Changes between Initial Version and Version 1 of ChangesInOpenvpn21


Ignore:
Timestamp:
07/24/14 13:37:53 (3 years ago)
Author:
samuli
Comment:

Migrated content from http://openvpn.net/index.php/open-source/documentation/change-log/changelog-21.html

Legend:

Unmodified
Added
Removed
Modified
  • ChangesInOpenvpn21

    v1 v1  
     1{{{
     2OpenVPN Change Log
     3Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <
     4 sales@openvpn.net>
     5
     62010.11.09 -- Version 2.1.4
     7
     8* Fix problem with special case route targets ('remote_host')
     9  The init_route() function will leave &netlist untouched for
     10  get_special_addr() routes ("remote_host" being one of them).
     11  netlist is on stack,  contains random garbage, and
     12  netlist.len will not be 0 - thus, random stack data is copied from
     13  netlist.data[] until the route_list is full.
     14  Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
     15
     16
     172010.08.20 -- Version 2.1.3
     18
     19* Windows build fixes
     20  Attempt to fix issue where domake-win build system was not properly
     21  signing drivers and .exe files.  This change is only affecting the
     22  Windows build scripts and not the OpenVPN code base.
     23
     242010.08.09 -- Version 2.1.2
     25
     26* Windows security issue:
     27  Fixed potential local privilege escalation vulnerability in
     28  Windows service. The Windows service did not properly quote the
     29  executable filename passed to CreateService.  A local attacker
     30  with write access to the root directory C:\ could create an
     31  executable that would be run with the same privilege level as
     32  the OpenVPN Windows service.  However, since non-Administrative
     33  users normally lack write permission on C:\, this vulnerability
     34  is generally not exploitable except on older versions of Windows
     35  (such as Win2K) where the default permissions on C:\ would allow
     36  any user to create files there.
     37  Credit:  Scott Laurie, MWR InfoSecurity
     38
     39* Added Python-based based alternative build system for Windows using
     40  Visual Studio 2008 (in win directory).
     41
     42* When aborting in a non-graceful way, try to execute do_close_tun in
     43  init.c prior to daemon exit to ensure that the tun/tap interface is
     44  closed and any added routes are deleted.
     45
     46* Fixed an issue where AUTH_FAILED was not being properly delivered
     47  to the client when a bad password is given for mid-session reauth,
     48  causing the connection to fail without an error indication.
     49
     50* Don't advance to the next connection profile on AUTH_FAILED errors.
     51
     52* Fixed an issue in the Management Interface that could cause
     53  a process hang with 100% CPU utilization in --management-client
     54  mode if the management interface client disconnected at the
     55  point where credentials are queried.
     56
     57* Fixed an issue where if reneg-sec was set to 0 on the client,
     58  so that the server-side value would take precedence,
     59  the auth_deferred_expire_window function would incorrectly
     60  return a window period of 0 seconds.  In this case, the
     61  correct window period should be the handshake window
     62  period.
     63
     64* Modified ">PASSWORD:Verification Failed" management interface
     65  notification to include a client reason string:
     66
     67    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
     68
     69* Enable exponential backoff in reliability layer
     70  retransmits.
     71
     72* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
     73  socket is created rather than waiting until after connect/listen.
     74
     75* Management interface performance optimizations:
     76
     77  1. Added env-filter MI command to perform filtering on env vars
     78     passed through as a part of --management-client-auth
     79
     80  2. man_write will now try to aggregate output into larger blocks
     81     (up to 1024 bytes) for more efficient i/o
     82
     83* Fixed minor issue in Windows TAP driver DEBUG builds
     84  where non-null-terminated unicode strings were being
     85  printed incorrectly.
     86
     87* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
     88  was not being compiled in.
     89
     90* Proxy improvements:
     91
     92  Improved the ability of http-auth "auto" flag to dynamically detect
     93  the auth method required by the proxy.
     94
     95  Added http-auth "auto-nct" flag to reject weak proxy auth methods.
     96
     97  Added HTTP proxy digest authentication method.
     98
     99  Removed extraneous openvpn_sleep calls from proxy.c.
     100
     101* Implemented http-proxy-override and http-proxy-fallback directives to make it
     102  easier for OpenVPN client UIs to start a pre-existing client config file with
     103  proxy options, or to adaptively fall back to a proxy connection if a direct
     104  connection fails.
     105
     106* Implemented a key/value auth channel from client to server.
     107
     108* Fixed issue where bad creds provided by the management interface
     109  for HTTP Proxy Basic Authentication would go into an infinite
     110  retry-fail loop instead of requerying the management interface for
     111  new creds.
     112
     113* Added support for MSVC debugging of openvpn.exe in settings.in:
     114
     115  # Build debugging version of openvpn.exe
     116  !define PRODUCT_OPENVPN_DEBUG
     117
     118* Implemented multi-address DNS expansion on the network field of route
     119  commands.
     120
     121  When only a single IP address is desired from a multi-address DNS
     122  expansion, use the first address rather than a random selection.
     123
     124* Added --register-dns option for Windows.
     125
     126  Fixed some issues on Windows with --log, subprocess creation
     127  for command execution, and stdout/stderr redirection.
     128
     129* Fixed an issue where application payload transmissions on the
     130  TLS control channel (such as AUTH_FAILED) that occur during
     131  or immediately after a TLS renegotiation might be dropped.
     132
     133* Added warning about tls-remote option in man page.
     134
     1352009.12.11 -- Version 2.1.1
     136
     137* Fixed some breakage in openvpn.spec (which is required to build an
     138  RPM distribution) where it was referencing a non-existent
     139  subdirectory in the tarball, causing it to fail (patch from
     140  David Sommerseth).
     141
     1422009.12.11 -- Version 2.1.0
     143
     144* Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
     145  (1) Fail gracefully rather than segfault if calloc returns NULL.
