Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of ChangesInOpenvpn21

Timestamp:: 07/24/14 13:37:53 (10 years ago)
Author:: Samuli Seppänen
Comment:: Migrated content from http://openvpn.net/index.php/open-source/documentation/change-log/changelog-21.html

Legend:

: Unmodified
: Added
: Removed
: Modified

ChangesInOpenvpn21

                       v1
+{{{
+OpenVPN Change Log
+Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <
+ sales@openvpn.net>
+.11.09 -- Version 2.1.4
+* Fix problem with special case route targets ('remote_host')
+  The init_route() function will leave &netlist untouched for
+  get_special_addr() routes ("remote_host" being one of them).
+  netlist is on stack,  contains random garbage, and
+  netlist.len will not be 0 - thus, random stack data is copied from
+  netlist.data[] until the route_list is full.
+  Thanks to Teodo MICU and Gert Doering for finding and fixing this issue.
+.08.20 -- Version 2.1.3
+* Windows build fixes
+  Attempt to fix issue where domake-win build system was not properly
+  signing drivers and .exe files.  This change is only affecting the
+  Windows build scripts and not the OpenVPN code base.
+.08.09 -- Version 2.1.2
+* Windows security issue:
+  Fixed potential local privilege escalation vulnerability in
+  Windows service. The Windows service did not properly quote the
+  executable filename passed to CreateService.  A local attacker
+  with write access to the root directory C:\ could create an
+  executable that would be run with the same privilege level as
+  the OpenVPN Windows service.  However, since non-Administrative
+  users normally lack write permission on C:\, this vulnerability
+  is generally not exploitable except on older versions of Windows
+  (such as Win2K) where the default permissions on C:\ would allow
+  any user to create files there.
+  Credit:  Scott Laurie, MWR InfoSecurity
+* Added Python-based based alternative build system for Windows using
+  Visual Studio 2008 (in win directory).
+* When aborting in a non-graceful way, try to execute do_close_tun in
+  init.c prior to daemon exit to ensure that the tun/tap interface is
+  closed and any added routes are deleted.
+* Fixed an issue where AUTH_FAILED was not being properly delivered
+  to the client when a bad password is given for mid-session reauth,
+  causing the connection to fail without an error indication.
+* Don't advance to the next connection profile on AUTH_FAILED errors.
+* Fixed an issue in the Management Interface that could cause
+  a process hang with 100% CPU utilization in --management-client
+  mode if the management interface client disconnected at the
+  point where credentials are queried.
+* Fixed an issue where if reneg-sec was set to 0 on the client,
+  so that the server-side value would take precedence,
+  the auth_deferred_expire_window function would incorrectly
+  return a window period of 0 seconds.  In this case, the
+  correct window period should be the handshake window
+  period.
+* Modified ">PASSWORD:Verification Failed" management interface
+  notification to include a client reason string:
+    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
+* Enable exponential backoff in reliability layer
+  retransmits.
+* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
+  socket is created rather than waiting until after connect/listen.
+* Management interface performance optimizations:
+. Added env-filter MI command to perform filtering on env vars
+     passed through as a part of --management-client-auth
+. man_write will now try to aggregate output into larger blocks
+     (up to 1024 bytes) for more efficient i/o
+* Fixed minor issue in Windows TAP driver DEBUG builds
+  where non-null-terminated unicode strings were being
+  printed incorrectly.
+* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
+  was not being compiled in.
+* Proxy improvements:
+  Improved the ability of http-auth "auto" flag to dynamically detect
+  the auth method required by the proxy.
+  Added http-auth "auto-nct" flag to reject weak proxy auth methods.
+  Added HTTP proxy digest authentication method.
+  Removed extraneous openvpn_sleep calls from proxy.c.
+* Implemented http-proxy-override and http-proxy-fallback directives to make it
+  easier for OpenVPN client UIs to start a pre-existing client config file with
+  proxy options, or to adaptively fall back to a proxy connection if a direct
+  connection fails.
+* Implemented a key/value auth channel from client to server.
+* Fixed issue where bad creds provided by the management interface
+  for HTTP Proxy Basic Authentication would go into an infinite
+  retry-fail loop instead of requerying the management interface for
+  new creds.
+* Added support for MSVC debugging of openvpn.exe in settings.in:
+  # Build debugging version of openvpn.exe
+  !define PRODUCT_OPENVPN_DEBUG
+* Implemented multi-address DNS expansion on the network field of route
+  commands.
+  When only a single IP address is desired from a multi-address DNS
+  expansion, use the first address rather than a random selection.
+* Added --register-dns option for Windows.
+  Fixed some issues on Windows with --log, subprocess creation
+  for command execution, and stdout/stderr redirection.
+* Fixed an issue where application payload transmissions on the
+  TLS control channel (such as AUTH_FAILED) that occur during
+  or immediately after a TLS renegotiation might be dropped.
+* Added warning about tls-remote option in man page.
+.12.11 -- Version 2.1.1
+* Fixed some breakage in openvpn.spec (which is required to build an
+  RPM distribution) where it was referencing a non-existent
+  subdirectory in the tarball, causing it to fail (patch from
+  David Sommerseth).
+.12.11 -- Version 2.1.0
+* Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
+  (1) Fail gracefully rather than segfault if calloc returns NULL.
