Changes between Initial Version and Version 1 of ChangesInOpenvpn24


Timestamp: 10/20/16 12:14:04
Author: Samuli Seppänen
Comment: Add changelog for 2.4_alpha2

= Overview of changes in OpenVPN v2.4 =

An overview is available in [https://github.com/OpenVPN/openvpn/blob/master/Changes.rst Changes.rst]. Complete change logs below.

== OpenVPN 2.4_alpha2 ==

Changes since 2.3_beta1:

{{{
Adriaan de Jong (2):
      Fixed a bug where PolarSSL gave an error when using an inline file tag.
      Fix --show-pkcs11-ids (Bug #239)

Alexander Pyhalov (1):
      Default gateway can't be determined on illumos/Solaris platforms

Alon Bar-Lev (1):
      pkcs11: use generic evp key instead of rsa

Andris Kalnozols (3):
      Fix some typos in the man page.
      Do not upcase x509-username-field for mixed-case arguments.
      extract_x509_extension(): hide status message during normal operation.

Arne Schwabe (100):
      Document management-external-key
      Options parsing demands unnecessary configuration if PKCS11 is used
      Error message if max-routes used incorrectly
      Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
      Remove dnsflags_to_socktype, it is not used anywhere
      Fix the proto is used inconsistently warning
      Remove dead code path and putenv functionality
      Remove unused function xor
      Move static prototype definition from header into c file
      Remove unused function no_tap_ifconfig
      Add the client id (CID) to the output of the status command
      Print client id only if compiled with management support. Otherwise print an empty string.
      Allow routes to be set before opening tun, similar to ifconfig before opening tun
      Add ability to send/receive file descriptors via management interface
      Android platform specific changes.
      Emulate persist-tun on Android
      Document the Android implementation in OpenVPN
      Only print script warnings when a script is used. Remove stray mention of script-security system.
      Fix #ifdefs for P2MP_SERVER
      Move settings of user script into set_user_script function
      Move checking of script file access into set_user_script
      Fix another #ifdef/#if P2MP_SERVER
      PATCHv3 Remove unused variables or put them to the defines they are being used in
      Add support of utun devices under Mac OS X
      Add support to ignore specific options.
      Add a note what setenv opt does for OpenVPN < 2.3.3
      Implement custom HTTP header for http-proxy, and always send user-agent:
      Add reporting of UI version to basic push-peer-info set.
      Change the type of all ports in openvpn to const char* and let getaddrinfo resolve the port together with the hostname.
      Fix compile error in ssl_openssl introduced by polar external-management patch
      Simplify print_sockaddr_ex function, merge duplicate ipv4/ipv6 logic.
      Split the PROTO_UDP_xx options into AF_INET/AF_INET6 and PROTO_TCP/PROTO_UDP part.
      Fix two instances of asserting AF_INET
      Fix assertion when SIGUSR1 is received while getaddrinfo is successful
      Split link_socket_init_phase1 and link_socket_init_phase2 into smaller more manageable/readable functions. No functional changes
      Change proto_remote() function to return a constant string
      Remove the ip-remote-hint option.
      change the type of 'remote' to addrinfo*, and rename to 'remote_list'.
      When resolving fails print the error message from socket layer
      Implement dual stack client support for OpenVPN
      Move ASSERT so external-key with OpenSSL works again
      Implement listing on IPv4/IPv6 dual socket on all platform
      Add warning for using connection block variables after connection blocks
      Update IPv6 related readme files
      Introduce safety check for http proxy options
      Fix warning for max-routes: do not quit when parsing an old configuration. Format the message to be more like the other deprecated options
      Fix connecting to localhost on Android
      Move the initialization of the environment to the top so c2.es is initialized
      Workaround broken Android 4.4 VpnService API for persist-tun mode
      Implement an easy parsable log output that allows access to flags of the log message
      Introduce an option to resolve dns names in advance for --remote, --local and --http-proxy
      Fix for server selecting address family
      Don't show the connection profile store in options->ce if there is a connection_list defined.
      Add gateway and device to android control messages
      Clean up of socket code.
      Fix assert when using port-share
      Work around Solaris getaddrinfo() returning ai_protocol=0
      Fix man page and OCSP script: tls_serial_{n} is decimal
      Remove ENABLE_BUFFER_LIST
      Fix server routes not working in topology subnet with --server [v3]
      Always enable http-proxy and socks-proxy
      Remove deprecated --max-routes option from manual
      Add documentation for PERSIST_TUN_ACTION (Android specific)
      Remove possibility of using --tls-auth with non OpenVPN Static key files
      Remove unused function sock_addr_set
      Document the default for tls-cipher.
      Report missing end-tags of inline files as errors
      Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
      Show extra-certs in current parameters, fix clang warning and logic error in preresolve
      Remove unused function h_errno_msg
      Add support for requesting the fd again to rebind to the next interface.
      Don't redirect the gateway on Android even if requested
      Fix loglevel of protect socket message
      Extend network-change command to allow reprotecting on the same network (for short connection losses)
      Use pseudo gw as default gw on Android as a workaround for not being able to read /proc/net/route
      Remove #ifdefs for client nat support.
      Do not install a host route for the VPN on Android
      Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
      Do not set the buffer size by default but rely on the operating system default.
      Start Changes.rst that lists changes in 2.4.0
      Remove --enable-password-save option
      Reflect enable-password-save change in documentation
      Also remove second instance of enable-password-save in the man page
      Detect config lines that are too long and give a warning/error
      Implement the compression V2 data format for stub and lz4.
      Fix assert when comp is called with unknown algorithm, always call comp init method
      Ignore stamp-h2 we generate during build process
      Implement inlining of crl files
      Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
      Remove http-proxy-timeout, socks timeout and set default of server-poll-timeout to 120s
      Add documentation for http-proxy-user-pass option
      Remove http-proxy-retry and socks-proxy-retry.
      Update android documentation to match source code
      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set
      Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)
      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
      Enable TCP non-linear packet ID
      Change the hold command to communicate the time that OpenVPN would wait to the UI.
      Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