     146  (2) The openvpn_plugin_abort_v1 function can potentially be called
     147  with handle == NULL.  Add code to detect this case, and if  so, avoid
     148  dereferencing pointers derived from handle  (Thanks to David
     149  Sommerseth for finding this bug).
     150
     151* Documented "multihome" option in the man page.
     152
     1532009.11.20 -- Version 2.1_rc22
     154
     155* Fixed a client-side bug on Windows that occurred when the
     156  "dhcp-pre-release" or "dhcp-renew" options were combined with
     157  "route-gateway dhcp".  The release/renew would not occur
     158  because the Windows DHCP renew function is blocking and
     159  therefore must be called from another process or thread
     160  so as not to stall the tunnel.
     161
     162* Added a hard failure when peer provides a certificate chain
     163  with depth > 16.  Previously, a warning was issued.
     164
     1652009.11.12 -- Version 2.1_rc21
     166
     167* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
     168  CVE-2009-3555.  Note that OpenVPN has never relied on the session
     169  renegotiation capabilities that are built into the SSL/TLS protocol,
     170  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
     171  completely) will not adversely affect OpenVPN mid-session SSL/TLS
     172  renegotation or any other OpenVPN capabilities.
     173
     174* Added additional session renegotiation hardening.  OpenVPN has always
     175  required that mid-session renegotiations build up a new SSL/TLS
     176  session from scratch.  While the client certificate common name is
     177  already locked against changes in mid-session TLS renegotiations, we
     178  now extend this locking to the auth-user-pass username as well as all
     179  certificate content in the full client certificate chain.
     180
     1812009.10.01 -- Version 2.1_rc20
     182
     183* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
     184  redirect-gateway option by itself, without any extra parameters,
     185  would cause the option to be ignored.
     186
     187* Fixed build problem when ./configure --disable-server is used.
     188
     189* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
     190
     191* Added --remote-random-hostname option.
     192
     193* Added "load-stats" management interface command to get global server
     194  load statistics.
     195
     196* Added new ./configure flags:
     197
     198  --disable-def-auth      Disable deferred authentication
     199  --disable-pf            Disable internal packet filter
     200
     201* Added "setcon" directive for interoperability with SELinux (Sebastien
     202  Raveau).
     203
     204* Optimized PUSH_REQUEST handshake sequence to shave several seconds
     205  off of a typical client connection initiation.
     206
     207* The maximum number of "route" directives (specified in the config
     208  file or pulled from a server) can now be configured via the new
     209  "max-routes" directive.
     210
     211* Eliminated the limitation on the number of options that can be pushed
     212  to clients, including routes.  Previously, all pushed options needed
     213  to fit within a 1024 byte options string.
     214
     215* Added --server-poll-timeout option : when polling possible remote
     216  servers to connect to in a round-robin fashion, spend no more than
     217  n seconds waiting for a response before trying the next server.
     218
     219* Added the ability for the server to provide a custom reason string
     220  when an AUTH_FAILED message is returned to the client.  This
     221  string can be set by the server-side managment interface and read
     222  by the client-side management interface.
     223
     224* client-kill management interface command, when issued on server, will
     225  now send a RESTART message to client.
     226  This feature is intended to make UDP clients respond the same as TCP
     227  clients in the case where the server issues a RESTART message in
     228  order to force the client to reconnect and pull a new options/route
     229  list.
     230
     2312009.07.16 -- Version 2.1_rc19
     232
     233* In Windows TAP driver, refactor DHCP/ARP packet injection code to
     234  use a DPC (deferred procedure call) to defer packet injection until
     235  IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
     236  in the context of AdapterTransmit.  This is an attempt to reduce kernel
     237  stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
     238  observed on Vista.  Updated TAP driver version number to 9.6.
     239
     240* In configure.ac, use datadir instead of datarootdir for compatibility
     241  with <autoconf-2.60.
     242
     2432009.06.07 -- Version 2.1_rc18
     244
     245* Fixed compile error on ./configure --enable-small
     246
     247* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
     248  does not build on Windows on non-MINGW32.
     249
     2502009.05.30 -- Version 2.1_rc17
     251
     252* Reduce the debug level (--verb) at which received management interface
     253  commands are echoed from 7 to 3.  Passwords will be filtered.
     254
     255* Fixed race condition in management interface recv code on
     256  Windows, where sending a set of several commands to the
     257  management interface in quick succession might cause the
     258  latter commands in the set to be ignored.
     259
     260* Increased management interface input command buffer size
     261  from 256 to 1024 bytes.
     262
     263* Minor tweaks to Windows build system.
     264
     265* Added "redirect-private" option which allows private subnets
     266  to be pushed to the client in such a way that they don't accidently
     267  obscure critical local addresses such as the DHCP server address and
     268  DNS server addresses.
     269
     270* Added new 'autolocal' redirect-gateway flag.  When enabled, the OpenVPN
     271  client will examine the routing table and determine whether (a) the
     272  OpenVPN server is reachable via a locally connected interface, or (b)
     273  traffic to the server must be forwarded through the default router.
     274  Only add a special bypass route for the OpenVPN server if (b) is true.
     275  If (a) is true, behave as if the 'local' flag is specified, and do not
     276  add a bypass route.
     277
     278  The new 'autolocal' flag depends on the non-portable test_local_addr()
     279  function in route.c, which is currently only implemented for Windows.
     280  The 'autolocal' flag will act as a no-op on platforms that have not
     281  yet defined a test_local_addr() function.
     282
     283* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
     284  more option content to be pushed from server to client).
     285
     286* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
     287  levels <=3) a common and usually innocuous warning.
     288
     289* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
     290  functionality (Alon Bar-Lev).
     291
     292* Fixed bug where the remote_X environmental variables were not being
     293  set correctly when the 'local' option is specifed.