+  (2) The openvpn_plugin_abort_v1 function can potentially be called
+  with handle == NULL.  Add code to detect this case, and if  so, avoid
+  dereferencing pointers derived from handle  (Thanks to David
+  Sommerseth for finding this bug).
+* Documented "multihome" option in the man page.
+.11.20 -- Version 2.1_rc22
+* Fixed a client-side bug on Windows that occurred when the
+  "dhcp-pre-release" or "dhcp-renew" options were combined with
+  "route-gateway dhcp".  The release/renew would not occur
+  because the Windows DHCP renew function is blocking and
+  therefore must be called from another process or thread
+  so as not to stall the tunnel.
+* Added a hard failure when peer provides a certificate chain
+  with depth > 16.  Previously, a warning was issued.
+.11.12 -- Version 2.1_rc21
+* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
+  CVE-2009-3555.  Note that OpenVPN has never relied on the session
+  renegotiation capabilities that are built into the SSL/TLS protocol,
+  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
+  completely) will not adversely affect OpenVPN mid-session SSL/TLS
+  renegotation or any other OpenVPN capabilities.
+* Added additional session renegotiation hardening.  OpenVPN has always
+  required that mid-session renegotiations build up a new SSL/TLS
+  session from scratch.  While the client certificate common name is
+  already locked against changes in mid-session TLS renegotiations, we
+  now extend this locking to the auth-user-pass username as well as all
+  certificate content in the full client certificate chain.
+.10.01 -- Version 2.1_rc20
+* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
+  redirect-gateway option by itself, without any extra parameters,
+  would cause the option to be ignored.
+* Fixed build problem when ./configure --disable-server is used.
+* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
+* Added --remote-random-hostname option.
+* Added "load-stats" management interface command to get global server
+  load statistics.
+* Added new ./configure flags:
+  --disable-def-auth      Disable deferred authentication
+  --disable-pf            Disable internal packet filter
+* Added "setcon" directive for interoperability with SELinux (Sebastien
+  Raveau).
+* Optimized PUSH_REQUEST handshake sequence to shave several seconds
+  off of a typical client connection initiation.
+* The maximum number of "route" directives (specified in the config
+  file or pulled from a server) can now be configured via the new
+  "max-routes" directive.
+* Eliminated the limitation on the number of options that can be pushed
+  to clients, including routes.  Previously, all pushed options needed
+  to fit within a 1024 byte options string.
+* Added --server-poll-timeout option : when polling possible remote
+  servers to connect to in a round-robin fashion, spend no more than
+  n seconds waiting for a response before trying the next server.
+* Added the ability for the server to provide a custom reason string
+  when an AUTH_FAILED message is returned to the client.  This
+  string can be set by the server-side managment interface and read
+  by the client-side management interface.
+* client-kill management interface command, when issued on server, will
+  now send a RESTART message to client.
+  This feature is intended to make UDP clients respond the same as TCP
+  clients in the case where the server issues a RESTART message in
+  order to force the client to reconnect and pull a new options/route
+  list.
+.07.16 -- Version 2.1_rc19
+* In Windows TAP driver, refactor DHCP/ARP packet injection code to
+  use a DPC (deferred procedure call) to defer packet injection until
+  IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
+  in the context of AdapterTransmit.  This is an attempt to reduce kernel
+  stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
+  observed on Vista.  Updated TAP driver version number to 9.6.
+* In configure.ac, use datadir instead of datarootdir for compatibility
+  with <autoconf-2.60.
+.06.07 -- Version 2.1_rc18
+* Fixed compile error on ./configure --enable-small
+* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
+  does not build on Windows on non-MINGW32.
+.05.30 -- Version 2.1_rc17
+* Reduce the debug level (--verb) at which received management interface
+  commands are echoed from 7 to 3.  Passwords will be filtered.
+* Fixed race condition in management interface recv code on
+  Windows, where sending a set of several commands to the
+  management interface in quick succession might cause the
+  latter commands in the set to be ignored.
+* Increased management interface input command buffer size
+  from 256 to 1024 bytes.
+* Minor tweaks to Windows build system.
+* Added "redirect-private" option which allows private subnets
+  to be pushed to the client in such a way that they don't accidently
+  obscure critical local addresses such as the DHCP server address and
+  DNS server addresses.
+* Added new 'autolocal' redirect-gateway flag.  When enabled, the OpenVPN
+  client will examine the routing table and determine whether (a) the
+  OpenVPN server is reachable via a locally connected interface, or (b)
+  traffic to the server must be forwarded through the default router.
+  Only add a special bypass route for the OpenVPN server if (b) is true.
+  If (a) is true, behave as if the 'local' flag is specified, and do not
+  add a bypass route.
+  The new 'autolocal' flag depends on the non-portable test_local_addr()
+  function in route.c, which is currently only implemented for Windows.
+  The 'autolocal' flag will act as a no-op on platforms that have not
+  yet defined a test_local_addr() function.
+* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
+  more option content to be pushed from server to client).
+* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
+  levels <=3) a common and usually innocuous warning.
+* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
+  functionality (Alon Bar-Lev).
+* Fixed bug where the remote_X environmental variables were not being
+  set correctly when the 'local' option is specifed.
