| 1 | {{{ |
| 2 | OpenVPN Change Log |
| 3 | |
| 4 | Copyright (C) 2002-2011 OpenVPN Technologies, Inc. |
| 5 | |
| 6 | 2011.12.22 -- Version 2.2.2 |
| 7 | |
| 8 | David Sommerseth (1): |
| 9 | Only warn about non-tackled IPv6 packets once |
| 10 | |
| 11 | Gert Doering (3): |
| 12 | Add missing break between "case IPv4" and "case IPv6", leading to the |
| 13 | Bump tap driver version from 9.8 to 9.9 |
| 14 | Log error message and exit for "win32, tun mode, tap driver version 9.8" |
| 15 | |
| 16 | Samuli Seppänen (1): |
| 17 | Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch |
| 18 | |
| 19 | 2011.07.06 -- Version 2.2.1 |
| 20 | |
| 21 | David Sommerseth (3): |
| 22 | Don't define ENABLE_PUSH_PEER_INFO if SSL is not available |
| 23 | Fix compiling issues with pkcs11 when --disable-management is configured |
| 24 | Remove support for Linux 2.2 configuration fallback |
| 25 | |
| 26 | Gustavo Zacarias (1): |
| 27 | Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto |
| 28 | |
| 29 | Matthew L. Creech (1): |
| 30 | Fix 2.2.0 build failure when management interface disabled |
| 31 | |
| 32 | Robert Fischer (2): |
| 33 | Added info about --show-proxy-settings |
| 34 | Documented --x509-username-field option |
| 35 | |
| 36 | Samuli Seppänen (4): |
| 37 | Updated "easy-rsa" for OpenSSL 1.0.0 |
| 38 | Fixes to easy-rsa/2.0 |
| 39 | Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf |
| 40 | Fix a build-ca issue on Windows |
| 41 | |
| 42 | Simon Matter (1): |
| 43 | Fix issues with some older GCC compilers |
| 44 | |
| 45 | 2011.04.26 -- Version 2.2.0 |
| 46 | |
| 47 | David Sommerseth (4): |
| 48 | Fix the --client-cert-not-required feature |
| 49 | Change the default --tmp-dir path to a more suitable path |
| 50 | Improve the mysprintf() issue in openvpnserv.c |
| 51 | Add a simple comment regarding openvpn_snprintf() is duplicated |
| 52 | |
| 53 | Gert Doering (1): |
| 54 | Add more detailed explanation regarding the function of "--rdns-internal" |
| 55 | |
| 56 | Gisle Vanem (1): |
| 57 | Avoid re-defining uint32_t when using mingw compiler |
| 58 | |
| 59 | James Yonan (1): |
| 60 | Fixed bug in port-share that could cause port share process to crash |
| 61 | |
| 62 | Robert Fischer (2): |
| 63 | Update man page with info about --capath |
| 64 | Update man page with info about --connect-timeout |
| 65 | |
| 66 | Samuli Seppänen (6): |
| 67 | Add man page entry for --redirect-private |
| 68 | Change all CRLF linefeeds to LF linefeeds |
| 69 | Fix a bug in devcon source code handling |
| 70 | Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi |
| 71 | Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers |
| 72 | Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier |
| 73 | |
| 74 | chantra (1): |
| 75 | Clarify --tmp-dir option |
| 76 | |
| 77 | rf (2): |
| 78 | Update man page with info about --remote-random-hostname |
| 79 | Added man page entry for --management-client |
| 80 | |
| 81 | 2011.03.25 -- Version 2.2-RC2 |
| 82 | |
| 83 | Alon Bar-Lev (1): |
| 84 | Windows cross-compile cleanup |
| 85 | |
| 86 | David Sommerseth (2): |
| 87 | Open log files as text files on Windows |
| 88 | Clarify default value for the --inactive option. |
| 89 | |
| 90 | Gert Doering (1): |
| 91 | Implement IPv6 in TUN mode for Windows TAP driver. |
| 92 | |
| 93 | Samuli Seppänen (6): |
| 94 | Added support for prebuilt TAP-drivers. Automated embedding manifests. |
| 95 | Fixes to win/openvpn.nsi |
| 96 | Replaced config-win32.h with win/config.h.in |
| 97 | Updated INSTALL-win32.txt |
| 98 | Fixes to Makefile.am |
| 99 | Clarified --client-config-dir section on the man-page. |
| 100 | |
| 101 | Ville Skyttä (1): |
| 102 | Fix line continuation in chkconfig init script description. |
| 103 | |
| 104 | 2011.02.28 -- Version 2.2-RC |
| 105 | |
| 106 | David Sommerseth (3): |
| 107 | Make the --x509-username-field feature an opt-in feature |
| 108 | Fix compiler warning when compiling against OpenSSL 1.0.0 |
| 109 | Fix packaging of config-win32.h and service-win32/msvc.mak |
| 110 | |
| 111 | James Yonan (1): |
| 112 | Minor addition of logging info before and after execution of Windows net commands. |
| 113 | |
| 114 | Matthias Andree (1): |
| 115 | Change variadic macros to C99 style. |
| 116 | |
| 117 | Samuli Seppänen (15): |
| 118 | Added ENABLE_PASSWORD_SAVE to config-win32.h |
| 119 | Added a nmake makefile for openvpnserv.exe building |
| 120 | Moved TAP-driver version info to version.m4. Cleaned up win/settings.in. |
| 121 | Added helper functionality to win/wb.py |
| 122 | Added support for viewing config-win32.h parameters to win/show.py |
| 123 | Added comments and made small modifications to win/msvc.mak.in |
| 124 | Added command-line switch to win/build_all.py to skip TAP driver building |
| 125 | Added configure.h and version.m4 variable parsing to win/config.py |
| 126 | Added openvpnserv.exe building to win/build.py |
| 127 | Added comments to win/build_ddk.py |
| 128 | Several modifications to win/make_dist.py to allow building the NSI installer |
| 129 | Copied install-win32/setpath.nsi to win/setpath.nsi |
| 130 | Added first version of NSI installer script to win/openvpn.nsi |
| 131 | Changes to buildsystem patchset |
| 132 | Temporary snprintf-related fix to service-win32/openvpnserv.c |
| 133 | |
| 134 | 2010.11.25 -- Version 2.2-beta5 |
| 135 | |
| 136 | Samuli Seppänen (1): |
| 137 | Fixed an issue causing a build failure with MS Visual Studio 2008. |
| 138 | |
| 139 | 2010.11.18 -- Version 2.2-beta4 |
| 140 | |
| 141 | David Sommerseth (10): |
| 142 | Clarified --explicit-exit-notify man page entry |
| 143 | Clean-up: Remove pthread and mutex locking code |
| 144 | Clean-up: Remove more dead and inactive code paths |
| 145 | Clean-up: Removing useless code - hash related functions |
| 146 | Use stricter snprintf() formatting in socks_username_password_auth() (v3) |
| 147 | Fix compiler warnings about not used dummy() functions |
| 148 | Fixed potential misinterpretation of boolean logic |
| 149 | Only add some functions when really needed |
| 150 | Removed functions not being used anywhere |
| 151 | Merged add_bypass_address() and add_host_route_if_nonlocal() |
| 152 | |
| 153 | Gert Doering (3): |
| 154 | Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa. |
| 155 | Make "topology subnet" work on Solaris |
| 156 | Improved man page entry for script_type |
| 157 | |
| 158 | James Yonan (5): |
| 159 | Fixed initialization bug in route_list_add_default_gateway (Gert Doering). |
| 160 | Implement challenge/response authentication support in client mode |
| 161 | Make base64.h have the same conditional compilation expression as base64.c. |
| 162 | Fixed compiling issues when using --disable-crypto |
| 163 | In verify_callback, the subject var should be freed by OPENSSL_free, not free |
| 164 | |
| 165 | Jesse Young (1): |
| 166 | Remove hardcoded path to resolvconf |
| 167 | |
| 168 | Lars Hupel (1): |
| 169 | Add HTTP/1.1 Host header |
| 170 | |
| 171 | Pierre Bourdon (1): |
| 172 | Adding support for SOCKS plain text authentication |
| 173 | |
| 174 | Samuli Seppänen (2): |
| 175 | Added check for variable CONFIGURE_DEFINES into options.c |
| 176 | Added command-line option parser and an unsigned build option to build_all.py |
| 177 | |
| 178 | |
| 179 | 2010.08.21 -- Version 2.2-beta3 |
| 180 | |
| 181 | |
| 182 | * Attempt to fix issue where domake-win build system was not properly |
| 183 | signing drivers and .exe files. |
| 184 | |
| 185 | Added win/tap_span.py for building multiple versions of the TAP driver |
| 186 | and tapinstall binaries using different DDK versions to span from Win2K |
| 187 | to Win7 and beyond. |
| 188 | |
| 189 | * Community patches |
| 190 | |
| 191 | David Sommerseth (2): |
| 192 | |
| 193 | Test framework improvement - Do not FAIL if t_client.rc is missing |
| 194 | More t_client.sh updates - exit with SKIP when we want to skip |
| 195 | |
| 196 | Gert Doering (4): |
| 197 | |
| 198 | Fix compile problems on NetBSD and OpenBSD |
| 199 | Fix compile time problems on OpenBSD for good |
| 200 | full "VPN client connect" test framework for OpenVPN |
| 201 | Build t_client.sh by configure at run-time. |
| 202 | |
| 203 | chantra (1): |
| 204 | |
| 205 | Fixes openssl-1.0.0 compilation warning |
| 206 | |
| 207 | 2010.08.16 -- Version 2.2-beta2 |
| 208 | |
| 209 | |
| 210 | * Windows security issue: |
| 211 | |
| 212 | Fixed potential local privilege escalation vulnerability in |
| 213 | Windows service. The Windows service did not properly quote the |
| 214 | executable filename passed to CreateService. A local attacker |
| 215 | with write access to the root directory C:\ could create an |
| 216 | executable that would be run with the same privilege level as |
| 217 | the OpenVPN Windows service. However, since non-Administrative |
| 218 | users normally lack write permission on C:\, this vulnerability |
| 219 | is generally not exploitable except on older versions of Windows |
| 220 | (such as Win2K) where the default permissions on C:\ would allow |
| 221 | any user to create files there. |
| 222 | |
| 223 | Credit: Scott Laurie, MWR InfoSecurity |
| 224 | |
| 225 | * Added Python-based alternative build system for Windows using |
| 226 | Visual Studio 2008 (in win directory). |
| 227 | |
| 228 | * Fixed compiler warning in ssl.c when compiling with --enable-strict |
| 229 | |
| 230 | 2010.08.10 -- Version 2.2-beta1 |
| 231 | |
| 232 | * When aborting in a non-graceful way, try to execute do_close_tun in |
| 233 | init.c prior to daemon exit to ensure that the tun/tap interface is |
| 234 | closed and any added routes are deleted. |
| 235 | |
| 236 | * Fixed an issue where AUTH_FAILED was not being properly delivered |
| 237 | to the client when a bad password is given for mid-session reauth, |
| 238 | causing the connection to fail without an error indication. |
| 239 | |
| 240 | * Don't advance to the next connection profile on AUTH_FAILED errors. |
| 241 | |
| 242 | * Fixed an issue in the Management Interface that could cause |
| 243 | a process hang with 100% CPU utilization in --management-client |
| 244 | mode if the management interface client disconnected at the |
| 245 | point where credentials are queried. |
| 246 | |
| 247 | * Fixed an issue where if reneg-sec was set to 0 on the client, |
| 248 | so that the server-side value would take precedence, |
| 249 | the auth_deferred_expire_window function would incorrectly |
| 250 | return a window period of 0 seconds. In this case, the |
| 251 | correct window period should be the handshake window |
| 252 | period. |
| 253 | |
| 254 | * Modified ">PASSWORD:Verification Failed" management interface |
| 255 | notification to include a client reason string: |
| 256 | |
| 257 | >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] |
| 258 | |
| 259 | * Enable exponential backoff in reliability layer |
| 260 | retransmits. |
| 261 | |
| 262 | * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after |
| 263 | socket is created rather than waiting until after connect/listen. |
| 264 | |
| 265 | * Management interface performance optimizations: |
| 266 | |
| 267 | 1. Added env-filter MI command to perform filtering on env vars |
| 268 | passed through as a part of --management-client-auth |
| 269 | |
| 270 | 2. man_write will now try to aggregate output into larger blocks |
| 271 | (up to 1024 bytes) for more efficient i/o |
| 272 | |
| 273 | * Fixed minor issue in Windows TAP driver DEBUG builds |
| 274 | where non-null-terminated unicode strings were being |
| 275 | printed incorrectly. |
| 276 | |
| 277 | |
| 278 | * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support |
| 279 | was not being compiled in. |
| 280 | |
| 281 | * Proxy improvements: |
| 282 | |
| 283 | Improved the ability of http-auth "auto" flag to dynamically detect |
| 284 | the auth method required by the proxy. |
| 285 | |
| 286 | Added http-auth "auto-nct" flag to reject weak proxy auth methods. |
| 287 | |
| 288 | Added HTTP proxy digest authentication method. |
| 289 | |
| 290 | Removed extraneous openvpn_sleep calls from proxy.c. |
| 291 | |
| 292 | * Implemented http-proxy-override and http-proxy-fallback directives to make it |
| 293 | easier for OpenVPN client UIs to start a pre-existing client config file with |
| 294 | proxy options, or to adaptively fall back to a proxy connection if a direct |
| 295 | connection fails. |
| 296 | |
| 297 | * Implemented a key/value auth channel from client to server. |
| 298 | |
| 299 | * Fixed issue where bad creds provided by the management interface |
| 300 | for HTTP Proxy Basic Authentication would go into an infinite |
| 301 | retry-fail loop instead of requerying the management interface for |
| 302 | new creds. |
| 303 | |
| 304 | * Added support for MSVC debugging of openvpn.exe in settings.in: |
| 305 | |
| 306 | # Build debugging version of openvpn.exe |
| 307 | !define PRODUCT_OPENVPN_DEBUG |
| 308 | |
| 309 | * Implemented multi-address DNS expansion on the network field of route |
| 310 | commands. |
| 311 | |
| 312 | When only a single IP address is desired from a multi-address DNS |
| 313 | expansion, use the first address rather than a random selection. |
| 314 | |
| 315 | * Added --register-dns option for Windows. |
| 316 | |
| 317 | Fixed some issues on Windows with --log, subprocess creation |
| 318 | for command execution, and stdout/stderr redirection. |
| 319 | |
| 320 | * Fixed an issue where application payload transmissions on the |
| 321 | TLS control channel (such as AUTH_FAILED) that occur during |
| 322 | or immediately after a TLS renegotiation might be dropped. |
| 323 | |
| 324 | * Added warning about tls-remote option in man page. |
| 325 | |
| 326 | * Community patches (from openvpn-testing.git tree) |
| 327 | |
| 328 | Alberto Gonzalez Iniesta (1): |
| 329 | Debian patch: Fix spelling in log message |
| 330 | |
| 331 | Dan Nelson (1): |
| 332 | bash->bourne script cleanup |
| 333 | |
| 334 | Daniel Johnson (1): |
| 335 | auth-pam plugin update: Support DOMAIN+USERNAME in config |
| 336 | |
| 337 | David Sommerseth (22): |
| 338 | Reworked the eurephia patch for inclusion to the openvpn-testing tree |
| 339 | Added mapping files from SVN commit ID to more descriptive commit IDs. |
| 340 | verb 5 logging wrongly reports received bytes |
| 341 | On TARGET_LINUX define _GNU_SOURCE if not defined |
| 342 | Fix autotools cross-compiling support |
| 343 | Add compile time information/settings from ./configure to --version |
| 344 | Make use of counter_type instead of int when counting bytes and network packets |
| 345 | Updated the man page to reflect the behavioural change of create_temp_file() |
| 346 | Removed no longer needed delete_file() call |
| 347 | Fixed potential NULL pointer issue |
| 348 | Fix dependency checking for configure.h (v2) |
| 349 | Make use of automake CLEANFILES variable instead of clean-local rule |
| 350 | Don't add compile time information if --enable-small is used |
| 351 | Harden create_temp_filename() (version 2) |
| 352 | Renamed all calls to create_temp_filename() |
| 353 | Updated the man page to reflect the behavioural change of create_temp_file() |
| 354 | Removed no longer needed delete_file() call |
| 355 | Avoid repetition of "this config may cache passwords in memory" (v2) |
| 356 | Revamped the script-security warning logging (version 2) |
| 357 | Fixed client hang when server doesn't PUSH (aka the NO_SOUP_FOR_YOU patch) |
| 358 | Solved hidden merge conflict between changes in feat_misc and bugfix2.1 |
| 359 | Fix multiple configured scripts conflicts issue (version 2) |
| 360 | |
| 361 | Davide Brini (6): |
| 362 | OCSP_check.sh: new check logic |
| 363 | The man page does not mention that the default value of "mssfix" is 1450. |
| 364 | Enhance contrib/pull-resolv-conf/client.{up,down} scripts |
| 365 | Fix missing /bin/bash -> /bin/sh |
| 366 | Fix certificate serial number export |
| 367 | Exclude ping and control packets from activity |
| 368 | |
| 369 | Emilien Mantel (2): |
| 370 | Choose a different field in X509 to be username |
| 371 | Fixed static defined length check to use sizeof() |
| 372 | |
| 373 | Enrico Scholz (1): |
| 374 | Allow 'lport 0' setup for random port binding |
| 375 | |
| 376 | Fabian Knittel (1): |
| 377 | ssl.c: fix use of openvpn_run_script()'s return value |
| 378 | |
| 379 | Gert Doering (3): |
| 380 | remove duplicate code in FREEBSD+DRAGONFLY system-dependent ifconfig |
| 381 | Implement IPv6 in TUN mode for Windows TAP driver. |
| 382 | fix date format mistake in PRODUCT_TAP_RELDATE (Peter Stuge) |
| 383 | |
| 384 | Jan Brinkmann (1): |
| 385 | The man page needs dash escaping in UTF-8 environments |
| 386 | |
| 387 | Karl O. Pinc (2): |
| 388 | Change verify-cn so cn is no longer hardcoded in openvpn's config file |
| 389 | Several updates to openvpn.8 (man page updates) |
| 390 | |
| 391 | Mathieu GIANNECCHINI (1): |
| 392 | enhance tls-verify possibility |
| 393 | |
| 394 | Wil Cooley (1): |
| 395 | pkitool lacks expected option "--help" |
| 396 | |
| 397 | chantra (2): |
| 398 | Handle non standard subnets in PF grammar |
| 399 | Fix errors in openvpn-plugin.h documentation |
| 400 | }}} |
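
The 2.2-beta2 entry above describes the Windows service passing an unquoted executable filename to CreateService. The C code below is an added example, not OpenVPN's own code: it lists the files an unquoted service path would also resolve to and builds the quoted form. The function names, the sample path and the stop-at-first-".exe" heuristic are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_CAND 8
#define PATH_LEN 260

/* True when the n-byte prefix of s ends in ".exe" (case-insensitive). */
static int ends_with_exe(const char *s, size_t n)
{
    for (size_t i = 0; i < 4; i++)
        if (n < 4 || tolower((unsigned char)s[n - 4 + i]) != ".exe"[i]) return 0;
    return 1;
}

/* True when the last path component of the n-byte prefix has an extension. */
static int has_ext(const char *s, size_t n)
{
    for (; n > 0 && s[n - 1] != '\\' && s[n - 1] != '/'; n--)
        if (s[n - 1] == '.') return 1;
    return 0;
}

/* Lists the files Windows would try ahead of the intended image when binpath
 * is unquoted: every space ends a candidate, ".exe" is added if it has no
 * extension. Heuristic: the first prefix ending in ".exe" is the real image. */
int shadow_candidates(const char *binpath, char out[][PATH_LEN], int max)
{
    int count = 0;
    if (binpath[0] == '"') return 0;          /* quoted: one unambiguous token */
    for (size_t i = 0; binpath[i] != '\0'; i++) {
        if (binpath[i] != ' ') continue;
        if (ends_with_exe(binpath, i)) break; /* the rest is arguments */
        if (count < max && i + 5 <= PATH_LEN)
            snprintf(out[count++], PATH_LEN, "%.*s%s", (int)i, binpath,
                     has_ext(binpath, i) ? "" : ".exe");
    }
    return count;
}

/* Quoted form to pass to CreateService; -1 if exe has a quote or won't fit. */
int quote_binpath(const char *exe, char *out, size_t outlen)
{
    int n = strchr(exe, '"') ? -1 : snprintf(out, outlen, "\"%s\"", exe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    const char *exe = "C:\\Program Files\\OpenVPN\\bin\\openvpnserv.exe"; /* constructed */
    char cand[MAX_CAND][PATH_LEN], quoted[PATH_LEN];
    for (int i = 0, n = shadow_candidates(exe, cand, MAX_CAND); i < n; i++)
        printf("unquoted path would also try: %s\n", cand[i]);
    if (quote_binpath(exe, quoted, sizeof quoted) == 0)
        printf("%s -> %d candidates\n", quoted, shadow_candidates(quoted, cand, MAX_CAND));
    return 0;
}
```

A non-zero count for a registered service path means the path should be re-registered in its quoted form.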