     294
     2952009.05.17 -- Version 2.1_rc16
     296
     297* Windows installer changes:
     298
     299  1. ifdefed out the check Windows version code which is causing
     300  problems on Windows 7
     301
     302  2. don't define SF_SELECTED if it is already defined
     303
     304  3. Use LZMA instead of BZIP2 compression for better compression
     305
     306  4. Upgraded OpenSSL to 0.9.8k
     307
     308* Added the ability to read the configuration file
     309  from stdin, when "stdin" is given as the config
     310  file name.
     311
     312* Allow "management-client" directive to be used
     313  with unix domain sockets.
     314
     315* Added errors-to-stderr option.  When enabled, fatal errors
     316  that result in the termination of the daemon will be written
     317  to stderr.
     318
     319* Added optional "nogw" (no gateway) flag to --server-bridge
     320  to inhibit the pushing of the route-gateway parameter to
     321  clients.
     322
     323* Added new management interface command "pid" to show the
     324  process ID of the current OpenVPN process (Angelo Laub).
     325
     326* Fixed issue where SIGUSR1 restarts would fail if private
     327  key was specified as an inline file.
     328
     329* Added daemon_start_time and daemon_pid environmental variables.
     330
     331* In management interface, added new ">CLIENT:ESTABLISHED" notification.
     332
     333* Build fixes:
     334
     335  1. Fixed some issues with C++ style comments that leaked into the code.
     336
     337  2. Updated configure.ac to work on MinGW64.
     338
     339  3. Updated common.h types for _WIN64.
     340
     341  4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
     342     compilers.
     343
     344  5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
     345     OpenVPNCryptAcquireCertificatePrivateKey to work around
     346     a symbol conflict in MinGW-5.1.4.
     347
     3482008.11.19 -- Version 2.1_rc15
     349
     350* Fixed issue introduced in 2.1_rc14 that may cause a
     351  segfault when a --plugin module is used.
     352
     353* Added server-side --opt-verify option: clients that connect
     354  with options that are incompatible with those of the server
     355  will be disconnected (without this option, incompatible
     356  clients would trigger a warning message in the server log
     357  but would not be disconnected).
     358
     359* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
     360  flag on the server as well as pushes it to connecting clients.
     361
     362* Minor options check fix: --no-name-remapping is a
     363  server-only option and should therefore generate an
     364  error when used on the client.
     365
     366* Added --prng option to control PRNG (pseudo-random
     367  number generator) parameters.  In previous OpenVPN
     368  versions, the PRNG was hardcoded to use the SHA1
     369  hash.  Now any OpenSSL hash may be used.  This is
     370  part of an effort to remove hardcoded references to
     371  a specific cipher or cryptographic hash algorithm.
     372
     373* Cleaned up man page synopsis.
     374
     3752008.11.16 -- Version 2.1_rc14
     376
     377* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
     378  with the goal of fixing a build issue on Fedora 9 that was
     379  introduced in 2.1_rc13.
     380
     381* Added additional method parameter to --script-security to preserve
     382  backward compatibility with system() call semantics used in OpenVPN
     383  2.1_rc8 and earlier.  To preserve backward compatibility use:
     384
     385    script-security 3 system
     386
     387* Added additional warning messages about --script-security 2
     388  or higher being required to execute user-defined scripts or
     389  executables.
     390
     391* Windows build system changes:
     392
     393  Modified Windows domake-win build system to write all openvpn.nsi
     394  input files to gen, so that gen can be disconnected from
     395  the rest of the source tree and makensis openvpn.nsi will
     396  still function correctly.
     397
     398  Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
     399  (commented out by default).
     400
     401  Added optional files SAMPCONF_CONF2 (second sample configuration
     402  file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
     403  build system, and may be defined in settings.in.
     404
     405* Extended Management Interface "bytecount" command
     406  to work when OpenVPN is running as a server.
     407  Documented Management Interface "bytecount" command in
     408  management/management-notes.txt.
     409
     410* Fixed informational message in ssl.c to properly indicate
     411  deferred authentication.
     412
     413* Added server-side --auth-user-pass-optional directive, to allow
     414  connections by clients that do not specify a username/password, when a
     415  user-defined authentication script/module is in place (via
     416  --auth-user-pass-verify, --management-client-auth, or a plugin module).
     417
     418* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
     419
     420  Calling scripts can set the KEY_NAME environmental variable to set
     421  the "name" X509 subject field in generated certificates.
     422
     423  Modified pkitool to allow flexibility in separating the Common Name
     424  convention from the cert/key filename convention.
     425
     426  For example:
     427
     428  KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
     429
     430  will create a client certificate/key pair of james.crt/james.key
     431  having a Common Name of "James's Laptop" and a Name of "james".
     432
     433* Added --no-name-remapping option to allow Common Name, X509 Subject,
     434  and username strings to include any printable character including
     435  space, but excluding control characters such as tab, newline, and
     436  carriage-return (this is important for compatibility with external
     437  authentication systems).
     438
     439  As a related change, added --status-version 3 format (and "status 3"
     440  in the management interface) which uses the version 2 format except
     441  that tabs are used as delimiters instead of commas so that there
     442  is no ambiguity when parsing a Common Name that contains a comma.
     443
     444  Also, save X509 Subject fields to environment, using the naming
     445  convention:
     446
     447  X509_{cert_depth}_{name}={value}
     448
     449  This is to avoid ambiguities when parsing out the X509 subject string
     450  since "/" characters could potentially be used in the common name.
     451
     452* Fixed some ifconfig-pool issues that precluded it from being combined
     453  with --server directive.
     454
     455  Now, for example, we can configure thusly:
     456
     457    server 10.8.0.0 255.255.255.0 nopool
     458    ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
     459
     460  to have ifconfig-pool manage only a subset
     461  of the VPN subnet.
     462
     463* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
     464  config file syntax checking to allow directives for future OpenVPN
     465  versions to be ignored.
     466
     4672008.10.07 -- Version 2.1_rc13
     468
     469* Bundled OpenSSL 0.9.8i with Windows installer.
