What's new in OpenVPN 2.6.10
Mar 21, 2024
- Security fixes:
- CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev
- CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLMSOFTWAREOpenVPNplugin_dir. Reported-by: Vladimir Tokarev
- CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket. Reported-by: Vladimir Tokarev
- New features:
- t_client.sh can now run pre-tests and skip a test block if needed (e.g. skip NTLM proxy tests if SSL library does not support MD4)
- User visible changes:
- Update copyright notices to 2024
- Bug fixes:
- Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (Github: #522)
- Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
- systemd unit files: remove obsolete syslog.target
- Documentation:
- remove license warnings about mbedTLS linking (README.mbedtls)
- update documentation references in systemd unit files
- sample config files: remove obsolete tls-*.conf files
- document that auth-user-pass may be inlined
- Windows MSI changes since 2.6.9:
- For the Windows-specific security fixes see above
- Built against OpenSSL 3.2.1
- Included tap6-windows driver updated to 9.27.0
- Security fix, see above
- Included ovpn-dco-win driver updated to 1.0.1
- Ensure we don't pass too large key size to CryptoNG. We do not consider this a security issue since the CryptoNG API handles this gracefully either way.
- Included openvpn-gui updated to 11.48.0.0
- Position tray tooltip above the taskbar
- Combine title and message in tray icon tip text
- Use a custom tooltip window for the tray icon
New in OpenVPN 2.6.9 (Feb 13, 2024)
- Security fixes:
- Windows Installer: fix CVE-2023-7235 where installing to a non-default directory could lead to a local privilege escalation. Reported by Will Dormann.
- New features:
- Add support for building with mbedTLS 3.x.x
- New option --force-tls-key-material-export to only accept clients that can do TLS keying material export to generate session keys (mostly an internal option to better deal with TLS 1.0 PRF failures).
- Windows: bump vcpkg-ports/pkcs11-helper to 1.30
- Log incoming SSL alerts in easier to understand form and move logging from --verb 8 to --verb 3.
- protocol_dump(): add support for printing --tls-crypt packets
- User visible changes:
- License change is now complete, and all code has been re-licensed under the new license (still GPLv2, but with new linking exception for Apache2 licensed code). See COPYING for details.
- Code that could not be re-licensed has been removed or rewritten.
- The original code for the --tls-export-cert feature has been removed (due to the re-licensing effort) and rewritten without looking at the original code. Feature-compatibility has been tested by other developers, looking at both old and new code and documentation, so there *should* not be a user-visible change here.
- IPv6 route addition/deletion are now logged on the same level (3) as for IPv4. Previously IPv6 was always logged at --verb 1.
- Better handling of TLS 1.0 PRF failures in the underlying SSL library (e.g. on some FIPS builds) - this is now reported on startup, and clients before 2.6.0 that can not use TLS EKM to generate key material are rejected by the server. Also, error messages are improved to see what exactly failed.
- Notable bug fixes:
- FreeBSD: for servers with multiple clients, reporting of peer traffic statistics would fail due to insufficient buffer space (Github: #487)
New in OpenVPN 2.6.8 (Nov 20, 2023)
- User visible changes:
- Windows: print warning if pushed options require DHCP (e.g. DOMAIN-SEARCH) and driver in use does not use DHCP (wintun, dco).
- Bug fixes:
- SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF state (Github #449) - the new sanity check function introduced in 2.6.7 sometimes tried to use a NULL pointer after an unsuccessful TLS handshake
- Windows: --dns option did not work when tap-windows6 driver was used, because internal flag for "apply DNS option to DHCP server" wasn't set (Github #447)
- Windows: fix status/log file permissions, caused by regression after changing to CMake build system (Github: #454, Trac: #1430)
- Windows: fix --chdir failures, also caused by error in CMake build system (Github #448)
New in OpenVPN 2.6.7 (Nov 10, 2023)
- Security Fixes:
- CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
- CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. Reported by Niccolo Belli and WIPocket (Github #400, #417).
- User visible changes:
- DCO: warn if DATA_V1 packets are sent by the other side - this a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
- Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
- add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
- add warning to --show-groups that not all supported groups are listed (this is due the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
- --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again)
- warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations)
- New features:
- DCO-WIN: get and log driver version (for easier debugging).
- print "peer temporary key details" in TLS handshake
- log OpenSSL errors on failure to set certificate, for example if the algorithms used are in acceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs#11 scenarios)
- add CMake build system for MinGW and MSVC builds
- remove old MSVC build system
- improve cmocka unit test building for Windows
New in OpenVPN 2.6.6 (Aug 18, 2023)
- User visible changes:
- OCC exit messages are now logged more visibly See GH #391.
- OpenSSL error messages are now logged with more details (for example, when loading a provider fails, which .so was tried, and why did it fail) See GH #361.
- print a more user-friendly message when tls-crypt-v2 client auth fails
- packaging now includes all documentation in the source tarball
- New features:
- set WINS server via interactive service - this adds support for "dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no DHCP server is used. See GH #373.