+.05.17 -- Version 2.1_rc16
+* Windows installer changes:
+. ifdefed out the check Windows version code which is causing
+  problems on Windows 7
+. don't define SF_SELECTED if it is already defined
+. Use LZMA instead of BZIP2 compression for better compression
+. Upgraded OpenSSL to 0.9.8k
+* Added the ability to read the configuration file
+  from stdin, when "stdin" is given as the config
+  file name.
+* Allow "management-client" directive to be used
+  with unix domain sockets.
+* Added errors-to-stderr option.  When enabled, fatal errors
+  that result in the termination of the daemon will be written
+  to stderr.
+* Added optional "nogw" (no gateway) flag to --server-bridge
+  to inhibit the pushing of the route-gateway parameter to
+  clients.
+* Added new management interface command "pid" to show the
+  process ID of the current OpenVPN process (Angelo Laub).
+* Fixed issue where SIGUSR1 restarts would fail if private
+  key was specified as an inline file.
+* Added daemon_start_time and daemon_pid environmental variables.
+* In management interface, added new ">CLIENT:ESTABLISHED" notification.
+* Build fixes:
+. Fixed some issues with C++ style comments that leaked into the code.
+. Updated configure.ac to work on MinGW64.
+. Updated common.h types for _WIN64.
+. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
+     compilers.
+. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
+     OpenVPNCryptAcquireCertificatePrivateKey to work around
+     a symbol conflict in MinGW-5.1.4.
+.11.19 -- Version 2.1_rc15
+* Fixed issue introduced in 2.1_rc14 that may cause a
+  segfault when a --plugin module is used.
+* Added server-side --opt-verify option: clients that connect
+  with options that are incompatible with those of the server
+  will be disconnected (without this option, incompatible
+  clients would trigger a warning message in the server log
+  but would not be disconnected).
+* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
+  flag on the server as well as pushes it to connecting clients.
+* Minor options check fix: --no-name-remapping is a
+  server-only option and should therefore generate an
+  error when used on the client.
+* Added --prng option to control PRNG (pseudo-random
+  number generator) parameters.  In previous OpenVPN
+  versions, the PRNG was hardcoded to use the SHA1
+  hash.  Now any OpenSSL hash may be used.  This is
+  part of an effort to remove hardcoded references to
+  a specific cipher or cryptographic hash algorithm.
+* Cleaned up man page synopsis.
+.11.16 -- Version 2.1_rc14
+* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
+  with the goal of fixing a build issue on Fedora 9 that was
+  introduced in 2.1_rc13.
+* Added additional method parameter to --script-security to preserve
+  backward compatibility with system() call semantics used in OpenVPN
+.1_rc8 and earlier.  To preserve backward compatibility use:
+    script-security 3 system
+* Added additional warning messages about --script-security 2
+  or higher being required to execute user-defined scripts or
+  executables.
+* Windows build system changes:
+  Modified Windows domake-win build system to write all openvpn.nsi
+  input files to gen, so that gen can be disconnected from
+  the rest of the source tree and makensis openvpn.nsi will
+  still function correctly.
+  Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
+  (commented out by default).
+  Added optional files SAMPCONF_CONF2 (second sample configuration
+  file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
+  build system, and may be defined in settings.in.
+* Extended Management Interface "bytecount" command
+  to work when OpenVPN is running as a server.
+  Documented Management Interface "bytecount" command in
+  management/management-notes.txt.
+* Fixed informational message in ssl.c to properly indicate
+  deferred authentication.
+* Added server-side --auth-user-pass-optional directive, to allow
+  connections by clients that do not specify a username/password, when a
+  user-defined authentication script/module is in place (via
+  --auth-user-pass-verify, --management-client-auth, or a plugin module).
+* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
+  Calling scripts can set the KEY_NAME environmental variable to set
+  the "name" X509 subject field in generated certificates.
+  Modified pkitool to allow flexibility in separating the Common Name
+  convention from the cert/key filename convention.
+  For example:
+  KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
+  will create a client certificate/key pair of james.crt/james.key
+  having a Common Name of "James's Laptop" and a Name of "james".
+* Added --no-name-remapping option to allow Common Name, X509 Subject,
+  and username strings to include any printable character including
+  space, but excluding control characters such as tab, newline, and
+  carriage-return (this is important for compatibility with external
+  authentication systems).
+  As a related change, added --status-version 3 format (and "status 3"
+  in the management interface) which uses the version 2 format except
+  that tabs are used as delimiters instead of commas so that there
+  is no ambiguity when parsing a Common Name that contains a comma.
+  Also, save X509 Subject fields to environment, using the naming
+  convention:
+  X509_{cert_depth}_{name}={value}
+  This is to avoid ambiguities when parsing out the X509 subject string
+  since "/" characters could potentially be used in the common name.
+* Fixed some ifconfig-pool issues that precluded it from being combined
+  with --server directive.
+  Now, for example, we can configure thusly:
+    server 10.8.0.0 255.255.255.0 nopool
+    ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
+  to have ifconfig-pool manage only a subset
+  of the VPN subnet.
+* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
+  config file syntax checking to allow directives for future OpenVPN
+  versions to be ignored.
+.10.07 -- Version 2.1_rc13
+* Bundled OpenSSL 0.9.8i with Windows installer.