     470
     471* Management interface can now listen on a unix
     472  domain socket, for example:
     473
     474    management /tmp/openvpn unix
     475
     476  Also added management-client-user and management-client-group
     477  directives to control which processes are allowed to connect
     478  to the socket.
     479
     480* Copyright change to OpenVPN Technologies, Inc.
     481
     4822008.09.23 -- Version 2.1_rc12
     483
     484* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
     485  part of the tarball (Matthias Andree).
     486
     487* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
     488  was incorrectly expecting the lladdr parameter to be an IP address
     489  when it is actually a MAC address (HoverHell).
     490
     4912008.09.14 -- Version 2.1_rc11
     492
     493* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
     494  to fail if UDP packets are dropped.
     495
     4962008.09.10 -- Version 2.1_rc10
     497
     498* Added "--server-bridge" (without parameters) to enable
     499  DHCP proxy mode:  Configure server mode for ethernet
     500  bridging using a DHCP-proxy, where clients talk to the
     501  OpenVPN server-side DHCP server to receive their IP address
     502  allocation and DNS server addresses.
     503
     504* Added "--route-gateway dhcp", to enable the extraction
     505  of the gateway address from a DHCP negotiation with the
     506  OpenVPN server-side LAN.
     507
     508* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
     509  on Windows.  If the bypass IP address is 0.0.0.0 or 255.255.255.255,
     510  ignore it.
     511
     512* Warn when ethernet bridging that the IP address of the bridge adapter
     513  is probably not the same address that the LAN adapter was set to
     514  previously.
     515
     516* When running as a server, warn if the LAN network address is
     517  the all-popular 192.168.[0|1].x, since this condition commonly
     518  leads to subnet conflicts down the road.
     519
     520* Primarily on the client, check for subnet conflicts between
     521  the local LAN and the VPN subnet.
     522
     523* Added a 'netmask' parameter to get_default_gateway, to return
     524  the netmask of the adapter containing the default gateway.
     525  Only implemented on Windows so far.  Other platforms will
     526  return 255.255.255.0.  Currently the netmask information is
     527  only used to warn about subnet conflicts.
     528
     529* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
     530  and USE_SSL flags are enabled (Alon Bar-Lev).
     531
     532* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
     533  --script-security rules.  Also adds retrying if the addresses are in
     534  use (Matthias Andree).
     535
     536* Fixed build issue with ./configure --disable-socks --disable-http.
     537
     538* Fixed separate compile errors in options.c and ntlm.c that occur
     539  on strict C compilers (such as old versions of gcc) that require
     540  that C variable declarations occur at the start of a {} block,
     541  not in the middle.
     542
     543* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
     544  the new implementation of extract_x509_field_ssl depends on.
     545
     546* LZO compression buffer overflow errors will now invalidate
     547  the packet rather than trigger a fatal assertion.
     548
     549* Fixed minor compile issue in ntlm.c (mid-block declaration).
     550
     551* Added --allow-pull-fqdn option which allows client to pull DNS names
     552  from server (rather than only IP address) for --ifconfig, --route, and
     553  --route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
     554  for these options to be pulled and translated to IP addresses by default.
     555  Now --allow-pull-fqdn will be explicitly required on the client to enable
     556  DNS-name-to-IP-address translation of pulled options.
     557
     558* 2.1_rc8 and earlier did implicit shell expansion on script
     559  arguments since all scripts were called by system().
     560  The security hardening changes made to 2.1_rc9 no longer
     561  use system(), but rather use the safer execve or CreateProcess
     562  system calls.  The security hardening also introduced a
     563  backward incompatibility with 2.1_rc8 and earlier in that
     564  script parameters were no longer shell-expanded, so
     565  for example:
     566
     567    client-connect "docc CLIENT-CONNECT"
     568
     569  would fail to work because execve would try to execute
     570  a script called "docc CLIENT-CONNECT" instead of "docc"
     571  with "CLIENT-CONNECT" as the first argument.
     572
     573  This patch fixes the issue, bringing the script argument
     574  semantics back to pre 2.1_rc9 behavior in order to preserve
     575  backward compatibility while still using execve or CreateProcess
     576  to execute the script/executable.
     577
     578* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
     579  to more closely conform to RFC 3696:
     580
     581  (1) DNS name length must not exceed 255 characters
     582
     583  (2) DNS name characters must be limited to alphanumeric,
     584      dash ('-'), and dot ('.')
     585
     586* Fixed bug in intra-session TLS key rollover that was introduced with
     587  deferred authentication features in 2.1_rc8.
     588
     5892008.07.31 -- Version 2.1_rc9
     590
     591* Security Fix -- affects non-Windows OpenVPN clients running
     592  OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
     593  vulnerable nor are any versions of the OpenVPN server vulnerable).
     594  An OpenVPN client connecting to a malicious or compromised
     595  server could potentially receive an "lladdr" or "iproute" configuration
     596  directive from the server which could cause arbitrary code execution on
     597  the client. A successful attack requires that (a) the client has agreed
     598  to allow the server to push configuration directives to it by including
     599  "pull" or the macro "client" in its configuration file, (b) the client
     600  successfully authenticates the server, (c) the server is malicious or has
     601  been compromised and is under the control of the attacker, and (d) the
     602  client is running a non-Windows OS.  Credit: David Wagner.
     603  CVE-2008-3459
     604
     605* Miscellaneous defensive programming changes to multiple
     606  areas of the code.  In particular, use of the system() call
     607  for calling executables such as ifconfig, route, and
     608  user-defined scripts has been completely revamped in favor
     609  of execve() on unix and CreateProcess() on Windows.
     610
     611* In Windows build, package a statically linked openssl.exe to work around
     612  observed instabilities in the dynamic build since the migration to
     613  OpenSSL 0.9.8h.
     614
     6152008.06.11 -- Version 2.1_rc8
     616
     617* Added client authentication and packet filtering capability
     618  to management interface.  In addition, allow OpenVPN plugins
     619  to take advantage of deferred authentication and packet
     620  filtering capability.