Boris Lytochkin (1):
      Log serial number of revoked certificate

Christian Hesse (1):
      fix build with automake 1.13(.1)

Christian Niessner (1):
      Fix corner case in NTLM authentication (trac #172)

Christos Trochalakis (1):
      Adjust server-ipv6 documentation

Cristian Rodriguez (1):
      Use SSL_MODE_RELEASE_BUFFERS if available

Daniel Hahler (1):
      options: fix option check for "plugin"

Daniel Kubec (4):
      Added support for TLS Keying Material Exporters [RFC-5705]
      Added document for TLS Keying Material Exporters [RFC-5705]
      sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in
      Fix buffer size parameter for exported keying material.

David Sommerseth (45):
      Make git ignore some more files
      Remove the support for using system() when executing external programs or scripts
      Fix double-free issue in pf_destroy_context()
      Reset the version.m4 version for the master branch
      Avoid recursion in virtual_output_callback_func()
      The get_default_gateway() function uses warn() instead of msg()
      Improve the git revision tracking
      man page: Update man page about the tls_digest_{n} environment variable
      Remove the --disable-eurephia configure option
      plugin: Extend the plug-in v3 API to identify the SSL implementation used
      autoconf: Fix typo
      t_client.sh: Check for fping/fping6 availability
      t_client.sh: Write errors to stderr and document requirements
      t_client.sh: Add prepare/cleanup possibilities for each test case
      Fix file checks when --chroot is being used
      Adjusted autotools files to build more cleanly on newer autoconf/automake versions
      Improve error reporting on file access to --client-config-dir and --ccd-exclusive
      Don't let openvpn_popen() keep zombies around
      Don't try to use systemd-ask-password if it is not available
      Clean up the pipe closing in openvpn_popen()
      Add systemd unit file for OpenVPN
      systemd: Use systemd functions to consider systemd availability
      systemd: Reworked the systemd unit file to handle server and client configs better
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up
      Provide compile time OpenVPN version information to plug-ins
      Provide OpenVPN runtime version information to plug-ins
      Avoid partial authentication state when using --disabled in CCD configs
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers
      Revert "Drop recursively routed packets"
      Fix client connection instant timeout
      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      t_client.sh: Add support for Kerberos/ksu
      t_client.sh: Improve detection if the OpenVPN process did start during tests
      Rework the user input interface to make it more modular
      Re-implement the systemd support using the new query user API
      systemd: Do not mask usernames when querying for it via systemd-ask-password
      Move memcmp_constant_time() to crypto.h
      Update .mailmap to unify and clean up odd names and e-mail addresses

David Woodhouse (2):
      pkcs11: Load p11-kit-proxy.so module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present

Davide Brini (2):
      Provide more accurate warning message
      Document authfile for socks server

Dmitrij Tejblum (1):
      Fix is_ipv6 in case of tap interface.