+* Management interface can now listen on a unix
+  domain socket, for example:
+    management /tmp/openvpn unix
+  Also added management-client-user and management-client-group
+  directives to control which processes are allowed to connect
+  to the socket.
+* Copyright change to OpenVPN Technologies, Inc.
+.09.23 -- Version 2.1_rc12
+* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
+  part of the tarball (Matthias Andree).
+* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
+  was incorrectly expecting the lladdr parameter to be an IP address
+  when it is actually a MAC address (HoverHell).
+.09.14 -- Version 2.1_rc11
+* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
+  to fail if UDP packets are dropped.
+.09.10 -- Version 2.1_rc10
+* Added "--server-bridge" (without parameters) to enable
+  DHCP proxy mode:  Configure server mode for ethernet
+  bridging using a DHCP-proxy, where clients talk to the
+  OpenVPN server-side DHCP server to receive their IP address
+  allocation and DNS server addresses.
+* Added "--route-gateway dhcp", to enable the extraction
+  of the gateway address from a DHCP negotiation with the
+  OpenVPN server-side LAN.
+* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
+  on Windows.  If the bypass IP address is 0.0.0.0 or 255.255.255.255,
+  ignore it.
+* Warn when ethernet bridging that the IP address of the bridge adapter
+  is probably not the same address that the LAN adapter was set to
+  previously.
+* When running as a server, warn if the LAN network address is
+  the all-popular 192.168.[0|1].x, since this condition commonly
+  leads to subnet conflicts down the road.
+* Primarily on the client, check for subnet conflicts between
+  the local LAN and the VPN subnet.
+* Added a 'netmask' parameter to get_default_gateway, to return
+  the netmask of the adapter containing the default gateway.
+  Only implemented on Windows so far.  Other platforms will
+  return 255.255.255.0.  Currently the netmask information is
+  only used to warn about subnet conflicts.
+* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
+  and USE_SSL flags are enabled (Alon Bar-Lev).
+* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
+  --script-security rules.  Also adds retrying if the addresses are in
+  use (Matthias Andree).
+* Fixed build issue with ./configure --disable-socks --disable-http.
+* Fixed separate compile errors in options.c and ntlm.c that occur
+  on strict C compilers (such as old versions of gcc) that require
+  that C variable declarations occur at the start of a {} block,
+  not in the middle.
+* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
+  the new implementation of extract_x509_field_ssl depends on.
+* LZO compression buffer overflow errors will now invalidate
+  the packet rather than trigger a fatal assertion.
+* Fixed minor compile issue in ntlm.c (mid-block declaration).
+* Added --allow-pull-fqdn option which allows client to pull DNS names
+  from server (rather than only IP address) for --ifconfig, --route, and
+  --route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
+  for these options to be pulled and translated to IP addresses by default.
+  Now --allow-pull-fqdn will be explicitly required on the client to enable
+  DNS-name-to-IP-address translation of pulled options.
+* 2.1_rc8 and earlier did implicit shell expansion on script
+  arguments since all scripts were called by system().
+  The security hardening changes made to 2.1_rc9 no longer
+  use system(), but rather use the safer execve or CreateProcess
+  system calls.  The security hardening also introduced a
+  backward incompatibility with 2.1_rc8 and earlier in that
+  script parameters were no longer shell-expanded, so
+  for example:
+    client-connect "docc CLIENT-CONNECT"
+  would fail to work because execve would try to execute
+  a script called "docc CLIENT-CONNECT" instead of "docc"
+  with "CLIENT-CONNECT" as the first argument.
+  This patch fixes the issue, bringing the script argument
+  semantics back to pre 2.1_rc9 behavior in order to preserve
+  backward compatibility while still using execve or CreateProcess
+  to execute the script/executable.
+* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
+  to more closely conform to RFC 3696:
+  (1) DNS name length must not exceed 255 characters
+  (2) DNS name characters must be limited to alphanumeric,
+      dash ('-'), and dot ('.')
+* Fixed bug in intra-session TLS key rollover that was introduced with
+  deferred authentication features in 2.1_rc8.
+.07.31 -- Version 2.1_rc9
+* Security Fix -- affects non-Windows OpenVPN clients running
+  OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
+  vulnerable nor are any versions of the OpenVPN server vulnerable).
+  An OpenVPN client connecting to a malicious or compromised
+  server could potentially receive an "lladdr" or "iproute" configuration
+  directive from the server which could cause arbitrary code execution on
+  the client. A successful attack requires that (a) the client has agreed
+  to allow the server to push configuration directives to it by including
+  "pull" or the macro "client" in its configuration file, (b) the client
+  successfully authenticates the server, (c) the server is malicious or has
+  been compromised and is under the control of the attacker, and (d) the
+  client is running a non-Windows OS.  Credit: David Wagner.
+  CVE-2008-3459
+* Miscellaneous defensive programming changes to multiple
+  areas of the code.  In particular, use of the system() call
+  for calling executables such as ifconfig, route, and
+  user-defined scripts has been completely revamped in favor
+  of execve() on unix and CreateProcess() on Windows.
+* In Windows build, package a statically linked openssl.exe to work around
+  observed instabilities in the dynamic build since the migration to
+  OpenSSL 0.9.8h.
+.06.11 -- Version 2.1_rc8
+* Added client authentication and packet filtering capability
+  to management interface.  In addition, allow OpenVPN plugins
+  to take advantage of deferred authentication and packet
+  filtering capability.