     621
     622* Added support for client-side connection profiles.
     623
     624* Fixed unbounded memory growth bug in environmental variable
     625  code that could have caused long-running OpenVPN sessions
     626  with many TLS renegotiations to incrementally
     627  increase memory usage over time.
     628
     629* Windows release now packages openssl-0.9.8h.
     630
     631* Build system changes -- allow building on Windows using
     632  autoconf/automake scripts (Alon Bar-Lev).
     633
     634* Changes to Windows build system to make it easier to do
     635  partial builds, with a reduced set of prerequisites,
     636  where only a subset of OpenVPN installer
     637  components are built.  See ./domake-win comments.
     638
     639* Cleanup IP address for persistence interfaces for tap and also
     640  using ifconfig, gentoo#209055 (Alon Bar-Lev).
     641
     642* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
     643
     644* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
     645
     646* Added new OpenVPN icon and installer graphic.
     647
     648* Minor pkitool changes.
     649
     650* Added --pkcs11-id-management option, which will cause OpenVPN to
     651  query the management interface via the new NEED-STR asynchronous
     652  notification query to get additional PKCS#11 options (Alon Bar-Lev).
     653
     654* Added NEED-STR management interface asynchronous query and
     655  "needstr" management interface command to respond to the query
     656  (Alon Bar-Lev).
     657
     658* Added Dragonfly BSD support (Francis-Gudin).
     659
     660* Quote device names before passing to up/down script (Josh Cepek).
     661
     662* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
     663  prevent structure padding from causing an incorrect length
     664  to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
     665  platforms.
     666
     667* On systems that support res_init, always call it
     668  before calling gethostbyname to ensure that
     669  resolver configuration state is current.
     670
     671* Added NTLMv2 proxy support (Miroslav Zajic).
     672
     673* Fixed an issue in extract_x509_field_ssl where the extraction
     674  would fail on the first field of the subject name, such as
     675  the common name in:  /CN=foo/emailAddress=
     676 foo@bar.com
     677
     678* Made "Linux ip addr del failed" error nonfatal.
     679
     680* Amplified --client-cert-not-required warning.
     681
     682* Added #pragma pack to proto.h.
     683
     6842008.01.29 -- Version 2.1_rc7
     685
     686* Added a few extra files that exist in the svn repo but were
     687  not being copied into the tarball by make dist.
     688
     689* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
     690
     6912008.01.24 -- Version 2.1_rc6
     692
     693* Fixed options checking bug introduced in rc5 where legitimate configuration
     694  files might elicit the error: "Options error: Parameter pkcs11_private_mode
     695  can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
     696  is also specified."
     697       
     6982008.01.23 -- Version 2.1_rc5
     699
     700* Fixed Win2K TAP driver bug that was introduced by Vista fixes,
     701  incremented driver version to 9.4.
     702
     703* Windows build system changes:
     704
     705  Incremented included OpenSSL version to openssl-0.9.7m.
     706
     707  Updated openssl.patch for openssl-0.9.7m and added some
     708  brief usage comments to the head of the patch.
     709
     710  Added build-pkcs11-helper.sh for building the pkcs11-helper
     711  library.
     712
     713  Integrated inclusion of pkcs11-helper into Windows build
     714  system.
     715
     716  Upgraded TAP build scripts to use WDK 6001.17121
     717  (Windows 2008 Server pre-RTM).
     718
     719* Windows installer changes:
     720
     721  Clean up the start menu folder.
     722
     723  Allow for a site-specific sample configuration file and keys
     724  to be included in a custom installer (see SAMPCONF macros
     725  in settings.in).
     726
     727  New icon (temporary).
     728
     729* Added "forget-passwords" command to the management interface
     730  (Alon Bar-Lev).
     731
     732* Added --management-signal option to signal SIGUSR1 when the
     733  management interface disconnects (Alon Bar-Lev).
     734
     735* Modified command line and config file parser to allow
     736  quoted strings using single quotes ('') (Alon Bar-Lev).
     737
     738* Use pkcs11-helper as external library, can be downloaded from
     739  https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
     740
     741* Fixed interim memory growth issue in TCP connect loop where
     742  "TCP: connect to %s failed, will try again in %d seconds: %s"
     743  is output.
     744
     745* Fixed bug in epoll driver in event.c, where the lack of a
     746  handler for EPOLLHUP could cause 99% CPU usage.
     747
     748* Defined ALLOW_NON_CBC_CIPHERS for people who don't
     749  want to use a CBC cipher for OpenVPN's data channel.
     750
     751* Added PLUGIN_LIBDIR preprocessor string to prepend a default
     752  plugin directory to the dlopen search list when the user
     753  specifies the basename of the plugin only (Marius Tomaschewski).
     754
     755* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
     756  to allow forward slash characters ("/") in the X509 common name
     757  (Pavel Shramov).
     758
     759* Allow OpenVPN to run completely unprivileged under Linux
     760  by allowing openvpn --mktun to be used with --user and --group
     761  to set the UID/GID of the tun device node.  Also added --iproute
     762  option to allow an alternative command to be executed in place
     763  of the default iproute2 command (Alon Bar-Lev).
     764
     765* Fixed --disable-iproute2 in ./configure to actually disable
     766  iproute2 usage (Alon Bar-Lev).
     767
     768* Added --management-forget-disconnect option -- forget
     769  passwords when management session disconnects (Alon Bar-Lev).
     770       
     7712007.04.25 -- Version 2.1_rc4
     772
     773* Worked out remaining issues with TAP driver signing
     774  on Vista x64.  OpenVPN will now run on Vista x64
     775  with driver signing enforcement enabled.
     776
     777* Fixed 64-bit portability bug in time_string function
     778  (Thomas Habets).
     779
     7802007.04.22 -- Version 2.1_rc3
     781
     782* Additional fixes to TAP driver for Windows x64.  Driver
     783  now runs successfully on Vista x64 if driver signing
     784  enforcement is disabled.