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Felix Janda (1):
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unnecessary

Fish (1):
      Add lz4 support to MSVC.

Gert Doering (112):
      Implement --mssfix handling for IPv6 packets.
      Fix option inconsistency warnings about "proto" and "tun-ipv6"
      Fix parameter type for IP_TOS setsockopt on non-Linux systems.
      Fix client crash on double PUSH_REPLY.
      Update README.IPv6 to match what is in 2.3.0
      Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
      Permit pool size of /64.../112 for ifconfig-ipv6-pool
      Add MIN() compatibility macro
      Fix directly connected routes for "topology subnet" on Solaris.
      Print "Virtual IPv6 Address" on management interface queries [v4]
      Use constrain_int() instead of MIN()+syshead.c compat definition - v2.
      Fix NULL-pointer crash in route_list_add_vpn_gateway().
      Fix usage of 'compression ...' from global config.
      Make push-peer-info visible in "normal" per-instance environment.
      Fix problem with UDP tunneling due to mishandled pktinfo structures.
      Improve documentation and help text for --route-ipv6.
      Fix argument type warning introduced by http extra proxy header patch.
      Fix IPv6 examples in t_client.rc-sample
      Fix slow memory drain on each client renegotiation.
      t_client.sh: ignore fields from "ip -6 route show" output that distort results.
      Fix IPv6_V6ONLY logic.
      Implement LZ4 compression.
      Provide LZ4 sources in src/compat/ and use if no system lz4 library found.
      Document "lz4" argument to "compress" config option.
      Make code and documentation for --remote-random-hostname consistent.
      Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
      remove some 'unused variable' warnings
      Cleanup ir6->netbits handling.
      Document issue with --chroot, /dev/urandom and PolarSSL.
      Rename 'struct route' to 'struct route_ipv4'
      Replace copied structure elements with including <net/route.h>
      Add "test-driver" and "compile" to .gitignore
      Fix crash when using --inetd.
      IPv6 address/route delete fix for Win8
      Add SSL library version reporting.
      Minor t_client.sh cleanups
      Repair --multihome on FreeBSD for IPv4 sockets.
      Rewrite manpage section about --multihome
      More IPv6-related updates to the openvpn man page.
      Conditionalize calls to print_default_gateway on !ENABLE_SMALL
      Merge get_default_gateway() implementation for all 4+1 BSD variants.
      Drop incoming fe80:: packets silently now.
      Recognize AIX, define TARGET_AIX
      Add tap driver initialization and ifconfig for AIX.
      implement adding/deleting routes on AIX, for IPv4 and IPv6
      Make t_client.sh work on AIX.
      Fix t_lpback.sh platform-dependent failures
      Call init script helpers with explicit path (./)
      Fix windows build on older mingw versions.
      New approach to handle peer-id related changes to link-mtu.
      Print remote IPv4 address on a dual-stack v6 socket in IPv4 format
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Remove count_netmask_bits(), convert users to use netmask_to_netbits2()
      Fix leftover 'if (false) ;' statements
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be85d37
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use configure.ac hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.
      Produce a meaningful error message if --daemon gets in the way of asking for passwords.
      Document --daemon changes and consequences (--askpass, --auth-nocache).
      Fix build on OpenSolaris (non-gmake)
      Un-break --auth-user-pass on windows
      refactor struct route_ipv6, bring in line with struct route_ipv4 again
      refactor struct route_ipv6_list, bring in line with struct route_list again
      Add route_ipv6_gateway* data structures for rgi6 support.
      Create basic infrastructure for IPv6 default gateway handling / redirection.
      Make client delay less before sending PUSH_REQUEST
      get_default_gateway_ipv6(): Linux / Netlink implementation.
      Implement handling of overlapping IPv6 routes with IPv6 remote VPN server address
      Implement '--redirect-gateway ipv6'
      get_default_gateway_ipv6(): *BSD / MacOS / Solaris PF_ROUTE implementation
      Fix IPv6 host routes to LAN gateway on OpenSolaris
      Replace unaligned 16bit access to TCP MSS value with bytewise access
      Repair test_local_addr() on WIN32
      Add custom check for inet_pton()/inet_ntop() on MinGW/WIN32
      get_default_gateway_ipv6(): Win32 implementation using GetBestRoute2()
      Remove support for snappy compression.
      Fix info.af == AF_UNSPEC case for server with --mtu-disc
      Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
      remove unused gc_arena in FreeBSD close_tun()
      Un-break compilation on *BSD
      Fix isatty() check for good.
      Fix openserv/validate.o linking issues on mingw.
      Fix library order in -lmbedtls test.
      Implement push-remove option to selectively remove pushed options.
      Upgrade bundled compat-lz4 to upstream release r131.
      Change --enable-pedantic to use -std=c99 and not -ansi (C90).
      Fix problems with NCP and --inetd.
      Do not abort t_client run if OpenVPN instance does not start.
      Fix IP_PKTINFO related compilation failure on NetBSD 7.0
      Show compile-time variant for --multihome in --version output.
      Fix win32 building with C99 mode
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to t_client.sh and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.
      Enable -D_SVR4_2 for compilation on Solaris
      Revert "Enable -D_SVR4_2 for compilation on Solaris"
      Enable -D_XPG4_2 for compilation on Solaris
      Preparing for release v2.4_alpha1 (ChangeLog, version.m4)
      Preparing for release v2.4_alpha2 (ChangeLog, version.m4)