+* Added support for client-side connection profiles.
+* Fixed unbounded memory growth bug in environmental variable
+  code that could have caused long-running OpenVPN sessions
+  with many TLS renegotiations to incrementally
+  increase memory usage over time.
+* Windows release now packages openssl-0.9.8h.
+* Build system changes -- allow building on Windows using
+  autoconf/automake scripts (Alon Bar-Lev).
+* Changes to Windows build system to make it easier to do
+  partial builds, with a reduced set of prerequisites,
+  where only a subset of OpenVPN installer
+  components are built.  See ./domake-win comments.
+* Cleanup IP address for persistence interfaces for tap and also
+  using ifconfig, gentoo#209055 (Alon Bar-Lev).
+* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
+* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
+* Added new OpenVPN icon and installer graphic.
+* Minor pkitool changes.
+* Added --pkcs11-id-management option, which will cause OpenVPN to
+  query the management interface via the new NEED-STR asynchronous
+  notification query to get additional PKCS#11 options (Alon Bar-Lev).
+* Added NEED-STR management interface asynchronous query and
+  "needstr" management interface command to respond to the query
+  (Alon Bar-Lev).
+* Added Dragonfly BSD support (Francis-Gudin).
+* Quote device names before passing to up/down script (Josh Cepek).
+* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
+  prevent structure padding from causing an incorrect length
+  to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
+  platforms.
+* On systems that support res_init, always call it
+  before calling gethostbyname to ensure that
+  resolver configuration state is current.
+* Added NTLMv2 proxy support (Miroslav Zajic).
+* Fixed an issue in extract_x509_field_ssl where the extraction
+  would fail on the first field of the subject name, such as
+  the common name in:  /CN=foo/emailAddress=
+ foo@bar.com
+* Made "Linux ip addr del failed" error nonfatal.
+* Amplified --client-cert-not-required warning.
+* Added #pragma pack to proto.h.
+.01.29 -- Version 2.1_rc7
+* Added a few extra files that exist in the svn repo but were
+  not being copied into the tarball by make dist.
+* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
+.01.24 -- Version 2.1_rc6
+* Fixed options checking bug introduced in rc5 where legitimate configuration
+  files might elicit the error: "Options error: Parameter pkcs11_private_mode
+  can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
+  is also specified."
+.01.23 -- Version 2.1_rc5
+* Fixed Win2K TAP driver bug that was introduced by Vista fixes,
+  incremented driver version to 9.4.
+* Windows build system changes:
+  Incremented included OpenSSL version to openssl-0.9.7m.
+  Updated openssl.patch for openssl-0.9.7m and added some
+  brief usage comments to the head of the patch.
+  Added build-pkcs11-helper.sh for building the pkcs11-helper
+  library.
+  Integrated inclusion of pkcs11-helper into Windows build
+  system.
+  Upgraded TAP build scripts to use WDK 6001.17121
+  (Windows 2008 Server pre-RTM).
+* Windows installer changes:
+  Clean up the start menu folder.
+  Allow for a site-specific sample configuration file and keys
+  to be included in a custom installer (see SAMPCONF macros
+  in settings.in).
+  New icon (temporary).
+* Added "forget-passwords" command to the management interface
+  (Alon Bar-Lev).
+* Added --management-signal option to signal SIGUSR1 when the
+  management interface disconnects (Alon Bar-Lev).
+* Modified command line and config file parser to allow
+  quoted strings using single quotes ('') (Alon Bar-Lev).
+* Use pkcs11-helper as external library, can be downloaded from
+  https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
+* Fixed interim memory growth issue in TCP connect loop where
+  "TCP: connect to %s failed, will try again in %d seconds: %s"
+  is output.
+* Fixed bug in epoll driver in event.c, where the lack of a
+  handler for EPOLLHUP could cause 99% CPU usage.
+* Defined ALLOW_NON_CBC_CIPHERS for people who don't
+  want to use a CBC cipher for OpenVPN's data channel.
+* Added PLUGIN_LIBDIR preprocessor string to prepend a default
+  plugin directory to the dlopen search list when the user
+  specifies the basename of the plugin only (Marius Tomaschewski).
+* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
+  to allow forward slash characters ("/") in the X509 common name
+  (Pavel Shramov).
+* Allow OpenVPN to run completely unprivileged under Linux
+  by allowing openvpn --mktun to be used with --user and --group
+  to set the UID/GID of the tun device node.  Also added --iproute
+  option to allow an alternative command to be executed in place
+  of the default iproute2 command (Alon Bar-Lev).
+* Fixed --disable-iproute2 in ./configure to actually disable
+  iproute2 usage (Alon Bar-Lev).
+* Added --management-forget-disconnect option -- forget
+  passwords when management session disconnects (Alon Bar-Lev).
+.04.25 -- Version 2.1_rc4
+* Worked out remaining issues with TAP driver signing
+  on Vista x64.  OpenVPN will now run on Vista x64
+  with driver signing enforcement enabled.
+* Fixed 64-bit portability bug in time_string function
+  (Thomas Habets).
+.04.22 -- Version 2.1_rc3
+* Additional fixes to TAP driver for Windows x64.  Driver
+  now runs successfully on Vista x64 if driver signing
+  enforcement is disabled.
