Changes between Initial Version and Version 1 of ChangesInOpenvpn21

07/24/14 13:37:53 (7 years ago)
Samuli Seppänen

Migrated content from


OpenVPN Change Log
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <

2010.11.09 -- Version 2.1.4

* Fix problem with special case route targets ('remote_host')
  The init_route() function will leave &netlist untouched for
  get_special_addr() routes ("remote_host" being one of them).
  netlist is on stack, contains random garbage, and
  netlist.len will not be 0 - thus, random stack data is copied from
  [] until the route_list is full.
  Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.

2010.08.20 -- Version 2.1.3

* Windows build fixes
  Attempt to fix issue where domake-win build system was not properly
  signing drivers and .exe files.  This change is only affecting the
  Windows build scripts and not the OpenVPN code base.

2010.08.09 -- Version 2.1.2

* Windows security issue:
  Fixed potential local privilege escalation vulnerability in
  Windows service. The Windows service did not properly quote the
  executable filename passed to CreateService.  A local attacker
  with write access to the root directory C:\ could create an
  executable that would be run with the same privilege level as
  the OpenVPN Windows service.  However, since non-Administrative
  users normally lack write permission on C:\, this vulnerability
  is generally not exploitable except on older versions of Windows
  (such as Win2K) where the default permissions on C:\ would allow
  any user to create files there.
  Credit:  Scott Laurie, MWR InfoSecurity
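
The check below is an added example, not code from OpenVPN or from this change log. It models the ambiguity described in the entry above: for a service executable path registered without quotes it lists the shorter executable names that are tried first (one per embedded space, the order documented for CreateProcess), so the write permissions on their directories can be audited, and it builds the quoted form that removes the ambiguity. The install path is a constructed sample, and the input is assumed to be the executable path alone, without arguments.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 260   /* MAX_PATH on Windows */

/* Return 1 if the last path component of s[0..len) carries an extension. */
static int has_extension(const char *s, size_t len)
{
    size_t i = len;

    while (i > 0) {
        char c = s[i - 1];
        if (c == '.')
            return 1;
        if (c == '\\' || c == '/')
            return 0;
        i--;
    }
    return 0;
}

/*
 * List the executable names that are tried before the intended one when
 * image_path is registered unquoted: one candidate per embedded space,
 * with ".exe" appended when the candidate has no extension.
 * Returns the number of candidates written to out (0 = unambiguous).
 */
size_t ambiguous_prefixes(const char *image_path,
                          char out[][PATH_MAX_LEN], size_t max)
{
    size_t n = 0, i, len = strlen(image_path);

    if (image_path[0] == '"')          /* quoted: name ends at the closing quote */
        return 0;

    for (i = 1; i < len && n < max; i++) {
        if (image_path[i] != ' ')
            continue;
        if (i + 5 > PATH_MAX_LEN)      /* no room for ".exe" and the terminator */
            break;
        memcpy(out[n], image_path, i);
        out[n][i] = '\0';
        if (!has_extension(image_path, i))
            strcat(out[n], ".exe");
        n++;
    }
    return n;
}

/*
 * Build the quoted form to register instead. image_path must be the bare,
 * unquoted path. Returns 0 on success, -1 on bad input or a short buffer.
 */
int quote_image_path(const char *image_path, char *dst, size_t dst_len)
{
    int n;

    if (strchr(image_path, '"') != NULL)   /* '"' is not valid in a file name */
        return -1;
    n = snprintf(dst, dst_len, "\"%s\"", image_path);
    return (n < 0 || (size_t)n >= dst_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample path; the real install location may differ. */
    const char *path = "C:\\Program Files\\OpenVPN\\bin\\openvpnserv.exe";
    char cand[8][PATH_MAX_LEN], quoted[PATH_MAX_LEN + 2];
    size_t i, n = ambiguous_prefixes(path, cand, 8);

    for (i = 0; i < n; i++)
        printf("tried first: %s\n", cand[i]);
    if (quote_image_path(path, quoted, sizeof quoted) == 0)
        printf("register as: %s\n", quoted);
    return 0;
}
```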

* Added Python-based alternative build system for Windows using
  Visual Studio 2008 (in win directory).

* When aborting in a non-graceful way, try to execute do_close_tun in
  init.c prior to daemon exit to ensure that the tun/tap interface is
  closed and any added routes are deleted.

* Fixed an issue where AUTH_FAILED was not being properly delivered
  to the client when a bad password is given for mid-session reauth,
  causing the connection to fail without an error indication.

* Don't advance to the next connection profile on AUTH_FAILED errors.

* Fixed an issue in the Management Interface that could cause
  a process hang with 100% CPU utilization in --management-client
  mode if the management interface client disconnected at the
  point where credentials are queried.

* Fixed an issue where if reneg-sec was set to 0 on the client,
  so that the server-side value would take precedence,
  the auth_deferred_expire_window function would incorrectly
  return a window period of 0 seconds.  In this case, the
  correct window period should be the handshake window
  period.

* Modified ">PASSWORD:Verification Failed" management interface
  notification to include a client reason string:

    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']

* Enable exponential backoff in reliability layer
  retransmits.

* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
  socket is created rather than waiting until after connect/listen.

* Management interface performance optimizations:

  1. Added env-filter MI command to perform filtering on env vars
     passed through as a part of --management-client-auth

  2. man_write will now try to aggregate output into larger blocks
     (up to 1024 bytes) for more efficient i/o

* Fixed minor issue in Windows TAP driver DEBUG builds
  where non-null-terminated unicode strings were being
  printed incorrectly.

* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
  was not being compiled in.

* Proxy improvements:

  Improved the ability of http-auth "auto" flag to dynamically detect
  the auth method required by the proxy.

  Added http-auth "auto-nct" flag to reject weak proxy auth methods.

  Added HTTP proxy digest authentication method.

  Removed extraneous openvpn_sleep calls from proxy.c.

* Implemented http-proxy-override and http-proxy-fallback directives to make it
  easier for OpenVPN client UIs to start a pre-existing client config file with
  proxy options, or to adaptively fall back to a proxy connection if a direct
  connection fails.

* Implemented a key/value auth channel from client to server.

* Fixed issue where bad creds provided by the management interface
  for HTTP Proxy Basic Authentication would go into an infinite
  retry-fail loop instead of requerying the management interface for
  new creds.

* Added support for MSVC debugging of openvpn.exe in
  # Build debugging version of openvpn.exe
  !define PRODUCT_OPENVPN_DEBUG

* Implemented multi-address DNS expansion on the network field of route
  commands.

  When only a single IP address is desired from a multi-address DNS
  expansion, use the first address rather than a random selection.

* Added --register-dns option for Windows.

  Fixed some issues on Windows with --log, subprocess creation
  for command execution, and stdout/stderr redirection.

* Fixed an issue where application payload transmissions on the
  TLS control channel (such as AUTH_FAILED) that occur during
  or immediately after a TLS renegotiation might be dropped.

* Added warning about tls-remote option in man page.

2009.12.11 -- Version 2.1.1

* Fixed some breakage in openvpn.spec (which is required to build an
  RPM distribution) where it was referencing a non-existent
  subdirectory in the tarball, causing it to fail (patch from
  David Sommerseth).

2009.12.11 -- Version 2.1.0

* Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
  (1) Fail gracefully rather than segfault if calloc returns NULL.
  (2) The openvpn_plugin_abort_v1 function can potentially be called
  with handle == NULL.  Add code to detect this case, and if so, avoid
  dereferencing pointers derived from handle (Thanks to David
  Sommerseth for finding this bug).

* Documented "multihome" option in the man page.

2009.11.20 -- Version 2.1_rc22

* Fixed a client-side bug on Windows that occurred when the
  "dhcp-pre-release" or "dhcp-renew" options were combined with
  "route-gateway dhcp".  The release/renew would not occur
  because the Windows DHCP renew function is blocking and
  therefore must be called from another process or thread
  so as not to stall the tunnel.

* Added a hard failure when peer provides a certificate chain
  with depth > 16.  Previously, a warning was issued.

2009.11.12 -- Version 2.1_rc21

* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
  CVE-2009-3555.  Note that OpenVPN has never relied on the session
  renegotiation capabilities that are built into the SSL/TLS protocol,
  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
  completely) will not adversely affect OpenVPN mid-session SSL/TLS
  renegotiation or any other OpenVPN capabilities.

* Added additional session renegotiation hardening.  OpenVPN has always
  required that mid-session renegotiations build up a new SSL/TLS
  session from scratch.  While the client certificate common name is
  already locked against changes in mid-session TLS renegotiations, we
  now extend this locking to the auth-user-pass username as well as all
  certificate content in the full client certificate chain.

2009.10.01 -- Version 2.1_rc20

* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
  redirect-gateway option by itself, without any extra parameters,
  would cause the option to be ignored.

* Fixed build problem when ./configure --disable-server is used.

* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).

* Added --remote-random-hostname option.

* Added "load-stats" management interface command to get global server
  load statistics.

* Added new ./configure flags:

  --disable-def-auth      Disable deferred authentication
  --disable-pf            Disable internal packet filter

* Added "setcon" directive for interoperability with SELinux (Sebastien
  Raveau).

* Optimized PUSH_REQUEST handshake sequence to shave several seconds
  off of a typical client connection initiation.

* The maximum number of "route" directives (specified in the config
  file or pulled from a server) can now be configured via the new
  "max-routes" directive.

* Eliminated the limitation on the number of options that can be pushed
  to clients, including routes.  Previously, all pushed options needed
  to fit within a 1024 byte options string.

* Added --server-poll-timeout option : when polling possible remote
  servers to connect to in a round-robin fashion, spend no more than
  n seconds waiting for a response before trying the next server.

* Added the ability for the server to provide a custom reason string
  when an AUTH_FAILED message is returned to the client.  This
  string can be set by the server-side management interface and read
  by the client-side management interface.

* client-kill management interface command, when issued on server, will
  now send a RESTART message to client.
  This feature is intended to make UDP clients respond the same as TCP
  clients in the case where the server issues a RESTART message in
  order to force the client to reconnect and pull a new options/route
  list.

2009.07.16 -- Version 2.1_rc19

* In Windows TAP driver, refactor DHCP/ARP packet injection code to
  use a DPC (deferred procedure call) to defer packet injection until
  IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
  in the context of AdapterTransmit.  This is an attempt to reduce kernel
  stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
  observed on Vista.  Updated TAP driver version number to 9.6.

* In, use datadir instead of datarootdir for compatibility
  with <autoconf-2.60.

2009.06.07 -- Version 2.1_rc18

* Fixed compile error on ./configure --enable-small

* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
  does not build on Windows on non-MINGW32.

2009.05.30 -- Version 2.1_rc17

* Reduce the debug level (--verb) at which received management interface
  commands are echoed from 7 to 3.  Passwords will be filtered.

* Fixed race condition in management interface recv code on
  Windows, where sending a set of several commands to the
  management interface in quick succession might cause the
  latter commands in the set to be ignored.

* Increased management interface input command buffer size
  from 256 to 1024 bytes.

* Minor tweaks to Windows build system.

* Added "redirect-private" option which allows private subnets
  to be pushed to the client in such a way that they don't accidentally
  obscure critical local addresses such as the DHCP server address and
  DNS server addresses.

* Added new 'autolocal' redirect-gateway flag.  When enabled, the OpenVPN
  client will examine the routing table and determine whether (a) the
  OpenVPN server is reachable via a locally connected interface, or (b)
  traffic to the server must be forwarded through the default router.
  Only add a special bypass route for the OpenVPN server if (b) is true.
  If (a) is true, behave as if the 'local' flag is specified, and do not
  add a bypass route.

  The new 'autolocal' flag depends on the non-portable test_local_addr()
  function in route.c, which is currently only implemented for Windows.
  The 'autolocal' flag will act as a no-op on platforms that have not
  yet defined a test_local_addr() function.

* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
  more option content to be pushed from server to client).

* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
  levels <=3) a common and usually innocuous warning.

* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
  functionality (Alon Bar-Lev).

* Fixed bug where the remote_X environmental variables were not being
  set correctly when the 'local' option is specified.

2009.05.17 -- Version 2.1_rc16

* Windows installer changes:

  1. ifdefed out the check Windows version code which is causing
  problems on Windows 7

  2. don't define SF_SELECTED if it is already defined

  3. Use LZMA instead of BZIP2 compression for better compression

  4. Upgraded OpenSSL to 0.9.8k

* Added the ability to read the configuration file
  from stdin, when "stdin" is given as the config
  file name.

* Allow "management-client" directive to be used
  with unix domain sockets.

* Added errors-to-stderr option.  When enabled, fatal errors
  that result in the termination of the daemon will be written
  to stderr.

* Added optional "nogw" (no gateway) flag to --server-bridge
  to inhibit the pushing of the route-gateway parameter to
  clients.

* Added new management interface command "pid" to show the
  process ID of the current OpenVPN process (Angelo Laub).

* Fixed issue where SIGUSR1 restarts would fail if private
  key was specified as an inline file.

* Added daemon_start_time and daemon_pid environmental variables.

* In management interface, added new ">CLIENT:ESTABLISHED" notification.

* Build fixes:

  1. Fixed some issues with C++ style comments that leaked into the code.

  2. Updated to work on MinGW64.

  3. Updated common.h types for _WIN64.

  4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
     compilers.

  5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
     OpenVPNCryptAcquireCertificatePrivateKey to work around
     a symbol conflict in MinGW-5.1.4.

2008.11.19 -- Version 2.1_rc15

* Fixed issue introduced in 2.1_rc14 that may cause a
  segfault when a --plugin module is used.

* Added server-side --opt-verify option: clients that connect
  with options that are incompatible with those of the server
  will be disconnected (without this option, incompatible
  clients would trigger a warning message in the server log
  but would not be disconnected).

* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
  flag on the server as well as pushes it to connecting clients.

* Minor options check fix: --no-name-remapping is a
  server-only option and should therefore generate an
  error when used on the client.

* Added --prng option to control PRNG (pseudo-random
  number generator) parameters.  In previous OpenVPN
  versions, the PRNG was hardcoded to use the SHA1
  hash.  Now any OpenSSL hash may be used.  This is
  part of an effort to remove hardcoded references to
  a specific cipher or cryptographic hash algorithm.

* Cleaned up man page synopsis.

2008.11.16 -- Version 2.1_rc14

* Added AC_GNU_SOURCE to to enable struct ucred,
  with the goal of fixing a build issue on Fedora 9 that was
  introduced in 2.1_rc13.

* Added additional method parameter to --script-security to preserve
  backward compatibility with system() call semantics used in OpenVPN
  2.1_rc8 and earlier.  To preserve backward compatibility use:

    script-security 3 system

* Added additional warning messages about --script-security 2
  or higher being required to execute user-defined scripts or
  executables.

* Windows build system changes:

  Modified Windows domake-win build system to write all openvpn.nsi
  input files to gen, so that gen can be disconnected from
  the rest of the source tree and makensis openvpn.nsi will
  still function correctly.

  Added additional SAMPCONF_(CA|CRT|KEY) macros to
  (commented out by default).

  Added optional files SAMPCONF_CONF2 (second sample configuration
  file) and SAMPCONF_DH (Diffie-Hellman parameters) to Windows
  build system, and may be defined in

* Extended Management Interface "bytecount" command
  to work when OpenVPN is running as a server.
  Documented Management Interface "bytecount" command in
  management/management-notes.txt.

* Fixed informational message in ssl.c to properly indicate
  deferred authentication.

* Added server-side --auth-user-pass-optional directive, to allow
  connections by clients that do not specify a username/password, when a
  user-defined authentication script/module is in place (via
  --auth-user-pass-verify, --management-client-auth, or a plugin module).

* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:

  Calling scripts can set the KEY_NAME environmental variable to set
  the "name" X509 subject field in generated certificates.

  Modified pkitool to allow flexibility in separating the Common Name
  convention from the cert/key filename convention.

  For example:

  KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james

  will create a client certificate/key pair of james.crt/james.key
  having a Common Name of "James's Laptop" and a Name of "james".

* Added --no-name-remapping option to allow Common Name, X509 Subject,
  and username strings to include any printable character including
  space, but excluding control characters such as tab, newline, and
  carriage-return (this is important for compatibility with external
  authentication systems).

  As a related change, added --status-version 3 format (and "status 3"
  in the management interface) which uses the version 2 format except
  that tabs are used as delimiters instead of commas so that there
  is no ambiguity when parsing a Common Name that contains a comma.

  Also, save X509 Subject fields to environment, using the naming
  convention:

  X509_{cert_depth}_{name}={value}

  This is to avoid ambiguities when parsing out the X509 subject string
  since "/" characters could potentially be used in the common name.

* Fixed some ifconfig-pool issues that precluded it from being combined
  with --server directive.

  Now, for example, we can configure thusly:

    server nopool
    ifconfig-pool

  to have ifconfig-pool manage only a subset
  of the VPN subnet.

* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
  config file syntax checking to allow directives for future OpenVPN
  versions to be ignored.

2008.10.07 -- Version 2.1_rc13

* Bundled OpenSSL 0.9.8i with Windows installer.

* Management interface can now listen on a unix
  domain socket, for example:

    management /tmp/openvpn unix

  Also added management-client-user and management-client-group
  directives to control which processes are allowed to connect
  to the socket.

* Copyright change to OpenVPN Technologies, Inc.

2008.09.23 -- Version 2.1_rc12

* Patched so that the new script becomes
  part of the tarball (Matthias Andree).

* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
  was incorrectly expecting the lladdr parameter to be an IP address
  when it is actually a MAC address (HoverHell).

2008.09.14 -- Version 2.1_rc11

* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
  to fail if UDP packets are dropped.

2008.09.10 -- Version 2.1_rc10

* Added "--server-bridge" (without parameters) to enable
  DHCP proxy mode:  Configure server mode for ethernet
  bridging using a DHCP-proxy, where clients talk to the
  OpenVPN server-side DHCP server to receive their IP address
  allocation and DNS server addresses.

* Added "--route-gateway dhcp", to enable the extraction
  of the gateway address from a DHCP negotiation with the
  OpenVPN server-side LAN.

* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
  on Windows.  If the bypass IP address is or,
  ignore it.

* Warn when ethernet bridging that the IP address of the bridge adapter
  is probably not the same address that the LAN adapter was set to
  previously.

* When running as a server, warn if the LAN network address is
  the all-popular 192.168.[0|1].x, since this condition commonly
  leads to subnet conflicts down the road.

* Primarily on the client, check for subnet conflicts between
  the local LAN and the VPN subnet.

* Added a 'netmask' parameter to get_default_gateway, to return
  the netmask of the adapter containing the default gateway.
  Only implemented on Windows so far.  Other platforms will
  return  Currently the netmask information is
  only used to warn about subnet conflicts.

* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
  and USE_SSL flags are enabled (Alon Bar-Lev).

* Updated openvpn/ (used by "make check") to conform to new
  --script-security rules.  Also adds retrying if the addresses are in
  use (Matthias Andree).

* Fixed build issue with ./configure --disable-socks --disable-http.

* Fixed separate compile errors in options.c and ntlm.c that occur
  on strict C compilers (such as old versions of gcc) that require
  that C variable declarations occur at the start of a {} block,
  not in the middle.

* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
  the new implementation of extract_x509_field_ssl depends on.

* LZO compression buffer overflow errors will now invalidate
  the packet rather than trigger a fatal assertion.

* Fixed minor compile issue in ntlm.c (mid-block declaration).

* Added --allow-pull-fqdn option which allows client to pull DNS names
  from server (rather than only IP address) for --ifconfig, --route, and
  --route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
  for these options to be pulled and translated to IP addresses by default.
  Now --allow-pull-fqdn will be explicitly required on the client to enable
  DNS-name-to-IP-address translation of pulled options.

* 2.1_rc8 and earlier did implicit shell expansion on script
  arguments since all scripts were called by system().
  The security hardening changes made to 2.1_rc9 no longer
  use system(), but rather use the safer execve or CreateProcess
  system calls.  The security hardening also introduced a
  backward incompatibility with 2.1_rc8 and earlier in that
  script parameters were no longer shell-expanded, so
  for example:

    client-connect "docc CLIENT-CONNECT"

  would fail to work because execve would try to execute
  a script called "docc CLIENT-CONNECT" instead of "docc"
  with "CLIENT-CONNECT" as the first argument.

  This patch fixes the issue, bringing the script argument
  semantics back to pre 2.1_rc9 behavior in order to preserve
  backward compatibility while still using execve or CreateProcess
  to execute the script/executable.
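
An added example (not OpenVPN's code) of the behaviour this entry describes: a directive value is split into an argument vector on whitespace and quotes, then run with execve() so that no shell ever interprets it. The helper names split_command and run_no_shell are hypothetical, and the quoting rules are a simplified assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16

extern char **environ;

/*
 * Split cmd into argv[] on whitespace; single or double quotes group words.
 * Nothing else is special: $VAR, ';', '|', backticks and '*' stay literal.
 * Words are stored in buf. Returns argc, or -1 on overflow or an open quote.
 */
int split_command(const char *cmd, char *argv[], int max_args,
                  char *buf, size_t buflen)
{
    int argc = 0;
    size_t used = 0;
    const char *p = cmd;

    for (;;) {
        char quote = 0;

        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        if (argc + 1 >= max_args)          /* keep one slot for the NULL */
            return -1;
        argv[argc] = buf + used;
        while (*p && (quote || !isspace((unsigned char)*p))) {
            if (quote && *p == quote) {
                quote = 0;                 /* closing quote */
            } else if (!quote && (*p == '"' || *p == '\'')) {
                quote = *p;                /* opening quote */
            } else {
                if (used + 1 >= buflen)
                    return -1;
                buf[used++] = *p;
            }
            p++;
        }
        if (quote || used >= buflen)       /* unterminated quote or no room */
            return -1;
        buf[used++] = '\0';
        argc++;
    }
    argv[argc] = NULL;
    return argc;
}

/*
 * Run cmd without a shell: argv[0] is executed directly via execve().
 * Returns the child's exit status, or -1 if it could not be started.
 */
int run_no_shell(const char *cmd)
{
    char *argv[MAX_ARGS];
    char buf[512];
    int status;
    pid_t pid;

    if (split_command(cmd, argv, MAX_ARGS, buf, sizeof buf) < 1)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, environ);
        _exit(127);                        /* execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *argv[MAX_ARGS];
    char buf[256];
    int i, argc;

    /* The directive value from the entry above. */
    argc = split_command("docc CLIENT-CONNECT", argv, MAX_ARGS, buf, sizeof buf);
    for (i = 0; i < argc; i++)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);
    fflush(stdout);

    /* Constructed input: echo receives "$HOME;" as plain bytes. */
    return run_no_shell("/bin/echo '$HOME;' stays literal");
}
```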

* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
  to more closely conform to RFC 3696:

  (1) DNS name length must not exceed 255 characters

  (2) DNS name characters must be limited to alphanumeric,
      dash ('-'), and dot ('.')

* Fixed bug in intra-session TLS key rollover that was introduced with
  deferred authentication features in 2.1_rc8.

2008.07.31 -- Version 2.1_rc9

* Security Fix -- affects non-Windows OpenVPN clients running
  OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
  vulnerable nor are any versions of the OpenVPN server vulnerable).
  An OpenVPN client connecting to a malicious or compromised
  server could potentially receive an "lladdr" or "iproute" configuration
  directive from the server which could cause arbitrary code execution on
  the client. A successful attack requires that (a) the client has agreed
  to allow the server to push configuration directives to it by including
  "pull" or the macro "client" in its configuration file, (b) the client
  successfully authenticates the server, (c) the server is malicious or has
  been compromised and is under the control of the attacker, and (d) the
  client is running a non-Windows OS.  Credit: David Wagner.
  CVE-2008-3459

* Miscellaneous defensive programming changes to multiple
  areas of the code.  In particular, use of the system() call
  for calling executables such as ifconfig, route, and
  user-defined scripts has been completely revamped in favor
  of execve() on unix and CreateProcess() on Windows.

* In Windows build, package a statically linked openssl.exe to work around
  observed instabilities in the dynamic build since the migration to
  OpenSSL 0.9.8h.

2008.06.11 -- Version 2.1_rc8

* Added client authentication and packet filtering capability
  to management interface.  In addition, allow OpenVPN plugins
  to take advantage of deferred authentication and packet
  filtering capability.

* Added support for client-side connection profiles.

* Fixed unbounded memory growth bug in environmental variable
  code that could have caused long-running OpenVPN sessions
  with many TLS renegotiations to incrementally
  increase memory usage over time.

* Windows release now packages openssl-0.9.8h.

* Build system changes -- allow building on Windows using
  autoconf/automake scripts (Alon Bar-Lev).

* Changes to Windows build system to make it easier to do
  partial builds, with a reduced set of prerequisites,
  where only a subset of OpenVPN installer
  components are built.  See ./domake-win comments.

* Cleanup IP address for persistence interfaces for tap and also
  using ifconfig, gentoo#209055 (Alon Bar-Lev).

* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.

* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).

* Added new OpenVPN icon and installer graphic.

* Minor pkitool changes.

* Added --pkcs11-id-management option, which will cause OpenVPN to
  query the management interface via the new NEED-STR asynchronous
  notification query to get additional PKCS#11 options (Alon Bar-Lev).

* Added NEED-STR management interface asynchronous query and
  "needstr" management interface command to respond to the query
  (Alon Bar-Lev).

* Added Dragonfly BSD support (Francis-Gudin).

* Quote device names before passing to up/down script (Josh Cepek).

* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
  prevent structure padding from causing an incorrect length
  to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
  platforms.

* On systems that support res_init, always call it
  before calling gethostbyname to ensure that
  resolver configuration state is current.

* Added NTLMv2 proxy support (Miroslav Zajic).

* Fixed an issue in extract_x509_field_ssl where the extraction
  would fail on the first field of the subject name, such as
  the common name in:  /CN=foo/emailAddress=

* Made "Linux ip addr del failed" error nonfatal.

* Amplified --client-cert-not-required warning.

* Added #pragma pack to proto.h.

2008.01.29 -- Version 2.1_rc7

* Added a few extra files that exist in the svn repo but were
  not being copied into the tarball by make dist.

* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).

2008.01.24 -- Version 2.1_rc6

* Fixed options checking bug introduced in rc5 where legitimate configuration
  files might elicit the error: "Options error: Parameter pkcs11_private_mode
  can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
  is also specified."

2008.01.23 -- Version 2.1_rc5

* Fixed Win2K TAP driver bug that was introduced by Vista fixes,
  incremented driver version to 9.4.

* Windows build system changes:

  Incremented included OpenSSL version to openssl-0.9.7m.

  Updated openssl.patch for openssl-0.9.7m and added some
  brief usage comments to the head of the patch.

  Added for building the pkcs11-helper
  library.

  Integrated inclusion of pkcs11-helper into Windows build
  system.

  Upgraded TAP build scripts to use WDK 6001.17121
  (Windows 2008 Server pre-RTM).

* Windows installer changes:

  Clean up the start menu folder.

  Allow for a site-specific sample configuration file and keys
  to be included in a custom installer (see SAMPCONF macros
  in

  New icon (temporary).

* Added "forget-passwords" command to the management interface
  (Alon Bar-Lev).

* Added --management-signal option to signal SIGUSR1 when the
  management interface disconnects (Alon Bar-Lev).

* Modified command line and config file parser to allow
  quoted strings using single quotes ('') (Alon Bar-Lev).

* Use pkcs11-helper as external library, can be downloaded from
  (Alon Bar-Lev).

* Fixed interim memory growth issue in TCP connect loop where
  "TCP: connect to %s failed, will try again in %d seconds: %s"
  is output.

* Fixed bug in epoll driver in event.c, where the lack of a
  handler for EPOLLHUP could cause 99% CPU usage.

* Defined ALLOW_NON_CBC_CIPHERS for people who don't
  want to use a CBC cipher for OpenVPN's data channel.

* Added PLUGIN_LIBDIR preprocessor string to prepend a default
  plugin directory to the dlopen search list when the user
  specifies the basename of the plugin only (Marius Tomaschewski).

* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
  to allow forward slash characters ("/") in the X509 common name
  (Pavel Shramov).

* Allow OpenVPN to run completely unprivileged under Linux
  by allowing openvpn --mktun to be used with --user and --group
  to set the UID/GID of the tun device node.  Also added --iproute
  option to allow an alternative command to be executed in place
  of the default iproute2 command (Alon Bar-Lev).

* Fixed --disable-iproute2 in ./configure to actually disable
  iproute2 usage (Alon Bar-Lev).

* Added --management-forget-disconnect option -- forget
  passwords when management session disconnects (Alon Bar-Lev).
     7712007.04.25 -- Version 2.1_rc4
     773* Worked out remaining issues with TAP driver signing
     774  on Vista x64.  OpenVPN will now run on Vista x64
     775  with driver signing enforcement enabled.
     777* Fixed 64-bit portability bug in time_string function
     778  (Thomas Habets).
     7802007.04.22 -- Version 2.1_rc3
     782* Additional fixes to TAP driver for Windows x64.  Driver
     783  now runs successfully on Vista x64 if driver signing
     784  enforcement is disabled.
     786* The Windows Installer and TAP driver are now signed by
     787  OpenVPN Solutions LLC (in addition to the usual GnuPG
     788  signatures).
     790* Added OpenVPN GUI (Mathias Sundman version) as install
     791  option in Windows installer.
     793* Clean up configure on FreeBSD for recent autotool versions
     794  that require that all .h files have to be compiled.
     795  Also, FreeBSD install does not support GNU long options
     796  which the Makefile in easy-rsa/2.0 uses (not checked the
     797  others as we don't install those on Gentoo) (Roy Marples).
     799* Added additional scripts to easy-rsa/Windows for working
     800  with password-protected keys; also add -extensions server
     801  option when generating server cert via
     802  build-key-server-pass.bat (Daniel Zauft).
     8042007.02.27 -- Version 2.1_rc2
     806* auth-pam change:  link with -lpam rather
     807  than dlopen (Roy Marples).
     809* Prevent SIGUSR1 or SIGHUP from causing program
     810  exit from initial management hold.
     812* SO_REUSEADDR should not be set on Windows TCP sockets
     813  because it will cause bind to succeed on port conflicts.
     815* Added time_ascii, time_duration, and time_unix
     816  environmental variables for plugins and callback
     817  scripts.
     819* Fixed issue where OpenVPN does not apply the --txqueuelen option
     820  to persistent interfaces made with --mktun (Roy Marples).
     822* Attempt at rational signal handling when in the
     823  management hold state.  During management hold, ignore
     824  SIGUSR1/SIGHUP signals thrown with the "signal" command.
     825  Also, "signal" command will now apply remapping as
     826  specified with the --remap-usr1 option.
     827  When a signal entered using the "signal" command from a management
     828  hold is ignored, output: >HOLD:Waiting for hold release
     830* Fixed issue where struct env_set methods that
     831  change the value of an existing name=value pair
     832  would delay the freeing of the memory held by
     833  the previous name=value pair until the underlying
     834  client instance object is closed.
     835  This could cause a server that handles long-term
     836  client connections, resulting in many periodic calls
     837  to verify_callback, to needlessly grow the env_set
     838  memory allocation until the underlying client instance
     839  object is closed.
     841* Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
     842  to reflect the fact that Vista has blacklisted the tap0801.sys
     843  file name due to previous compatibility issues which have now
     844  been resolved.  TAP-Win32 major/minor version number is now 9/1.
     846* Windows installer will delete a previously installed
     847  tap0801.sys TAP driver before installing tap0901.sys.
     849* Added code to Windows installer to fail gracefully on 64 bit
     850  installs until 64-bit TAP driver issues can be resolved.
     852* Added code to Windows installer to fail gracefully on
     853  versions of Windows which are not explicitly supported.
     855* The Windows version will now use a default route-delay
     856  of 5 seconds to deal with an apparent routing table race
     857  condition on Vista.
     859* Worked around an incompatibility in the Windows Vista
     860  version of CreateIpForwardEntry as described in
     862  This issue would cause route additions using the
     863  IP Helper API to fail on Vista.
     865* On Windows, revert to "ip-win32 dynamic" as the default.
     8672006.10.31 -- Version 2.1_rc1
     869* Support recovery (return to hold) from signal at
     870  management password prompt.
     872* Added workaround for OpenSC PKCS#11 bug#108
     873  (Alon Bar-Lev).
     8752006.10.01 -- Version 2.1-beta16
     877* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
     878  published vulnerabilities.
     880* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
     881  (Henry Nestler).
     883* Autodetect 32/64 bit Windows in installer and install
     884  appropriate TAP driver (Mathias Sundman, Hypherion).
     886* Fixed bug in loopback self-test introduced
     887  in 2.1-beta15 where self test as invoked by
     888  "make check" would not properly exit after
     889  2 minutes (Paul Howarth).
     8912006.09.12 -- Version 2.1-beta15
     893* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
     894  RSA Signature Forgery (CVE-2006-4339).
     896* Fixed bug introduced with the --port-share directive
     897  (back in 2.1-beta9) which causes TLS soft resets
     898  (1 per hour by default) in TCP server mode to force
     899  a blockage of tunnel packets and later time-out and
     900  restart the connection.
     902* easy-rsa update (Alon Bar-Lev)
     903  Makefile (install) is now available so that
     904  distribs will be able to install it safely.
     906* PKCS#11 changes: (Alon Bar-Lev)
     907  - Modified ssl.c to not FATAL and return to init.c
     908    so auth-retry will work.
     909  - Modified pkcs11-helper.c to fix some problems with
     910    multiple providers.
     911  - Added retry counter to PKCS#11 PIN hook.
     912  - Modified PKCS#11 PIN retry loop to return correct error
     913    code when PIN is incorrect.
     914  - Fix handling (ignoring) zero sized attributes.
     915  - Fix gcc-2 issues.
     916  - Fix openssl 0.9.6 (first version) issues.
     918* Minor fixes of lladdr (Alon Bar-Lev)
     919  Updated makefile.w32-vc to include lladdr.*, updated
     920  linkage libraries.
     921  Modified lladdr.c to be compiled under visual C.
     923* Added two new management states:
     924   OPENVPN_STATE_RESOLVE      -- DNS lookup
     925   OPENVPN_STATE_TCP_CONNECT  -- Connecting to TCP server
     927* Echo management state change to log.
     929* Minor syshead.h change for NetBSD to allow
     930  TCP_NODELAY flag to work.
     932* Modified --port-share code to remove the assumption that
     933  CMSG_SPACE always evaluates to a constant, to enable
     934  compilation on NetBSD and possibly other BSDs as well.
     936* Eliminated gcc 3.3.3 warnings on NetBSD
     937  when ./configure --enable-strict is used.
     939* Added optional minimum-number-of-bytes parameter
     940  to --inactive directive.
     9422006.04.13 -- Version 2.1-beta14
     944* Fixed Windows server bug in time backtrack handling code which
     945  could cause TLS negotiation failures on legitimate clients.
     947* Rewrote gettimeofday function for Windows to be
     948  simpler and more efficient.
     950* Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev).
     952* Added --route-metric option to set a default route metric
     953  for --route (Roy Marples).
     955* Added --lladdr option to specify the link layer (MAC) address
     956  for the tap interface on non-Windows platforms (Roy Marples).
     9582006.04.12 -- Version 2.1-beta13
     960* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
     961  to 64 bits caused a bug in the Windows version which has now
     962  been fixed.  The bug could cause intermittent crashes.
     9642006.04.05 -- Version 2.1-beta12
     966* Security Vulnerability -- An OpenVPN client connecting to a
     967  malicious or compromised server could potentially receive
     968  "setenv" configuration directives from the server which could
     969  cause arbitrary code execution on the client via an LD_PRELOAD
     970  attack.  A successful attack appears to require that (a) the
     971  client has agreed to allow the server to push configuration
     972  directives to it by including "pull" or the macro "client" in
     973  its configuration file, (b) the client configuration file uses
     974  a scripting directive such as "up" or "down", (c) the client
     975  successfully authenticates the server, (d) the server is
     976  malicious or has been compromised and is under the control of
     977  the attacker, and (e) the attacker has at least some level of
     978  pre-existing control over files on the client (this might be
     979  accomplished by having the server respond to a client web request
     980  with a specially crafted file).  Credit: Hendrik Weimer.
     981  CVE-2006-1629.
     983  The fix is to disallow "setenv" to be pushed to clients from
     984  the server, and to add a new directive "setenv-safe" which is
     985  pushable from the server, but which appends "OPENVPN_" to the
     986  name of each remotely set environmental variable.
     988* "topology subnet" fix for FreeBSD (Benoit Bourdin).
     990* PKCS11 fixes (Alon Bar-Lev).  For full description:
     991  svn log -r990
     993* When deleting routes under Linux, use the route metric
     994  as a differentiator to ensure that the route teardown
     995  process only deletes the identical route which was originally
     996  added via the "route" directive (Roy Marples).
     998* Fix the file in FreeBSD 4 jails
     999  (Matthias Andree, Dirk Meyer, Vasil Dimov).
     1001* Extended tun device configure code to support ethernet
     1002  bridging on NetBSD (Emmanuel Kasper).
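The "setenv" / "setenv-safe" fix described in the 2.1-beta12 entry above, sketched as a client-side screening function. This is an added example, not OpenVPN's own code: the names `screen_pushed_option`, `is_directive` and `push_verdict` are hypothetical, the strict name character check is an assumption, and the `OPENVPN_` tag is placed in front of the name, as in the manual's `OPENVPN_name=value` form.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of screening one option line pushed by the server. */
enum push_verdict { PUSH_REJECTED, PUSH_ENV_SET, PUSH_OTHER };

/* Match directive `word` at the start of s (followed by whitespace or end);
 * on success *rest points at the first argument. Hypothetical helper. */
static int is_directive(const char *s, const char *word, const char **rest)
{
    size_t n = strlen(word);
    if (strncmp(s, word, n) != 0 || (s[n] != '\0' && !isspace((unsigned char)s[n])))
        return 0;               /* e.g. "setenv-safe" is not "setenv" */
    s += n;
    while (isspace((unsigned char)*s))
        s++;
    *rest = s;
    return 1;
}

/* "setenv" from the server is refused outright. "setenv-safe NAME VALUE"
 * yields "OPENVPN_NAME=VALUE" in env, so the server cannot choose a name
 * the dynamic loader or a shell acts on (LD_PRELOAD, PATH, ...). */
enum push_verdict screen_pushed_option(const char *line, char *env, size_t envlen)
{
    const char *rest, *value;
    size_t namelen, i;
    if (envlen == 0)
        return PUSH_REJECTED;
    env[0] = '\0';
    if (is_directive(line, "setenv", &rest))
        return PUSH_REJECTED;
    if (!is_directive(line, "setenv-safe", &rest))
        return PUSH_OTHER;      /* not an environment directive */

    namelen = strcspn(rest, " \t");
    if (namelen == 0)
        return PUSH_REJECTED;
    for (i = 0; i < namelen; i++)   /* assumption: strict name charset */
        if (!isalnum((unsigned char)rest[i]) && rest[i] != '_')
            return PUSH_REJECTED;
    value = rest + namelen;
    while (isspace((unsigned char)*value))
        value++;
    int n = snprintf(env, envlen, "OPENVPN_%.*s=%s", (int)namelen, rest, value);
    if (n < 0 || (size_t)n >= envlen) {
        env[0] = '\0';
        return PUSH_REJECTED;   /* would not fit: refuse, never truncate */
    }
    return PUSH_ENV_SET;
}

int main(void)
{
    char env[128];
    /* Constructed sample of pushed options, not captured traffic. */
    const char *pushed[] = { "route 10.8.0.0 255.255.255.0",
                             "setenv LD_PRELOAD /tmp/lib.so",
                             "setenv-safe LD_PRELOAD /tmp/lib.so" };
    for (size_t i = 0; i < sizeof pushed / sizeof pushed[0]; i++)
        printf("%d %s\n", (int)screen_pushed_option(pushed[i], env, sizeof env), env);
    return 0;
}
```

The third sample line is accepted but ends up as `OPENVPN_LD_PRELOAD=...`, a name the dynamic loader ignores when an "up" or "down" script is later executed.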
     10042006.02.19 -- Version 2.1-beta11
     1006* Fixed --port-share bug that caused premature closing
     1007  of proxied sessions.
     10092006.02.17 -- Version 2.1-beta10
     1011* Fixed --port-share breakage introduced in 2.1-beta9.
     10132006.02.16 -- Version 2.1-beta9
     1015* Added --port-share option for allowing OpenVPN and HTTPS
     1016  server to share the same port number.
     1017* Added --management-client option to connect as a client
     1018  to management GUI app rather than be connected to as a
     1019  server.
     1020* Added "bytecount" command to management interface.
     1021* --remote-cert-tls fixes (Alon Bar-Lev).
     10232006.01.03 -- Version 2.1-beta8
     1025* --remap-usr1 will now also remap signals thrown during
     1026  initialization.
     1027* Added --connect-timeout option to control the timeout
     1028  on TCP client connection attempts (doesn't work on all
     1029  OSes).  This patch also makes OpenVPN signalable during
     1030  TCP connection attempts.
     1031* Fixed bug in acinclude.m4 where capability of compiler
     1032  to handle zero-length arrays in structs is tested
     1033  (David Stipp).
     1034* Fixed typo in manage.c where inline function declaration
     1035  was declared without the "static" keyword (David Stipp).
     1036* Patch to support --topology subnet on Mac OS X (Mathias Sundman).
     1037* Added --auto-proxy directive to auto-detect HTTP or SOCKS
     1038  proxy settings (currently Windows only).
     1039* Removed redundant base64 code.
     1040* Better sanity checking of --server and --server-bridge
     1041  IP pool ranges, so as not to hit the assertion at
     1042  pool.c:119 (2.0.5).
     1043* Fixed bug where --daemon and --management-query-passwords
     1044  used together would cause OpenVPN to block prior to
     1045  daemonization.
     1046* Fixed client/server race condition which could occur
     1047  when --auth-retry interact is set and the initially
     1048  provided auth-user-pass credentials are incorrect,
     1049  forcing a username/password re-query.
     1050* Fixed bug where if --daemon and --management-hold are
     1051  used together, --user or --group options would be ignored.
     1052* --ip-win32 adaptive is now the default.
     1053* --ip-win32 netsh (or --ip-win32 adaptive when in netsh
     1054  mode) can now set DNS/WINS addresses on the TAP-Win32
     1055  adapter.
     1056* Added new option --route-method adaptive (Win32)
     1057  which tries IP helper API first, then falls back to
     1058  route.exe.
     1059* Made --route-method adaptive the default.
     10612005.11.12 -- Version 2.1-beta7
     1063* Allow blank passwords to be passed via the management
     1064  interface.
     1065* Fixed bug where "make check" inside a FreeBSD "jail"
     1066  would never complete (Matthias Andree).
     1067* Fixed bug where --server directive in --dev tap mode
     1068  claimed that it would support subnets of /30 or less
     1069  but actually would only accept /29 or less.
     1070* Extend byte counters to 64 bits (M. van Cuijk).
     1071* Fixed bug in Linux get_default_gateway function
     1072  introduced in 2.0.4, which would cause redirect-gateway
     1073  on Linux clients to fail.
     1074* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
     1075  be compatible with 2.0.x distribution.
     1076* Documented --route-nopull.
     1077* Documented --ip-win32 adaptive.
     1078* Windows build now linked with LZO2.
     1079* Allow ca, cert, key, and dh files to be specified
     1080  inline via XML-like syntax without needing to
     1081  reference an explicit file.
     1082  For example:
     1083  <ca>
     1084        data here...
     1085  </ca>
     1086* Allow plugin and push directives to have multi-line
     1087  parameter lists such as:
     1088  <plugin>
     1090    parm1
     1091    parm2
     1092  </plugin>
     1093* Added connect-retry-max option (Alon Bar-Lev).
     1094* Fixed problems where signals thrown during initialization
     1095  were not returning to a management-hold state.
     1096* Added a backtrack-hardened system time algorithm.
     1097* Added --remote-cert-ku, --remote-cert-eku, and
     1098  --remote-cert-tls options for verifying certificate
     1099  attributes (Alon Bar-Lev).
     1100* For Windows, reverted --ip-win32 default back to "dynamic".
     1101  To use new adaptive mode, set explicitly.
     11032005.11.01 -- Version 2.1-beta6
     1105* Security fix (merged from 2.0.4) -- Affects non-Windows
     1106  OpenVPN clients of version 2.0 or higher which connect to
     1107  a malicious or compromised server.  A format string
     1108  vulnerability in the foreign_option function in options.c
     1109  could potentially allow a malicious or compromised server
     1110  to execute arbitrary code on the client.  Only
     1111  non-Windows clients are affected.  The vulnerability
     1112  only exists if (a) the client's TLS negotiation with
     1113  the server succeeds, (b) the server is malicious or
     1114  has been compromised such that it is configured to
     1115  push a maliciously crafted options string to the client,
     1116  and (c) the client indicates its willingness to accept
     1117  pushed options from the server by having "pull" or
     1118  "client" in its configuration file (Credit: Vade79).
     1119  CVE-2005-3393
     1120* Security fix -- (merged from 2.0.4) Potential DoS
     1121  vulnerability on the server in TCP mode.  If the TCP
     1122  server accept() call returns an error status, the resulting
     1123  exception handler may attempt to indirect through a NULL
     1124  pointer, causing a segfault.  Affects all OpenVPN 2.0 versions.
     1125  CVE-2005-3409
     1126* Attempted fix for the assertion at multi.c:1586 (note that
     1127  this precise line number will vary across different
     1128  versions of OpenVPN).
     1129* Windows reliability changes:
     1130  (a) Added code to make sure that the local PATH environmental
     1131      variable points to the Windows system32 directory.
     1132  (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
     1133      and then fails over to 'netsh' if the DHCP negotiation fails.
     1134  (c) Made --ip-win32 adaptive the default.
     1135* More PKCS#11 additions/changes (Alon Bar-Lev).
     1136* Added ".PHONY: plugin" to to work around
     1137  "make dist" issue.
     1138* Fixed double fork issue that occurs when --management-hold
     1139  is used.
     1140* Moved TUN/TAP read/write log messages from --verb 8 to 6.
     1141* Warn when multiple clients having the same common name or
     1142  username usurp each other when --duplicate-cn is not used.
     1143* Modified Windows and Linux versions of get_default_gateway
     1144  to return the route with the smallest metric
     1145  if multiple entries are present.
     1146* Added ">NEED-OK" alert and "needok" command to management
     1147  interface to provide a general interface for sending
     1148  alerts to the end-user.  Used by the PKCS#11 code
     1149  to send Token Insertion Requests to the user.
     1150* Added actual remote address used to the ">STATE" alert
     1151  in the management interface (Rolf Fokkens).
     11532005.10.17 -- Version 2.1-beta4
     1155* Fixed bug introduced in 2.1-beta3 where management
     1156  socket bind would fail.
     1157* --capath fix in ssl.c (Zhuang Yuyao).
     1158* Added ".PHONY: plugin" to, reverted
     1159  location of "plugin" directory (thanks to
     1160  Matthias Andree for figuring this out).
     11622005.10.16 -- Version 2.1-beta3
     1164* Added PKCS#11 support (Alon Bar-Lev).
     1165* Enable the use of --ca together with --pkcs12.  If --ca is
     1166  used at the same time as --pkcs12, the CA certificate is loaded
     1167  from the file specified by --ca regardless of whether the pkcs12 file
     1168  contains a CA cert or not (Mathias Sundman).
     1169* Merged --capath patch (Thomas Noel).
     1170* Merged --multihome patch.
     1171* Added --bind option for TCP client connections (Ewan Bhamrah
     1172  Harley).
     1173* Moved "plugin" directory to "plugins" to deal with strange
     1174  automake problem that ended up being also fixable with
     1175  ".PHONY: plugin" in
     11772005.10.13 -- Version 2.1-beta2
     1179* Made --sndbuf and --rcvbuf pushable.
     11812005.10.01 -- Version 2.1-beta1
     1183* Made LZO setting pushable.
     1184* Renamed sample-keys/tmp-ca.crt to ca.crt.
     1185* Fixed bug where remove_iroutes_from_push_route_list
     1186  was missing routes if those routes had
     1187  an implied netmask (by omission) of
     1188* Merged with 2.0.3-rc1
     1189* easy-rsa/2.0 moved to easy-rsa
     1190* old easy-rsa moved to easy-rsa/1.0