Diffstat (limited to 'openvpn/ChangeLog')
-rw-r--r-- | openvpn/ChangeLog | 2232 |
1 files changed, 0 insertions, 2232 deletions
diff --git a/openvpn/ChangeLog b/openvpn/ChangeLog deleted file mode 100644 index 0989b39..0000000 --- a/openvpn/ChangeLog +++ /dev/null 
@@ -1,2232 +0,0 @@ -OpenVPN -Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> - -$Id: ChangeLog 1330 2006-10-01 11:45:06Z james $ - -2006.10.01 -- Version 2.0.9 - -* Windows installer updated with OpenSSL 0.9.7l DLLs to fix - published vulnerabilities. - -* Fixed TAP-Win32 bug that caused BSOD on Windows Vista - (Henry Nestler). The TAP-Win32 driver has now been - upgraded to version 8.4. - -2006.09.12 -- Version 2.0.8 - -* Windows installer updated with OpenSSL 0.9.7k DLLs to fix - RSA Signature Forgery (CVE-2006-4339). -* No changes to OpenVPN source code between 2.0.7 and 2.0.8. - -2006.04.12 -- Version 2.0.7 - -* Code added in 2.0.6-rc1 to extend byte counters - to 64 bits caused a bug in the Windows version which has now - been fixed. The bug could cause intermittent crashes. - -2006.04.05 -- Version 2.0.6 - -* Security Vulnerability affecting OpenVPN 2.0 through 2.0.5. - An OpenVPN client connecting to a - malicious or compromised server could potentially receive - "setenv" configuration directives from the server which could - cause arbitrary code execution on the client via a LD_PRELOAD - attack. A successful attack appears to require that (a) the - client has agreed to allow the server to push configuration - directives to it by including "pull" or the macro "client" in - its configuration file, (b) the client configuration file uses - a scripting directive such as "up" or "down", (c) the client - succesfully authenticates the server, (d) the server is - malicious or has been compromised and is under the control of - the attacker, and (e) the attacker has at least some level of - pre-existing control over files on the client (this might be - accomplished by having the server respond to a client web - request with a specially crafted file). Credit: Hendrik Weimer. - CVE-2006-1629. - - The fix is to disallow "setenv" to be pushed to clients from - the server. 
For those who need this capability, OpenVPN - 2.1 supports a new "setenv-safe" directive which is free - of this vulnerability. - -* When deleting routes under Linux, use the route metric - as a differentiator to ensure that the route teardown - process only deletes the identical route which was originally - added via the "route" directive (Roy Marples). - -* Fix the t_cltsrv.sh file in FreeBSD 4 jails - (Matthias Andree, Dirk Meyer, Vasil Dimov). - -* Extended tun device configure code to support ethernet - bridging on NetBSD (Emmanuel Kasper). - -2006.01.03 -- Version 2.0.6-rc1 - -* Fixed bug where "make check" inside a FreeBSD "jail" - would never complete (Matthias Andree). -* Fixed bug where --server directive in --dev tap mode - claimed that it would support subnets of /30 or less - but actually would only accept /29 or less. -* Extend byte counters to 64 bits (M. van Cuijk). -* Fixed bug in acinclude.m4 where capability of compiler - to handle zero-length arrays in structs is tested - (David Stipp). -* Fixed typo in manage.c where inline function declaration - was declared without the "static" keyword (David Stipp). -* Removed redundant base64 code. -* Better sanity checking of --server and --server-bridge - IP pool ranges, so as not to hit the assertion at - pool.c:119 (2.0.5). -* Fixed bug where --daemon and --management-query-passwords - used together would cause OpenVPN to block prior to - daemonization. -* Fixed client/server race condition which could occur - when --auth-retry interact is set and the initially - provided auth-user-pass credentials are incorrect, - forcing a username/password re-query. -* Fixed bug where if --daemon and --management-hold are - used together, --user or --group options would be ignored. - -2005.11.02 -- Version 2.0.5 - -* Fixed bug in Linux get_default_gateway function - introduced in 2.0.4, which would cause redirect-gateway - on Linux clients to fail. 
-* Restored easy-rsa/2.0 tree (backported from 2.1 beta - series) which accidentally disappeared in - 2.0.2 -> 2.0.4 transition. - -2005.11.01 -- Version 2.0.4 - -* Security fix -- Affects non-Windows OpenVPN clients of - version 2.0 or higher which connect to a malicious or - compromised server. A format string vulnerability - in the foreign_option function in options.c could - potentially allow a malicious or compromised server - to execute arbitrary code on the client. Only - non-Windows clients are affected. The vulnerability - only exists if (a) the client's TLS negotiation with - the server succeeds, (b) the server is malicious or - has been compromised such that it is configured to - push a maliciously crafted options string to the client, - and (c) the client indicates its willingness to accept - pushed options from the server by having "pull" or - "client" in its configuration file (Credit: Vade79). - CVE-2005-3393 -* Security fix -- Potential DoS vulnerability on the - server in TCP mode. If the TCP server accept() call - returns an error status, the resulting exception handler - may attempt to indirect through a NULL pointer, causing - a segfault. Affects all OpenVPN 2.0 versions. - CVE-2005-3409 -* Fix attempt of assertion at multi.c:1586 (note that - this precise line number will vary across different - versions of OpenVPN). -* Added ".PHONY: plugin" to Makefile.am to work around - "make dist" issue. -* Fixed double fork issue that occurs when --management-hold - is used. -* Moved TUN/TAP read/write log messages from --verb 8 to 6. -* Warn when multiple clients having the same common name or - username usurp each other when --duplicate-cn is not used. -* Modified Windows and Linux versions of get_default_gateway - to return the route with the smallest metric - if multiple 0.0.0.0/0.0.0.0 entries are present. - -2005.09.25 -- Version 2.0.3-rc1 - -* openvpn_plugin_abort_v1 function wasn't being properly - registered on Windows. 
-* Fixed a bug where --mode server --proto tcp-server --cipher none - operation could cause tunnel packet truncation. - -2005.08.25 -- Version 2.0.2 - -* No change from 2.0.2-rc1. - -2005.08.24 -- Version 2.0.2-rc1 - -* Fixed regression bug in Win32 installer, introduced in 2.0.1, - which incorrectly set OpenVPN service to autostart. -* Don't package source code zip file in Windows installer - in order to reduce the size of the installer. The source - zip file can always be downloaded separately if needed. -* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD - version of get_default_gateway. Allocated socket for route - manipulation is never freed so number of mbufs continuously - grow and exhaust system resources after a while (Jaroslav Klaus). -* Fixed bug where "--proto tcp-server --mode p2p --management - host port" would cause the management port to not respond until - the OpenVPN peer connects. -* Modified pkitool script to be /bin/sh compatible (Johnny Lam). - -2005.08.16 -- Version 2.0.1 - -* Security Fix -- DoS attack against server when run with "verb 0" and - without "tls-auth". If a client connection to the server fails - certificate verification, the OpenSSL error queue is not properly - flushed, which can result in another unrelated client instance on the - server seeing the error and responding to it, resulting in disconnection - of the unrelated client (CAN-2005-2531). -* Security Fix -- DoS attack against server by authenticated client. - This bug presents a potential DoS attack vector against the server - which can only be initiated by a connected and authenticated client. - If the client sends a packet which fails to decrypt on the server, - the OpenSSL error queue is not properly flushed, which can result in - another unrelated client instance on the server seeing the error and - responding to it, resulting in disconnection of the unrelated client - (CAN-2005-2532). Credit: Mike Ireton. 
-* Security Fix -- DoS attack against server by authenticated client. - A malicious client in "dev tap" ethernet bridging mode could - theoretically flood the server with packets appearing to come from - hundreds of thousands of different MAC addresses, causing the OpenVPN - process to deplete system virtual memory as it expands its internal - routing table. A --max-routes-per-client directive has been added - (default=256) to limit the maximum number of routes in OpenVPN's - internal routing table which can be associated with a given client - (CAN-2005-2533). -* Security Fix -- DoS attack against server by authenticated client. - If two or more client machines try to connect to the server at the - same time via TCP, using the same client certificate, and when - --duplicate-cn is not enabled on the server, a race condition can - crash the server with "Assertion failed at mtcp.c:411" - (CAN-2005-2534). -* Fixed server bug where under certain circumstances, the client instance - object deletion function would try to delete iroutes which had never been - added in the first place, triggering "Assertion failed at mroute.c:349". -* Added --auth-retry option to prevent auth errors from being fatal - on the client side, and to permit username/password requeries in case - of error. Also controllable via new "auth-retry" management interface - command. See man page for more info. -* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 -* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' - would fail to build. -* Implement "make check" to perform loopback tests (Matthias Andree). - -2005.07.21 -- Version 2.0.1-rc7 - -* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree). -* Include linux/types.h before checking for linux/errqueue.h (Matthias - Andree). - -2005.07.15 -- Version 2.0.1-rc6 - -* Commented out "user nobody" and "group nobody" in sample - client/server config files. 
-* Allow '@' character to be used in --client-config-dir - file names. - -2005.07.04 -- Version 2.0.1-rc5 - -* Windows version will log a for-further-info URL when - initialization sequence is completed with errors. -* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile - to control whether auth-pam plugin links to PAM via - dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing - behavior should be preserved. DLOPEN_PAM=0 is the preferred - setting to link via -lpam, but DLOPEN_PAM=1 works around - a bug in SuSE 9.1 (and possibly other distros as well) - where the PAM modules are not linked with -lpam. See - thread on openvpn-devel for more discussion about this - patch (Simon Perreault). - -2005.06.15 -- Version 2.0.1-rc4 - -* Support LZO 2.00, including changes to configure script to - autodetect LZO version. - -2005.06.12 -- Version 2.0.1-rc3 - -* Fixed a bug which caused standard file handles to not be closed - after daemonization when --plugin and --daemon are used together, - and if the plugin initialization function forks (as does auth-pam - and down-root) (Simon Perreault). -* Added client-side up/down scripts in contrib/pull-resolv-conf - for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS" - on Linux/Unix systems (Jesse Adelman). -* Fixed bug where if client-connect scripts/plugins were cascaded, - and one (but not all) of them returned an error status, there might - be cases where for an individual script/plugin, client-connect was - called but not client-disconnect. The goal of this fix is to - ensure that if client-connect is called on a given client instance, - then client-disconnect will definitely be called. A potential - complication of this fix is that when client-connect functions are - cascaded, it's possible that the client-disconnect function would - be called in cases where the related client-connect function returned - an error status. 
This fix should not alter OpenVPN behavior when - scripts/plugins are not cascaded. -* Changed the hard-to-reproduce "Assertion failed at fragment.c:312" - fatal error to a warning: "FRAG: outgoing buffer is not empty". - Need more info on how to reproduce this one. -* When --duplicate-cn is used, the --ifconfig-pool allocation - algorithm will now allocate the first available IP address. -* When --daemon and --management-hold are used together, - OpenVPN will daemonize before it enters the management hold state. - -2005.05.16 -- Version 2.0.1-rc2 - -* Modified vendor test in openvpn.spec file to match against - "Mandrakesoft" in addition to "MandrakeSoft". -* Using --iroute in a --client-config-dir file while in --dev tap - mode is not currently supported and will produce a warning - message. Fixed bug where in certain cases, in addition to - generating a warning message, this combination of options - would also produce a fatal assertion in mroute.c. -* Pass --auth-user-pass username to server-side plugin without - performing any string remapping (plugins, unlike scripts, - don't get any security benefit from string remapping). - This is intended to fix an issue with openvpn-auth-pam/pam_winbind - where backslash characters in a username ('\') were being remapped - to underscore ('_'). -* Updated OpenSSL DLLs in Windows build to 0.9.7g. -* Documented --explicit-exit-notify in man page. -* --explicit-exit-notify seconds parameter defaults to 1 if - unspecified. - -2005.04.30 -- Version 2.0.1-rc1 - -* Fixed bug where certain kinds of fatal errors after - initialization (such as port in use) would leave plugin - processes (such as openvpn-auth-pam) still running. -* Added optional openvpn_plugin_abort_v1 plugin function for - closing initialized plugin objects in the event of a fatal - error by main OpenVPN process. 
-* When the --remote list is > 1, and --resolv-retry is not - specified (meaning that it defaults to "infinite"), apply the - infinite timeout to the --remote list as a whole, but try each - list item only once before moving on to the next item. -* Added new --syslog directive which redirects output - to syslog without requiring the use of the --daemon or --inetd - directives. -* Added openvpn.spec option to allow RPM to be built with support - for passwords read from a file: - rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' - -2005.04.17 -- Version 2.0 - -* Fixed minor options string typo in options.c. - -2005.04.10 -- Version 2.0-rc21 - -* Change license description from "GPL Version 2 or (at your - option) any later version" to just "GPL Version 2". - -2005.04.04 -- Version 2.0-rc20 - -* Dag Wieers has put together an OpenVPN/LZO binary RPM set with - excellent distro/version coverage for RH/EL/Fedora, though - using his own SPEC. I modified openvpn.spec to follow some of - the same conventions such as putting sample scripts and doc - files in %doc rather than /usr/share/openvpn. -* Minor change to init scripts to run the user-defined script - /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN - configs are started, and to run /etc/openvpn/openvpn-shutdown - after all OpenVPN configs have been stopped. The - openvpn-startup script can be used for stuff like - insmod tun.o, setting up firewall rules, or starting - ethernet bridges. - -2005.03.29 -- Version 2.0-rc19 - -* Omit additions of routes where the network and - gateway are equal and the netmask is 255.255.255.255. - This can come up if you are using both - server/ifconfig-pool and client-config-dir with - ifconfig-push static addresses for some subset of clients - which directly reference the server IP address as the - remote endpoint. - -2005.03.28 -- Version 2.0-rc18 - -* Packaged Windows installer with OpenSSL 0.9.7f. -* Built Windows installer with NSIS 2.06. 
- -2005.03.12 -- Version 2.0-rc17 - -* "MANAGEMENT: CMD" log file output will now only occur - at --verb 7 or greater. -* Added an optional name/value configuration list to - the openvpn-auth-pam plugin module argument list. See - plugin/auth-pam/README for documentation. This is necessary - in order for openvpn-auth-pam to work with queries generated - by arbitrary PAM modules. -* In both auth-pam and down-root plugins, in the forked process, - a read error on the parent process socket is no longer fatal. -* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'. - A conditional test of the vendor has been added to - Require the appropriately named 'lzo' (liblzo1 / lzo). - (Tom Walsh - http://openhardware.net) - - -2005.02.20 -- Version 2.0-rc16 - -* Fixed bug introduced in rc13 where Windows service wrapper - would be installed with a startup type of Automatic. - This fix restores the previous behavior of installing - with a startup type of Manual. - -2005.02.19 -- Version 2.0-rc15 - -* Added warning when --keepalive is not used in a server - configuration. -* Don't include OpenSSL md4.h file if we are not building - NTLM proxy support (Waldemar Brodkorb). -* Added easy-rsa/build-key-pkcs12 and - easy-rsa/Windows/build-key-pkcs12.bat scripts - (Mathias Sundman). - -2005.02.16 -- Version 2.0-rc14 - -* Fixed small memory leak that occurs when --crl-verify - is used. -* Upgraded Windows installer and .nsi script to NSIS 2.05 - (Mathias Sundman). -* Changed #include backslash usage in cryptoapi.c to use - forward slashes instead (Gisle Vanem). -* Created easy-rsa/revoke-full to handle revocations in - a single step: (a) revoke crt, (b) regenerate CRL, and - (c) verify that revocation succeeded. -* Renamed easy-rsa/Windows/revoke-key to revoke-full so - that both *nix and Windows scripts are equivalent. - -2005.02.11 -- Version 2.0-rc13 - -* Improve human-readability of local/remote options - diff, when inconsistencies are present. 
-* For Windows easy-rsa, distribute vars.bat.sample and - openssl.cnf.sample, then copy them to their normal - filenames (without the .sample) when init-config.bat - is run. This is to prevent OpenVPN upgrades from - wiping out vars.bat and openssl.cnf edits. -* Modified service wrapper (Windows) to use a - case-insensitive search when scanning for .ovpn files - in \Program Files\OpenVPN\config. Prior versions - required an all-lower-case .ovpn file extension. -* Miscellaneous service wrapper code cleanup. -* If --user/--group is used on Windows, treat it - as a no-op with a warning (this makes it easier to - distribute the same client config file to Windows - and *nix users). -* Warn if --ifconfig-pool-persist is used with - --duplicate-cn. - -2005.02.05 -- Version 2.0-rc12 - -* Removed some debugging code inadvertently included - in rc11 which would print the --auth-user-pass - username/password provided by clients in the server - logfile. -* Client code for cycling through --remote list will - retry the last address which successfully authenticated - before moving on through the list. -* Windows installer will now install sample configuration - files in \Program Files\OpenVPN\sample-configs as well - as generate a start menu shortcut to this directory. -* Minor type change in buffer.[ch] to work around char-type - ambiguity bug. Caused management interface lock-ups on - ARM when building with armv4b-hardhat-linux-gcc 2.95.3. - -2005.02.03 -- Version 2.0-rc11 - -* Windows installer will now install easy-rsa directory - in \Program Files\OpenVPN -* Allow syslog facility to be controlled at compile time, - e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern). -* Changed certain shell scripts in distribution to use - #!/bin/sh rather than #!/bin/bash for better portability. 
-* If --ifconfig-pool-persist seconds parameter is 0, treat - persist file as an allocation of fixed IP addresses - (previous versions took IP-to-common-name associations - from this list as hints, not mandatory static allocations). -* Fixed bug on *nix where if --auth-user-pass and --log - were used together, the username prompt would be sent to - the log file rather than /dev/tty. -* Spurious text in openvpn.8 detected by doclifter - (Eric S. Raymond). -* Call closelog later on daemon kill so that process - exit message is written to syslog. - -2005.01.27 -- Version 2.0-rc10 - -* When ./configure is run with plugins enabled (the default), - check whether or not dlopen exists in libc before testing - for libdl. This is to fix an issue on FreeBSD and possibly - other OSes which bundle libdl functions in libc. -* On Windows, filter initial WSAEINVAL warning which occurs - on the initial read attempt of an unbound socket. -* The easy-rsa scripts build-key, build-key-pass, and - build-key-server will now chmod the .key file - to 0600. This is in addition to the fact the generated - keys directory has always been similarly protected - (Pete Harlan). - -2005.01.23 -- Version 2.0-rc9 - -* Fixed error "ROUTE: route addition failed using - CreateIpForwardEntry ..." on Windows when --redirect-gateway - is used over a RRAS internet link. -* When using --route-method exe on Windows, include the - gateway parameter on route delete commands (Mathias Sundman). -* Try not to do a hard reset (i.e. SIGHUP) when two - SIGUSR1 signals are received in close succession. -* If the push list tries to grow beyond its buffer capacity, - the resulting error will be non-fatal. -* To increase the push list capacity (must be done on both - client and server), increase TLS_CHANNEL_BUF_SIZE in - common.h (default=1024). - -2005.01.15 -- Version 2.0-rc8 - -* Fixed bug introduced in rc7 where options error - "--auth-user-pass requires --pull" might occur even - if --pull was correctly specified. 
-* Changed management interface code to bind once - to TCP socket, rather than rebinding after every - client disconnect. -* Added "disable" directive for client-config-dir - files. -* Windows binary install is now distributed with - OpenSSL 0.9.7e. -* Query the management interface for --http-proxy - username/password if authfile is set to "stdin". -* Added current OpenVPN version number to "Unrecognized - option or missing parameter" error message. -* Added "-extensions server" to "openssl req" command - in easy-rsa/build-key-server (Nir Yeffet). - -2005.01.10 -- Version 2.0-rc7 - -* Fixed bug in management interface which could cause - 100% CPU utilization in --proto tcp-server mode - on all *nix OSes except for Linux 2.6. -* --ifconfig-push now accepts DNS names as well as - IP addresses. -* Added sanity check errors when --pull or - --auth-user-pass is used in an incorrect mode. -* Updated man page entries for --client-connect and - --ifconfig-push. -* Added "String Types and Remapping" section to man - page to consisely document the way which OpenVPN - may convert certain types of characters in strings - to ('_'). -* Modified bridging description in HOWTO to emphasize - the fact that bridging allows Windows file and print - sharing without a WINS server (Charles Duffy). - -2004.12.20 -- Version 2.0-rc6 - -* Improved checking for epoll support in ./configure - to fix false positive on RH9 (Jan Just Keijser). -* Made the "MULTI TCP: I/O wait required blocking in - multi_tcp_action, action=7" error nonfatal and replaced - with "MULTI: Outgoing TUN queue full, dropped packet". - So far the issue only seems to occur on Linux 2.2 - in --mode server --proto tcp mode. It occurs when - the TUN/TAP driver locks up and refuses to accept - new packet writes for a second or more. -* Fixed bug where if a --client-config-dir file tried - to include another file using "config", and if that - include failed, OpenVPN would abort with a fatal - error. 
Now such inclusion failures will be logged - but are no longer fatal. -* Global changes to the way that packet buffer alignment - is handled. Previously we didn't care about alignment - and took care, when handling 16 and 32 bit words - in buffers, to always use alignment-safe transfers. - This approach appears to be inadequate on some - architectures such as alpha. The new approach is - to initialize packet buffers in a way that anticipates - how component structures will be allocated within - them, to maintain correct alignment. -* Added --dhcp-option DISABLE-NBT to disable NetBIOS - over TCP (Jan Just Keijser). -* Added --http-proxy-option directive for controlling - miscellaneous HTTP proxy options. -* Management state will no longer transition to "WAIT" - during TLS renegotiations. - -2004.12.16 -- Version 2.0-rc5 - -* The --client-config-dir option will now try to open - a default file called "DEFAULT" if no file matching - the common name of the incoming client was found. -* The --client-connect script/plugin can now veto client - authentication by returning a failure code. -* The --learn-address script/plugin can now prevent a - client-instance/address association from being learned - by returning a failure code. -* Changed RPM group in .spec file to Applications/Internet. - -2004.12.14 -- Version 2.0-rc4 - -* SuSE only -- Fixed interaction between openvpn.spec and - suse/openvpn.init where the .spec file was writing the - OpenVPN binary to a different location than where the - .init script was referencing it (Stefan Engel). -* Solaris only -- Split Solaris ifconfig command into two - parts (Jan Just Keijser). -* Some cleanup in add_option(). -* Better error checking on input dotted quad IP addresses. -* Verify that --push argument is quoted, if there is - more than one. -* More miscellaneous option sanity checks. 
- -2004.12.13 -- Version 2.0-rc3 - -* On Windows, when --log or --log-append is used, - save the original stderr for username and password - prompts. -* Fixed a bug introduced in the late 2.0 betas where - if a "verb" parameter >= 16 was used, it would be - ignored and the actual verb level would remain at 1. -* Fixed a bug mostly seen on OS X where --management-hold - or --management-query-passwords would cause the management - interface to be unresponsive to incoming client connections. -* Trigger an options error if one of the management-modifying - options is used without "management" itself. - -2004.12.12 -- Version 2.0-rc2 - -* Amplified warnings in documentation about possible - man-in-the-middle attack when clients do not properly - verify server certificate. Changes to easy-rsa README, - FAQ, HOWTO, man page, and sample client config file. -* Added a warning message if --tls-client or --client - is used without also specifying one of either - --ns-cert-type, --tls-remote, or --tls-verify. -* status_open() fixes for MSVC builds (Blaine Fleming). -* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared" - compiler error which has been reported on some platforms. -* The openvpn.spec file for rpmbuild has several - new build-time options. See comments in the file. -* Plugins are now built and packaged in the RPM and - will be saved in /usr/share/openvpn/plugin/lib. -* Added --management-hold directive to start OpenVPN - in a hibernating state until released by the - management interface. Also added "hold" command - to the management interface. - -2004.12.07 -- Version 2.0-rc1 - -* openvpn.spec workaround for SuSE confusion regarding - /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel). - -2004.12.05 -- Version 2.0-beta20 - -* The ability to read --askpass and --auth-user-pass - passwords from a file has been disabled by default. - To re-enable, use ./configure --enable-password-save. -* Added additional pre-connected states to management - interface. 
See management/management-notes.txt - for more info. -* State history is now recorded by the management - interface, and the "state" command now works like - the log or echo commands. -* State history and real-time state change notifications - are now prepended with an integer unix timestamp. -* Added --http-proxy-timeout option, previously - the timeout was hardcoded to 5 seconds. - -2004.12.02 -- Version 2.0-beta19 - -* Fixed bug in management interface line termination - where output lines incorrectly contained a \00 char - after the customary \0d \0a. -* Fixed bug introduced in beta18 where Windows version - would segfault on options errors. -* Fixed bug in management interface where an empty - quoted string ("") entered as a parameter would cause - a segfault. -* Fixed bug where --resolv-retry was not working - properly with multiple --remote hosts. -* Added additional ./configure options to reduce - executable size for embedded applications. - See ./configure --help. - -2004.11.28 -- Version 2.0-beta18 - -* Added management interface. See new --management-* - options or the full management interface documentation - in management/management-notes.txt in the tarball. - Management interface inclusion can be disabled by - ./configure --disable-management. -* Added two new plugin modules: auth-pam and down-root. - Auth-pam supports pam-based authentication using a - split privilege execution model, while down-root enables - a down script to be executed with root privileges, even - when --user/--group is used to drop root privileges. - See the plugin directory in the tarball for READMEs, - source code, and Makefiles. -* Plugin developers should note that some changes were - made to the plugin interface since beta17. See - openvpn-plugin.h for details. - Plugin interface inclusion can be disabled with - ./configure --disable-plugins -* Added easy-rsa/build-key-server script which will - build a certificate with with nsCertType=server. 
-* Added --ns-cert-type option for verification - of nsCertType field in peer certificate. -* If --fragment n is specified and --mssfix is specified - without a parameter, default --mssfix to n. This restores - the 1.6 behavior when using --mssfix without a parameter. -* Fixed SSL context initialization bug introduced in beta14 - where this error might occur on restarts: "Cannot load - certificate chain ... PEM_read_bio:no start line". - -2004.11.11 -- Version 2.0-beta17 - -* Changed default port number to 1194 per IANA official - port number assignment. -* Added --plugin directive which allows compiled - modules to intercept script callbacks. See - plugin folder in tarball for more info. -* Fixed bug introduced in beta12 where --key-method 1 - authentications which should have succeeded would fail. -* Ignore SIGUSR1 during DNS resolution. -* Added SuSE support to openvpn.spec (Umberto Nicoletti). -* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna' - Runestig). - -2004.11.07 -- Version 2.0-beta16 - -* Modified sample-scripts/auth-pam.pl to get username - and password from OpenVPN via a file rather than - via environmental variables. -* Added bytes_sent and bytes_received environmental - variables to be set prior to client-disconnect script. -* Changed client virtual IP derivation precedence: - (1) use --ifconfig-push directive from --client-connect - script, (2) use --ifconfig-push directive from - --client-config-dir, and (3) use --ifconfig-pool - address. -* If a --client-config-dir file specifies --ifconfig-push, - it will be visible to the --client-connect-script in - the ifconfig_pool_remote_ip environmental variable. -* For tun-style tunnels, the ifconfig_pool_local_ip - environmental variable will be set, while for - tap-style tunnels, the ifconfig_pool_netmask variable - will be set. -* Added intelligence to autoconf script to test - compiler for the accepted form of zero-length arrays. 
-* Fixed a bug introduced in beta12 where --ip-win32 - netsh would fail if --dev-node was not explicitly - specified. -* --ip-win32 netsh will now work on hidden adapters. -* Fix attempt of "Assertion failed at crypto.c:149". - This assertion has also been reported on 1.x with a - slightly different line number. The fix is twofold: - (1) In previous releases, --mtu-test may trigger this - assertion -- this bug has been fixed. (2) If something - else causes the assertion to be thrown, don't panic, - just output a nonfatal warning to the log and drop - the packet which generated the error. -* Support TAP interfaces on Mac OS X (Waldemar Brodkorb). -* Added --echo directive. -* Added --auth-nocache directive. - -2004.10.28 -- Version 2.0-beta15 - -* Changed environmental variable character classes - so that names must consist of alphanumeric or - underbar chars and values must consist of printable - characters. Illegal chars will be deleted. - Versions prior to 2.0-beta12 were more restrictive - and would map spaces to '.'. -* On Windows, when the TAP adapter fails to - initialize with the correct IP address, output - "Initialization Sequence Completed with Errors" - to the console or log file. -* Added a warning when user/group/chroot is used - without persist-tun and persist-key. -* Added cryptoapi.[ch] to tarball and source zip. -* --tls-remote option now works with common name - prefixes as well as with the full X509 subject - string. This is a useful alternative to using - a CRL on the client. -* common names associated with a static - --ifconfig-push setting will no longer leave - any state in the --ifconfig-pool-persist file. -* Hard TLS errors (TLS handshake failed) will now - trigger either a SIGUSR1 signal by default - or SIGTERM (if --tls-exit is specified). In TCP - mode, all TLS errors are considered to be hard. - In server mode, the signal will be local to the - client instance. 
-* Added method parameter to --auth-user-pass-verify - directive to select whether username/password - is passed to script via environment or a temporary - file. -* Added --status-version option to control format - of --status file. The --mode server - --status-version 2 format now includes a line - type token, the virtual IP address is shown - in the client list (even in --dev tap mode), - and the integer time_t value is shown anywhere - an ascii-formatted time/date is also shown. -* Added --remap-usr1 directive which can be used - to control whether internally or externally - generated SIGUSR1 signals are remapped to - SIGHUP (restart without persisting state) or - SIGTERM (exit). -* When running as a Windows service (using - --service option), check the exit event before - and after reading one line of input from - stdin, when reading username/password info. -* For developers: Extended the --gremlin function - to better stress-test the new 2.0 features, - added Valgrind support on Linux and Dmalloc - support on Windows. - -2004.10.19 -- Version 2.0-beta14 - -* Fixed a bug introduced in Beta12 that would occur - if you use a --client-connect script without also - defining --tmp-dir. -* Fixed a bug introduced in Beta12 where a learn-address - script might segfault on the delete method. -* Added Crypto API support in Windows version via - the --cryptoapicert option (Peter 'Luna' Runestig). - -2004.10.18 -- Version 2.0-beta13 - -* Fixed an issue introduced in Beta12 where the private - key password would not be prompted for unless --askpass - was explicitly specified in the config. - -2004.10.17 -- Version 2.0-beta12 - -* Added support for username/password-based authentication. - Clients can now authentication themselves with the server - using either a certificate, a username/password, or both. - New directives: --auth-user-pass, --auth-user-pass-verify, - --client-cert-not-required, and --username-as-common-name. -* Added NTLM proxy patch (William Preston). 
-* Added --ifconfig-pool-linear server flag to allocate - individual tun addresses for clients rather than /30 - subnets (won't work with Windows clients). -* Modified --http-proxy code to cache username/password - across restarts. -* Modified --http-proxy code to read username/password - from the console when the auth file is given as "stdin". -* Modified --askpass to take an optional filename argument. -* --persist-tun and --persist-key now work in client mode - and can be pushed to clients as well. -* Added --ifconfig-pool-persist directive, to maintain - ifconfig-pool info in a file which is persistent across - daemon instantiations. -* --user and --group privilege downgrades as well as - --chroot now also work in client mode (the - dowgrade/chroot will be delayed until the initialization - sequence is completed). -* Added --show-engines standalone directive to show - available OpenSSL crypto accelerator engine support. -* --engine directive now accepts an optional engine-ID - parameter to control which engine is used. -* "Connection reset, restarting" log message now shows - which client is being reset. -* Added --dhcp-pre-release directive in Windows version. -* Second parm to --ip-win32 can be "default", e.g. - --ip-win32 dynamic default 60. -* Fixed documentation bug regarding environmental - variable settings for --ifconfig-pool IP addresses. - The correct environmental variable names are: - ifconfig_pool_local_ip and ifconfig_pool_remote_ip. -* ifconfig_pool_local_ip and ifconfig_pool_remote_ip - environmental variables are now passed to the - client-disconnect script. -* In server mode, environmental variables are now scoped - according to the client they are associated with, - to solve the problem of "crosstalk" between different - client's environmental variable sets. -* Added --down-pre flag to cause --down script to be - called before TUN/TAP close (rather than after). -* Added --tls-exit flag which will cause OpenVPN - to exit on any TLS errors. 
-* Don't push a route to a client if it exactly - matches an iroute (this lets you push routes to - all clients, and OpenVPN will automatically remove - the route from the route push list only for that client - which the route actually belongs to). -* Made '--resolv-retry infinite' the default. - --resolv-retry can be disabled by using a parameter of 0. -* For clients which plan to pull config info from server, - set an initial default ping-restart of 60 seconds. -* Optimized mute code to lessen the load on the processor - when messages are being muted at a higher frequency. -* Made route log messages non-mutable. -* Silence the Linux "No buffer space available" message. -* Added miscellaneous additional option sanity checks. -* Added Windows version of easy-rsa scripts in - easy-rsa/Windows directory (Andrew J. Richardson). -* Added NetBSD route patch (Ed Ravin). -* Added OpenBSD patch for TAP + --redirect-gateway - (Waldemar Brodkorb). -* Directives which prompt for a username and/or password - will now work with --daemon (OpenVPN will prompt - before forking). -* Warn if CRL is from a different issuer than the - issuer of the peer certificate (Bernhard Weisshuhn). -* Changed init script chkconfig parameters to start - OpenVPN daemon(s) before NFS. -* Bug fix attempt of "too many I/O wait events" which occurs - on OSes which prefer select() over poll() such as Mac OS X. -* Added --ccd-exclusive flag. This flag will require, as a - condition of authentication, that a connecting client has - a --client-config-dir file. -* TAP-Win32 open code will attempt to open a free adapter - if --dev-node is not specified (Mathias Sundman). -* Resequenced --nice and --chroot ordering so that --nice - occurs first. -* Added --suppress-timestamps flag (Charles Duffy). -* Source code changes to allow compilation by MSVC - (Peter 'Luna' Runestig). -* Added experimental --fast-io flag which optimizes - TUN/TAP/UDP writes on non-Windows systems. 
- -2004.08.18 -- Version 2.0-beta11 - -* Added --server, --server-bridge, --client, and - --keepalive helper directives. See client.conf - and server.conf in sample-config-files for sample - configurations which use the new directives. -* On Windows, added --route-method to control - whether IP Helper API or route.exe is used - to add/delete routes. -* On Windows, added a second parameter to - --route-delay to control the maximum time period - to wait for the TAP-Win32 adapter to come up - before adding routes. -* Fixed bug in Windows version where configurations - which omit --ifconfig might fail to recognize when - the TAP adapter is up. -* Proxy connection failures will now retry according - to the --connect-retry parameter. -* Fixed --dev null handling on Windows so that TLS - loopback test described in INSTALL file works - correctly on Windows. -* Added "Initialization Sequence Completed" message - after all initialization steps have been completed - and the VPN can be considered "up". -* Better sanity-checking on --ifconfig-pool parameters. -* Added --tcp-queue-limit option to control - TUN/TAP -> TCP socket overflow. -* --ifconfig-nowarn flag will now silence general - warnings about possible --ifconfig address - conflicts, including the warning about --ifconfig - and --remote addresses being in same /24 subnet. -* Fixed case where server mode did not correctly - identify certain types of ethernet multicast packets - (Marcel de Kogel). -* Added --explicit-exit-notify option (experimental). - -2004.08.02 -- Version 2.0-beta10 - -* Fixed possible reference after free of option strings - after a restart, bug was introduced in beta8. -* Fixed segfault at route.c:919 in the beta9 - Windows version that was being caused by indirection - through a NULL pointer. -* Mistakenly built debug version of TAP-Win32 driver - for beta9. Beta10 has correct release build. 
- -2004.07.30 -- Version 2.0-beta9 - -* Fixed --route issue on Windows that was introduced with - the new beta8 route implementation based on the - IP Helper API. - -2004.07.27 -- Version 2.0-beta8 - -* Added TCP support in server mode. -* Added PKCS #12 support (Mathias Sundman). -* Added patch to make revoke-crt and make-crl work - seamlessly within the easy-rsa environment (Jan Kiszka). -* Modified --mode server ethernet bridge code to forward - special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX. -* Added --dhcp-renew and --dhcp-release flags to Windows - version. Normally DHCP renewal and release on the TAP - adapter occurs automatically under Windows, however - if you set the TAP-Win32 adapter Media Status property - to "Always Connected", you may need these flags. -* Added --show-net standalone flag to Windows version to - show OpenVPN's view of the system adapter and routing - tables. -* Added --show-net-up flag to Windows version to output - the system routing table and network adapter list to - the log file after the TAP-Win32 adapter has been brought - up and any routes have been added. -* Modified Windows version to add routes using the IP Helper - API rather than by calling route.exe. -* Fixed bug where --route-up script was not being called - if no --route options were specified. -* Added --mute-replay-warnings to suppress packet replay - warnings. This is a common false alarm on WiFi nets. -* Added "def1" flag to --redirect-gateway option to override - the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 - rather than 0.0.0.0/0. This has the benefit of overriding - but not wiping out the original default gateway. - (Thanks to Jim Carter for pointing out this idea). -* You can now run OpenVPN with a single config file argument. - For example, you can now say "openvpn config.conf" - rather than "openvpn --config config.conf". 
-* On Windows, made --route and --route-delay more adaptive - with respect to waiting for interfaces referenced by the - route destination to come up. Routes added by --route - should now be added as soon as the interface comes up, - rather than after an obligatory 10 second delay. The - way this works internally is that --route-delay now - defaults to 0 on Windows. Previous versions would - wait for --route-delay seconds then add the routes. - This version will wait --route-delay seconds and then - test the routing table at one second intervals for the - next 30 seconds and will not add the routes until they - can be added without errors. -* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by - default on TCP/UDP socket in light of reports that this - action can have undesirable global side effects on the - MTU settings of other adapters. These parameters can - still be set, but you need to explicitly specify - --sndbuf and/or --rcvbuf. -* Added --max-clients option to limit the maximum number - of simultaneously connected clients in server mode. -* Added error message to illuminate shell escape gotcha when - single backslashes are used in Windows path names. -* Added optional netmask parm to --ifconfig-pool. -* Fixed bug where http-proxy connect retry attempts were - incorrectly going to the remote OpenVPN server, - not to the HTTP proxy server. - -2004.06.29 -- Version 2.0-beta7 - -* Fixed bug in link_socket_verify_incoming_addr() which - under certain circumstances could have caused --float - behavior even if --float was not specified. -* --tls-auth option now works with --mode server. - All clients and the server should use the same - --tls-auth key when operating in client/server mode. -* Added --engine option to make use of OpenSSL-supported - crypto acceleration hardware. -* Fixed some high verbosity print format size issues - in event.c for 64 bit platforms (Janne Johansson). -* Made failure to open --log or --log-append file - a non-fatal error. 
- -2004.06.23 -- Version 2.0-beta6 - -* Fixed Windows installer to intelligently put - up a reboot dialog only if tapinstall tells - us that it's really necessary. -* Fixed "Assertion failed at fragment.c:309" - bug when --mode server and --fragment are used - together. -* Ignore HUP, USR1, and USR2 signals during - initialization. Prior versions would abort. -* Fixed bug on OS X: "Assertion failed at event.c:406". -* Added --service option to Windows version, for use - when OpenVPN is being programmatically instantiated - by another process (see man page for info). -* --log and --log-append options now work on Windows. -* Update OpenBSD INSTALL notes (Janne Johansson). -* Enable multicast on tun interface when running on - OpenBSD (Pavlin Radoslavov). -* Fixed recent --test-crypto breakage, where options - such as --cipher were not being parsed correctly. -* Modified options compatibility string by removing - ifconfig substring if it is empty. Incremented - options compatibility string version number to 4. -* Fixed typo in --tls-timeout option parsing - (Mikael Lonnroth). - -2004.06.13 -- Version 2.0-beta5 - -* Fixed rare --mode server crash that could occur - if data was being routed to a client at - high bandwidth at the precise moment that the - client instance object on the server was being - deleted. -* Fixed issue on machines which have epoll.h and - the epoll_create glibc call defined, but which - don't actually implement epoll in the kernel. - OpenVPN will now gracefully fall back to the - poll API in this case. -* Fixed Windows bug which would cause the following - error in a --mode server --dev tap configuration: - "resource limit WSA_MAXIMUM_WAIT_EVENTS has been - exceeded". -* Added CRL (certificate revocation list) management - scripts to easy-rsa directory (Jon Bendtsen). -* Do a better job of getting the ifconfig component - of the options consistency check to work correctly - when --up-delay is used. 
-* De-inlined some functions which were too complex - to be inlined anyway with gcc. -* If a --dhcp-option option is pushed to a non-windows - client, the option will be saved in the client's - environment before the --up script is called, under - the name "foreign_option_{n}". -* Added --learn-address script (see man page) which - allows for firewall access through the VPN to be - controlled based on the client common name. -* In mode --server mode, when a client connects to - the server, the server will disconnect any - still-active clients which use the same common - name. Use --duplicate-cn flag to revert to - previous behavior of allowing multiple clients - to concurrently connect with the same common name. - -2004.06.08 -- Version 2.0-beta4 - -* Fixed issue with beta3 where Win32 service wrapper - was keying off of old TAP HWID as a dependency. To - ensure that the new service wrapper is correctly - installed, the Windows install script will uninstall - the old wrapper before installing the new one, - causing a reset of service properties. -* Fixed permissions issue on --status output file, - with default access permissions of owner read/write - only (default permissions can be changed of course with - chmod). - -2004.06.05 -- Version 2.0-beta3 - -* More changes to TAP-Win32 driver's INF file which - affects the placement of the driver in the Windows - device namespace. This is done to work around an - apparent bug in Windows when short HWIDs are used, - and will also ease the upgrade from 1.x to 2.0 by - reducing the chances that a reboot will be needed - on upgrade. Like beta2, this upgrade will - delete existing TAP-Win32 interfaces, and reinstall - a single new interface with default properties. -* Major rewrite of I/O event wait layer in the style - of libevent. This is a precursor to TCP support - in --mode server. -* New feature: --status. Outputs a SIGUSR2-like - status summary to a given file, updated once - per n seconds. 
The status file is comma delimited - for easy machine parsing. -* --ifconfig-pool now remembers common names and - will try to assign a consistent IP to a given - common name. Still to do: persist --ifconfig-pool - memory across restarts by saving state in file. -* Fixed bug in event timer queue which could cause - recurring timer events such as --ping to not - correctly schedule again after firing. This in - turn would cause spurrious ping restarts and possible - connection outages. Thanks to Denis Vlasenko for - tracking this down. -* Possible fix to reported bug where --daemon argument - was not printing to syslog correctly after restart. -* Fixed bug where pulling --route or --dhcp-option - directives from a server would problematically - interact with --persist-tun on the client. -* Updated contrib/multilevel-init.patch (Farkas Levente). -* Added RPM build option to .spec and .spec.in files - to optionally disable LZO inclusion (Ian Pilcher). -* The latest MingW runtime and headers define - 'ssize_t', so a patch is needed (Gisle Vanem). - -2004.05.14 -- Version 2.0-beta2 - -* Fixed signal handling bug in --mode server, where - SIGHUP and SIGUSR1 were treated as SIGTERM. -* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV". - Apparently the larger string may work around - a problem where the TAP adapter is sometimes missing - from the network connections panel, especially under - XP SP2. Also note that installing this upgrade will - uninstall any pre-existing TAP-Win32 adapters, and then - install a single new adapter, meaning that old adapter - properties will be lost. Thanks to Md5Chap for solving - this one. -* For --mode server --dev tap, the options --ifconfig and - --ifconfig-pool are now optional. This allows address - assignment via DHCP or use of a TAP VPN without - IP support, as has always been possible with 1.x. -* Fixed bug where --ifconfig may not work correctly on - Linux 2.2. 
-* Added 'local' flag to --redirect-gateway for use on - networks where both OpenVPN daemons are connected - to a shared subnet, such as wireless. - -2004.05.09 -- Version 2.0-beta1 - -* Unchanged from test29 except for version number - upgrade. - -2004.05.08 -- Version 2.0-test29 - -* Modified --dev-node on Windows to accept a TAP-Win32 - GUID name. In addition, --show-adapters will now - display the high-level name and GUID of each adapter. - This is an attempt to work around an issue in Windows - where sometimes the TAP-Win32 adapter installs correctly - but has no icon in the network connections control - panel. In such cases, being able to specify - --dev-node {TAP-GUID} can work around the missing icon. - -2004.05.07 -- Version 2.0-test28 - -* Fixed bug which could cause segfault on program - shutdown if --route and --persist-tun are used - together. - -2004.05.06 -- Version 2.0-test27 - -* Fixed bug in close_instance() which might cause - memory to be accessed after it had already been freed. -* Fixed bug in verify_callback() that might have - caused uninitialized data to be referenced. -* --iroute now allows full CIDR subnet routing. -* In "--mode server --dev tun" usage, source addresses - on VPN packets coming from a particular client must - be associated with that client in the OpenVPN internal - routing table. - -2004.04.28 -- Version 2.0-test26 - -* Optimized broadcast path in multi-client mode. -* Added socket buffer size options --rcvbuf & --sndbuf. -* Configure Linux tun/tap driver to use a more sensible - txqueuelen default. Also allow explicit setting - via --txqueuelen option (Harald Roelle). -* The --remote option now allows the port number - to be specified as the second parameter. If - unspecified, the port number defaults to the - --rport value. -* Multiple --remote options on the client can now be - specified for load balancing and failover. 
The - --remote-random flag can be used to initially randomize - the --remote list for basic load balancing. -* If a remote DNS name resolves to multiple DNS addresses, - one will be chosen by random as a kind of basic - load-balancing feature if --remote-random is used. -* Added --connect-freq option to control maximum - new connection frequency in multi-client mode. -* In multi-client mode, all syslog messages associated - with a specific client now include a client-ID prefix. -* For Windows, use a gettimeofday() function based - on QueryPerformanceCounter (Derek Burdick). -* Fixed bug in interaction between --key-method 2 - and DES ciphers, where dynamic keys would be generated - with bad parity and then be rejected. - -2004.04.17 -- Version 2.0-test24 - -* Reworked multi-client broadcast handling. - -2004.04.13 -- Version 2.0-test23 - -* Fixed bug in --dev tun --client-to-client routing. -* Fixed a potential deadlock in --pull. -* Fixed a problem with select() usage which could - cause a repeating sequence of "select : Invalid - argument (code=22)" - -2004.04.11 -- Version 2.0-test22 - -* Fixed bug where --mode server + --daemon was - prematurely closing syslog connection. -* Added support for --redirect-gateway on Mac OS X - (Jeremy Apple). -* Minor changes to TAP-Win32 driver based on feedback - from the NDISTest tool. - -2004.04.11 -- Version 2.0-test21 - -* Optimizations in multi-client server event loop. - -2004.04.10 -- Version 2.0-test20 - -* --mode server capability now works with either tun - or tap interfaces. When used with tap interfaces, - OpenVPN will internally bridge all client tap - interfaces with the server tap interface. -* Connecting clients can now have a client-specific - configuration on the server, based on the client - common name embedded in the client certificate. - See --client-config-dir and --client-connect. - These options can be used to configure client-specific - routes. 
-* Added an option --client-to-client that enables - internal client-to-client routing or bridging. - Otherwise, clients will only "see" the server, - not other connected clients. -* Fixed bug in route scheduling which would have caused - --mode server to not work on Windows in test18 - and test19 with the sample config file. -* Man page is up to date with all new options. -* OpenVPN 2.0 release notes on web site updated - with tap-style tunnel examples. - -2004.04.02 -- Version 2.0-test19 - -* Fixed bug where routes pushed from server were - not working correctly on Windows clients. -* Added Mac OS X route patch (Jeremy Apple). - -2004.03.30 -- Version 2.0-test18 - -* Minor fixes + Windows self-install modified - to use OpenSSL 0.9.7d. - -2004.03.29 -- Version 2.0-test17 - -* Fixed some bugs related to instance timeout and deletion. -* Extended --push/--pull option to support additional - option classes. - -2004.03.28 -- Version 2.0-test16 - -* Successful test of --mode udp-server, --push, - --pull, and --ifconfig-pool with server on - Linux 2.4 and clients on Linux and Windows. - -2004.03.25 -- Version 2.0-test15 - -* Implemented hash-table lookup of client instances - based either on remote UDP address/port or remote - ifconfig endpoint. -* Implemented a randomized binary tree based - scheduler for scalably scheduling a large number - of client instance events. Uses the treap - data structure and node rotation algorithm - to keep the tree balanced. -* Initial implementation of ifconfig-pool. -* Made --key-method 2 the default. - -2004.03.20 -- Version 2.0-test14 - -* Implemented --push and --pull. - -2004.03.20 -- Version 2.0-test13 - -* Reduced struct tls_multi and --single-session - memory footprint. -* Modified --single-session flag to be used - in multi-client UDP server client instances. - -2004.03.19 -- Version 2.0-test12 - -* Added the key multi-client UDP server options, - --mode, --push, --pull, and --ifconfig-pool. 
-* Revamped GC (garbage collection) code to not rely - on any global data. -* Modifications to thread.[ch] to allow a more - flexible thread model. - -2004.03.16 -- Version 2.0-test11 - -* Moved all timer code to interval.h, added new file - interval.c. -* Fixed missing include. - -2004.03.16 -- Version 2.0-test10 - -* More TAP-Win32 fixes. -* Initial debugging and testing of multi.[ch]. - -2004.03.14 -- Version 2.0-test9 - -* Branch merge with 1.6-rc3 -* More point-to-multipoint work in multi.[ch]. -* Major TAP-Win32 driver restructuring to use - NdisMRegisterDevice instead of - IoCreateDevice/IoCreateSymbolicLink. -* Changed TAP-Win32 symbolic links to use \DosDevices\Global\ - pathname prefix. -* In the majority of cases, TAP-Win32 should now be - able to install and uninstall on Win2K without requiring - a reboot. -* TAP-Win32 MAC address can now be explicitly set in the - adapter advanced properties page. - -2004.03.04 -- Version 2.0-test8 - -* Branch merge with 1.6-rc2. - -2004.03.03 -- Version 2.0-test7 - -* Branch merge with 1.6-rc1.2. - -2004.03.02 -- Version 2.0-test6 - -* Branch merge with 1.6-rc1. - -2004.03.02 -- Version 2.0-test5 - -* Move Socks5 UDP header append/remove to socks.c, and is - called from forward.c. -* Moved verify statics from ssl.c into struct tls_session. -* Wrote multi.[ch] to handle top level of point-to-multipoint - mode. -* Wrote some code to allow a struct link_socket in a child context - to be slaved to the parent context. -* Broke up packet read and process functions in forward.c - (from socket or tuntap) into separate functions for read - and process, so that point-to-point and point-to-multipoint can - share the same code. -* Expand TLS control channel to allow the passing of configuration - commands. -* Wrote mroute.[ch] to handle internal packet routing for - point-to-multipoint mode. - -2004.02.22 -- Version 2.0-test3 - -* Initial work on UDP multi-client server. 
-* Branch merge of 1.6-beta7 - -2004.02.14 -- Version 2.0-test2 - -* Refactorization of openvpn.c into openvpn.[ch] - init.[ch] forward.[ch] forward-inline.h - occ.[ch] occ-inline.h ping.[ch] ping-inline.h - sig.[ch]. Created a master per-tunnel - struct context in openvpn.h. -* Branch merge of 1.6-beta6.2 - -2003.11.06 -- Version 2.0-test1 - -* Initial testbed for 2.0. - -2004.05.09 -- Version 1.6.0 - -* Unchanged from 1.6-rc4 except for version number - upgrade. - -2004.04.01 -- Version 1.6-rc4 - -* Made minor customizations to devcon and - renamed as tapinstall.exe for Windows version. -* Fixed "storage size of `iv' isn't known" build - problem on FreeBSD. -* OpenSSL 0.9.7d bundled with Windows self-install. - -2004.03.13 -- Version 1.6-rc3 - -* Minor Windows fixes for --ip-win32 dynamic, relating to - the way the TAP-Win32 driver responds to a DHCP request - from the Windows DHCP client. -* The net_gateway environmental variable wasn't being - set correctly for called scripts (Paul Zuber). -* Added code to determine the default gateway on FreeBSD, - allowing the --redirect-gateway option to work - (Juan Rodriguez Hervella). - -2004.03.04 -- Version 1.6-rc2 - -* Fixed bug in Windows version where the NetBIOS node-type - DHCP option might have been passed even if it was not - specified. -* Fixed bug in Windows version introduced in 1.6-rc1, where - DHCP timeout would be set to 0 seconds if --ifconfig option - was used and --ip-win32 option was not explicitly specified. -* Added some new --dhcp-option types for Windows version. - -2004.03.02 -- Version 1.6-rc1 - -* For Windows, make "--ip-win32 dynamic" the default. -* For Windows, make "--route-delay 10" the default - unless --ip-win32 dynamic is not used or --route-delay - is explicitly specified. -* L_TLS mutex could have been left in a locked state - for certain kinds of TLS errors. 
- -2004.02.22 -- Version 1.6-beta7 - -* Allow scheduling priority increase (--nice) together - with UID/GID downgrade (--user/--group). -* Code that causes SIGUSR1 restart on TLS errors in TCP - mode was not activated in pthread builds. -* Save the certificate serial number in an environmental - variable called tls_serial_{n} prior to calling the - --tls-verify script. n is the current cert chain level. -* Added NetBSD IPv6 tunnel capability (also requires - a kernel patch) (Horst Laschinsky). -* Fixed bug in checking the return value of the nice() - function (Ian Pilcher). -* Bug fix in new FreeBSD IPv6 over TUN code which was - originally added in 1.6-beta5 (Nathanael Rensen). -* More Socks5 fixes -- extended the struct frame - infrastructure to accomodate proxy-based encapsulation - overhead. -* Added --dhcp-option to Windows version for setting - adapter properties such as WINS & DNS servers. -* Use a default route-delay of 5 seconds when - --ip-win32 dynamic is specified (only applicable when - --route-delay is not explicitly specified). -* Added "log_append" registry variable to control - whether the OpenVPN service wrapper on Windows - opens log files in append (log_append="1") or - truncate (log_append="0") mode. The default - is truncate. - -2004.02.05 -- Version 1.6-beta6 - -* UDP over Socks5 fix to accomodate Socks5 encapsulation - overhead (Christof Meerwald). -* Minor --ip-win32 dynamic tweaks (use long lease time, - invalidate existing lease with DHCPNAK). - -2004.02.01 -- Version 1.6-beta5 - -* Added Socks5 proxy support (Christof Meerwald). -* IPv6 tun support for FreeBSD (Thomas Glanzmann). -* Special TAP-Win32 debug mode for Windows self-install that was - enabled in beta4 is now turned off. -* Added some new Solaris notes to INSTALL (Koen Maris). -* More work on --ip-win32 dynamic. - -2004.01.27 -- Version 1.6-beta4 - -* For this beta, the Windows self-install is a debug version - and will run slower -- use only for testing. 
-* Reverted the --ip-win32 default back to 'ipapi' - from 'dynamic'. -* Added the offset parameter to '--ip-win32 dynamic' which - can be used to control the address of the masqueraded - DHCP server which replies to Windows DHCP requests. -* Added a wait/nowait option to --inetd (nowait can only - be used with TCP sockets, TLS authentication, and over - a bridged configuration -- see FAQ for more info) - (Stefan `Sec` Zehl). -* Added a build-time capability where TAP-Win32 driver - debug messages can be output by OpenVPN at --verb 6 - or higher. - -2004.01.20 -- Version 1.6-beta2 - -* Added ./configure --enable-iproute2 flag which - uses iproute2 instead of route + ifconfig -- - this is necessary for the LEAF Linux distro - (Martin Hejl). -* Added renewal-time and rebind-time to set of - DHCP options returned by the TAP-Win32 driver when - "--ip-win32 dynamic" is used. - -2004.01.14 -- Version 1.6-beta1 - -* Fixed --proxy bug that sometimes caused plaintext - control info generated by the proxy prior to http - CONNECT method establishment to be incorrectly - parsed as OpenVPN data. -* For Windows version, implemented the - "--ip-win32 dynamic" method and made it the default. - This method sets the TAP-Win32 adapter IP address - and netmask by replying to the kernel's DHCP queries. - See the man page for more detailed info. -* Added --connect-retry parameter which controls - the time interval (in seconds) between connect() - retries when --proto tcp-client is used. Previously, - this value was hardcoded to 5 seconds, and still - defaults as such. -* --resolv-retry can now be used with a parameter - of "infinite" to retry indefinitely. -* Added SSL_CTX_use_certificate_chain_file() to ssl.c - for support of multi-level certificate chains - (Sten Kalenda). -* Fixed --tls-auth incompatibility with 1.4.x and earlier - versions of OpenVPN when the passphrase file is an - OpenVPN static key file (as generated by --genkey). 
-* Added shell-escape support in config files using - the backslash character ("\") so that (for example) - double quotes can be passed to the shell. -* Added "contrib" subdirectory on tarball, source zip, - and CVS containing user-submitted contributions. -* Added an optional patch to the Redhat init script to - allow the configuration file directory to be a - multi-level directory hierarchy (Farkas Levente). - See contrib/multilevel-init.patch -* Added some scripts and documentation on using - Linux "fwmark" iptables rules to enable - fine-grained routing control over the VPN - (Sean Reifschneider, <jafo@tummy.com>). - See contrib/openvpn-fwmarkroute-1.00 - -2003.11.20 -- Version 1.5.0 - -* Minor documentation changes. - -2003.11.04 -- Version 1.5-beta14 - -* Fixed build problem with ./configure --disable-ssl - that was reported on Debian woody. -* Fixed bug where --redirect-gateway could not be used - together with --resolv-retry. - -2003.11.03 -- Version 1.5-beta13 - -* Added CRL (certificate revocation list) capability using - --crl-verify option (Stefano Bracalenti). -* Added --replay-window option for variable replay-protection - window sizes. -* Fixed --fragment bug which might have caused certain large - packets to be sent unfragmented. -* Modified --secret and --tls-auth to permit different cipher and - HMAC keys to be used for each data flow direction. Also - increased static key file size generated by --genkey from - 1024 to 2048 bits, where 512 bits each are reserved for - send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward - and backward compatibility is maintained. See --secret option - documentation on the man page for more info. -* Added --tls-remote option (Teemu Kiviniemi). -* Fixed --tls-cipher documention regarding correct delimiter - usage (Teemu Kiviniemi). -* Added --key-method option for selecting alternative data - channel key negotiation methods. Method 1 is the default. - Method 2 has been added (see man page for more info). 
-* Added French translation of HOWTO to web site - (Guillaume Lehmann). -* Fixed problem caused by late resolver library load on - certain platforms when --resolv-retry and --chroot are - used together (Teemu Kiviniemi). -* In TCP mode, all decryption or TLS errors will abort the current - connection (this is not done in UDP mode because UDP is - "connectionless"). -* Fixed a TCP client reconnect bug that only occurs on the - BSDs, where connect() fails with an invalid argument. This - bug was partially (but not completely) fixed in beta7. -* Added "route_net_gateway" environmental variable which contains - the pre-existing default gateway address from the routing table - (there's no standard API for getting the default gateway, so - right now this feature only works on Windows or Linux). -* Renamed the "route_default_gateway" enviromental variable to - "route_vpn_gateway" -- this is the remote VPN endpoint. -* The special keywords vpn_gateway, net_gateway, and remote_host - can now be used for the network or gateway components of the - --route option. See the man page for more info. -* Added the --redirect-gateway option to configure the VPN - as the default gateway (implemented on Linux and Windows only). -* Added the --http-proxy option with basic authentication - support for use in TCP client mode. Successfully tested - using Squid as the HTTP proxy, with and without authentication. - -2003.10.12 -- Version 1.5-beta12 - -* Fixed Linux-only bug in --mktun and --rmtun which was - introduced around beta8 or so, which would cause - an error such as "I don't recognize device tun0 as a - tun or tap device1". -* Added --ifconfig-nowarn option to disable options - consistency warnings about --ifconfig parameters. -* Don't allow any kind of sequence number backtracking or - message reordering when in TCP mode. -* Changed beta naming convention to use '_' (underscore) - rather than '-' (dash) to pacify rpmbuild. 
- -2003.10.08 -- Version 1.5-beta11 - -* Modified code in the Windows version which sets the IP address - and netmask of the TAP-Win32 adapter using the IP Helper API. - Most of the changes involve better error recovery when - the IP Helper API returns an error status. See the - manual page entry on --ip-win32 for more info. - -2003.10.08 -- Version 1.5-beta10 - -* Added getpass() function for Windows version so that --askpass - option works correctly (Stefano Bracalenti). -* Added reboot advisory to end of Win32 install script. -* Changed crypto code to use pseudo-random IVs rather than - carrying forward the IV state from the previous packet. - This is in response to item 2 in the following document: - http://www.openssl.org/~bodo/tls-cbc.txt which points - out weaknesses in TLS's use of the same IV carryforward - approach. This change does not break protocol compatibility - with previous versions of OpenVPN. -* Made a change to the crypto replay protection code to also - protect against certain kinds of packet reordering attacks. - This change does not break protocol compatibility with - previous versions of OpenVPN. -* Added --ip-win32 option to provide several choices for - setting the IP address on the TAP-Win32 adapter. -* #ifdefed out non-CBC crypto modes by default. -* Added --up-delay option to delay TUN/TAP open and --up script - execution until after connection establishment. This option - replaces the earlier windows-only option --tap-delay. - -2003.10.01 -- Version 1.5-beta9 - -* Fixed --route-noexec bug where option was not parsed correctly. -* Complain if --dev tun is specified without --ifconfig on Windows. -* Fixed bug where TCP connections on windows would sometimes cause - an assertion failure. -* Added a new flag to TAP-Win32 advanced properties that allows one - to set the adapter to be always "connected" even when an OpenVPN - process doesn't have it open. 
The default behavior is to report - a media status of connected only when an OpenVPN process has the - adapter open. -* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c - DLLs in response to an OpenSSL security advisory. - -2003.09.30 -- Version 1.5-beta8 - -* Extended the --ifconfig option to work on tap devices as well - as tun devices. -* Implemented the --ifconfig option for Windows, by calling the - netsh tool. -* By default, do an "arp -d *" on Windows after TAP-Win32 open to - refresh the MAC cache. This behaviour can be disabled with - --no-arp-del. -* On Windows, allow the --dev-node parameter (which specifies - the name of the TAP-Win32 adapter) to be omitted in cases where - there is a single TAP-Win32 adapter on the system which can be - assumed to be the default. -* Modified the diagnostic --verb 5 debugging level to print 'R' - for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, - and 'w' for TUN/TAP write. -* Conditionalize OpenBSD read_tun and write_tun based on tun or tap - mode. -* Added IPv6 tun support to OpenBSD (Thomas Glanzmann). -* Make the --enable-mtu-dynamic ./configure option enabled by - default. -* Deprecated the --mtu-dynamic run-time option, in favor of - --fragment. -* DNS names can now be used as --ifconfig parameters. -* Significant work on TAP-Win32 driver to bring up to SMP standards. -* On Windows, fixed dangling IRP problem if TAP-Win32 driver is - unloaded or disabled, while a user-space process has it open. -* On Windows, if --tun-mtu is not specified, it will be read from - the TAP-Win32 driver via ioctl. -* On Windows, added TAP-Win32 driver status info to "F2" keyboard - signal (only when run from a console window). -* Added --mssfix option to control TCP MSS size (YANO Hirokuni). -* Renamed --mtu-dynamic option to --fragment to more accurately - reflect its function. Fragment accepts a single parameter which - is the upper limit on acceptable UDP packet size. 
-* Changed default --tun-mtu-extra parameter to 32 from 64. -* Eliminated reference to malloc.o in configure.ac. -* Added tun device emulation to the TAP-Win32 driver. -* Added --route and related options. -* Added init script for SuSE Linux (Frank Plohmann). -* Extended option consistency check between peers to function - in all crypto modes, including static-key and cleartext modes. - Previously only TLS mode was supported. Disable with - --disable-occ. -* Overall, increased the amount of configuration option sanity - checking, especially of networking parameters. -* Added --mtu-test option for empirical MTU measurement. -* Added Windows-only option --tap-delay to not set the TAP-Win32 - adapter media state to 'connected' until TCP/UDP connection - establishment with peer. -* Slightly modified --route/--route-delay semantics so that when - --route is given without --route-delay, routes are added - immediately after tun/tap device open. When --route-delay is - specified, routes will be added n seconds after connection - initiation, where n is the --route-delay parameter (which - can be set to 0). -* Made TCP framing error into a non-fatal error that triggers a - connection reset. - -2003.08.28 -- Version 1.5-beta7 - -* Fixed bug that caused OpenVPN not to respond to exit/restart - signals when --resolv-retry is used and a local or remote DNS - name cannot be resolved. -* Exported a series of environmental variables with useful - info for scripts. See man page for more info. Based - on a suggestion by Anthony Ciaravalo. -* Moved TCP/UDP socket bind to a point in the initialization - before the --up script gets called. This is desirable - because (a) a socket bind failure will happen before - daemonization, allowing an error status code to be returned - to the shell and (b) the possibility is eliminated of a - socket bind failure causing the --up script to be run - but not the --down script. 
This change has a side effect - that --resolv-retry will no longer work with --local. -* Fixed bug where if an OpenVPN TCP server went down and back - up again, Solaris or FreeBSD clients would fail to reconnect - to it. -* Fixed bug that prevented OpenVPN from being run by - inetd/xinetd in TCP mode. -* Added --log and --log-append options for logging messages to - a file. -* On Windows, check that the current user is a member of the - Administrator group before attempting install or uninstall. - -2003.08.16 -- Version 1.5-beta6 - -* Fixed TAP-Win32 driver to properly increment the Rx/Tx count. - -2003.08.14 -- Version 1.5-beta5 - -* Added user-configurability of the TAP-Win32 adapter MTU - through the adapter advanced properties page. -* Added Windows Service support. -* On Windows, added file association and right-clickability - for .ovpn files (OpenVPN config files). - -2003.08.05 -- Version 1.5-beta4 - -* Extra refinements and error checking added to Windows - NSIS install script. - -2003.08.05 -- Version 1.5-beta3 - -* Added md5.h include to crypto.c to fix build problem on - OpenBSD. -* Created a Win32 installer using NSIS. -* Removed DelService command from TAP-Win32 INF file. It appears - to be not necessary and it interfered with the ability to - uninstall and reinstall the driver without needing to reboot. -* On Windows version, added "addtap" and "deltapall" batch - files to add and delete TAP-Win32 adapter instances. - -2003.07.31 -- Version 1.5-beta2 - -* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted - in Windows ASCII so it's easier to click and view. -* Added postscript and PDF versions of the HOWTO to the web - site (C R Zamana). -* Merged Michael Clarke's stability patch into TAP-Win32 - driver which appears to fix the suspend/resume driver bug - and significantly improve driver stability. 
-* Added Christof Meerwald's Media Status patch to the - TAP-Win32 driver which shows the TAP adapter to be - disconnected when OpenVPN is not running. -* Moved socket connect and TCP server listen code to a later - point in openvpn() function so that the TCP server listen - state is entered after daemonization. -* Added keyboard shortcuts to simulate signals in the Windows - version, see the window title bar for descriptions. - -2003.07.24 -- Version 1.5-beta1 - -* Added TCP support via the new --proto option. -* Renamed udp-centric options such as --udp-mtu to - --link-mtu (old option names preserved for compatibility). -* Ported to Windows 2000 + XP using mingw and a TAP driver - derived from the Cipe-Win32 project by Damion K. Wilson. -* Added --show-adapters flag for windows version. -* Reworked the SSL/TLS packet acknowledge code to better - handle certain corner cases. -* Turned off the default enabling of IP forwarding in the - sample-scripts/openvpn.init script for Redhat. - Forwarding can be enabled by users in their --up scripts - or firewall config. -* Added --up-restart option based on suggestion from Sean - Reifschneider. -* If --dev tap or --dev-type tap is specified, --tun-mtu - defaults to 1500 and --tun-mtu-extra defaults to 64. -* Enabled --verb 5 debugging mode that prints 'R' and 'W' - for each packet read or write on the TCP/UDP socket. - -2003.08.04 -- Version 1.4.3 - -* Added md5.h include to crypto.c - to fix build problem on OpenBSD. - -2003.07.15 -- Version 1.4.2 - -* Removed adaptive bandwidth from - --mtu-dynamic -- its absence appears - to work better than its existence (1.4.1.2). -* Minor changes to --shaper to fix long - retransmit timeouts at low bandwidth - (1.4.1.2). -* Added LOG_RW flag to openvpn.h for - debugging (1.4.1.2). -* Silenced spurious configure warnings (1.4.1.2). -* Backed out --dev-name patch, modified --dev - to offer equivalent functionality (1.4.1.4). 
-* Added an optional parameter to --daemon and - --inetd to support the passing of a custom - program name to the system logger (1.4.1.5). -* Add compiled-in options to the program title - (1.4.1.5). -* Coded the beginnings of a WIN32 port (1.4.1.5). -* Succeeded in porting to Win32 Mingw environment - and running loopback tests (1.4.1.6). Still - need a kernel driver for full Win32 - functionality. -* Fixed a bug in error.h where - HAVE_CPP_VARARG_MACRO_GCC was misspelled. - This would have caused a significant slowdown - of OpenVPN when built by compilers that - lack ISO C99 vararg macros (1.4.1.6). -* Created an init script for Gentoo Linux - in ./gentoo directory (1.4.1.6). - -2003.05.15 -- Version 1.4.1 - -* Modified the Linux 2.4 TUN/TAP open code to - fall back to the 2.2 TUN/TAP interface if the - open or ioctl fails. -* Fixed bug when --verb is set to 0 and non-fatal - socket errors occur, causing 100% CPU utilization. - Occurs on platorms where - EXTENDED_SOCKET_ERROR_CAPABILITY is defined, - such as Linux 2.4. -* Fixed typo in tun.c that was preventing - OpenBSD build. -* Added --enable-mtu-dynamic configure option - to enable --mtu-dynamic experimental option. - -2003.05.07 -- Version 1.4.0 - -* Added --replay-persist feature to allow replay - protection across sessions. -* Fixed bug where --ifconfig could not be used - with --tun-mtu. -* Added --tun-mtu-extra parameter to deal with - the situation where a read on a TUN/TAP device - returns more data than the device's MTU size. -* Fixed bug where some IPv6 support code for - Linux was not being properly ifdefed out for - Linux 2.2, causing compile errors. -* Added OPENVPN_EXIT_STATUS_x codes to - openvpn.h to control which status value - openvpn returns to its caller (such as - a shell or inetd/xinetd) for various conditions. 
-* Added OPENVPN_DEBUG_COMMAND_LINE flag to - openvpn.h to allow debugging in situations - where stdout, stderr, and syslog cannot be used - for message output, such as when OpenVPN is - instantiated by inetd/xinetd. -* Removed owner-execute permission from file - created by static key generator (Herbert Xu - and Alberto Gonzalez Iniesta). -* Added --passtos option to allow IPv4 TOS bits - to be passed from TUN/TAP input packets to - the outgoing UDP socket (Craig Knox). -* Added code to prevent open socket file descriptors - from being accessible to called scripts. -* Added --dev-name option (Christian Lademann). -* Added --mtu-disc option for manual control - over MTU options. -* Show OS MTU value on UDP socket write failures - (linux only). -* Numerous build system and portability - fixes (Matthias Andree). -* Added better sensing of compiler support for - variable argument macros, including (a) gcc - style, (b) ISO C 1999 style, and (c) no support. -* Removed generated files from CVS. Note INSTALL - file for new CVS build commands. -* Changed certain internal symbol names - for C standards compliance. -* Added TUN/TAP open code to cycle dynamically - through unit numbers until it finds a free - unit (based on code from Thomas Gielfeldt - and VTun). -* Added dynamic MTU and fragmenting infrastructure - (Experimental). Rebuild with FRAGMENT_ENABLE - defined to enable. -* Minor changes to SSL/TLS negotiation, use - exponential backoff on retransmits, and use - a smaller MTU size (note that no protocol - changes have been made which would break - compatibility with 1.3.x). -* Added --enable-strict-options flag - to ./configure. This option will cause - a more strict check for options compatibility - between peers when SSL/TLS negotiation is used, - but should only be used when both OpenVPN peers - are of the same version. -* Reorganization of debugging levels. 
-* Added a workaround in configure.ac for - default SSL header location on Linux - to fix RH9 build problem. -* Fixed potential deadlock when pthread support - is used on OSes that allocate a small socketpair() - message buffer. -* Fixed openvpn.init to be sh compliant - (Bishop Clark). -* Changed --daemon to wait until all - initialization is finished before becoming a - daemon, for the benefit of initialization - scripts that want a useful return status from - the openvpn command. -* Made openvpn.init script more robust, including - positive indication of initialization errors - in the openvpn daemon and better sanity checks. -* Changed --chroot to wait until initialization - is finished before calling chroot(), and allow - the use of --user and --group with --chroot. -* When syslog logging is enabled (--daemon or - --inetd), set stdin/stdout/stderr to point - to /dev/null. -* For inetd instantiations, dup socket descriptor - to a >2 value. -* Fixed bug in verify-cn script, where test would - incorrectly fail if CN=x was the last component - of the X509 composite string (Anonymous). -* Added Markus F.X.J. Oberhumer's special - license exception to COPYING. - -2002.10.23 -- Version 1.3.2 - -* Added SSL_CTX_set_client_CA_list call - to follow the canonical form for TLS initialization - recommended by the OpenSSL docs. This change allows - better support for intermediate CAs and has no impact - on security. -* Added build-inter script to easy-rsa package, to - facilitate the generation of intermediate CAs. -* Ported to NetBSD (Dimitri Goldin). -* Fixed minor bug in easy-rsa/sign-req. It refers to - openssl.cnf file, instead of $KEY_CONFIG, like all - other scripts (Ernesto Baschny). -* Added --days 3650 to the root CA generation command - in the HOWTO to override the woefully small 30 day - default (Dominik 'Aeneas' Schnitzer). -* Fixed bug where --ping-restart would sometimes - not re-resolve remote DNS hostname. 
-* Added --tun-ipv6 option and related infrastructure - support for IPv6 over tun. -* Added IPv6 over tun support for Linux (Aaron Sethman). -* Added FreeBSD 4.1.1+ TUN/TAP driver notes to - INSTALL (Matthias Andree). -* Added inetd/xinetd support (--inetd) including - documentation in the HOWTO. -* Added "Important Note on the use of commercial certificate - authorities (CAs) with OpenVPN" to HOWTO based on - issues raised on the openvpn-users list. - -2002.07.10 -- Version 1.3.1 - -* Fixed bug in openvpn.spec and openvpn.init - which caused RPM upgrade to fail. - -2002.07.10 -- Version 1.3.0 - -* Added --dev-node option to allow explicit selection of - tun/tap device node. -* Removed mlockall call from child thread, as it doesn't - appear to be necessary (child thread inherits mlockall - state from parent). -* Added --ping-timer-rem which causes timer for --ping-exit - and --ping-restart not to run unless we have a remote IP - address. -* Added condrestart to openvpn.init and openvpn.spec - (Bishop Clark). -* Added --ifconfig case for FreeBSD (Matthias Andree). -* Call openlog with facility=LOG_DAEMON (Matthias Andree). -* Changed LOG_INFO messages to LOG_NOTICE. -* Added warning when key files are group/others accessible. -* Added --single-session flag for TLS mode. -* Fixed bug where --writepid would segfault if used with - an invalid filename. -* Fixed bug where --ipchange status message was formatted - incorrectly. -* Print more concise error message when system() call - fails. -* Added --disable-occ option. -* Added --local, --remote, and --ifconfig options sanity - check. -* Changed default UDP MTU to 1300 and TUN/TAP MTU to - 1300. -* Successfully tested with OpenSSL 0.9.7 Beta 2. -* Broke out debug level definitions to errlevel.h -* Minor documentation and web site changes. 
-* All changes maintain protocol compatibility - with OpenVPN versions since 1.1.0, however default - MTU changes will require setting the MTU explicitly - by command line option, if you want 1.3.0 to - communicate with previous versions. - -2002.06.12 -- Version 1.2.1 - -* Added --ping-restart option to restart - connection on ping timeout using SIGUSR1 - logic (Matthias Andree). -* Added --persist-tun, --persist-key, - --persist-local-ip, and --persist-remote-ip - options for finer-grained control over SIGUSR1 - and --ping-restart restarts. To - replicate previous SIGUSR1 functionality, - use --persist-remote-ip. -* Changed residual IV fetching code to take - IV from tail of ciphertext. -* Added check to make sure that CFB or OFB - cipher modes are only used with SSL/TLS - authentication mode, and added a caveat - to INSTALL. -* Changed signal handling during initialization - (including re-initialization during restarts) - to exit on SIGTERM or SIGINT and ignore other - signals which would ordinarily be caught. -* Added --resolv-retry option to allow - retries on hostname resolution. -* Expanded the --float option to also - allow dynamic changes in source port number - on incoming datagrams. -* Added --mute option to limit repetitive - logging of similar message types. -* Added --group option to downgrade GID - after initialization. -* Try to set ifconfig path automatically - in configure. -* Added --ifconfig code for Mac OS X - (Christoph Pfisterer). -* Moved "Peer Connection Initiated" message - to --verb level 1. -* Successfully tested with - OpenSSL 0.9.7 Beta 1 and AES cipher. -* Added RPM notes to INSTALL. -* Added ACX_PTHREAD (from the autoconf - macro archive) to configure.ac - to figure out the right pthread - options for a given platform. -* Broke out macro definitions from - configure.ac to acinclude.m4. -* Minor changes to docs and HOWTO. -* All changes maintain protocol compatibility - with OpenVPN versions since 1.1.0. 
- -2002.05.22 -- Version 1.2.0 - -* Added configuration file support via - the --config option. -* Added pthread support to improve latency. - With pthread support, OpenVPN - will offload CPU-intensive tasks such as RSA - key number crunching to a background thread - to improve tunnel packet forwarding - latency. pthread support can be enabled - with the --enable-pthread configure option. - Pthread support is currently available - only for Linux and Solaris. -* Added --dev-type option so that tun/tap - device names don't need to begin with - "tun" or "tap". -* Added --writepid option to write main - process ID to a file. -* Numerous portability fixes to ease - porting to other OSes including changing - all network types to uint8_t and uint32_t, - and not assuming that time_t is 32 bits. -* Backported to OpenSSL 0.9.5. -* Ported to Solaris. -* Finished OpenBSD port except for - pthread support. -* Added initialization script: - sample-scripts/openvpn.init - (Douglas Keller) -* Ported to Mac OS X (Christoph Pfisterer). -* Improved resilience to DoS attacks when - TLS mode is used without --remote or - --tls-auth, or when --float is used - with --remote. Note however that the best - defense against DoS attacks in TLS mode - is to use --tls-auth. -* Eliminated automake/autoconf dependency - for non-developers. -* Ported configure.in to configure.ac - and autoconf 2.50+. -* SIGHUP signal now causes OpenVPN to restart - and re-read command line and or config file, - in conformance with canonical daemon behaviour. -* SIGUSR1 now does what SIGHUP did in - version 1.1.1 and earlier -- close and reopen - the UDP socket for use when DHCP changes - host's IP address and preserve most recently - authenticated peer address without rereading - config file. -* SIGUSR2 added -- outputs current statistics, - including compression statistics. -* All changes maintain protocol compatibility - with 1.1.1 and 1.1.0. 
- -2002.04.22 -- Version 1.1.1 - -* Added --ifconfig option to automatically configure - TUN device. -* Added inactivity disconnect (--inactive - and --ping-exit options). -* Added --ping option to keep stateful firewalls - from timing out. -* Added sanity check to command line parser to - err if any TLS options are used in non-TLS mode. -* Fixed build problem with compiler environments that - define printf as a macro. -* Fixed build problem on linux systems that have - an integrated TUN/TAP driver but lack the persistent - tunnel feature (TUNSETPERSIST). Some linux kernels - >= 2.4.0 and < 2.4.7 fall into this category. -* Changed all calls to EVP_CipherInit to use explicit - encrypt/decrypt mode in order to fix problem with - IDEA-CBC and AES-256-CBC ciphers. -* Minor changes to control channel transmit limiter - algorithm to fix problem where TLS control channel - might not renegotiate within the default 60 second window. -* Simplified man page examples by taking advantage - of the new --ifconfig option. -* Minor changes to configure.in to check more - rigourously for OpenSSL 0.9.6 or greater. -* Put back openvpn.spec, eliminated - openvpn.spec.in. -* Modified openvpn.spec to reflect new automake-based - build environment (Bishop Clark). -* Other documentation changes. -* Added --test-crypto option for debugging. -* Added "missing" and "mkinstalldirs" automake - support files. - - -2002.04.09 -- Version 1.1.0 - -* Strengthened replay protection and IV handling, - extending it fully to both static key and - TLS dynamic key exchange modes. -* Added --mlock option to disable paging and ensure that key - material and tunnel data is never paged to disk. -* Added optional traffic shaping feature to cap the maximum - data rate of the tunnel. -* Converted to automake (The Platypus Brothers 2002-04-01). -* Ported to OpenBSD by Janne Johansson. -* Added --tun-af-inet option to work around an incompatibility - between Linux and BSD tun drivers. 
-* Sequence number-based replay protection using the - IPSec sliding window model is now the default, - disable with --no-replay. -* Explicit IV is now the default, disable with --no-iv. -* Disabled all cipher modes except CBC, CFB, and OFB. -* In CBC mode, use explicit IV and carry forward residuals, - using IPSec model. -* In CFB/OFB mode, IV is timestamp, sequence number. -* Eliminated --packet-id, --timestamp, and max-delta parameter to - the --tls-auth option as they are now supplanted by improved - replay code which is enabled by default. -* Eliminated --rand-iv as it is now obsolete with improved - IV code. -* Eliminated --reneg-err option as it increases vulnerability - to DoS attacks. -* Added weak key check for DES ciphers. -* --tls-freq option is no longer specified on the command line, - instead it now inherits its parameter from the - --tls-timeout option. -* Fixed bug that would try to free memory on exit that was - never malloced if --comp-lzo was not specified. -* Errata fixed in the man page examples: "test-ca" should be - "tmp-ca". -* Updated manual page. -* Preliminary work in porting to OpenSSL 0.9.7. -* Changed license to allowing linking with OpenSSL. - -2002.03.29 -- Version 1.0.3 - -* Fixed a problem in configure with library ordering on the - command line. - -2002.03.28 -- Version 1.0.2 - -* Improved the efficiency of the inner event loop. -* Fixed a minor bug with timeout handling. -* Improved the build system to build on RH 6.2 through 7.2. -* Added an openvpn.spec file for RPM builders (Bishop Clark). - -2002.03.23 -- Version 1.0 - -* Added TLS-based authentication and key exchange. -* Added gremlin mode to stress test. -* Wrote man page. - -2001.12.26 -- Version 0.91 - -* Added any choice of cipher or HMAC digest. - -2001.5.13 -- Version 0.90 - -* Initial release. -* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. |
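Review bot: every line of this hunk is a deletion with nothing added in its place, and what is being dropped is the only in-tree record of several security-relevant design decisions that anyone auditing this vendored copy of OpenVPN would want to locate: the 1.5-beta10 switch to pseudo-random per-packet IVs instead of IV carry-forward (made in response to http://www.openssl.org/~bodo/tls-cbc.txt) and the replay-protection change in the same release against packet-reordering attacks; the 1.2.1 check that CFB/OFB modes are only used with SSL/TLS authentication; the 1.1.0 removal of --reneg-err because it increased DoS exposure and the enabling of sliding-window replay protection and explicit IVs by default; the 1.3.0 warning when key files are group/others accessible; the 1.4.0 change preventing open socket descriptors from being inherited by called scripts; and the 1.5-beta1 change that stops the Redhat init script from enabling IP forwarding by default. The same entries carry the interoperability caveats (for example the 1.3.0 note that the new 1300-byte MTU defaults require setting the MTU explicitly to talk to earlier versions, and the 1.5-beta13 change to key-file layout with a statement that backward compatibility is maintained) and the dates on which the Windows build was rebuilt against patched OpenSSL DLLs (0.9.7c in 1.5-beta9). Suggest either keeping the file, or stating in the commit message which upstream release this tree tracks and where its ChangeLog can be read, so that a downstream reader can still tell which of these protocol and default changes, and which OpenSSL advisories, this code predates.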