+* The Windows Installer and TAP driver are now signed by
+  OpenVPN Solutions LLC (in addition to the usual GnuPG
+  signatures).
+* Added OpenVPN GUI (Mathias Sundman version) as install
+  option in Windows installer.
+* Clean up configure on FreeBSD for recent autotool versions
+  that require that all .h files have to be compiled.
+  Also, FreeBSD install does not support GNU long options
+  which the Makefile in easy-rsa/2.0 uses (not checked the
+  others as we don't install those on Gentoo) (Roy Marples).
+* Added additional scripts to easy-rsa/Windows for working
+  with password-protected keys; also add -extensions server
+  option when generating server cert via
+  build-key-server-pass.bat (Daniel Zauft).
+.02.27 -- Version 2.1_rc2
+* auth-pam change:  link with -lpam rather
+  than dlopen (Roy Marples).
+* Prevent SIGUSR1 or SIGHUP from causing program
+  exit from initial management hold.
+* SO_REUSEADDR should not be set on Windows TCP sockets
+  because it will cause bind to succeed on port conflicts.
+* Added time_ascii, time_duration, and time_unix
+  environmental variables for plugins and callback
+  scripts.
+* Fixed issue where OpenVPN does not apply the --txqueuelen option
+  to persistent interfaces made with --mktun (Roy Marples).
+* Attempt at rational signal handling when in the
+  management hold state.  During management hold, ignore
+  SIGUSR1/SIGHUP signals thrown with the "signal" command.
+  Also, "signal" command will now apply remapping as
+  specified with the --remap-usr1 option.
+  When a signal entered using the "signal" command from a management
+  hold is ignored, output: >HOLD:Waiting for hold release
+* Fixed issue where struct env_set methods that
+  change the value of an existing name=value pair
+  would delay the freeing of the memory held by
+  the previous name=value pair until the underlying
+  client instance object is closed.
+  This could cause a server that handles long-term
+  client connections, resulting in many periodic calls
+  to verify_callback, to needlessly grow the env_set
+  memory allocation until the underlying client instance
+  object is closed.
+* Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
+  to reflect the fact that Vista has blacklisted the tap0801.sys
+  file name due to previous compatibility issues which have now
+  been resolved.  TAP-Win32 major/minor version number is now 9/1.
+* Windows installer will delete a previously installed
+  tap0801.sys TAP driver before installing tap0901.sys.
+* Added code to Windows installer to fail gracefully on 64 bit
+  installs until 64-bit TAP driver issues can be resolved.
+* Added code to Windows installer to fail gracefully on
+  versions of Windows which are not explicitly supported.
+* The Windows version will now use a default route-delay
+  of 5 seconds to deal with an apparent routing table race
+  condition on Vista.
+* Worked around an incompatibility in the Windows Vista
+  version of CreateIpForwardEntry as described in
+  http://www.nynaeve.net/?p=59
+  This issue would cause route additions using the
+  IP Helper API to fail on Vista.
+* On Windows, revert to "ip-win32 dynamic" as the default.
+.10.31 -- Version 2.1_rc1
+* Support recovery (return to hold) from signal at
+  management password prompt.
+* Added workaround for OpenSC PKCS#11 bug#108
+  (Alon Bar-Lev).
+.10.01 -- Version 2.1-beta16
+* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
+  published vulnerabilities.
+* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
+  (Henry Nestler).
+* Autodetect 32/64 bit Windows in installer and install
+  appropriate TAP driver (Mathias Sundman, Hypherion).
+* Fixed bug in loopback self-test introduced
+  in 2.1-beta15 where self test as invoked by
+  "make check" would not properly exit after
+minutes (Paul Howarth).
+.09.12 -- Version 2.1-beta15
+* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
+  RSA Signature Forgery (CVE-2006-4339).
+* Fixed bug introduced with the --port-share directive
+  (back in 2.1-beta9 which causes TLS soft resets
+  (1 per hour by default) in TCP server mode to force
+  a blockage of tunnel packets and later time-out and
+  restart the connection.
+* easy-rsa update (Alon Bar-Lev)
+  Makefile (install) is now available so that
+  distribs will be able to install it safely.
+* PKCS#11 changes: (Alon Bar-Lev)
+  - Modified ssl.c to not FATAL and return to init.c
+    so auth-retry will work.
+  - Modifed pkcs11-helper.c to fix some problem with
+    multiple providers.
+  - Added retry counter to PKCS#11 PIN hook.
+  - Modified PKCS#11 PIN retry loop to return correct error
+    code when PIN is incorrect.
+  - Fix handling (ignoring) zero sized attributes.
+  - Fix gcc-2 issues.
+  - Fix openssl 0.9.6 (first version) issues.
+* Minor fixes of lladdr (Alon Bar-Lev)
+  Updated makefile.w32-vc to include lladdr.*, updated
+  linkage libraries.
+  Modified lladdr.c to be compiled under visual C.
+* Added two new management states:
+   OPENVPN_STATE_RESOLVE      -- DNS lookup
+   OPENVPN_STATE_TCP_CONNECT  -- Connecting to TCP server
+* Echo management state change to log.
+* Minor syshead.h change for NetBSD to allow
+  TCP_NODELAY flag to work.
