Overview of changes in OpenVPN v2.3

OpenVPN 2.3.18

Antonio Quartulli (1):
      crypto: correct typ0 in error message

David Sommerseth (1):
      Preparing OpenVPN 2.3.18 release

Steffan Karger (2):
      Deprecate --ns-cert-type
      Fix bounds check in read_key()

Szilárd Pfeiffer (1):

OpenVPN 2.3.17

David Sommerseth (2):
      backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
      auth-token with auth-nocache fix broke --disable-crypto builds

Gert Doering (3):
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
      Preparing for release v2.3.17 (ChangeLog, version.m4, Changes.rst)

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Steffan Karger (4):
      openssl: fix overflow check for long --tls-cipher option
      Fix remote-triggerable memory leaks (CVE-2017-7521)
      Restrict --x509-alt-username extension types
      Fix potential double-free in --x509-alt-username (CVE-2017-7521)

OpenVPN 2.3.16

Antonio Quartulli (1):
      fix redirect-gateway behaviour when an IPv4 default route does not exist

Gert Doering (1):
      Preparing for release v2.3.16 (ChangeLog, version.m4)

Guido Vranken (1):
      Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)

Selva Nair (1):
      Check for errors in the return value of GetModuleFileNameW()

Steven McDonald (1):
      Fix gateway detection with OpenBSD routing domains

OpenVPN 2.3.15

David Sommerseth (6):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks
      Prepare v2.3.15 release

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)

OpenVPN 2.3.14

Christian Hesse (1):
      update year in copyright message

David Sommerseth (2):
      man: Improve the --keepalive section
      Document the --auth-token option

Gert Doering (3):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD
      Preparing release of v2.3.14

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()

OpenVPN 2.3.13

Arne Schwabe (2):
      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer

David Sommerseth (5):
      Make OpenVPN write PID file to avoid various sudo issues
      Add support for Kerberos/ksu
      Improve detection if the OpenVPN process did start during tests
      Add prepare/cleanup possibilities for each test case
      Preparing release of v2.3.13

Gert Doering (5):
      Do not abort t_client run if OpenVPN instance does not start.
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.

Ilya Shipitsin (1):
      skip and if openvpn configured --disable-crypto

Lev Stipakov (2):
      Exclude peer-id from pulled options digest
      Fix compilation in pedantic mode

Samuli Seppänen (1):
      Automatically cache expected IPs for on the first run

Steffan Karger (6):
      Fix unittests for out-of-source builds
      Make gnu89 support explicit
      cleanup: remove code duplication in msg_test()
      Update cipher-related man page text
      Limit --reneg-bytes to 64MB when using small block ciphers
      Add a revoked cert to the sample keys

OpenVPN 2.3.12

Arne Schwabe (2):
      Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
      Move ASSERT so external-key with OpenSSL works again

David Sommerseth (5):
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers
      Revert "Drop recursively routed packets"
      Preparing release of v2.3.12

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (2):
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Josh Cepek (1):
      Push an IPv6 CIDR mask used by the server, not the pool's size

Leon Klingele (1):
      Add link to bug tracker

Lev Stipakov (1):
      Drop recursively routed packets

Samuli Seppänen (2):
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs

Selva Nair (4):
      Make error non-fatal while deleting address using netsh
      Make block-outside-dns work with persist-tun
      Ignore SIGUSR1/SIGHUP during exit notification
      Promptly close the netcmd_semaphore handle after use

Steffan Karger (4):
      Fix polarssl / mbedtls builds
      Don't limit max incoming message size based on c2->frame
      Fix '--cipher none --cipher' crash
      Discourage using 64-bit block ciphers

OpenVPN 2.3.11

Gert Doering (1):
      Preparing for release v2.3.11 (ChangeLog, version.m4)

James Yonan (1):
      Fixed port-share bug with DoS potential

Jens Neuhalfen (2):
      Make intent of utun device name validation clear
      Fix buffer overflow by user supplied data

Leonardo Basilio (1):
      Correctly report TCP connection timeout on windows.

Lev Stipakov (1):
      Report Windows bitness

Michael McConville (1):
      Fix undefined signed shift overflow

Niels Ole Salscheider (1):
      Fix build with libressl

Samuli Seppänen (1):
      Improve LZO, PAM and OpenSSL documentation

Selva Nair (2):
      Ensure input read using systemd-ask-password is null terminated
      Support reading the challenge-response from console

Steffan Karger (10):
      openssl: improve logging
      polarssl: improve logging
      Update manpage: OpenSSL might also need /dev/urandom inside chroot
      socks.c: fix check on get_user_pass() return value(s)
      hardening: add safe FD_SET() wrapper openvpn_fd_set()
      Fix memory leak in argv_extract_cmd_name()
      Replace MSG_TEST() macro for static inline msg_test()
      Restrict default TLS cipher list
      Various Changes.rst fixes

ValdikSS (3):
      Clarify mssfix documentation
      Clarify --block-outside-dns documentation
      Update --block-outside-dns to work on Windows Vista

OpenVPN 2.3.10

Gert Doering (2):
      Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
      Preparing for release v2.3.10 (ChangeLog, version.m4)

Jan Just Keijser (1):
      Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.

Lev Stipakov (1):
      Repair IPv6 netsh calls if Win XP is detected

Phillip Smith (1):
      Use and to improve clarity of documentation

Steffan Karger (6):
      Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
      Upgrade OpenVPN 2.3 to PolarSSL 1.3
      Warn user if their certificate has expired
      Make assert_failed() print the failed condition
      cleanup: get rid of httpdigest.c type warnings
      Fix regression in setups without a client certificate

Yegor Yefremov (1):
      polarssl: fix unreachable code

OpenVPN 2.3.9

OpenVPN 2.3.9 contains the following changes:

Arne Schwabe (7):
      Show extra-certs in current parameters.
      Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
      Do not set the buffer size by default but rely on the operation system default.
      Remove --enable-password-save option
      Reflect enable-password-save change in documentation
      Also remove second instance of enable-password-save in the man page
      Detect config lines that are too long and give a warning/error

Boris Lytochkin (1):
      Log serial number of revoked certificate

Christos Trochalakis (1):
      Adjust server-ipv6 documentation

David Sommerseth (1):
      Avoid partial authentication state when using --disabled in CCD configs

Fish (1):
      Make "block-outside-dns" option platform agnostic

Gert Doering (8):
      Un-break --auth-user-pass on windows
      Replace unaligned 16bit access to TCP MSS value with bytewise access
      Repair test_local_addr() on WIN32
      Fix possible heap overflow on read accessing getaddrinfo() result.
      Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
      remove unused gc_arena in FreeBSD close_tun()
      Fix isatty() check for good.
      Preparing for release v2.3.9 (ChangeLog, version.m4)

Heiko Hund (1):
      put virtual IPv6 addresses into env

Lev Stipakov (5):
      Use adapter index instead of name for windows IPv6 interface config
      Client-side part for server restart notification
      Use adapter index for add/delete_route_ipv6
      Pass adapter index to up/down scripts
      Fix VS2013 compilation

Lukasz Kutyla (1):
      Fix privilege drop if first connection attempt fails

Michal Ludvig (1):
      Support for username-only auth file.

Samuli Seppänen (2):
      Add CONTRIBUTING.rst
      Updates to Changes.rst

Selva Nair (4):
      Fix termination when windows suspends/sleeps
      Do not hard-code windows systemroot in env_block
      Handle ctrl-C and ctrl-break events on Windows
      Unbreak read username password from management

Steffan Karger (11):
      Replace strdup() calls for string_alloc() calls
      Check return value of ms_error_text()
      Increase control channel packet size for faster handshakes
      hardening: add insurance to exit on a failed ASSERT()
      Fix memory leak in auth-pam plugin
      Fix (potential) memory leak in init_route_list()
      Fix uninitialized variable in plugin_vlog()
      Add macro to ensure we exit on fatal errors
      Fix memory leak in add_option() by simplifying get_ipv6_addr
      openssl: properly check return value of RAND_bytes()
      Fix rand_bytes return value checking

ValdikSS (1):
      Add Windows DNS Leak fix using WFP ('block-outside-dns')

janjust (1):
      Fix "White space before end tags can break the config parser"

OpenVPN 2.3.8

OpenVPN 2.3.8 contains the following changes:

Arne Schwabe (2):
      Report missing endtags of inline files as warnings
      Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit

Gert Doering (3):
      Produce a meaningful error message if --daemon gets in the way of asking for passwords.
      Document --daemon changes and consequences (--askpass, --auth-nocache).
      Preparing for release v2.3.8 (ChangeLog, version.m4)

Holger Kummert (1):
      Del ipv6 addr on close of linux tun interface

James Geboski (1):
      Fix --askpass not allowing for password input via stdin

Steffan Karger (5):
      write pid file immediately after daemonizing
      Make __func__ work with Visual Studio too
      fix regression: query password before becoming daemon
      Fix using management interface to get passwords.
      Fix overflow check in openvpn_decrypt()

The OpenVPN 2.3.8 source packages and Windows installers contain one additional fix:

Gert Doering (1):
      Un-break --auth-user-pass on windows

This means that custom Windows builds should be based on 2.3.8 source packages or on the "release/2.3" branch instead of the "v2.3.8" tag in Git.

OpenVPN 2.3.7

Alexander Pyhalov (1):
      Default gateway can't be determined on illumos/Solaris platforms

Arne Schwabe (1):
      Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4

David Sommerseth (6):
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up

David Woodhouse (2):
      pkcs11: Load module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present

Felix Janda (1):
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unnecessary

Gert Doering (18):
      New approach to handle peer-id related changes to link-mtu (2.3 version)
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be85d37
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.
      Preparing for release v2.3.7 (ChangeLog, version.m4)

Guy Yur (1):
      Fix --redirect-private in --dev tap mode.

Jan Just Keijser (1):
      include ifconfig_ environment variables in --up-restart env set

Jonathan K. Bullard (1):
      Fix null pointer dereference in options.c

Lev Stipakov (1):
      Fix mssfix default value in connection_list context

Matthias Andree (1):
      Manual page update for Re-enabled TLS version negotiation.

Mike Gilbert (1):
      Include systemd units in the source tarball (make dist)

Robert Fischer (1):
      Updated manpage for --rport and --lport

Samuli Seppänen (2):
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page

Steffan Karger (14):
      Really fix '--cipher none' regression
      Update doxygen (a bit)
      Set tls-version-max to 1.1 if cryptoapicert is used
      Account for peer-id in frame size calculation
      Disable SSL compression
      Fix frame size calculation for non-CBC modes.
      Allow for CN/username of 64 characters (fixes off-by-one)
      Remove unneeded parameter 'first_time' from possibly_become_daemon()
      Re-enable TLS version negotiation by default
      Remove size limit for files inlined in config
      Improve --tls-cipher and --show-tls man page description
      Re-read auth-user-pass file on (re)connect if required
      Clarify --capath option in manpage
      Call daemon() before initializing crypto library

OpenVPN 2.3.6

David Sommerseth (1):
      systemd: Reworked the systemd unit file to handle server and client configs better

Gert Doering (2):
      Add client-only support for peer-id.
      Preparing for release v2.3.6 (ChangeLog, version.m4)

Samuli Seppänen (1):
      Fix to --shaper documentation on the man-page

Steffan Karger (4):
      Fix assertion error when using --cipher none
      Add --tls-version-max
      Modernize sample keys and sample configs
      Drop too-short control channel packets instead of asserting out.

OpenVPN 2.3.5

Andris Kalnozols (2):
      Fix some typos in the man page.
      Do not upcase x509-username-field for mixed-case arguments.

Arne Schwabe (1):
      Fix server routes not working in topology subnet with --server [v3]

David Sommerseth (4):
      Improve error reporting on file access to --client-config-dir and --ccd-exclusive
      Don't let openvpn_popen() keep zombies around
      Add systemd unit file for OpenVPN
      systemd: Use systemd functions to consider systemd availability

Gert Doering (4):
      Drop incoming fe80:: packets silently now.
      Fix platform-dependent failures
      Call init script helpers with explicit path (./)
      Preparing for release v2.3.5 (ChangeLog, version.m4)

Heiko Hund (1):
      refine assertion to allow other modes than CBC

Hubert Kario (2):
      ocsp_check - signature verification and cert status results are separate
      ocsp_check - double check if ocsp didn't report any errors in execution

James Bekkema (1):
      Fix socket-flag/TCP_NODELAY on Mac OS X

James Yonan (6):
      Fixed several instances of declarations after statements.
      In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror.
      Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
      MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
      Define PATH_SEPARATOR for MSVC builds.
      Fixed some compile issues with show_library_versions()

Jann Horn (1):
      Remove quadratic complexity from openvpn_base64_decode()

Mike Gilbert (1):
      Add configure check for the path to systemd-ask-password

Philipp Hagemeister (2):
      Add topology in sample server configuration file
      Implement on-link route adding for iproute2

Samuel Thibault (1):
      Ensure that client-connect files are always deleted

Steffan Karger (13):
      Remove function without effect (cipher_ok() always returned true).
      Remove unneeded wrapper functions in crypto_openssl.c
      Fix bug that incorrectly refuses oid representation eku's in polar builds
      Update README.polarssl
      Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
      Add proper check for crypto modes (CBC or OFB/CFB)
      Improve --show-ciphers to show if a cipher can be used in static key mode
      Extend t_lpback tests to test all ciphers reported by --show-ciphers
      Don't exit daemon if opening or parsing the CRL fails.
      Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
      Fix regression with password protected private keys (polarssl)
      ssl_polarssl.c: fix includes and make casts explicit
      Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

TDivine (1):
      Fix "code=995" bug with windows NDIS6 tap driver.

OpenVPN 2.3.4

Arne Schwabe (1):
      Fix man page and OCSP script: tls_serial_{n} is decimal

Dmitrij Tejblum (1):
      Fix is_ipv6 in case of tap interface.

Gert Doering (8):
      IPv6 address/route delete fix for Win8
      Add SSL library version reporting.
      Minor cleanups
      Repair --multihome on FreeBSD for IPv4 sockets.
      Rewrite manpage section about --multihome
      More IPv6-related updates to the openvpn man page.
      Conditionalize calls to print_default_gateway on !ENABLE_SMALL
      Preparing for release v2.3.4 (ChangeLog, version.m4)

James Yonan (2):
      Use native strtoull() with MSVC 2013.
      When tls-version-min is unspecified, revert to original versioning approach.

Steffan Karger (4):
      Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
      Fix to also use decimal for stdout verification.
      Fix build system to accept non-system crypto library locations for plugins.
      Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

Yawning Angel (1):
      Fix SOCKSv5 method selection

kangsterizer (1):
      Fix typo in sample build script to use LDFLAGS

OpenVPN 2.3.3

Alon Bar-Lev (1):
      pkcs11: use generic evp key instead of rsa

Arne Schwabe (8):
      Add support of utun devices under Mac OS X
      Add support to ignore specific options.
      Add a note what setenv opt does for OpenVPN < 2.3.3
      Add reporting of UI version to basic push-peer-info set.
      Fix compile error in ssl_openssl introduced by polar external-management patch
      Fix assertion when SIGUSR1 is received while getaddrinfo is successful
      Add warning for using connection block variables after connection blocks
      Introduce safety check for http proxy options

David Sommerseth (5):
      man page: Update man page about the tls_digest_{n} environment variable
      Remove the --disable-eurephia configure option
      plugin: Extend the plug-in v3 API to identify the SSL implementation used
      autoconf: Fix typo
      Fix file checks when --chroot is being used

Davide Brini (1):
      Document authfile for socks server

Gert Doering (9):
      Fix IPv6 examples in t_client.rc-sample
      Fix slow memory drain on each client renegotiation.
      ignore fields from "ip -6 route show" output that distort results.
      Make code and documentation for --remote-random-hostname consistent.
      Document issue with --chroot, /dev/urandom and PolarSSL.
      Rename 'struct route' to 'struct route_ipv4'
      Replace copied structure elements with including <net/route.h>
      Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions

Heikki Hannikainen (1):
      Always load intermediate certificates from a PKCS#12 file

Heiko Hund (2):
      Support non-ASCII TAP adapter names on Windows
      Support non-ASCII characters in Windows tmp path

James Yonan (3):
      TLS version negotiation
      Added "setenv opt" directive prefix.
      Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

Jens Wagner (1):
      Fix spurious ignoring of pushed config options (trac#349).

Joachim Schipper (3):
      Refactor tls_ctx_use_external_private_key()
      --management-external-key for PolarSSL
      external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids

Josh Cepek (2):
      Correct error text when no Windows TAP device is present
      Require a 1.2.x PolarSSL version

Klee Dienes (1):
      tls_ctx_load_ca: Improve certificate error messages

Max Muster (1):
      Remove duplicate cipher entries from TLS translation table.

Peter Sagerson (1):
      Fix configure interaction with static OpenSSL libraries

Steffan Karger (7):
      Do not pass struct tls_session* as void* in key_state_ssl_init().
      Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
      Use RSA_generate_key_ex() instead of deprecated RSA_generate_key()
      Also update TLSv1_method() calls in support code to SSLv23_method() calls.
      Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
      If --tls-cipher is supplied, make --show-tls parse the list.
      Add openssl-specific common cipher list names to ssl.c.

Tamas TEVESZ (1):
      Add support for client-cert-not-required for PolarSSL.

Thomas Veerman (1):
      Fix "." in description of utun.

OpenVPN 2.3.2

Arne Schwabe (3):
      Only print script warnings when a script is used. Remove stray mention of script-security system.
      Move settings of user script into set_user_script function
      Move checking of script file access into set_user_script

Davide Brini (1):
      Provide more accurate warning message

Gert Doering (3):
      Fix NULL-pointer crash in route_list_add_vpn_gateway().
      Fix problem with UDP tunneling due to mishandled pktinfo structures.
      Preparing for v2.3.2 (ChangeLog, version.m4)

James Yonan (1):
      Always push basic set of peer info values to server.

Jan Just Keijser (1):
      make 'explicit-exit-notify' pullable again

Josh Cepek (2):
      Fix proto tcp6 for server & non-P2MP modes
      Fix Windows script execution when called from script hooks

Steffan Karger (2):
      Fixed tls-cipher translation bug in openssl-build
      Fixed usage of stale define USE_SSL to ENABLE_SSL

svimik (1):
      Fix segfault when enabling pf plug-ins

OpenVPN 2.3.1

Arne Schwabe (4):
      Remove dead code path and putenv functionality
      Remove unused function xor
      Move static prototype definition from header into c file
      Remove unused function no_tap_ifconfig

Christian Hesse (1):
      fix build with automake 1.13(.1)

Christian Niessner (1):
      Fix corner case in NTLM authentication (trac #172)

Gert Doering (6):
      Update README.IPv6 to match what is in 2.3.0
      Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
      Permit pool size of /64.../112 for ifconfig-ipv6-pool
      Add MIN() compatibility macro
      Fix directly connected routes for "topology subnet" on Solaris.
      Preparing for v2.3.1 (ChangeLog, version.m4)

Heiko Hund (5):
      close more file descriptors on exec
      Ignore UTF-8 byte order mark
      reintroduce --no-name-remapping option
      make --tls-remote compatible with pre 2.3 configs
      add new option for X.509 name verification

Jan Just Keijser (1):
      man page patch for missing options

Josh Cepek (2):
      Fix parameter listing in non-debug builds at verb 4
      (updated) [PATCH] Warn when using verb levels >=7 without debug

Matthias Andree (1):
      Enable TCP_NODELAY configuration on FreeBSD.

Samuli Seppänen (4):
      Removed ChangeLog.IPv6
      Added cross-compilation information INSTALL-win32.txt
      Updated README
      Cleaned up and updated INSTALL

Steffan Karger (7):
      PolarSSL-1.2 support
      Improve PolarSSL key_state_read_{cipher, plain}text messages
      Improve verify_callback messages
      Config compatibility patch. Added translate_cipher_name.
      Switch to IANA names for TLS ciphers.
      Fixed autoconf script to properly detect missing pkcs11 with polarssl.
      Use constant time memcmp when comparing HMACs in openvpn_decrypt.

OpenVPN 2.3.0

This release fixes two bugs present in 2.3-rc2 and earlier:

David Sommerseth (1):
      Preparing for v2.3.0

Gert Doering (2):
      Fix parameter type for IP_TOS setsockopt on non-Linux systems.
      Fix client crash on double PUSH_REPLY.

It includes major changes compared to the latest 2.2.x ("oldstable") release:

  • Full IPv6 support
  • SSL layer modularised, enabling easier implementation for other SSL libraries
  • PolarSSL support as a drop-in replacement for OpenSSL
  • New plug-in API providing direct certificate access, improved logging API and easier to extend in the future
  • Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP'
  • New feature: --management-external-key - to provide access to the encryption keys via the management interface
  • New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins
  • New feature: --client-nat support
  • New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling
  • New feature: --management-query-proxy - manage proxy settings via the management interface (supersedes --http-proxy-fallback)
  • New feature: --stale-routes-check, which cleans up the internal routing table
  • New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name
  • Improved client-kill management interface command
  • Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins
  • Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation
  • More options can now be used inside <connection> blocks
  • Completely new build system, enabling easier cross-compilation and Windows builds
  • Much of the code has been better documented
  • Many documentation updates
  • Plenty of bug fixes and other code clean-ups

OpenVPN 2.3_rc2

Adriaan de Jong (1):
      Fix --show-pkcs11-ids (Bug #239)

Arne Schwabe (4):
      Error message if max-routes used incorrectly
      Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
      Remove dnsflags_to_socktype, it is not used anywhere
      Fix the proto is used inconsistently warning

David Sommerseth (4):
      Fix double-free issue in pf_destroy_context()
      The get_default_gateway() function uses warn() instead of msg()
      Avoid recursion in virtual_output_callback_func()
      Preparing for v2.3_rc2

Gert Doering (2):
      Implement --mssfix handling for IPv6 packets.
      Fix option inconsistency warnings about "proto" and "tun-ipv6"

Joachim Schipper (2):
      doc/management-notes.txt: fix typo
      Fix typo in ./configure message

OpenVPN 2.3_rc1

Adriaan de Jong (1):
      Fixed a bug where PolarSSL gave an error when using an inline file tag.

Arne Schwabe (2):
      Document man agent-external-key
      Options parsing demands unnecessary configuration if PKCS11 is used

David Sommerseth (3):
      Make git ignore some more files
      Remove the support for using system() when executing external programs or scripts
      Preparing for v2.3_rc1

Heiko Hund (2):
      Fix display of plugin hook types
      Support UTF-8 --client-config-dir

Kenneth Rose (1):
      Fix v3 plugins to support returning values back to OpenVPN.

OpenVPN 2.3_beta1

Arne Schwabe (7):
      Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used
      Merge almost identical create_socket_tcp and create_socket_tcp6
      Document the inlining of files in openvpn and document key-direction
      Merge getaddr_multi and getaddr6 into one function
      Document --management-client and --management-signal a bit better
      Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen.
      Add checks for external-key-managements

David Sommerseth (1):
      Fix reconnect issues when --push and UDP is used on the server

Gert Doering (4):
      Reduce --version string detail about IPv6 to just "[IPv6]".
      Put actual OpenVPN command line on top of corresponding log file.
      Keep pre-existing tun/tap devices around on *BSD
      make "ipv6 ifconfig" on linux compatible with busybox ifconfig

Heiko Hund (6):
      fix regression with --http-proxy[-*] options
      add x_msg_va() log function
      add API for plug-ins to write to openvpn log
      remove stale _openssl_get_subject() prototype
      remove unused flag SSLF_NO_NAME_REMAPPING
      Add --compat-names option

OpenVPN 2.3-alpha3

This release fixes a major problem in "tap server" mode (Trac #216), adds support for querying proxy information via the management interface and fixes some smaller issues. In addition, the Windows installer comes with tap-windows-9.9.2 (fixes the "DHCP NAK bomb on Windows 7" bug, Trac #97) and openvpn-gui-1.0.5.

Full list of changes

2012.07.20 -- Version 2.3_alpha3
Arne Schwabe (1):
      Fix compiling with --disable-management

Gert Doering (1):
      Repair "tap server" mode brokenness caused by <stdbool.h> fallout

Heiko Hund (4):
      make non-blocking connect work on Windows
      don't treat socket related errors special anymore
      remove unused show_connection_list debug function
      add option --management-query-proxy

OpenVPN 2.3-alpha2

The largest change in OpenVPN 2.3-alpha2 is the split into several subprojects:

  • openvpn (the core project)
  • tap-windows (Windows TAP-driver)
  • easy-rsa (PKI management package)
  • openvpn-build (external buildsystem)
    • "generic": cross-compile on *NIX platforms (e.g. Linux -> Windows)
    • "msvc": build using MSVC on Windows
    • "windows-nsis": generate Windows installers on *NIX

These changes have resulted in a number of user-visible changes:

  • Separate 32- and 64-bit installers for Windows (see INSTALL-win32.txt)
  • Old "domake-win" and Python-based buildsystems have been removed
  • "easy-rsa" and "tap-windows" removed from the OpenVPN Git tree
  • All Windows executables and libraries cross-compiled with mingw_w64 and signed
  • Rewrite of the openvpn autotools buildsystem

In addition, there are a number of changes not related to the above:

  • Many bugfixes
  • Stabilized the PolarSSL support
  • Enabled IPv6 support on OSX
  • General code cleanup
  • Improved UTF-8 support in Windows

Full list of changes

tag v2.3_alpha2
Tagger: David Sommerseth <>
Date:   Fri Jun 29 10:36:38 2012 +0200

2012.06.29 -- Version 2.3_alpha2
Adriaan de Jong (11):
      Fixed off-by-one in serial length calculation
      Migrated x509_get_subject to use of the garbage collector
      Migrated x509_get_serial to use the garbage collector
      Migrated x509_get_sha1_hash to use the garbage collector
      Ensure sys/un.h autoconf detection includes sys/socket.h
      Added support for new PolarSSL 1.1 RNG
      Added a configuration option to enable prediction resistance in the PolarSSL random number generator.
      Removed support for PolarSSL < 1.1
      Updated README.polarssl with build system changes.
      Removed stray "Fox-IT hardening" string.

Alon Bar-Lev (94):
      build: version should not contain '-'
      package: rpm: strip should be handled by package management
      cleanup: options.c: remove redundant include
      cleanup: remove C++ warnings
      cleanup: win32.c: wrong printf format
      cleanup: remove redundant ';'
      cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
      cleanup: tun.c: fix incorrect option in message (ip-win32)
      cleanup: memcmp.c: remove unused source
      fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
      build: correct place to alter WINVER is at build system
      Update .gitignore
      build: handle printf style format in mingw
      build: rename plugin directory to plugins
      build: plugins: properly use CC, CFLAGS and LDFLAGS
      build: we need the sample.ovpn in future
      Remove install-win32
      Remove easy-rsa
      Remove tap-win32
      cleanup: rename tap-windows function from win32 to win
      build: remove windows specific build system
      build: split acinclude.m4 into m4/*
      build: m4/ax_varargs.m4: cleanup
      build: m4/ax_emptyarray.m4: cleanup
      build: m4/ax_socklen_t.m4: cleanup
      build: autotools: first pass of trivial autotools changes
      build: autoconf: remove OPENVPN_ADD_LIBS useless macro
      build: remove awk and non-standard autoconf output processing
      build: standard directory layout
      build: add libtool + windows resources for executables
      build: autoconf: commands as environment
      build: libdl usage
      build: properly detect and use socket libs
      build: autoconf: minor cleanups
      build: proper selinux detection and usage
      build: distribute pkg.m4
      build: proper pkcs11-helper detection and usage
      build: properly process lzo-stub
      build: proper lzo detection and usage
      build: proper crypto detection and usage
      build: autoconf: update defaults for options
      build: win-msvc: msbuild format
      build: move out config.h include from syshead
      build: split out compat
      build: move gettimeofday() emulation to compat
      build: move daemon() emulation into compat
      build: move inet_ntop(), inet_pton() emulation into compat
      cleanup: move console related function into its own module
      build: move wrappers into platform module
      build: windows: install to allow installer read version
      build: distribute samples in windows
      build: use tap-windows.h as external dependency
      build: ax_varargs.m4: fixups
      build: autoconf: misc sockets fixups
      build: enable lzo by default
      build: windows: set vendor to openvpn project + cleanups
      build: assume dlfcn is available on all supported platforms
      build: openbsd: detect netinet/ip.h correctly
      build: tap: search for tap header
      build: msvc: upgrade to Visual Studio 2010 + fixups
      Enable pedantic in windows compilation
      cleanup: flags should not be bool
      cleanup: avoid using ~0 - generic
      cleanup: avoid using ~0 - ipv6
      cleanup: avoid using ~0 - netmask
      cleanup: avoid using ~0 - windows
      cleanup: gc usage
      build: fix some statement left from conversion
      build: properly detect netinet/ip.h structs
      build: properly detect TUNSETPERSIST
      cleanup: plugin: support C++ plugin
      cleanup: remove C++ comments
      cleanup: add .gitattributes to control eol style explicitly
      crash: packet_id_debug_print: sl may be null
      build: use stdbool.h if available
      build: fix typo in --enable-save-password
      build: windows: convert resources to UTF-8
      build: check minimum polarssl version
      cleanup: update .gitignore
      cleanup: spec: make space/tab consistent
      build: spec: we support openssl >= 0.9.7
      build: install README* document using build system
      build: detect sys/wait.h required for *bsd
      build: add git revision to --version output if build from git repository
      build: cleanup: yet another forgotten brackets
      build: update INSTALL to recent changes
      build: support platforms that do not need explicit tun headers
      build: do not support <polarssl-1.1.0
      build: add --with-special-build to provide special build string
      cleanup: pkcs11.c: resolve warnings
      build: integrate plugins build into core build
      build: plugins: set defaults based on platform
      cleanup: windows: convert argv (UCS-2 to UTF-8) at earliest
      build: msvc: chdir with change drive to script location

Arne Schwabe (7):
      Add the query to the error message.
      Explain that route-nopull also causes the client to ignore dhcp options.
      Add the name of the context where option is not allowed to the error message.
      Only use tmpdir if tmp_dir is really used.
      Completely remove ancient IANA port warning.
      Remove ENABLE_INLINE_FILES conditionals
      Remove ENABLE_CONNECTIONS ifdefs

David Sommerseth (5):
      Clean-up: Presume that Linux is always IPv6 capable at build time
      Simplify check_cmd_access() function
      Change version to indicate the master branch is not a version
      Some filesystems don't like ':', which is a path 'make dist' would use
      Remove two unused functions

Frank de Brabander (1):
      Fix reported compile issues on OSX 10.6.8

Gert Doering (10):
      repair test after build system revolution
      iproute2 script fixes - fix for iproute2, print summary line
      Implement search for "first free" tun/tap device on Solaris
      cleanup and redefine metric handling for IPv6 routes
      remove "*option" element in "struct route_ipv6"
      Remove warning about explicit support for IPv6 support not provided MacOS X
      Add missing pieces to IPv6 route gateway handling.
      Update TODO.IPv6 list
      Remove #include "config.h" from ssl_polarssl.h

Heiko Hund (3):
      remove wrapper code for Windows CryptoAPI function
      fix warnings in event.c when building for win32-64
      remove the --auto-proxy option from openvpn

Igor Novgorodov (1):
      Remove calls to OpenSSL when building with --disable-ssl

Jonathan K. Bullard (2):
      Fix file access checks on commands
      Clarified the docs and help screen about what a 'cmd' is

Samuli Seppänen (1):
      Added notes about upgrading from 2.3-alpha1 and earlier to INSTALL-win32.txt


OpenVPN 2.3-alpha1

This release includes a large number of new features:

  • Complete IPv6 support, both transport and payload
  • Optional PolarSSL support (build time configuration)
  • Improved plug-in API (v3) which can more easily be expanded in the future. Includes support for direct access to X.509 certificate data in plug-ins
  • New build-time configuration option --enable-lzo-stub: clients tell the server whether they support LZO, and the server can automatically disable LZO for that client.
  • New OpenVPN-GUI
  • New options / updated options
    • --stale-routes-check: remove routes that haven't had activity recently
    • --client-nat: one-to-one NAT to avoid IP address conflicts between local and remote networks
    • --extra-certs: certificates which complete the CA chain, without trusting these certificates
    • --verify-hash: Fingerprint matching on level-1 certificates
    • --memstats: Write live usage stats to memory mapped binary files
    • --crl-verify directory mode: a file name in this directory that matches a certificate's serial number marks that certificate as revoked. The files themselves may be empty, as only the file name is matched.
  • Management interface improvements
    • New option --management-external-key: Load RSA keys via management interface
    • New option --management-up-down: notify management interface on tunnel up/down events
    • New management command for servers: client-kill
    • New management command for clients: auth-token provides a feature to avoid storing passwords in memory and use a temporary token as an alternative to passing the password.
    • New management command for clients: remote which can override the configured --remote options

Many enhancements are also included:

  • Management command for server, status, can report username for each connected user (requires status log version >= 2)
  • UTF-8 support for certificate fields
  • Windows UTF-8 support: file names may now contain wide characters, and environment variables are handled as UCS-2 characters
  • Fixed client issues with DHCP Router option extraction/deletion with layer 2 DHCP proxies.
  • Added "on-link" routes on Linux. This solves --redirect-gateway issues where routes are set up with devices instead of IP addresses
  • Several configuration options are now supported inside <connection> blocks
  • Add extv3 X509 field support to --x509-username-field
  • Several man page updates

A few changes have been made which may affect existing installations:

  • 'echo' options will no longer be written to log files and will only be available via the management interface.
  • The certificate strings have changed syntax to the new standard provided by newer OpenSSL APIs. Earlier the format was:

/CN=Common Name/O=Organisation/L=Location

The new format will look like:

CN=Common Name, O=Organisation, L=Location

This change impacts plug-ins, scripts and --tls-remote, which parse these certificate strings.
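A script or plug-in that compares subject fields can be made independent of which of the two syntaxes the running OpenVPN emits by normalising the string first. The following is an added example, not OpenVPN project code; it assumes the new format separates RDNs with ", " and backslash-escapes a literal comma inside a value, and it demonstrates a strict CN comparison of the kind --tls-remote performs.

```python
"""
Parse OpenVPN X.509 subject strings in both the legacy slash-separated
form ("/CN=.../O=...") and the 2.3 comma-separated form ("CN=..., O=..."),
so scripts and plug-ins can compare fields regardless of syntax.
Added example; not part of the OpenVPN sources.
"""
from typing import List, Tuple


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, treating a backslash-escaped character literally.

    Assumption: the comma-separated format escapes "," inside a value
    as "\\,", which is how OpenSSL's one-line DN printing behaves.
    """
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])      # keep the escaped char, drop the backslash
            i += 2
            continue
        if s.startswith(sep, i):
            parts.append("".join(cur))
            cur = []
            i += len(sep)
            continue
        cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(subject: str) -> List[Tuple[str, str]]:
    """Return ordered (attribute, value) pairs for either DN syntax.

    A leading "/" selects the legacy syntax; anything else is treated as
    the comma-separated syntax introduced with OpenVPN 2.3.
    """
    subject = subject.strip()
    if subject.startswith("/"):
        parts = _split_unescaped(subject[1:], "/")
    else:
        parts = [p.strip() for p in _split_unescaped(subject, ",")]
    pairs: List[Tuple[str, str]] = []
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value))
    return pairs


def get_attr(subject: str, attr: str) -> List[str]:
    """All values of one attribute type, in certificate order."""
    return [v for a, v in parse_dn(subject) if a == attr]


def cn_matches(subject: str, expected_cn: str) -> bool:
    """Strict check: exactly one CN, and it equals expected_cn.

    Comparing whole strings would break across the format change;
    comparing the parsed CN does not.
    """
    return get_attr(subject, "CN") == [expected_cn]


if __name__ == "__main__":
    # Constructed sample subjects in both syntaxes.
    legacy = "/CN=Common Name/O=Organisation/L=Location"
    modern = "CN=Common Name, O=Organisation, L=Location"
    print(parse_dn(legacy) == parse_dn(modern))   # True
    print(cn_matches(modern, "Common Name"))      # True
```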

Full list of changes

Adriaan de Jong (127):
      Added Doxygen doxyfile
      Changed configure to accept --with-ssl-type=openssl
      Refactored to rand_bytes for OpenSSL-independency
      Refactored OpenSSL-specific constants
      Refactored maximum cipher and hmac length constants
      Refactored show_available_* functions
      Refactored SSL_clear_error()
      Refactored crypto initialisation functions
      Refactored DES key manipulation functions
      Refactored NTLM DES key generation
      Refactored message digest type functions
      Refactored message digest functions
      Refactored HMAC functions
      Refactored cipher key types
      Refactored cipher functions
      Added PRNG doxygen
      Refactored: Moved crypto.h inline functions to end of file
      Removed stale OpenSSL defines from crypto.h
      Added a check for Openssl or PolarSSL defines
      Refactored: Added stubs for new files
      Refactored SSL initialisation functions
      Refactored TLS_PRF to new hmac and md primitives
      Refactored tls_show_available_ciphers
      Refactored get_highest_preference_tls_cipher
      Refactored root SSL context initialisation
      Refactored new external key code
      Refactored DH parameter loading
      Refactored root TLS option settings
      Refactored PKCS#12 key loading
      Refactored PKCS#11 loading
      Refactored windows cert loading
      Refactored load certificate functions
      Refactored private key loading code
      Refactored external key loading from management
      Refactored CA and extra certs code
      Refactored cipher restriction code
      Refactored tls_options, key_state, and key_source data structures
      Refactored initialisation of key_states
      Refactored key_state free code
      Refactored print_details
      Refactored key_state read code (including bio_read())
      Refactored key_state write functions
      Refactored: Moved BIO debug functions to OpenSSL backend
      Refactored: removed ks and ks_lame macro for clarity
      Refactored: moved write_empty_string function back
      Refactored Doxygen for tls_multi functions
      Migrated data structures needed by verification functions to ssl_common.h
      Refactored client_config_dir_exclusive function
      Refactored certificate hash lock checks
      Refactored common name locking functions
      Refactored username and password authentication code
      Add some extra comments
      Refactored: split verify_callback into two parts
      Added function to extract and verify the subject from a certificate
      Added function to verify and extract the username
      Refactored: removed global x509_username_field
      Refactored: separated environment setup during verification
      Refactored: Netscape certificate type verification
      Refactored key usage verification code
      Refactored EKU verification
      Refactored tls-remote checking
      Refactored tls-verify-plugin code
      Refactored tls-verify script code
      Refactored CRL checks
      Minor cleanup in verify_cert:
      Refactored: Moved verify_cert to ssl_verify
      Cleaned up ssl.h
      Refactored: made M_SSL dependent on USE_OPENSSL
      Refactored: renamed X509 functions from verify_*
      Separated OpenSSL-specific parts of the PKCS#11 driver
      Modified base64 code in preparation for PolarSSL merge
      Final cleanup before PolarSSL addition:
      Refactored X509 track feature to be contained within the openssl backend
      Added PolarSSL support:
      Fixed a missing include in ssl_backend.h
      Fixed a bug in the hash generation in ssl_verify_openssl.c
      Added SHA_DIGEST_SIZE definition
      Changed PolarSSL crypto backend to support v0.99-pre5
      Updated ssl_polarssl.c to work with 0.99-pre5
      Fixed a compilation warning for size_t key sizes
      Added a warning that the PolarSSL library does not support pkcs12 files.
      Added warning that --capath is not available with PolarSSL
      Disable CryptoAPI when not using OpenSSL, and document that fact.
      Removed support for management external keys in PolarSSL
      Removed stray X509_free from ssl.c
      Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
      Added an extra define to allow building without PKCS#11
      Added SSL library to title string
      Disabled X.509 track and username selection for PolarSSL
      Hardening: periodically reset the PRNG's nonce value
      Fixes for the plugin system:
      Further improvements to plugin support:
      Fixed an unintentional change in the options calculated key size.
      Moved print messages back to generic crypto.c from cipher backends
      Moved HMAC prints back to main crypto module
      Added back checks for ks->authenticated in verify_user_pass
      Moved gc_new and gc_free to begin end of function
      Fixed a bug in the return value of ssl_verify when pre_verify failed
      Unified verification function return values:
      Removed a stray Fox-IT tag
      Fixed a typo: print the subject instead of the serial for verification errors
      Made SSL_CIPHER const in print_details, to fix warning
      Moved to PolarSSL 1.0.0:
      Added missing #ifdef to allow --disable-management to work again
      Fixed disabling crypto and SSL
      Got rid of a few magic numbers in ntlm.c
      Removed obsolete des_cblock and des_keyschedule
      Further removal of des_old.h based calls
      Fixed missing comma in plugin.h
      Moved prng_uninit out of crypto_uninit_lib
      Moved CryptoAPI header include to the ssl_openssl.c
      Reordered functions to ensure warning-free Windows build
      Added options to switch between OpenSSL and PolarSSL and PKCS11...
      Moved from strsep to strtok, for Windows compatibility
      Minor cleanup to enable warning-free Windows build:
      Fixed a typo when initialising cryptoapi certs
      Minor code cleanup: cleaned up error handling in verify_cert.
      Moved out of memory prototype to error.h, as the definition is in error.c
      Removed support for calling gc_malloc with a NULL gc_arena struct

      (The following patches from Adriaan were mistakenly merged with
       the wrong commit author in the git tree)
      Doxygen: Added data channel crypto docs
      Added control channel crypto docs
      Added compression docs
      Added reliability layer documentation
      Added memory management documentation
      Added data channel fragmentation docs
      Added main/control docs
      Moved doxygen-specific files to a separate directory

Byron Ellacott (1):
      autoconf fixes for building on OSX

David Sommerseth (50):
      Provide 'dev_type' environment variable to plug-ins and script hooks
      Define the new openvpn_plugin_{open,func}_v3() API
      Implement the core v3 plug-in function calls.
      Extend the v3 plug-in API to send over X509 certificates
      Added a simple plug-in demonstrating the v3 plug-in API.
      Separate the general plug-in version constant and v3 plug-in structs version
      Use a version-less version identifier on the master branch
      Fix the --client-cert-not-required feature
      Change the default --tmp-dir path to a more suitable path
      Improve the mysprintf() issue in openvpnserv.c
      Add a simple comment regarding openvpn_snprintf() is duplicated
      Merge branch 'feat_ipv6_transport'
      Merge branch 'feat_ipv6_payload'
      Merge branch 'svn-branch-2.1' into merge
      Solved hidden merge conflicts between master and svn-branch-2.1
      Fix const declarations in plug-in v3 structs
      Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
      Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
      Fix compiling issues with pkcs11 when --disable-management is configured
      Remove support for Linux 2.2 configuration fallback
      Revert "Add new openssl.cnf to easy-rsa/Windows"
      Merge remote branch SVN 2.1 into the git tree
      Merge branch 'svn-merger'
      Fix Microsoft Visual Studio incompatibility in plugin.c
      Fixed compile issues on FreeBSD and Solaris
      Fix PolarSSL and --pkcs12 option issues
      Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
      Make '--win-sys env' default
      Do some file/directory tests before really starting openvpn
      Fix bug after removing Linux 2.2 support
      Don't look for 'stdin' file when using --auth-user-pass
      Fix compiling with --disable-crypto and/or --disable-ssl
      Fix a couple of issues in openvpn_execve()
      Move away from openvpn_basename() over to platform provided basename()
      Enable access() when building in Visual Studio
      New Windows build fixes
      Fix compilation errors on Linux platforms without SO_MARK
      autotools ./configure don't like compat.h
      Fix pool logging when IPv6 is not enabled
      Don't check for file presence on inline files
      Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
      Enhance the error handling in _openssl_get_subject()
      Fix assert() situations where gc_malloc() is called without a gc_arena object
      Fix compile issues when plug-ins are disabled.
      Remove --show-gateway if debug info is not enabled (--disable-debug)
      Fix compile issues with status.c
      Connection entry {tun,link}_mtu_defined not set correctly
      referenced a now non-existing config-win32.h
      was missing ssl_common.h
      Revamp check_file_access() checks in stdin scenarios

Davide Guerri (1):
      New feature: Add --stale-routes-check

Frank de Brabander (1):
      Fixed wrong return type of cipher_kt_mode

Frederic Crozat (1):
      Add support to forward console query to systemd

Gert Doering (45):
      Add more detailed explanation regarding the function of "--rdns-internal"
      Enable IPv6 Payload in OpenVPN p2mp tun server mode.  20100104-1 release.
      remove NOTES file from commit - private scribbling
      NetBSD fixes - on 4.0 and up, use multi-af mode.
      new feature: "ifconfig-ipv6-push" (from ccd/ config)
      add some TODOs to TODO.IPv6
      undo accidental duplication of existing "--iroute" line in the help text
      basic documentation of IPv6 related options and their syntax
      Enable IPv6 Payload in OpenVPN p2mp tun server mode.
      remove NOTES file from commit - private scribbling
      env_block(): if PATH is not set, add standard PATH setting to env
      add IPv6 route add / route delete code for windows (using "netsh")
      - Win32 IPv6 ifconfig support, using "netsh" calls
      drop "book ipv6" from open_tun() and tuncfg() prototypes
      document recent changes and open TODOs, adapt --version info, tag release
      Win32: set next-hop for IPv6 routes according to TUN/TAP mode
      when deleting a route on win32, also add gateway address
      WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
      revert unconditionally-enabling of setenv_es() logging
      implement IPv6 ifconfig + route setup/deletion on OpenBSD
      full "VPN client connect" test framework for OpenVPN t_client.rc-sample
      renamed to
      2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
      correct URL for "more information about IPv6 patch is *here*"
      bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
      bump IPv6 version number (openvpn --version) to 20100922-1
      Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
      rebased to 2.2RC2 (beta 2.2 branch)
      Windows IPv6 cleanup - properly remove IPv6 routes and interface config
      For all accesses to "struct route_list * rl", check first that rl is non-NULL
      Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
      Platform cleanup for NetBSD
      Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
      add missing break between "case IPv4" and "case IPv6"
      bump tap driver version from 9.8 to 9.9
      log error message and exit for "win32, tun mode, tap driver version 9.8"
      work around inet_ntop/inet_pton problems for MSVC builds on WinXP
      Fix build-up of duplicate IPv6 routes on reconnect.
      Fix list-overrun checks in copy_route_[ipv6_]option_list()
      add "print test titles" and "use sudo" functionality to t_client.rc
      Platform cleanup for FreeBSD
      Implement IPv6 interface config with non-/64 prefix lengths.
      Fix RUN_SUDO functionality for
      Document IPv6-related environment variables.
      Platform cleanup for OpenBSD

Gisle Vanem (1):
      Avoid re-defining uint32_t when using mingw compiler

Gustavo Zacarias (1):
      Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto

Heiko Hund (16):
      add .gitignore to official repository
      remove function is_proto_tcp()
      remove legacy code to query IE proxy information
      lowercase include header name in syshead.h
      define IN6_ARE_ADDR_EQUAL macro for WIN32
      add --mark option to set SO_MARK sockopt
      Windows UTF-8 input/output
      UTF-8 X.509 distinguished names
      set Windows environment variables as UCS-2
      handle Windows unicode paths
      replace check for TARGET_WIN32 with WIN32
      do not use mode_t on Windows
      use the underscore version of stat on Windows
      make MSVC link against shell32 as well
      move variable declaration to top of function
      define access mode flag X_OK as 0 on Windows

Igor Novgorodov (1):
      The code blocks enabled by ENABLE_CLIENT_CR depends on management

James Yonan (57):
      Added "management-external-key" option.
      Minor addition of logging info before and after execution of Windows net commands.
      Misc fixes to r6708.
      Added --x509-track option.
      * added --management-up-down option to allow management interface to be notified of tunnel up/down events.
      Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
      Implemented get_default_gateway_mac_addr for Mac OS X
      Fixes to r6925.
      Properly handle certificate serial numbers > 32 bits.
      Added "client-nat" option for stateless, one-to-one NAT on the client side.
      Renamed branch to reflect that it is no longer beta.
      env_filter_match now includes the serial number of all certs
      Fixed issue where a client might receive multiple push replies from a server
      Fixed bug introduced in r7031 that might cause this error message:
      Extended "client-kill" management interface command (server-side)
      Client will now try to reconnect if no push reply received within handshake-window seconds.
      Version 2.1.3n
      Fixed compiling issues when using --disable-crypto
      Added "management-external-key" option.
      Misc fixes to r6708.
      win/ now accepts an optional tap-dir argument.
      Added "auth-token" client directive
      Added ./configure --enable-osxipconfig option for Mac OS X
      Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
      Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
      Fixed bug in port-share that could cause port share process to crash
      For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure
      Version 2.1.3t
      Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
      Added 'dir' flag to "crl-verify" (see man page for info).
      Added new "extra-certs" and "verify-hash" options
      Fixed compile issues on Windows.
      Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
      Added optional journal directory argument to "port-share" directive
      Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
      env_filter_match now includes the serial number of all certs in chain
      Added support for static challenge/response protocol.
      r7316 fixes.
      Added redirect-gateway block-local flag, with support for Linux, Mac OS X
      Extended x509-track to allow SHA1 certificate hash to be extracted
      Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.
      Version 2.1.5.
      Fixed MSVC compile error related to r7408.
      Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
      Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
      Changed CC_PRINT character class to allow UTF-8 chars.
      Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
      Fixed issue where redirect-gateway block-local code was not correctly calculating...
      CC_PRINT character class now allows any 8-bit character value >= 32.
      "status" management interface command (version >= 2) will now include the username for each connected user.
      Minor fix to CC_PRINT char class
      Fixed management interface bug where >FATAL notifications were not being output properly
      Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
      Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
      Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
      Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
      Added support for "on-link" routes on Linux client

Jan Just Keijser (1):
      Made some options connection-entry specific

Joe Patterson (1):
      common_name passing in auth_pam plugin

JuanJo Ciarlante (40):
      * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
      * created getaddr6(), use it from resolve_remote()
      * migrated all getaddrinfo() to getaddr6
      * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
      * support --disable-ipv6 build properly:
      * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
      * added README.ipv6.txt
      * fixed win32 non-ipv6 build
      * ipv6 on win32 "milestone": 1st snapshot that passes all unittests
      * document ipv6 milestone status
      * doc update w/unittests results
      * make possible to x-compile openvpn/win32 in Linux
      * correctly setup hints.ai_socktype for getaddrinfo(), although sorta hacky, see TODO.ipv6.
      * renamed README.ipv6{.txt,}
      * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
      * init.c: document the ENABLE_MANAGEMENT place to work on
      * init.c: small in-doc tweaks
      * fix multi-tcp crash (corrected assertion)
      * TODO.ipv6 update
      * socket.c: better buf logic in print_sockaddr_ex
      * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)
      * doc updates
      * openbsd: no IFF_MULTICAST, #ifdef around it
      * no new functionality, just small cleanups
      * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
      * polished redirect-gateway (ipv4 on ipv6 endpoints) support
      * updated doc
      * fix --disable-ipv6 build
      * doc updates
      * rebased to v2.1.1 release
      * undo mroute.c changes related to ipv6 payload
      * fix --multihome for ipv4
      * fix --multihome for ipv6
      * ipv6-0.4.14: fix xinetd usage
      * ipv6-0.4.15: add --multihome support to xBSD
      * ipv6-0.4.15b: rebase over openvpn-testing-master
      * ipv6-0.4.16: fix mingw32 build
      * make ipv6_payload compile under windowze
      USE_PF_INET6 by default for v2.3
      fix ipv6 compilation under macosx >= 1070 - v3

Markus Koetter (1):
      Add extv3 X509 field support to --x509-username-field

Matthew L. Creech (1):
      Fix 2.2.0 build failure when management interface disabled

Matthias Andree (1):
      Skip rather than fail test in addressless FreeBSD jails.

Robert Fischer (8):
      Update man page with info about --capath
      Update man page with info about --connect-timeout
      Added info about --show-proxy-settings
      Documented --x509-username-field option
      Documented --errors-to-stderr option
      Documented --push-peer-info option
      Update man page with info about --remote-random-hostname
      Added man page entry for --management-client

Samuli Seppänen (19):
      Add man page entry for --redirect-private
      Change all CRLF linefeeds to LF linefeeds
      Fix a bug in devcon source code handling
      Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
      Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
      Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
      Fix a build-ca issue on Windows
      Add new openssl.cnf to easy-rsa/Windows
      Updated "easy-rsa" for OpenSSL 1.0.0
      Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
      Fixes to easy-rsa/2.0
      Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
      Fixed a number of fatal build errors on Visual Studio 2008
      Fix a Visual Studio 2008 build issue in socket.c
      Additional Visual Studio 2008 build fixes to tun.c
      Fixed a typo in win32.h that prevented building with Visual Studio
      Fixed a regression causing VS2008/Python build failure
      Fix a Visual Studio 2008 build error in tun.c
      Fix a Visual Studio 2008 build error in options.c

Simon Matter (1):
      Fix issues with some older GCC compilers

Stefan Hellermann (2):
      plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
      Fixed typo in plugin.h

chantra (1):
      Clarify --tmp-dir option

smos (1):
      Change the netsh.exe command from "add" to "set".
Last modified on 09/26/17 11:47:43