     785       
     786* The Windows Installer and TAP driver are now signed by
     787  OpenVPN Solutions LLC (in addition to the usual GnuPG
     788  signatures).
     789
     790* Added OpenVPN GUI (Mathias Sundman version) as install
     791  option in Windows installer.
     792
     793* Clean up configure on FreeBSD for recent autotool versions
     794  that require that all .h files have to be compiled.
     795  Also, FreeBSD install does not support GNU long options
     796  which the Makefile in easy-rsa/2.0 uses (not checked the
     797  others as we don't install those on Gentoo) (Roy Marples).
     798
     799* Added additional scripts to easy-rsa/Windows for working
     800  with password-protected keys; also add -extensions server
     801  option when generating server cert via
     802  build-key-server-pass.bat (Daniel Zauft).
     803       
     8042007.02.27 -- Version 2.1_rc2
     805
     806* auth-pam change:  link with -lpam rather
     807  than dlopen (Roy Marples).
     808
     809* Prevent SIGUSR1 or SIGHUP from causing program
     810  exit from initial management hold.
     811
     812* SO_REUSEADDR should not be set on Windows TCP sockets
     813  because it will cause bind to succeed on port conflicts.
     814
     815* Added time_ascii, time_duration, and time_unix
     816  environmental variables for plugins and callback
     817  scripts.
     818
     819* Fixed issue where OpenVPN does not apply the --txqueuelen option
     820  to persistent interfaces made with --mktun (Roy Marples).
     821
     822* Attempt at rational signal handling when in the
     823  management hold state.  During management hold, ignore
     824  SIGUSR1/SIGHUP signals thrown with the "signal" command.
     825  Also, "signal" command will now apply remapping as
     826  specified with the --remap-usr1 option.
     827  When a signal entered using the "signal" command from a management
     828  hold is ignored, output: >HOLD:Waiting for hold release
     829
     830* Fixed issue where struct env_set methods that
     831  change the value of an existing name=value pair
     832  would delay the freeing of the memory held by
     833  the previous name=value pair until the underlying
     834  client instance object is closed.
     835  This could cause a server that handles long-term
     836  client connections, resulting in many periodic calls
     837  to verify_callback, to needlessly grow the env_set
     838  memory allocation until the underlying client instance
     839  object is closed.
     840
     841* Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
     842  to reflect the fact that Vista has blacklisted the tap0801.sys
     843  file name due to previous compatibility issues which have now
     844  been resolved.  TAP-Win32 major/minor version number is now 9/1.
     845
     846* Windows installer will delete a previously installed
     847  tap0801.sys TAP driver before installing tap0901.sys.
     848
     849* Added code to Windows installer to fail gracefully on 64 bit
     850  installs until 64-bit TAP driver issues can be resolved.
     851
     852* Added code to Windows installer to fail gracefully on
     853  versions of Windows which are not explicitly supported.
     854
     855* The Windows version will now use a default route-delay
     856  of 5 seconds to deal with an apparent routing table race
     857  condition on Vista.
     858
     859* Worked around an incompatibility in the Windows Vista
     860  version of CreateIpForwardEntry as described in
     861  http://www.nynaeve.net/?p=59
     862  This issue would cause route additions using the
     863  IP Helper API to fail on Vista.
     864
     865* On Windows, revert to "ip-win32 dynamic" as the default.
     866
     8672006.10.31 -- Version 2.1_rc1
     868
     869* Support recovery (return to hold) from signal at
     870  management password prompt.
     871
     872* Added workaround for OpenSC PKCS#11 bug#108
     873  (Alon Bar-Lev).
     874
     8752006.10.01 -- Version 2.1-beta16
     876
     877* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
     878  published vulnerabilities.
     879
     880* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
     881  (Henry Nestler).
     882       
     883* Autodetect 32/64 bit Windows in installer and install
     884  appropriate TAP driver (Mathias Sundman, Hypherion).
     885       
     886* Fixed bug in loopback self-test introduced
     887  in 2.1-beta15 where self test as invoked by
     888  "make check" would not properly exit after
     889  2 minutes (Paul Howarth).
     890
     8912006.09.12 -- Version 2.1-beta15
     892
     893* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
     894  RSA Signature Forgery (CVE-2006-4339).
     895
     896* Fixed bug introduced with the --port-share directive
     897  (back in 2.1-beta9 which causes TLS soft resets
     898  (1 per hour by default) in TCP server mode to force
     899  a blockage of tunnel packets and later time-out and
     900  restart the connection.
     901
     902* easy-rsa update (Alon Bar-Lev)
     903  Makefile (install) is now available so that
     904  distribs will be able to install it safely.
     905
     906* PKCS#11 changes: (Alon Bar-Lev)
     907  - Modified ssl.c to not FATAL and return to init.c
     908    so auth-retry will work.
     909  - Modifed pkcs11-helper.c to fix some problem with
     910    multiple providers.
     911  - Added retry counter to PKCS#11 PIN hook.
     912  - Modified PKCS#11 PIN retry loop to return correct error
     913    code when PIN is incorrect.
     914  - Fix handling (ignoring) zero sized attributes.
     915  - Fix gcc-2 issues.
     916  - Fix openssl 0.9.6 (first version) issues.
     917
     918* Minor fixes of lladdr (Alon Bar-Lev)
     919  Updated makefile.w32-vc to include lladdr.*, updated
     920  linkage libraries.
     921  Modified lladdr.c to be compiled under visual C.
     922
     923* Added two new management states:
     924   OPENVPN_STATE_RESOLVE      -- DNS lookup
     925   OPENVPN_STATE_TCP_CONNECT  -- Connecting to TCP server
     926
     927* Echo management state change to log.
     928
     929* Minor syshead.h change for NetBSD to allow
     930  TCP_NODELAY flag to work.
     931
     932* Modified --port-share code to remove the assumption that
     933  CMSG_SPACE always evaluates to a constant, to enable
     934  compilation on NetBSD and possibly other BSDs as well.