+* Modified --port-share code to remove the assumption that
+  CMSG_SPACE always evaluates to a constant, to enable
+  compilation on NetBSD and possibly other BSDs as well.
+* Eliminated gcc 3.3.3 warnings on NetBSD
+  when ./configure --enable-strict is used.
+* Added optional minimum-number-of-bytes parameter
+  to --inactive directive.
+.04.13 -- Version 2.1-beta14
+* Fixed Windows server bug in time backtrack handling code which
+  could cause TLS negotiation failures on legitimate clients.
+* Rewrote gettimeofday function for Windows to be
+  simpler and more efficient.
+* Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev).
+* Added --route-metric option to set a default route metric
+  for --route (Roy Marples).
+* Added --lladdr option to specify the link layer (MAC) address
+  for the tap interface on non-Windows platforms (Roy Marples).
+.04.12 -- Version 2.1-beta13
+* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
+  to 64 bits caused a bug in the Windows version which has now
+  been fixed.  The bug could cause intermittent crashes.
+.04.05 -- Version 2.1-beta12
+* Security Vulnerability -- An OpenVPN client connecting to a
+  malicious or compromised server could potentially receive
+  "setenv" configuration directives from the server which could
+  cause arbitrary code execution on the client via a LD_PRELOAD
+  attack.  A successful attack appears to require that (a) the
+  client has agreed to allow the server to push configuration
+  directives to it by including "pull" or the macro "client" in
+  its configuration file, (b) the client configuration file uses
+  a scripting directive such as "up" or "down", (c) the client
+  succesfully authenticates the server, (d) the server is
+  malicious or has been compromised and is under the control of
+  the attacker, and (e) the attacker has at least some level of
+  pre-existing control over files on the client (this might be
+  accomplished by having the server respond to a client web request
+  with a specially crafted file).  Credit: Hendrik Weimer.
+  CVE-2006-1629.
+  The fix is to disallow "setenv" to be pushed to clients from
+  the server, and to add a new directive "setenv-safe" which is
+  pushable from the server, but which appends "OPENVPN_" to the
+  name of each remotely set environmental variable.
+* "topology subnet" fix for FreeBSD (Benoit Bourdin).
+* PKCS11 fixes (Alon Bar-Lev).  For full description:
+  svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
+* When deleting routes under Linux, use the route metric
+  as a differentiator to ensure that the route teardown
+  process only deletes the identical route which was originally
+  added via the "route" directive (Roy Marples).
+* Fix the t_cltsrv.sh file in FreeBSD 4 jails
+  (Matthias Andree, Dirk Meyer, Vasil Dimov).
+* Extended tun device configure code to support ethernet
+  bridging on NetBSD (Emmanuel Kasper).
+.02.19 -- Version 2.1-beta11
+* Fixed --port-share bug that caused premature closing
+  of proxied sessions.
+.02.17 -- Version 2.1-beta10
+* Fixed --port-share breakage introduced in 2.1-beta9.
+.02.16 -- Version 2.1-beta9
+* Added --port-share option for allowing OpenVPN and HTTPS
+  server to share the same port number.
+* Added --management-client option to connect as a client
+  to management GUI app rather than be connected to as a
+  server.
+* Added "bytecount" command to management interface.
+* --remote-cert-tls fixes (Alon Bar-Lev).
+.01.03 -- Version 2.1-beta8
+* --remap-usr1 will now also remap signals thrown during
+  initialization.
+* Added --connect-timeout option to control the timeout
+  on TCP client connection attempts (doesn't work on all
+  OSes).  This patch also makes OpenVPN signalable during
+  TCP connection attempts.
+* Fixed bug in acinclude.m4 where capability of compiler
+  to handle zero-length arrays in structs is tested
+  (David Stipp).
+* Fixed typo in manage.c where inline function declaration
+  was declared without the "static" keyword (David Stipp).
+* Patch to support --topology subnet on Mac OS X (Mathias Sundman).
+* Added --auto-proxy directive to auto-detect HTTP or SOCKS
+  proxy settings (currently Windows only).
+* Removed redundant base64 code.
+* Better sanity checking of --server and --server-bridge
+  IP pool ranges, so as not to hit the assertion at
+  pool.c:119 (2.0.5).
+* Fixed bug where --daemon and --management-query-passwords
+  used together would cause OpenVPN to block prior to
+  daemonization.
+* Fixed client/server race condition which could occur
+  when --auth-retry interact is set and the initially
+  provided auth-user-pass credentials are incorrect,
+  forcing a username/password re-query.
+* Fixed bug where if --daemon and --management-hold are
+  used together, --user or --group options would be ignored.
+* --ip-win32 adaptive is now the default.
+* --ip-win32 netsh (or --ip-win32 adaptive when in netsh
+  mode) can now set DNS/WINS addresses on the TAP-Win32
+  adapter.
+* Added new option --route-method adaptive (Win32)
+  which tries IP helper API first, then falls back to
+  route.exe.
+* Made --route-method adaptive the default.
+.11.12 -- Version 2.1-beta7
+* Allow blank passwords to be passed via the management
+  interface.
+* Fixed bug where "make check" inside a FreeBSD "jail"
+  would never complete (Matthias Andree).
+* Fixed bug where --server directive in --dev tap mode
+  claimed that it would support subnets of /30 or less
+  but actually would only accept /29 or less.
