cipe-Win32 project by Damion K. Wilson.
-* Added --show-adapters flag for windows version.
-* Reworked the SSL/TLS packet acknowledge code to better
-  handle certain corner cases.
-* Turned off the default enabling of IP forwarding in the
-  sample-scripts/openvpn.init script for Redhat.
-  Forwarding can be enabled by users in their --up scripts
-  or firewall config.
-* Added --up-restart option based on suggestion from Sean
-  Reifschneider.
-* If --dev tap or --dev-type tap is specified, --tun-mtu
-  defaults to 1500 and --tun-mtu-extra defaults to 64.
-* Enabled --verb 5 debugging mode that prints 'R' and 'W'
-  for each packet read or write on the TCP/UDP socket.
-.08.04 -- Version 1.4.3
-* Added md5.h include to crypto.c
-  to fix build problem on OpenBSD.
-.07.15 -- Version 1.4.2
-* Removed adaptive bandwidth from
-  --mtu-dynamic -- its absence appears
-  to work better than its existence (1.4.1.2).
-* Minor changes to --shaper to fix long
-  retransmit timeouts at low bandwidth
-  (1.4.1.2).
-* Added LOG_RW flag to openvpn.h for
-  debugging (1.4.1.2).
-* Silenced spurious configure warnings (1.4.1.2).
-* Backed out --dev-name patch, modified --dev
-  to offer equivalent functionality (1.4.1.4).
-* Added an optional parameter to --daemon and
-  --inetd to support the passing of a custom
-  program name to the system logger (1.4.1.5).
-* Add compiled-in options to the program title
-  (1.4.1.5).
-* Coded the beginnings of a WIN32 port (1.4.1.5).
-* Succeeded in porting to Win32 Mingw environment
-  and running loopback tests (1.4.1.6).  Still
-  need a kernel driver for full Win32
-  functionality.
-* Fixed a bug in error.h where
-  HAVE_CPP_VARARG_MACRO_GCC was misspelled.
-  This would have caused a significant slowdown
-  of OpenVPN when built by compilers that
-  lack ISO C99 vararg macros (1.4.1.6).
-* Created an init script for Gentoo Linux
-  in ./gentoo directory (1.4.1.6).
-.05.15 -- Version 1.4.1
-* Modified the Linux 2.4 TUN/TAP open code to
-  fall back to the 2.2 TUN/TAP interface if the
-  open or ioctl fails.
-* Fixed bug when --verb is set to 0 and non-fatal
-  socket errors occur, causing 100% CPU utilization.
-  Occurs on platorms where
-  EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
-  such as Linux 2.4.
-* Fixed typo in tun.c that was preventing
-  OpenBSD build.
-* Added --enable-mtu-dynamic configure option
-  to enable --mtu-dynamic experimental option.
-.05.07 -- Version 1.4.0
-* Added --replay-persist feature to allow replay
-  protection across sessions.
-* Fixed bug where --ifconfig could not be used
-  with --tun-mtu.
-* Added --tun-mtu-extra parameter to deal with
-  the situation where a read on a TUN/TAP device
-  returns more data than the device's MTU size.
-* Fixed bug where some IPv6 support code for
-  Linux was not being properly ifdefed out for
-  Linux 2.2, causing compile errors.
-* Added OPENVPN_EXIT_STATUS_x codes to
-  openvpn.h to control which status value
-  openvpn returns to its caller (such as
-  a shell or inetd/xinetd) for various conditions.
-* Added OPENVPN_DEBUG_COMMAND_LINE flag to
-  openvpn.h to allow debugging in situations
-  where stdout, stderr, and syslog cannot be used
-  for message output, such as when OpenVPN is
-  instantiated by inetd/xinetd.
-* Removed owner-execute permission from file
-  created by static key generator (Herbert Xu
-  and Alberto Gonzalez Iniesta).
-* Added --passtos option to allow IPv4 TOS bits
-  to be passed from TUN/TAP input packets to
-  the outgoing UDP socket (Craig Knox).
-* Added code to prevent open socket file descriptors
-  from being accessible to called scripts.
-* Added --dev-name option (Christian Lademann).
-* Added --mtu-disc option for manual control
-  over MTU options.
-* Show OS MTU value on UDP socket write failures
-  (linux only).
-* Numerous build system and portability
-  fixes (Matthias Andree).