Guy Yur (1):
      Fix --redirect-private in --dev tap mode.

Heikki Hannikainen (1):
      Always load intermediate certificates from a PKCS#12 file

Heiko Hund (20):
      Fix display of plugin hook types
      Support UTF-8 --client-config-dir
      close more file descriptors on exec
      Ignore UTF-8 byte order mark
      reintroduce --no-name-remapping option
      make --tls-remote compatible with pre 2.3 configs
      add new option for X.509 name verification
      Support non-ASCII TAP adapter names on Windows
      Support non-ASCII characters in Windows tmp path
      make sure sa_family_t is defined
      convert struct signal_info element
      grow route lists dynamically
      fix route struct name
      refine assertion to allow other modes than CBC
      Fix compilation on Windows
      fix warnings on Windows
      extend management interface command "state"
      put virtual IPv6 addresses into env
      interactive service v3
      Windows: do_ifconfig() after open_tun()

Holger Kummert (1):
      Del ipv6 addr on close of linux tun interface

Hubert Kario (2):
      ocsp_check - signature verification and cert status results are separate
      ocsp_check - double check if ocsp didn't report any errors in execution

Ilya Shipitsin (3):
      initial travis-ci support
      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
      enable "--disable-crypto" build configuration for travis

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

James Bekkema (1):
      Fix socket-flag/TCP_NODELAY on Mac OS X

James Geboski (1):
      Fix --askpass not allowing for password input via stdin

James Yonan (14):
      Added support for the Snappy compression algorithm
      Always push basic set of peer info values to server.
      TLS version negotiation
      Added "setenv opt" directive prefix. If present, and if the directive that follows is recognized, it will be processed as if the "setenv opt" prefix was absent. If present and if the directive that follows is not recognized, the directive will be ignored rather than cause a fatal error.
      MSVC fixes
      Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
      Use native strtoull() with MSVC 2013.
      Define PATH_SEPARATOR for MSVC builds.
      Fixed some compile issues with show_library_versions()
      Added flags parameter to format_hex_ex.
      Extended x509-track for OpenSSL to report SHA1 fingerprint.
      Fixed port-share bug with DoS potential
      Added directive to specify HTTP proxy credentials in config.
      Bind to local socket before dropping privileges

Jan Just Keijser (6):
      man page patch for missing options
      make 'explicit-exit-notify' pullable again
      include ifconfig_ environment variables in --up-restart env set
      Fix "White space before end tags can break the config parser"
      Author: Jan Just Keijser <janjust@nikhef.nl>
      Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.