New in OpenVPN 2.6.5 (Jun 19, 2023)
- tapctl (windows): generate driver-specific names (if using tapctl to create additional tap/wintun/dco devices, and not using --name). See GH #337.
- interactive service (windows): do not force target desktop for openvpn.exe - this has no impact for normal use, but enables running of OpenVPN in a scripted way when no user is logged on (for example, via task scheduler). See GH openvpn-gui#626
New in OpenVPN 2.6.4 (May 14, 2023)
- User visible changes:
- License amendment: all NEW commits fall under a modified license that explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for details. Existing code will fall under the new license as soon as all contributors have agreed to the change - work ongoing.
- New features:
- DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). This is the userland side, accepting a message from kernel, and initiating a TLS renegotiation. As of release, only implemented in FreeBSD kernel.
- Bug fixes:
- fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
- fix compile error on TARGET_ANDROID
- fix typo in help text
- manpage updates (--topology)
- encoding of non-ASCII windows error messages in log + management fixed (use UTF8 "as for everything else", not ANSI codepages) (Github #319)
New in OpenVPN 2.6.3 (Apr 15, 2023)
- This is a small bugfix release.
New in OpenVPN 2.6.2 (Mar 28, 2023)
- implement byte counter statistics for DCO Linux (p2mp server and client)
- implement byte counter statistics for DCO Windows (client only)
- --dns server address ... now permits up to 8 v4 or v6 addresses
New in OpenVPN 2.6.1 (Mar 10, 2023)
- Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensure that only the previously authenticated peer can do trigger renegotiation and complete renegotiations.
- CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as
- "--cryptoapicert ISSUER:" where is matched as a substring of the issuer (CA) name in the certificate.
New in OpenVPN 2.6.0 (Feb 17, 2023)
- Data Channel Offload (DCO) kernel acceleration support for Windows, Linux, and FreeBSD.
- OpenSSL 3 support.
- Improved handling of tunnel MTU, including support for pushable MTU.
- Outdated cryptographic algorithms disabled by default, but there are options to override if necessary.
- Reworked TLS handshake, making OpenVPN immune to replay-packet state exhaustion attacks.
- Added --peer-fingerprint mode for a more simplistic certificate setup and verification.
- Added Pre-Logon Access Provider support to OpenVPN GUI for Windows.
- Improved protocol negotiation, leading to faster connection setup.
- Included openvpn-gui updated to 11.37.0.0. See CHANGES.rst.
- Updated easy-rsa3 bundled with the installer on Windows.
- Various bug fixes.
New in OpenVPN 2.5.9 (Feb 17, 2023)
- This is a small bugfix release.
New in OpenVPN 2.5.8 (Nov 4, 2022)
- This is mostly a bugfix release.
New in OpenVPN 2.5.7 (May 31, 2022)
- New features:
- Limited OpenSSL 3.0 support:
- OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies on the compatiblity layer and full OpenSSL 3.0 support is coming with OpenVPN 2.6. Only features that impact usage directly have been backported:
- --tls-cert-profile insecure has been added to allow selecting the lowest OpenSSL security level (not recommended, use only if you must).
- OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) algorithm by default and the new option --providers allows loading the legacy provider to renable these algorithms. Most notably, reading of many PKCS#12 files encrypted with the RC2 algorithm fails unless --providers legacy default is configured.
- The OpenSSL engine feature --engine is not enabled by default anymore if OpenSSL 3.0 is detected.
- print OpenSSL error stack if decoding PKCS12 file fails
- User-visible Changes:
- windows vcpkg building includes pkcs11-helper 1.29 now
- add MSVC build options to harden windows binaries (HW-enforced stack protection, SHA256 object hashes, SDL).
- Bugfixes:
- fix omission of cipher-negotiation.rst in tarballs
- fix errno handling on Windows (Windows has different classes of error codes, GetLastError() and C runtime errno, these should now be handled correctly)
- fix PATH_MAX build failure in auth-pam.c
- fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
- fix overlong path names, leading to missing pkcs11-helper patch in tarball
New in OpenVPN 2.5.6 (Mar 16, 2022)
- New features:
- new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple parallel plugins that succeed/fail in direct/deferred mode
- various build improvements (github actions etc)
- upgrade pkcs11-helper to release 1.28.4
- Bugfixes:
- CVE-2022-0547 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
- If openvpn is configured with multiple authentication plugins and more than one plugin tries to do deferred authentication, the result is not well-defined - creating a possible authentication bypass.
- In this situation the server process will now abort itself with a clear log message. Only one plugin is allowed to do deferred authentication.
- Fix "--mtu-disc maybe|yes" on Linux
- Due to configure/syshead.h/#ifdef confusion, the code in question was not compiled-in since a long time. Fixed. Trac: #1452
- Fix $common_name variable passed to scripts when username-as-common-name is in effect.
- This was not consistently set - sometimes, OpenVPN exported the username, sometimes the common name from the client cert. Fixed. Trac: #1434
- Fix potential memory leaks in add_route() and add_route_ipv6().