-* Added better sensing of compiler support for
-  variable argument macros, including (a) gcc
-  style, (b) ISO C 1999 style, and (c) no support.
-* Removed generated files from CVS.  Note INSTALL
-  file for new CVS build commands.
-* Changed certain internal symbol names
-  for C standards compliance.
-* Added TUN/TAP open code to cycle dynamically
-  through unit numbers until it finds a free
-  unit (based on code from Thomas Gielfeldt
-  and VTun).
-* Added dynamic MTU and fragmenting infrastructure
-  (Experimental).  Rebuild with FRAGMENT_ENABLE
-  defined to enable.
-* Minor changes to SSL/TLS negotiation, use
-  exponential backoff on retransmits, and use
-  a smaller MTU size (note that no protocol
-  changes have been made which would break
-  compatibility with 1.3.x).
-* Added --enable-strict-options flag
-  to ./configure.  This option will cause
-  a more strict check for options compatibility
-  between peers when SSL/TLS negotiation is used,
-  but should only be used when both OpenVPN peers
-  are of the same version.
-* Reorganization of debugging levels.
-* Added a workaround in configure.ac for
-  default SSL header location on Linux
-  to fix RH9 build problem.
-* Fixed potential deadlock when pthread support
-  is used on OSes that allocate a small socketpair()
-  message buffer.
-* Fixed openvpn.init to be sh compliant
-  (Bishop Clark).
-* Changed --daemon to wait until all
-  initialization is finished before becoming a
-  daemon, for the benefit of initialization
-  scripts that want a useful return status from
-  the openvpn command.
-* Made openvpn.init script more robust, including
-  positive indication of initialization errors
-  in the openvpn daemon and better sanity checks.
-* Changed --chroot to wait until initialization
-  is finished before calling chroot(), and allow
-  the use of --user and --group with --chroot.
-* When syslog logging is enabled (--daemon or
-  --inetd), set stdin/stdout/stderr to point
-  to /dev/null.
-* For inetd instantiations, dup socket descriptor
-  to a >2 value.
-* Fixed bug in verify-cn script, where test would
-  incorrectly fail if CN=x was the last component
-  of the X509 composite string (Anonymous).
-* Added Markus F.X.J. Oberhumer's special
-  license exception to COPYING.
-.10.23 -- Version 1.3.2
-* Added SSL_CTX_set_client_CA_list call
-  to follow the canonical form for TLS initialization
-  recommended by the OpenSSL docs.  This change allows
-  better support for intermediate CAs and has no impact
-  on security.
-* Added build-inter script to easy-rsa package, to
-  facilitate the generation of intermediate CAs.
-* Ported to NetBSD (Dimitri Goldin).
-* Fixed minor bug in easy-rsa/sign-req.  It refers to
-  openssl.cnf file, instead of $KEY_CONFIG, like all
-  other scripts (Ernesto Baschny).
-* Added --days 3650 to the root CA generation command
-  in the HOWTO to override the woefully small 30 day
-  default (Dominik 'Aeneas' Schnitzer).
-* Fixed bug where --ping-restart would sometimes
-  not re-resolve remote DNS hostname.
-* Added --tun-ipv6 option and related infrastructure
-  support for IPv6 over tun.
-* Added IPv6 over tun support for Linux (Aaron Sethman).
-* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
-  INSTALL (Matthias Andree).
-* Added inetd/xinetd support (--inetd) including
-  documentation in the HOWTO.
-* Added "Important Note on the use of commercial certificate
-  authorities (CAs) with OpenVPN" to HOWTO based on
-  issues raised on the openvpn-users list.
-.07.10 -- Version 1.3.1
-* Fixed bug in openvpn.spec and openvpn.init
-  which caused RPM upgrade to fail.
-.07.10 -- Version 1.3.0
-* Added --dev-node option to allow explicit selection of
-  tun/tap device node.
-* Removed mlockall call from child thread, as it doesn't
-  appear to be necessary (child thread inherits mlockall
-  state from parent).
-* Added --ping-timer-rem which causes timer for --ping-exit
-  and --ping-restart not to run unless we have a remote IP
-  address.
-* Added condrestart to openvpn.init and openvpn.spec
-  (Bishop Clark).
-* Added --ifconfig case for FreeBSD (Matthias Andree).
-* Call openlog with facility=LOG_DAEMON (Matthias Andree).
-* Changed LOG_INFO messages to LOG_NOTICE.
