Version 2 (modified by David Sommerseth, 12 years ago)

Misc updates and corrections

Overview of changes in OpenVPN v2.3

This release includes a large number of new features:

  • Complete IPv6 support, both transport and payload
  • Optional PolarSSL support (build time configuration)
  • Improved plug-in API (v3) which can more easily be expanded in the future: Includes support for direct access to X.509 certificate data in plug-ins
  • New build-time configuration option: --enable-lzo-stub - Clients tell the server if they support LZO or not, and server can automatically disable LZO for that client.
  • New options / updated options
    • --stale-routes-check: remove routes that haven't had activity recently
    • --client-nat: one-to-one NAT to avoid IP address conflicts between local and remote networks
    • --extra-certs: certificates which complete the CA chain, without trusting these certificates
    • --verify-hash: Fingerprint matching on level-1 certificates
    • --memstats: Write live usage stats to memory mapped binary files
    • --crl-verify directory mode: a file in this directory whose name matches a certificate's serial number marks that certificate as revoked. The files themselves may be empty, as only the file name is matched.
  • Management interface improvements
    • New option --management-external-key: Load RSA keys via management interface
    • New option --management-up-down: notify management interface on tunnel up/down events
    • New management command for servers: client-kill
    • New management command for clients: auth-token provides a feature to avoid storing passwords in memory and use a temporary token as an alternative to passing the password.
    • New management command for clients: remote which can override the configured --remote options

Many enhancements are also included:

  • Management command for server, status, can report username for each connected user (requires status log version >= 2)
  • UTF-8 support for certificate fields
  • Windows UTF-8 support: Filenames may now contain wide characters and environment variables are handled as UCS-2 characters
  • Fixed client issues with DHCP Router option extraction/deletion with layer 2 DHCP proxies.
  • Added "on-link" routes on Linux. This solves --redirect-gateway issues where routes are set up with devices instead of IP addresses
  • Several configuration options are now supported inside <connection> blocks
  • Add extv3 X509 field support to --x509-username-field
  • Several man page updates

A few changes have been made which may affect existing installations:

  • 'echo' options will no longer be written to log files and will only be available via the management interface.
  • The certificate strings have changed syntax to the new standard provided by newer OpenSSL APIs. Earlier the format was:

/CN=Common Name/O=Organisation/L=Location

The new format will look like:

CN=Common Name, O=Organisation, L=Location

This change impacts plug-ins, scripts and --tls-remote, all of which parse these certificate strings.
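An added example (not part of the original page, and not OpenVPN code): a subject-string parser that a verification script or plug-in could use to accept both the pre-2.3 and the 2.3 format while an allow-list is being migrated. The function names are hypothetical, and splitting only where a separator is followed by an attribute name is a heuristic assumption about how values are written.

```python
import re

# Attribute type as it appears before '=': a name (CN, O, emailAddress)
# or a dotted OID.
_ATTR = r"(?:[A-Za-z][A-Za-z0-9.]*|\d+(?:\.\d+)+)="
# Split only where the separator is directly followed by "<attribute>=", so a
# '/' or ', ' inside a value (e.g. "CN=Doe, John") does not start a new field.
# Heuristic: a value that itself contains ", O=" or "/O=" would be mis-split.
_OLD_SEP = re.compile(r"/(?=" + _ATTR + ")")
_NEW_SEP = re.compile(r",\s+(?=" + _ATTR + ")")


def parse_subject(subject):
    """Return [(attribute, value), ...] from an old- or new-style subject."""
    subject = subject.strip()
    if subject.startswith("/"):            # old: /CN=.../O=.../L=...
        parts = _OLD_SEP.split(subject)
        if parts[0] != "":
            raise ValueError("malformed old-style subject: %r" % subject)
        parts = parts[1:]
    else:                                  # new: CN=..., O=..., L=...
        parts = _NEW_SEP.split(subject)
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not attr or not sep:
            raise ValueError("malformed subject field: %r" % part)
        pairs.append((attr, value))
    return pairs


def common_name(subject):
    """Return the single CN value; refuse subjects with zero or several CNs."""
    cns = [value for attr, value in parse_subject(subject) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN, found %d" % len(cns))
    return cns[0]


def subject_allowed(presented, allow_list):
    """Exact field-by-field match; allow-list entries may use either format.

    A presented subject that cannot be parsed is rejected (fail closed).
    A malformed allow-list entry raises, so configuration errors surface.
    """
    try:
        wanted = parse_subject(presented)
    except ValueError:
        return False
    return any(parse_subject(entry) == wanted for entry in allow_list)


if __name__ == "__main__":
    # Allow-list still written in the old format (the page's own sample string).
    allow = ["/CN=Common Name/O=Organisation/L=Location"]
    # Subjects as a 2.3 server would hand them to a script (constructed values).
    for presented in ("CN=Common Name, O=Organisation, L=Location",
                      "CN=Common Name-2, O=Organisation, L=Location"):
        print(presented, "->", subject_allowed(presented, allow))
```

Comparing parsed fields rather than raw substrings means an allow-list entry written in the old format keeps matching after the upgrade, and a subject whose CN merely begins with an allowed name is not accepted.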

Full list of changes

Adriaan de Jong (127):
      Added Doxygen doxyfile
      Changed configure to accept --with-ssl-type=openssl
      Refactored to rand_bytes for OpenSSL-independency
      Refactored OpenSSL-specific constants
      Refactored maximum cipher and hmac length constants
      Refactored show_available_* functions
      Refactored SSL_clear_error()
      Refactored crypto initialisation functions
      Refactored DES key manipulation functions
      Refactored NTLM DES key generation
      Refactored message digest type functions
      Refactored message digest functions
      Refactored HMAC functions
      Refactored cipher key types
      Refactored cipher functions
      Added PRNG doxygen
      Refactored: Moved crypto.h inline functions to end of file
      Removed stale OpenSSL defines from crypto.h
      Added a check for Openssl or PolarSSL defines
      Refactored: Added stubs for new files
      Refactored SSL initialisation functions
      Refactored TLS_PRF to new hmac and md primitives
      Refactored tls_show_available_ciphers
      Refactored get_highest_preference_tls_cipher
      Refactored root SSL context initialisation
      Refactored new external key code
      Refactored DH parameter loading
      Refactored root TLS option settings
      Refactored PKCS#12 key loading
      Refactored PKCS#11 loading
      Refactored windows cert loading
      Refactored load certificate functions
      Refactored private key loading code
      Refactored external key loading from management
      Refactored CA and extra certs code
      Refactored cipher restriction code
      Refactored tls_options, key_state, and key_source data structures
      Refactored initialisation of key_states
      Refactored key_state free code
      Refactored print_details
      Refactored key_state read code (including bio_read())
      Refactored key_state write functions
      Refactored: Moved BIO debug functions to OpenSSL backend
      Refactored: removed ks and ks_lame macro for clarity
      Refactored: moved write_empty_string function back
      Refactored Doxygen for tls_multi functions
      Migrated data structures needed by verification functions to ssl_common.h
      Refactored client_config_dir_exclusive function
      Refactored certificate hash lock checks
      Refactored common name locking functions
      Refactored username and password authentication code
      Add some extra comments
      Refactored: split verify_callback into two parts
      Added function to extract and verify the subject from a certificate
      Added function to verify and extract the username
      Refactored: removed global x509_username_field
      Refactored: separated environment setup during verification
      Refactored: Netscape certificate type verification
      Refactored key usage verification code
      Refactored EKU verification
      Refactored tls-remote checking
      Refactored tls-verify-plugin code
      Refactored tls-verify script code
      Refactored CRL checks
      Minor cleanup in verify_cert:
      Refactored: Moved verify_cert to ssl_verify
      Cleaned up ssl.h
      Refactored: made M_SSL dependent on USE_OPENSSL
      Refactored: renamed X509 functions from verify_*
      Separated OpenSSL-specific parts of the PKCS#11 driver
      Modified base64 code in preparation for PolarSSL merge
      Final cleanup before PolarSSL addition:
      Refactored X509 track feature to be contained within the openssl backend
      Added PolarSSL support:
      Fixed a missing include in ssl_backend.h
      Fixed a bug in the hash generation in ssl_verify_openssl.c
      Added SHA_DIGEST_SIZE definition
      Changed PolarSSL crypto backend to support v0.99-pre5
      Updated ssl_polarssl.c to work with 0.99-pre5
      Fixed a compilation warning for size_t key sizes
      Added a warning that the PolarSSL library does not support pkcs12 files.
      Added warning that --capath is not available with PolarSSL
      Disable CryptoAPI when not using OpenSSL, and document that fact.
      Removed support for management external keys in PolarSSL
      Removed stray X509_free from ssl.c
      Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
      Added an extra define to allow building without PKCS#11
      Added SSL library to title string
      Disabled X.509 track and username selection for PolarSSL
      Hardening: periodically reset the PRNG's nonce value
      Fixes for the plugin system:
      Further improvements to plugin support:
      Fixed an unintentional change in the options calculated key size.
      Moved print messages back to generic crypto.c from cipher backends
      Moved HMAC prints back to main crypto module
      Added back checks for ks->authenticated in verify_user_pass
      Moved gc_new and gc_free to begin end of function
      Fixed a bug in the return value of ssl_verify when pre_verify failed
      Unified verification function return values:
      Removed a stray Fox-IT tag
      Fixed a typo: print the subject instead of the serial for verification errors
      Made SSL_CIPHER const in print_details, to fix warning
      Moved to PolarSSL 1.0.0:
      Added missing #ifdef to allow --disable-management to work again
      Fixed disabling crypto and SSL
      Got rid of a few magic numbers in ntlm.c
      Removed obsolete des_cblock and des_keyschedule
      Further removal of des_old.h based calls
      Fixed missing comma in plugin.h
      Moved prng_uninit out of crypto_uninit_lib
      Moved CryptoAPI header include to the ssl_openssl.c
      Reordered functions to ensure warning-free Windows build
      Added options to switch between OpenSSL and PolarSSL and PKCS11...
      Moved from strsep to strtok, for Windows compatibility
      Minor cleanup to enable warning-free Windows build:
      Fixed a typo when initialising cryptoapi certs
      Minor code cleanup: cleaned up error handling in verify_cert.
      Moved out of memory prototype to error.h, as the definition is in error.c
      Removed support for calling gc_malloc with a NULL gc_arena struct

      (The following patches from Adriaan were mistakenly merged with
       the wrong commit author in the git tree)
      Doxygen: Added data channel crypto docs
      Added control channel crypto docs
      Added compression docs
      Added reliability layer documentation
      Added memory management documentation
      Added data channel fragmentation docs
      Added main/control docs
      Moved doxygen-specific files to a separate directory

Byron Ellacott (1):
      autoconf fixes for building on OSX

David Sommerseth (50):
      Provide 'dev_type' environment variable to plug-ins and script hooks
      Define the new openvpn_plugin_{open,func}_v3() API
      Implement the core v3 plug-in function calls.
      Extend the v3 plug-in API to send over X509 certificates
      Added a simple plug-in demonstrating the v3 plug-in API.
      Separate the general plug-in version constant and v3 plug-in structs version
      Use a version-less version identifier on the master branch
      Fix the --client-cert-not-required feature
      Change the default --tmp-dir path to a more suitable path
      Improve the mysprintf() issue in openvpnserv.c
      Add a simple comment regarding openvpn_snprintf() is duplicated
      Merge branch 'feat_ipv6_transport'
      Merge branch 'feat_ipv6_payload'
      Merge branch 'svn-branch-2.1' into merge
      Solved hidden merge conflicts between master and svn-branch-2.1
      Fix const declarations in plug-in v3 structs
      Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
      Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
      Fix compiling issues with pkcs11 when --disable-management is configured
      Remove support for Linux 2.2 configuration fallback
      Revert "Add new openssl.cnf to easy-rsa/Windows"
      Merge remote branch SVN 2.1 into the git tree
      Merge branch 'svn-merger'
      Fix Microsoft Visual Studio incompatibility in plugin.c
      Fixed compile issues on FreeBSD and Solaris
      Fix PolarSSL and --pkcs12 option issues
      Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
      Make '--win-sys env' default
      Do some file/directory tests before really starting openvpn
      Fix bug after removing Linux 2.2 support
      Don't look for 'stdin' file when using --auth-user-pass
      Fix compiling with --disable-crypto and/or --disable-ssl
      Fix a couple of issues in openvpn_execve()
      Move away from openvpn_basename() over to platform provided basename()
      Enable access() when building in Visual Studio
      New Windows build fixes
      Fix compilation errors on Linux platforms without SO_MARK
      autotools ./configure don't like compat.h
      Fix pool logging when IPv6 is not enabled
      Don't check for file presence on inline files
      Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
      Enhance the error handling in _openssl_get_subject()
      Fix assert() situations where gc_malloc() is called without a gc_arena object
      Fix compile issues when plug-ins are disabled.
      Remove --show-gateway if debug info is not enabled (--disable-debug)
      Fix compile issues with status.c
      Connection entry {tun,link}_mtu_defined not set correctly
      Makefile.am referenced a now non-existing config-win32.h
      Makefile.am was missing ssl_common.h
      Revamp check_file_access() checks in stdin scenarios

Davide Guerri (1):
      New feature: Add --stale-routes-check

Frank de Brabander (1):
      Fixed wrong return type of cipher_kt_mode

Frederic Crozat (1):
      Add support to forward console query to systemd

Gert Doering (45):
      Add more detailed explanation regarding the function of "--rdns-internal"
      Enable IPv6 Payload in OpenVPN p2mp tun server mode.  20100104-1 release.
      remove NOTES file from commit - private scribbling
      NetBSD fixes - on 4.0 and up, use multi-af mode.
      new feature: "ifconfig-ipv6-push" (from ccd/ config)
      add some TODOs to TODO.IPv6
      undo accidental duplication of existing "--iroute" line in the help text
      basic documentation of IPv6 related options and their syntax
      Enable IPv6 Payload in OpenVPN p2mp tun server mode.
      remove NOTES file from commit - private scribbling
      env_block(): if PATH is not set, add standard PATH setting to env
      add IPv6 route add / route delete code for windows (using "netsh")
      - Win32 IPv6 ifconfig support, using "netsh" calls
      drop "book ipv6" from open_tun() and tuncfg() prototypes
      document recent changes and open TODOs, adapt --version info, tag release
      Win32: set next-hop for IPv6 routes according to TUN/TAP mode
      when deleting a route on win32, also add gateway address
      WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
      revert unconditionally-enabling of setenv_es() logging
      implement IPv6 ifconfig + route setup/deletion on OpenBSD
      full "VPN client connect" test framework for OpenVPN t_client.rc-sample
      renamed t_client.sh to t_client.sh.in
      2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
      correct URL for "more information about IPv6 patch is *here*"
      bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
      bump IPv6 version number (openvpn --version) to 20100922-1
      Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
      rebased to 2.2RC2 (beta 2.2 branch)
      Windows IPv6 cleanup - properly remove IPv6 routes and interface config
      For all accesses to "struct route_list * rl", check first that rl is non-NULL
      Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
      Platform cleanup for NetBSD
      Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
      add missing break between "case IPv4" and "case IPv6"
      bump tap driver version from 9.8 to 9.9
      log error message and exit for "win32, tun mode, tap driver version 9.8"
      work around inet_ntop/inet_pton problems for MSVC builds on WinXP
      Fix build-up of duplicate IPv6 routes on reconnect.
      Fix list-overrun checks in copy_route_[ipv6_]option_list()
      add "print test titles" and "use sudo" functionality to t_client.rc
      Platform cleanup for FreeBSD
      Implement IPv6 interface config with non-/64 prefix lengths.
      Fix RUN_SUDO functionality for t_client.sh
      Document IPv6-related environment variables.
      Platform cleanup for OpenBSD

Gisle Vanem (1):
      Avoid re-defining uint32_t when using mingw compiler

Gustavo Zacarias (1):
      Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto

Heiko Hund (16):
      add .gitignore to official repository
      remove function is_proto_tcp()
      remove legacy code to query IE proxy information
      lowercase include header name in syshead.h
      define IN6_ARE_ADDR_EQUAL macro for WIN32
      add --mark option to set SO_MARK sockopt
      Windows UTF-8 input/output
      UTF-8 X.509 distinguished names
      set Windows environment variables as UCS-2
      handle Windows unicode paths
      replace check for TARGET_WIN32 with WIN32
      do not use mode_t on Windows
      use the underscore version of stat on Windows
      make MSVC link against shell32 as well
      move variable declaration to top of function
      define access mode flag X_OK as 0 on Windows

Igor Novgorodov (1):
      The code blocks enabled by ENABLE_CLIENT_CR depends on management

James Yonan (57):
      Added "management-external-key" option.
      Minor addition of logging info before and after execution of Windows net commands.
      Misc fixes to r6708.
      Added --x509-track option.
      * added --management-up-down option to allow management interface to be notified of tunnel up/down events.
      Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
      Implemented get_default_gateway_mac_addr for Mac OS X
      Fixes to r6925.
      Properly handle certificate serial numbers > 32 bits.
      Added "client-nat" option for stateless, one-to-one NAT on the client side.
      Renamed branch to reflect that it is no longer beta.
      env_filter_match now includes the serial number of all certs
      Fixed issue where a client might receive multiple push replies from a server
      Fixed bug introduced in r7031 that might cause this error message:
      Extended "client-kill" management interface command (server-side)
      Client will now try to reconnect if no push reply received within handshake-window seconds.
      Version 2.1.3n
      Fixed compiling issues when using --disable-crypto
      Added "management-external-key" option.
      Misc fixes to r6708.
      win/sign.py now accepts an optional tap-dir argument.
      Added "auth-token" client directive
      Added ./configure --enable-osxipconfig option for Mac OS X
      Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
      Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
      Fixed bug in port-share that could cause port share process to crash
      For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure
      Version 2.1.3t
      Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
      Added 'dir' flag to "crl-verify" (see man page for info).
      Added new "extra-certs" and "verify-hash" options
      Fixed compile issues on Windows.
      Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
      Added optional journal directory argument to "port-share" directive
      Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
      env_filter_match now includes the serial number of all certs in chain
      Added support for static challenge/response protocol.
      r7316 fixes.
      Added redirect-gateway block-local flag, with support for Linux, Mac OS X
      Extended x509-track to allow SHA1 certificate hash to be extracted
      Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.
      Version 2.1.5.
      Fixed MSVC compile error related to r7408.
      Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
      Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
      Changed CC_PRINT character class to allow UTF-8 chars.
      Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
      Fixed issue where redirect-gateway block-local code was not correctly calculating...
      CC_PRINT character class now allows any 8-bit character value >= 32.
      "status" management interface command (version >= 2) will now include the username for each connected user.
      Minor fix to CC_PRINT char class
      Fixed management interface bug where >FATAL notifications were not being output properly
      Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
      Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
      Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
      Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
      Added support for "on-link" routes on Linux client

Jan Just Keijser (1):
      Made some options connection-entry specific

Joe Patterson (1):
      common_name passing in auth_pam plugin

JuanJo Ciarlante (40):
      * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
      * created getaddr6(), use it from resolve_remote()
      * migrated all getaddrinfo() to getaddr6
      * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
      * support --disable-ipv6 build properly:
      * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
      * added README.ipv6.txt
      * fixed win32 non-ipv6 build
      * ipv6 on win32 "milestone": 1st snapshot that passes all unittests
      * document ipv6 milestone status
      * doc update w/unittests results
      * make possible to x-compile openvpn/win32 in Linux
      * correctly setup hints.ai_socktype for getaddrinfo(), although sorta hacky, see TODO.ipv6.
      * renamed README.ipv6{.txt,}
      * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
      * init.c: document the ENABLE_MANAGEMENT place to work on
      * init.c: small in-doc tweaks
      * fix multi-tcp crash (corrected assertion)
      * TODO.ipv6 update
      * socket.c: better buf logic in print_sockaddr_ex
      * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)
      * doc updates
      * openbsd: no IFF_MULTICAST, #ifdef around it
      * no new functionality, just small cleanups
      * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
      * polished redirect-gateway (ipv4 on ipv6 endpoints) support
      * updated doc
      * fix --disable-ipv6 build
      * doc updates
      * rebased to v2.1.1 release
      * undo mroute.c changes related to ipv6 payload
      * fix --multihome for ipv4
      * fix --multihome for ipv6
      * ipv6-0.4.14: fix xinetd usage
      * ipv6-0.4.15: add --multihome support to xBSD
      * ipv6-0.4.15b: rebase over openvpn-testing-master
      * ipv6-0.4.16: fix mingw32 build
      * make ipv6_payload compile under windowze
      USE_PF_INET6 by default for v2.3
      fix ipv6 compilation under macosx >= 1070 - v3

Markus Koetter (1):
      Add extv3 X509 field support to --x509-username-field

Matthew L. Creech (1):
      Fix 2.2.0 build failure when management interface disabled

Matthias Andree (1):
      Skip rather than fail test in addressless FreeBSD jails.

Robert Fischer (8):
      Update man page with info about --capath
      Update man page with info about --connect-timeout
      Added info about --show-proxy-settings
      Documented --x509-username-field option
      Documented --errors-to-stderr option
      Documented --push-peer-info option
      Update man page with info about --remote-random-hostname
      Added man page entry for --management-client

Samuli Seppänen (19):
      Add man page entry for --redirect-private
      Change all CRLF linefeeds to LF linefeeds
      Fix a bug in devcon source code handling
      Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
      Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
      Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
      Fix a build-ca issue on Windows
      Add new openssl.cnf to easy-rsa/Windows
      Updated "easy-rsa" for OpenSSL 1.0.0
      Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
      Fixes to easy-rsa/2.0
      Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
      Fixed a number of fatal build errors on Visual Studio 2008
      Fix a Visual Studio 2008 build issue in socket.c
      Additional Visual Studio 2008 build fixes to tun.c
      Fixed a typo in win32.h that prevented building with Visual Studio
      Fixed a regression causing VS2008/Python build failure
      Fix a Visual Studio 2008 build error in tun.c
      Fix a Visual Studio 2008 build error in options.c

Simon Matter (1):
      Fix issues with some older GCC compilers

Stefan Hellermann (2):
      plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
      Fixed typo in plugin.h

chantra (1):
      Clarify --tmp-dir option

smos (1):
      Change the netsh.exe command from "add" to "set".