Jann Horn (1):
      Remove quadratic complexity from openvpn_base64_decode()

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (6):
      Make intent of utun device name validation clear
      Fix buffer overflow by user supplied data
      ignore the local config file t_client.rc in git
      Prevent integration test timeout bc. of sudo
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Jens Wagner (1):
      Fix spurious ignoring of pushed config options (trac#349).

Jesse Glick (1):
      Allow use of NetBeans without saving nbproject/ directory.

Joachim Schipper (5):
      doc/management-notes.txt: fix typo
      Fix typo in ./configure message
      Refactor tls_ctx_use_external_private_key()
      --management-external-key for PolarSSL
      external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids

Jonathan K. Bullard (3):
      Fix mismatch of fprintf format specifier and argument type
      Fix null pointer dereference in options.c
      Fail if options have extra parameters [v2]

Josh Cepek (7):
      Fix parameter listing in non-debug builds at verb 4
      (updated) [PATCH] Warn when using verb levels >=7 without debug
      Fix proto tcp6 for server & non-P2MP modes
      Fix Windows script execution when called from script hooks
      Correct error text when no Windows TAP device is present
      Require a 1.2.x PolarSSL version
      Push an IPv6 CIDR mask used by the server, not the pool's size

Julien Muchembled (1):
      Fix --mtu-disc option with IPv6 transport

Kenneth Rose (1):
      Fix v3 plugins to support returning values back to OpenVPN.

Klee Dienes (1):
      tls_ctx_load_ca: Improve certificate error messages

Leon Klingele (1):
      Add link to bug tracker

Leonardo Basilio (1):
      Correctly report TCP connection timeout on windows.

Lev Stipakov (26):
      Peer-id patch v7
      Add the peer-id to the output of the status command
      Prevent memory drain for long lasting floating sessions
      Disallow lameduck's float to an address taken by another client
      Fix NULL dereferencing
      Fix mssfix default value in connection_list context
      This fixes MSVS 2013 compilation.
      Continuation of MSVS fixes
      Fast recovery when host is in unreachable network
      Fix compilation error with --disable-crypto
      Send push reply right after async auth complete
      Fix compilation with --disable-server
      Refine float logging
      Generate openvpn-plugin.h for MSVC build
      Replace variable length array with malloc
      Use adapter index instead of name for windows IPv6 interface config
      Notify clients about server's exit/restart
      Use adapter index for add/delete_route_ipv6
      Pass adapter index to up/down scripts
      Detecting and logging Windows versions
      Report Windows bitness
      Fix "implicit declaration" compiler warning
      Drop recursively routed packets
      Support for disabled peer-id
      Exclude peer-id from pulled options digest
      Use separate list for per-client push options

Lukasz Kutyla (1):
      Fix privilege drop if first connection attempt fails

Matthias Andree (1):
      Enable TCP_NODELAY configuration on FreeBSD.

Max Muster (1):
      Remove duplicate cipher entries from TLS translation table.

Michael McConville (1):
      Fix undefined signed shift overflow

Michal Ludvig (1):
      Support for username-only auth file.

Mike Gilbert (2):
      Add configure check for the path to systemd-ask-password
      Include systemd units in the source tarball (make dist)

Niels Ole Salscheider (1):
      Fix build with libressl

Peter Sagerson (1):
      Fix configure interaction with static OpenSSL libraries

Philipp Hagemeister (2):
      Add topology in sample server configuration file
      Implement on-link route adding for iproute2

Phillip Smith (1):
      Use bob.example.com and alice.example.com to improve clarity of documentation

Robert Fischer (1):
      Updated manpage for --rport and --lport

Samuel Thibault (1):
      Ensure that client-connect files are always deleted

Samuli Seppänen (15):
      Removed ChangeLog.IPv6
      Added cross-compilation information INSTALL-win32.txt
      Updated README
      Cleaned up and updated INSTALL
      Fix to --shaper documentation on the man-page
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page
      Add CONTRIBUTING.rst
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs
      Mention tap-windows6 in INSTALL file
      Use an up-to-date easy-rsa URL on the man-page
      Clarify which Windows versions require which TUN/TAP driver
      Deprecate the automatic part of openvpnserv.exe in favor of openvpnserv2.exe
      Automatically cache expected IPs for t_client.sh on the first run