     935
     936* Eliminated gcc 3.3.3 warnings on NetBSD
     937  when ./configure --enable-strict is used.
     938
     939* Added optional minimum-number-of-bytes parameter
     940  to --inactive directive.
     941
     9422006.04.13 -- Version 2.1-beta14
     943
     944* Fixed Windows server bug in time backtrack handling code which
     945  could cause TLS negotiation failures on legitimate clients.
     946       
     947* Rewrote gettimeofday function for Windows to be
     948  simpler and more efficient.
     949       
     950* Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev).
     951
     952* Added --route-metric option to set a default route metric
     953  for --route (Roy Marples).
     954
     955* Added --lladdr option to specify the link layer (MAC) address
     956  for the tap interface on non-Windows platforms (Roy Marples).
     957
     9582006.04.12 -- Version 2.1-beta13
     959
     960* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
     961  to 64 bits caused a bug in the Windows version which has now
     962  been fixed.  The bug could cause intermittent crashes.
     963       
     9642006.04.05 -- Version 2.1-beta12
     965
     966* Security Vulnerability -- An OpenVPN client connecting to a
     967  malicious or compromised server could potentially receive
     968  "setenv" configuration directives from the server which could
     969  cause arbitrary code execution on the client via a LD_PRELOAD
     970  attack.  A successful attack appears to require that (a) the
     971  client has agreed to allow the server to push configuration
     972  directives to it by including "pull" or the macro "client" in
     973  its configuration file, (b) the client configuration file uses
     974  a scripting directive such as "up" or "down", (c) the client
     975  succesfully authenticates the server, (d) the server is
     976  malicious or has been compromised and is under the control of
     977  the attacker, and (e) the attacker has at least some level of
     978  pre-existing control over files on the client (this might be
     979  accomplished by having the server respond to a client web request
     980  with a specially crafted file).  Credit: Hendrik Weimer.
     981  CVE-2006-1629.
     982
     983  The fix is to disallow "setenv" to be pushed to clients from
     984  the server, and to add a new directive "setenv-safe" which is
     985  pushable from the server, but which appends "OPENVPN_" to the
     986  name of each remotely set environmental variable.
     987
     988* "topology subnet" fix for FreeBSD (Benoit Bourdin).
     989
     990* PKCS11 fixes (Alon Bar-Lev).  For full description:
     991  svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
     992       
     993* When deleting routes under Linux, use the route metric
     994  as a differentiator to ensure that the route teardown
     995  process only deletes the identical route which was originally
     996  added via the "route" directive (Roy Marples).
     997
     998* Fix the t_cltsrv.sh file in FreeBSD 4 jails
     999  (Matthias Andree, Dirk Meyer, Vasil Dimov).
     1000
     1001* Extended tun device configure code to support ethernet
     1002  bridging on NetBSD (Emmanuel Kasper).
     1003
     10042006.02.19 -- Version 2.1-beta11
     1005
     1006* Fixed --port-share bug that caused premature closing
     1007  of proxied sessions.
     1008
     10092006.02.17 -- Version 2.1-beta10
     1010
     1011* Fixed --port-share breakage introduced in 2.1-beta9.
     1012
     10132006.02.16 -- Version 2.1-beta9
     1014
     1015* Added --port-share option for allowing OpenVPN and HTTPS
     1016  server to share the same port number.
     1017* Added --management-client option to connect as a client
     1018  to management GUI app rather than be connected to as a
     1019  server.
     1020* Added "bytecount" command to management interface.
     1021* --remote-cert-tls fixes (Alon Bar-Lev).
     1022
     10232006.01.03 -- Version 2.1-beta8
     1024
     1025* --remap-usr1 will now also remap signals thrown during
     1026  initialization.
     1027* Added --connect-timeout option to control the timeout
     1028  on TCP client connection attempts (doesn't work on all
     1029  OSes).  This patch also makes OpenVPN signalable during
     1030  TCP connection attempts.
     1031* Fixed bug in acinclude.m4 where capability of compiler
     1032  to handle zero-length arrays in structs is tested
     1033  (David Stipp).
     1034* Fixed typo in manage.c where inline function declaration
     1035  was declared without the "static" keyword (David Stipp).
     1036* Patch to support --topology subnet on Mac OS X (Mathias Sundman).
     1037* Added --auto-proxy directive to auto-detect HTTP or SOCKS
     1038  proxy settings (currently Windows only).
     1039* Removed redundant base64 code.
     1040* Better sanity checking of --server and --server-bridge
     1041  IP pool ranges, so as not to hit the assertion at
     1042  pool.c:119 (2.0.5).
     1043* Fixed bug where --daemon and --management-query-passwords
     1044  used together would cause OpenVPN to block prior to
     1045  daemonization.
     1046* Fixed client/server race condition which could occur
     1047  when --auth-retry interact is set and the initially
     1048  provided auth-user-pass credentials are incorrect,
     1049  forcing a username/password re-query.
     1050* Fixed bug where if --daemon and --management-hold are
     1051  used together, --user or --group options would be ignored.
     1052* --ip-win32 adaptive is now the default.
     1053* --ip-win32 netsh (or --ip-win32 adaptive when in netsh
     1054  mode) can now set DNS/WINS addresses on the TAP-Win32
     1055  adapter.
     1056* Added new option --route-method adaptive (Win32)
     1057  which tries IP helper API first, then falls back to
     1058  route.exe.
     1059* Made --route-method adaptive the default.
     1060       
     10612005.11.12 -- Version 2.1-beta7
     1062
     1063* Allow blank passwords to be passed via the management
     1064  interface.
     1065* Fixed bug where "make check" inside a FreeBSD "jail"
     1066  would never complete (Matthias Andree).
     1067* Fixed bug where --server directive in --dev tap mode
     1068  claimed that it would support subnets of /30 or less
     1069  but actually would only accept /29 or less.