+* Extend byte counters to 64 bits (M. van Cuijk).
+* Fixed bug in Linux get_default_gateway function
+  introduced in 2.0.4, which would cause redirect-gateway
+  on Linux clients to fail.
+* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
+  be compatible with 2.0.x distribution.
+* Documented --route-nopull.
+* Documented --ip-win32 adaptive.
+* Windows build now linked with LZO2.
+* Allow ca, cert, key, and dh files to be specified
+  inline via XML-like syntax without needing to
+  reference an explicit file.
+  For example:
+  <ca>
+        data here...
+  </ca>
+* Allow plugin and push directives to have multi-line
+  parameter lists such as:
+  <plugin>
+    my-plugin.so
+    parm1
+    parm2
+  </plugin>
+* Added connect-retry-max option (Alon Bar-Lev).
+* Fixed problems where signals thrown during initialization
+  were not returning to a management-hold state.
+* Added a backtrack-hardened system time algorithm.
+* Added --remote-cert-ku, --remote-cert-eku, and
+  --remote-cert-tls options for verifying certificate
+  attributes (Alon Bar-Lev).
+* For Windows, reverted --ip-win32 default back to "dynamic".
+  To use new adaptive mode, set explicitly.
+.11.01 -- Version 2.1-beta6
+* Security fix (merged from 2.0.4) -- Affects non-Windows
+  OpenVPN clients of version 2.0 or higher which connect to
+  a malicious or compromised server.  A format string
+  vulnerability in the foreign_option function in options.c
+  could potentially allow a malicious or compromised server
+  to execute arbitrary code on the client.  Only
+  non-Windows clients are affected.  The vulnerability
+  only exists if (a) the client's TLS negotiation with
+  the server succeeds, (b) the server is malicious or
+  has been compromised such that it is configured to
+  push a maliciously crafted options string to the client,
+  and (c) the client indicates its willingness to accept
+  pushed options from the server by having "pull" or
+  "client" in its configuration file (Credit: Vade79).
+  CVE-2005-3393
+* Security fix -- (merged from 2.0.4) Potential DoS
+  vulnerability on the server in TCP mode.  If the TCP
+  server accept() call returns an error status, the resulting
+  exception handler may attempt to indirect through a NULL
+  pointer, causing a segfault.  Affects all OpenVPN 2.0 versions.
+  CVE-2005-3409
+* Fix attempt of assertion at multi.c:1586 (note that
+  this precise line number will vary across different
+  versions of OpenVPN).
+* Windows reliability changes:
+  (a) Added code to make sure that the local PATH environmental
+      variable points to the Windows system32 directory.
+  (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
+      and then fails over to 'netsh' if the DHCP negotiation fails.
+  (c) Made --ip-win32 adaptive the default.
+* More PKCS#11 additions/changes (Alon Bar-Lev).
+* Added ".PHONY: plugin" to Makefile.am to work around
+  "make dist" issue.
+* Fixed double fork issue that occurs when --management-hold
+  is used.
+* Moved TUN/TAP read/write log messages from --verb 8 to 6.
+* Warn when multiple clients having the same common name or
+  username usurp each other when --duplicate-cn is not used.
+* Modified Windows and Linux versions of get_default_gateway
+  to return the route with the smallest metric
+  if multiple 0.0.0.0/0.0.0.0 entries are present.
+* Added ">NEED-OK" alert and "needok" command to management
+  interface to provide a general interface for sending
+  alerts to the end-user.  Used by the PKCS#11 code
+  to send Token Insertion Requests to the user.
+* Added actual remote address used to the ">STATE" alert
+  in the management interface (Rolf Fokkens).
+.10.17 -- Version 2.1-beta4
+* Fixed bug introduced in 2.1-beta3 where management
+  socket bind would fail.
+* --capath fix in ssl.c (Zhuang Yuyao).
+* Added ".PHONY: plugin" to Makefile.am, reverted
+  location of "plugin" directory (thanks to
+  Matthias Andree for figuring this out).
+.10.16 -- Version 2.1-beta3
+* Added PKCS#11 support (Alon Bar-Lev).
+* Enable the use of --ca together with --pkcs12.  If --ca is
+  used at the same time as --pkcs12, the CA certificate is loaded
+  from the file specified by --ca regardless if the pkcs12 file
+  contains a CA cert or not (Mathias Sundman).
+* Merged --capath patch (Thomas Noel).
+* Merged --multihome patch.
+* Added --bind option for TCP client connections (Ewan Bhamrah
+  Harley).
+* Moved "plugin" directory to "plugins" to deal with strange
+  automake problem that ended up being also fixable with
+  ".PHONY: plugin" in Makefile.am.
+.10.13 -- Version 2.1-beta2
+* Made --sndbuf and --rcvbuf pushable.
+.10.01 -- Version 2.1-beta1
+* Made LZO setting pushable.
+* Renamed sample-keys/tmp-ca.crt to ca.crt.
+* Fixed bug where remove_iroutes_from_push_route_list
+  was missing routes if those routes had
+  an implied netmask (by omission) of 255.255.255.255.
+* Merged with 2.0.3-rc1
+* easy-rsa/2.0 moved to easy-rsa
+* old easy-rsa moved to easy-rsa/1.0
+}}}