Selva Nair (26):
      Fix termination when windows suspends/sleeps
      Do not hard-code windows systemroot in env_block
      Handle ctrl-C and ctrl-break events on Windows
      Unbreak read username password from management
      Restrict options/configs for startup through interactive service
      Send stdout and stderr of OpenVPN started by interactive service to NUL
      Handle localized Administrators group name in windows
      Fix interactive service ignoring stop command if openvpn is running
      Use appropriate buffer size for WideCharToMultiByte output in interactive.c
      Refactor and move the block-outside-dns code to a new file (block_dns.[ch])
      Add support for block-outside-dns through the interactive service
      Ensure input read using systemd-ask-password is null terminated
      Support reading the challenge-response from console
      Make error non-fatal while deleting address using netsh
      Add support for register-dns through interactive service
      Fix handling of out of memory error in interactive service
      Fix the comparison of pull options hash on restart
      Set WFP engine handle to NULL in win_wfp_uninit()
      Make block-outside-dns work with persist-tun
      Add an option to filter options received from server
      Ignore SIGUSR1/SIGHUP during exit notification
      Fix management-external-cert option parsing error
      Return process id of openvpn from interactive service to client
      Exponentially back off on repeated connect retries
      Promptly close the netcmd_semaphore handle after use
      Avoid format specifier %zu for Windows compatibility