     1070* Extend byte counters to 64 bits (M. van Cuijk).
     1071* Fixed bug in Linux get_default_gateway function
     1072  introduced in 2.0.4, which would cause redirect-gateway
     1073  on Linux clients to fail.
     1074* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
     1075  be compatible with 2.0.x distribution.
     1076* Documented --route-nopull.
     1077* Documented --ip-win32 adaptive.
     1078* Windows build now linked with LZO2.
     1079* Allow ca, cert, key, and dh files to be specified
     1080  inline via XML-like syntax without needing to
     1081  reference an explicit file.
     1082  For example:
     1083  <ca>
     1084        data here...
     1085  </ca>
     1086* Allow plugin and push directives to have multi-line
     1087  parameter lists such as:
     1088  <plugin>
     1089    my-plugin.so
     1090    parm1
     1091    parm2
     1092  </plugin>
     1093* Added connect-retry-max option (Alon Bar-Lev).
     1094* Fixed problems where signals thrown during initialization
     1095  were not returning to a management-hold state.
     1096* Added a backtrack-hardened system time algorithm.
     1097* Added --remote-cert-ku, --remote-cert-eku, and
     1098  --remote-cert-tls options for verifying certificate
     1099  attributes (Alon Bar-Lev).
     1100* For Windows, reverted --ip-win32 default back to "dynamic".
     1101  To use new adaptive mode, set explicitly.
     1102       
     11032005.11.01 -- Version 2.1-beta6
     1104
     1105* Security fix (merged from 2.0.4) -- Affects non-Windows
     1106  OpenVPN clients of version 2.0 or higher which connect to
     1107  a malicious or compromised server.  A format string
     1108  vulnerability in the foreign_option function in options.c
     1109  could potentially allow a malicious or compromised server
     1110  to execute arbitrary code on the client.  Only
     1111  non-Windows clients are affected.  The vulnerability
     1112  only exists if (a) the client's TLS negotiation with
     1113  the server succeeds, (b) the server is malicious or
     1114  has been compromised such that it is configured to
     1115  push a maliciously crafted options string to the client,
     1116  and (c) the client indicates its willingness to accept
     1117  pushed options from the server by having "pull" or
     1118  "client" in its configuration file (Credit: Vade79).
     1119  CVE-2005-3393
     1120* Security fix -- (merged from 2.0.4) Potential DoS
     1121  vulnerability on the server in TCP mode.  If the TCP
     1122  server accept() call returns an error status, the resulting
     1123  exception handler may attempt to indirect through a NULL
     1124  pointer, causing a segfault.  Affects all OpenVPN 2.0 versions.
     1125  CVE-2005-3409
     1126* Fix attempt of assertion at multi.c:1586 (note that
     1127  this precise line number will vary across different
     1128  versions of OpenVPN).
     1129* Windows reliability changes:
     1130  (a) Added code to make sure that the local PATH environmental
     1131      variable points to the Windows system32 directory.
     1132  (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
     1133      and then fails over to 'netsh' if the DHCP negotiation fails.
     1134  (c) Made --ip-win32 adaptive the default.
     1135* More PKCS#11 additions/changes (Alon Bar-Lev).
     1136* Added ".PHONY: plugin" to Makefile.am to work around
     1137  "make dist" issue.
     1138* Fixed double fork issue that occurs when --management-hold
     1139  is used.
     1140* Moved TUN/TAP read/write log messages from --verb 8 to 6.
     1141* Warn when multiple clients having the same common name or
     1142  username usurp each other when --duplicate-cn is not used.
     1143* Modified Windows and Linux versions of get_default_gateway
     1144  to return the route with the smallest metric
     1145  if multiple 0.0.0.0/0.0.0.0 entries are present.
     1146* Added ">NEED-OK" alert and "needok" command to management
     1147  interface to provide a general interface for sending
     1148  alerts to the end-user.  Used by the PKCS#11 code
     1149  to send Token Insertion Requests to the user.
     1150* Added actual remote address used to the ">STATE" alert
     1151  in the management interface (Rolf Fokkens).
     1152
     11532005.10.17 -- Version 2.1-beta4
     1154
     1155* Fixed bug introduced in 2.1-beta3 where management
     1156  socket bind would fail.
     1157* --capath fix in ssl.c (Zhuang Yuyao).
     1158* Added ".PHONY: plugin" to Makefile.am, reverted
     1159  location of "plugin" directory (thanks to
     1160  Matthias Andree for figuring this out).
     1161       
     11622005.10.16 -- Version 2.1-beta3
     1163
     1164* Added PKCS#11 support (Alon Bar-Lev).
     1165* Enable the use of --ca together with --pkcs12.  If --ca is
     1166  used at the same time as --pkcs12, the CA certificate is loaded
     1167  from the file specified by --ca regardless if the pkcs12 file
     1168  contains a CA cert or not (Mathias Sundman).
     1169* Merged --capath patch (Thomas Noel).
     1170* Merged --multihome patch.
     1171* Added --bind option for TCP client connections (Ewan Bhamrah
     1172  Harley).
     1173* Moved "plugin" directory to "plugins" to deal with strange
     1174  automake problem that ended up being also fixable with
     1175  ".PHONY: plugin" in Makefile.am.
     1176
     11772005.10.13 -- Version 2.1-beta2
     1178
     1179* Made --sndbuf and --rcvbuf pushable.
     1180
     11812005.10.01 -- Version 2.1-beta1
     1182
     1183* Made LZO setting pushable.
     1184* Renamed sample-keys/tmp-ca.crt to ca.crt.
     1185* Fixed bug where remove_iroutes_from_push_route_list
     1186  was missing routes if those routes had
     1187  an implied netmask (by omission) of 255.255.255.255.
     1188* Merged with 2.0.3-rc1
     1189* easy-rsa/2.0 moved to easy-rsa
     1190* old easy-rsa moved to easy-rsa/1.0
     1191}}}