-* Added warning when key files are group/others accessible.
-* Added --single-session flag for TLS mode.
-* Fixed bug where --writepid would segfault if used with
-  an invalid filename.
-* Fixed bug where --ipchange status message was formatted
-  incorrectly.
-* Print more concise error message when system() call
-  fails.
-* Added --disable-occ option.
-* Added --local, --remote, and --ifconfig options sanity
-  check.
-* Changed default UDP MTU to 1300 and TUN/TAP MTU to
-.
-* Successfully tested with OpenSSL 0.9.7 Beta 2.
-* Broke out debug level definitions to errlevel.h
-* Minor documentation and web site changes.
-* All changes maintain protocol compatibility
-  with OpenVPN versions since 1.1.0, however default
-  MTU changes will require setting the MTU explicitly
-  by command line option, if you want 1.3.0 to
-  communicate with previous versions.
-.06.12 -- Version 1.2.1
-* Added --ping-restart option to restart
-  connection on ping timeout using SIGUSR1
-  logic (Matthias Andree).
-* Added --persist-tun, --persist-key,
-  --persist-local-ip, and --persist-remote-ip
-  options for finer-grained control over SIGUSR1
-  and --ping-restart restarts.  To
-  replicate previous SIGUSR1 functionality,
-  use --persist-remote-ip.
-* Changed residual IV fetching code to take
-  IV from tail of ciphertext.
-* Added check to make sure that CFB or OFB
-  cipher modes are only used with SSL/TLS
-  authentication mode, and added a caveat
-  to INSTALL.
-* Changed signal handling during initialization
-  (including re-initialization during restarts)
-  to exit on SIGTERM or SIGINT and ignore other
-  signals which would ordinarily be caught.
-* Added --resolv-retry option to allow
-  retries on hostname resolution.
-* Expanded the --float option to also
-  allow dynamic changes in source port number
-  on incoming datagrams.
-* Added --mute option to limit repetitive
-  logging of similar message types.
-* Added --group option to downgrade GID
-  after initialization.
-* Try to set ifconfig path automatically
-  in configure.
-* Added --ifconfig code for Mac OS X
-  (Christoph Pfisterer).
-* Moved "Peer Connection Initiated" message
-  to --verb level 1.
-* Successfully tested with
-  OpenSSL 0.9.7 Beta 1 and AES cipher.
-* Added RPM notes to INSTALL.
-* Added ACX_PTHREAD (from the autoconf
-  macro archive) to configure.ac
-  to figure out the right pthread
-  options for a given platform.
-* Broke out macro definitions from
-  configure.ac to acinclude.m4.
-* Minor changes to docs and HOWTO.
-* All changes maintain protocol compatibility
-  with OpenVPN versions since 1.1.0.
-.05.22 -- Version 1.2.0
-* Added configuration file support via
-  the --config option.
-* Added pthread support to improve latency.
-  With pthread support, OpenVPN
-  will offload CPU-intensive tasks such as RSA
-  key number crunching to a background thread
-  to improve tunnel packet forwarding
-  latency.  pthread support can be enabled
-  with the --enable-pthread configure option.
-  Pthread support is currently available
-  only for Linux and Solaris.
-* Added --dev-type option so that tun/tap
-  device names don't need to begin with
-  "tun" or "tap".
-* Added --writepid option to write main
-  process ID to a file.
-* Numerous portability fixes to ease
-  porting to other OSes including changing
-  all network types to uint8_t and uint32_t,
-  and not assuming that time_t is 32 bits.
-* Backported to OpenSSL 0.9.5.
-* Ported to Solaris.
-* Finished OpenBSD port except for
-  pthread support.
-* Added initialization script:
-  sample-scripts/openvpn.init
-  (Douglas Keller)
-* Ported to Mac OS X (Christoph Pfisterer).
-* Improved resilience to DoS attacks when
-  TLS mode is used without --remote or
-  --tls-auth, or when --float is used
-  with --remote.  Note however that the best
-  defense against DoS attacks in TLS mode
-  is to use --tls-auth.
-* Eliminated automake/autoconf dependency
-  for non-developers.
-* Ported configure.in to configure.ac
-  and autoconf 2.50+.
-* SIGHUP signal now causes OpenVPN to restart
-  and re-read command line and or config file,
-  in conformance with canonical daemon behaviour.