Steffan Karger (181):
      PolarSSL-1.2 support
      Improve PolarSSL key_state_read_{cipher, plain}text messages
      Improve verify_callback messages
      Config compatibility patch. Added translate_cipher_name.
      Switch to IANA names for TLS ciphers.
      Fixed autoconf script to properly detect missing pkcs11 with polarssl.
      Use constant time memcmp when comparing HMACs in openvpn_decrypt.
      Fixed tls-cipher translation bug in openssl-build
      Fixed usage of stale define USE_SSL to ENABLE_SSL
      Do not pass struct tls_session* as void* in key_state_ssl_init().
      Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
      Also update TLSv1_method() calls in support code to SSLv23_method() calls.
      Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
      If --tls-cipher is supplied, make --show-tls parse the list.
      Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.
      Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.
      Disable export ciphers by default for OpenSSL builds.
      Fix compiler warning for unused result of write()
      Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
     592      Fix compiler warnings in ssl_polarssl.c
     593      Bump minimum OpenSSL version to 0.9.8
     594      Add openssl-specific common cipher list names to ssl.c.
     595      Disable unsupported TLS cipher modes by default, cleans --show-tls output.
     596      configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL
     597      configure.ac: use CPPFLAGS for SSL_OP_NO_TICKET check
     598      Upgrade to PolarSSL 1.3
     599      Improve error reporting during key/cert loading with PolarSSL.
     600      Update openvpn-plugin.h for PolarSSL 1.3.
     601      Add support for elliptic curve diffie-hellmann key exchange (ECDH)
     602      Add an elliptic curve testing cert chain to the sample keys
     603      Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
     604      Fix OCSP_check.sh to also use decimal for stdout verification.
     605      Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
     606      Fix build system to accept non-system crypto library locations for plugins.
     607      Remove function without effect (cipher_ok() always returned true).
     608      Remove unneeded wrapper functions in crypto_openssl.c
     609      Remove unneeded defines (were needed for pre-0.9.7 OpenSSL).
     610      Fix merge error in a6c573d, the ssl ctx is now abstracted.
     611      Use generic openvpn_x509_cert_t in ssl_verify_polarssl.c
     612      Fix ssl.c, ssl_verify_* includes
     613      Move #include "ssl_verify.h" from ssl.h to the source files that need it.
     614      Remove dependency on manage.h from ssl_verify.h
     615      Remove unused variable 'proxy' from socket_restart_pause()
     616      Add (default disabled) --enable-werror option to configure
     617      Fix --disable-ssl builds, were broken by cleanup in 63dc03d.
     618      configure.ac: fix SSL_OP_NO_TICKET check
     619      Fix bug that incorrectly refuses oid representation eku's in polar builds
     620      Update README.polarssl
     621      cleanup: remove #if 0'ed function initiate_untrusted_session() from ssl.c.
     622      Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
     623      Add proper check for crypto modes (CBC or OFB/CFB)
     624      Improve --show-ciphers to show if a cipher can be used in static key mode
     625      Extend t_lpback tests to test all ciphers reported by --show-ciphers
     626      Don't issue warning for 'translate to self' tls-ciphers
     627      Don't exit daemon if opening or parsing the CRL fails.
     628      Define dummy SSL_OP_NO_TICKET flag if not present in OpenSSL.
     629      Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
     630      Fix some unintialized variable warnings
     631      Fix clang warning in options.c
     632      Fix compiler warnings in ssl_polarssl.c.
     633      Fix regression with password protected private keys (polarssl)
     634      Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
     635      Fix assertion error when using --cipher none
     636      Add --tls-version-max
     637      Modernize sample keys and sample configs
     638      Drop too-short control channel packets instead of asserting out.
     639      Really fix '--cipher none' regression
     640      Update doxygen (a bit)
     641      Set tls-version-max to 1.1 if cryptoapicert is used
     642      openssl: add crypto_msg(), to easily log openssl errors
     643      openssl: add more descriptive message for 'no shared cipher' error
     644      Remove ENABLE_SSL define (and --disable-ssl configure option)
     645      openssl: use crypto_msg(), get rid of openssl-specific code in error.c
     646      Add option to disable Diffie Hellman key exchange by setting '--dh none'
     647      Account for peer-id in frame size calculation
     648      Disable SSL compression
     649      Use tls-auth in sample config files
     650      Fix frame size calculation for non-CBC modes.
     651      Get rid of old OpenSSL workarounds.
     652      polarssl: make sure to always null-terminate the cn
     653      Allow for CN/username of 64 characters (fixes off-by-one)
     654      Change float log message to include common name, if available.
     655      Remove unneeded parameter 'first_time' from possibly_become_daemon()
     656      Remove size limit for files inlined in config
     657      polarssl: remove code duplication in key_state_write_plaintext{, _const}()
     658      Improve --tls-cipher and --show-tls man page description
     659      polarssl: disable 1/n-1 record splitting
     660      cleanup: remove md5 helper functions
     661      Re-read auth-user-pass file on (re)connect if required
     662      Clarify --capath option in manpage
     663      Call daemon() before initializing crypto library
     664      write pid file immediately after daemonizing
     665      Increase control channel packet size for faster handshakes
     666      Make __func__ work with Visual Studio too
     667      fix regression: query password before becoming daemon
     668      Fix using management interface to get passwords.
     669      reintroduce md5_digest wrapper struct to fix gcc warnings
     670      Fix out-of-tree builds; openvpn-plugin.h should be in AC_CONFIG_HEADERS
     671      Fix overflow check in openvpn_decrypt()
     672      Replace strdup() calls for string_alloc() calls
     673      Check return value of ms_error_text()
     674      polarssl: add easy logging for PolarSSL errors
     675      polarssl: Improve PolarSSL logging
     676      openssl: be less verbose about cipher translation errors
     677      hardening: add insurance to exit on a failed ASSERT()
     678      Fix memory leak in auth-pam plugin
     679      openssl: remove usage of OPENSSL_malloc() from show_available_curves
     680      polarssl: fix --client-cert-not-required
     681      polarssl: add --verify-client-cert optional support
     682      Fix (potential) memory leak in init_route_list()
     683      Add macro to ensure we exit on fatal errors
     684      polarssl: also allocate PKCS#11 certificate object on demand
     685      polarssl: don't use deprecated functions anymore
     686      polarssl: require >= 1.3.8
     687      Fix memory leak in add_option() by simplifying get_ipv6_addr
     688      remove nonsense const specifier in nonfatal() return value
     689      openssl: properly check return value of RAND_bytes()
     690      Fix rand_bytes return value checking
     691      Fix openssl builds with custom-built library: specify most-dependent first
     692      Support duplicate x509 field values in environment
     693      Warn user if their certificate has expired
     694      Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2
     695      Make assert_failed() print the failed condition
     696      cleanup: get rid of httpdigest.c type warnings
     697      Fix regression in setups without a client certificate
     698      polarssl: actually use polarssl debug logging
     699      polarssl: optimize polar_ok() for non-errors
     700      Update manpage: OpenSSL might also need /dev/urandom inside chroot
     701      polarssl: use wrappers to access md_info_t member functions
     702      polarssl: remove now redundant 128-bit blowfish key override
     703      socks.c: fix check on get_user_pass() return value(s)
     704      configure.ac: simplify crypto library configuration
     705      configure.ac: fix polarssl autodetection
     706      Allow NULL argument in cipher_ctx_get_cipher_kt()
     707      Remove reuse of key_type during init of data channel auth and tls-auth
     708      Move crypto_options into key_state and stop using context in SSL-mode.
     709      Move key_ctx_bi into crypto_options
     710      Move packet_id into crypto_options
     711      Change openvpn_encrypt() to append to work buffer only
     712      Create separate function for replay check
     713      Add AEAD cipher support (GCM)
     714      Add cipher name translation for OpenSSL.
     715      Add preliminary server-side support for negotiable crypto parameters
     716      Minor AEAD patch cleanup
     717      Clean up get_tls_handhake_key()
     718      Fix OCSP_check.sh
     719      Make AEAD modes work with OpenSSL 1.0.1-1.0.1c
     720      hardening: add safe FD_SET() wrapper openvpn_fd_set()
     721      Only include aead encrypt/decrypt functions if AEAD modes are supported
     722      Fix potential null-pointer dereference
     723      Fix memory leak in argv_extract_cmd_name()
     724      Replace MSG_TEST() macro for static inline msg_test()
     725      fixup: change init_key_type() param name in declaration too
     726      Further restrict default cipher list
     727      PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.
     728      Implemented x509-track for PolarSSL.
     729      Migrate to mbed TLS 2.x
     730      Rename files with 'polarssl' in the name to 'mbedtls'
     731      configure.ac: link to all mbed TLS libs during library detection
     732      mbedtls: check that private key and certificate match on start
     733      mbedtls: improve error reporting in tls verify callback
     734      Remove trailing newline from verify callback error messages
     735      Don't limit max incoming message size based on c2->frame
     736      cleanup: remove alloc_buffers argument from multi_top_init()
     737      mbedtls: don't set debug threshold if compiled without MBEDTLS_DEBUG_C
     738      Add client-side support for cipher negotiation
     739      Add options to restrict cipher negotiation
     740      Add server-side support for cipher negotiation
     741      Allow ncp-disable and ncp-ciphers to be specified in ccd files
     742      Fix '--cipher none --cipher' crash
     743      Discourage using 64-bit block ciphers
     744      Fix unittests for out-of-source builds
     745      Fix --mssfix when using NCP
     746      Drop gnu89/c89 support, switch to c99
     747      cleanup: remove code duplication in msg_test()
     748      Add SHA256 fingerprint support
     749      Make sure options->ciphername and options->authname are always defined
     750      Update cipher-related man page text
     751      Fix duplicate PUSH_REPLY options
     752      Check --ncp-ciphers list on startup
     753      Fix use-after-free bug in prepare_push_reply()
     754
     755TDivine (1):
     756      Fix "code=995" bug with windows NDIS6 tap driver.
     757
     758Tamas TEVESZ (1):
     759      Add support for client-cert-not-required for PolarSSL.
     760
     761Thomas Veerman (2):
     762      Fix "." in description of utun.
     763      Update expiry date in management event loop
     764
     765ValdikSS (4):
     766      Add Windows DNS Leak fix using WFP ('block-outside-dns')
     767      Clarify mssfix documentation
     768      Clarify --block-outside-dns documentation
     769      Update --block-outside-dns to work on Windows Vista
     770
     771Vasily Kulikov (1):
     772      Mac OS X Keychain management client
     773
     774Yawning Angel (1):
     775      Fix SOCKSv5 method selection
     776
     777Yegor Yefremov (3):
     778      socket: remove duplicate expression
     779      polarssl: fix unreachable code
     780      cert_data: fix memory leak
     781
     782kangsterizer (1):
     783      Fix typo in sample build script to use LDFLAGS
     784
     785svimik (1):
     786      Fix segfault when enabling pf plug-ins
     787}}}