-* SIGUSR1 now does what SIGHUP did in
-  version 1.1.1 and earlier -- close and reopen
-  the UDP socket for use when DHCP changes
-  host's IP address and preserve most recently
-  authenticated peer address without rereading
-  config file.
-* SIGUSR2 added -- outputs current statistics,
-  including compression statistics.
-* All changes maintain protocol compatibility
-  with 1.1.1 and 1.1.0.
-.04.22 -- Version 1.1.1
-* Added --ifconfig option to automatically configure
-  TUN device.
-* Added inactivity disconnect (--inactive
-  and --ping-exit options).
-* Added --ping option to keep stateful firewalls
-  from timing out.
-* Added sanity check to command line parser to
-  err if any TLS options are used in non-TLS mode.
-* Fixed build problem with compiler environments that
-  define printf as a macro.
-* Fixed build problem on linux systems that have
-  an integrated TUN/TAP driver but lack the persistent
-  tunnel feature (TUNSETPERSIST).  Some linux kernels
-  >= 2.4.0 and < 2.4.7 fall into this category.
-* Changed all calls to EVP_CipherInit to use explicit
-  encrypt/decrypt mode in order to fix problem with
-  IDEA-CBC and AES-256-CBC ciphers.
-* Minor changes to control channel transmit limiter
-  algorithm to fix problem where TLS control channel
-  might not renegotiate within the default 60 second window.
-* Simplified man page examples by taking advantage
-  of the new --ifconfig option.
-* Minor changes to configure.in to check more
-  rigourously for OpenSSL 0.9.6 or greater.
-* Put back openvpn.spec, eliminated
-  openvpn.spec.in.
-* Modified openvpn.spec to reflect new automake-based
-  build environment (Bishop Clark).
-* Other documentation changes.
-* Added --test-crypto option for debugging.
-* Added "missing" and "mkinstalldirs" automake
-  support files.
-.04.09 -- Version 1.1.0
-* Strengthened replay protection and IV handling,
-  extending it fully to both static key and
-  TLS dynamic key exchange modes.
-* Added --mlock option to disable paging and ensure that key
-  material and tunnel data is never paged to disk.
-* Added optional traffic shaping feature to cap the maximum
-  data rate of the tunnel.
-* Converted to automake (The Platypus Brothers 2002-04-01).
-* Ported to OpenBSD by Janne Johansson.
-* Added --tun-af-inet option to work around an incompatibility
-  between Linux and BSD tun drivers.
-* Sequence number-based replay protection using the
-  IPSec sliding window model is now the default,
-  disable with --no-replay.
-* Explicit IV is now the default, disable with --no-iv.
-* Disabled all cipher modes except CBC, CFB, and OFB.
-* In CBC mode, use explicit IV and carry forward residuals,
-  using IPSec model.
-* In CFB/OFB mode, IV is timestamp, sequence number.
-* Eliminated --packet-id, --timestamp, and max-delta parameter to
-  the --tls-auth option as they are now supplanted by improved
-  replay code which is enabled by default.
-* Eliminated --rand-iv as it is now obsolete with improved
-  IV code.
-* Eliminated --reneg-err option as it increases vulnerability
-  to DoS attacks.
-* Added weak key check for DES ciphers.
-* --tls-freq option is no longer specified on the command line,
-  instead it now inherits its parameter from the
-  --tls-timeout option.
-* Fixed bug that would try to free memory on exit that was
-  never malloced if --comp-lzo was not specified.
-* Errata fixed in the man page examples: "test-ca" should be
-  "tmp-ca".
-* Updated manual page.
-* Preliminary work in porting to OpenSSL 0.9.7.
-* Changed license to allowing linking with OpenSSL.
-.03.29 -- Version 1.0.3
-* Fixed a problem in configure with library ordering on the
-  command line.
-.03.28 -- Version 1.0.2
-* Improved the efficiency of the inner event loop.
-* Fixed a minor bug with timeout handling.
-* Improved the build system to build on RH 6.2 through 7.2.
-* Added an openvpn.spec file for RPM builders (Bishop Clark).
-.03.23 -- Version 1.0
-* Added TLS-based authentication and key exchange.
-* Added gremlin mode to stress test.
-* Wrote man page.
-.12.26 -- Version 0.91
-* Added any choice of cipher or HMAC digest.
-.5.13 -- Version 0.90
-* Initial release.
-* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.
 }}}