- Apply connect-retry backoff only to one side of the connection in p2p mode. Without that fix/enhancement, two sides could end up only sending packets when the other end is not ready. Trac: #1010, #1384
- remove unused sitnl.h file
- clean up msvc build files, remove unused MSVC build .bat files
- repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
- due to integer overflow, this ended up being "0" on Linux, but on Windows with MSVC it ends up being "always 2 Gbyte", both not doing what is requested. Trac: #1448
- repair handling of EC certificates on Windows with pkcs11-helper
- (wrong compile-time defines for OpenSSL 1.1.1)
- Documentation:
- documentation improvements related to DynDNS. Trac: #1417
- clean up documentation for --proto and related options
- rebuild rst docs if input files change (proper dependency handling)
New in OpenVPN 2.5.5 (Dec 15, 2021)
- User-visible Changes:
- SWEET32/64bit cipher deprecation change was postponed to 2.7
- Windows: use network address for emulated DHCP server as default this enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
- require EC support in windows builds (this means it's no longer possible to build a Windows OpenVPN binary with an OpenSSL lib without EC support)
- New features:
- Windows build: use CFG and Spectre mitigations on MSVC builds
- bring back OpenSSL config loading to Windows builds. OpenSSL config is loaded from %installdir%SSLopenssl.cfg (typically: c:program filesopenvpnSSLopenssl.cfg) if it exists.
- This is important for some hardware tokens which need special OpenSSL config for correct operation. Trac #1296
- Bugfixes:
- Windows build: enable EKM
- Windows build: improve various vcpkg related build issues
- Windows build: fix regression related to non-writeable status files (Trac #1430)
- Windows build: fix regression that broke OpenSSL EC support
- Windows build: fix "product version" display (2.5..4 -> 2.5.4)
- Windows build: fix regression preventing use of PKCS12 files
- improve "make check" to notice if "openvpn --show-cipher" crashes
- improve argv unit tests
- ensure unit tests work with mbedTLS builds without BF-CBC ciphers
- include "--push-remove" in the output of "openvpn --help"
- fix error in iptables syntax in example firewall.sh script
- fix "resolvconf -p" invocation in example "up" script
- fix "common_name" environment for script calls when "--username-as-common-name" is in effect (Trac #1434)
- Documentation:
- move "push-peer-info" documentation from "server options" to "client" (where it belongs)
- correct "foreign_option_{n}" typo in manpage
- update IRC information in CONTRIBUTING.rst (libera.chat)
- README.down-root: fix plugin module name
New in OpenVPN 2.5.4 (Oct 6, 2021)
- Bugfixes:
- fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/adm64 when released.
- fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used "ifconfig" calls)
- various improvements for man page building (rst2man/rst2html etc)
- minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this)
- fix minor memory leak under certain conditions in add_route() and add_route_ipv6()
- User-visible Changes:
- documentation improvements
- copyright updates where needed
- better error reporting when win32 console access fails
- New features:
- also build man page on Windows builds
New in OpenVPN 2.5.3 (Jun 17, 2021)
- Bugfixes:
- CVE-2121-3606 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
- OpenVPN windows builds could possibly load OpenSSL Config files from world writeable locations, thus posing a security risk to OpenVPN.
- As a fix, disable OpenSSL config loading completely on Windows.
- disable connect-retry backoff for p2p (--secret) instances (Trac #1010, #1384)
- fix build with mbedtls w/o SSL renegotiation support
- Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
- MSI installers: properly schedule reboot in the end of installation
- fix small memory leak in free_key_ctx for auth_token
- User-visible Changes:
- update copyright messages in files and --version output
- New features:
- add --auth-token-user option (for --auth-token deployments without --auth-user-pass in client config)
- improve MSVC building for Windows
- official MSI installers will now contain arm64 drivers and binaries (x86, amd64, arm64)
New in OpenVPN 2.5.2 (Apr 21, 2021)
- Bugfixes:
- CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
- This bug allows - under very specific circumstances - to trick a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup.
- In combination with "--auth-gen-token" or an user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
- restore pushed "ping" settings correctly on a SIGUSR1 restart
- avoid generating unecessary mbed debug messages - this is actually a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448 ED curves - mbedTLS crashes on preparing debug infos that we do not actually need unless running with "--verb 8"
- do not print inlined (...) Diffie Hellman parameters to log file
- fix Linux/SITNL default route lookup in case of multiple routing tables with more than one default route present (always use "main table" for now)
- Fix CRL file handling in combination with chroot
- User-visible Changes:
- OpenVPN will now refuse to start if CRL file is not present at startup time. At "reload time" absense of the CRL file is still OK (and the in memory copy is used) but at startup it is now considered an error.
- New features:
- printing of the TLS ciphers negotiated has been extended, especially displaying TLS 1.3 and EC certificates more correctly.
New in OpenVPN 2.5.1 (Apr 21, 2021)
- New features:
- "echo msg" support, to enable the server to pushed messages that are then displayed by the client-side GUI. See doc/gui-notes.txt and doc/management-notes.txt.
- Supported by the Windows GUI shipped in 2.5.1, not yet supported by Tunnelblick and the Android GUI.
- User-visible Changes:
- make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers to set the "openvpn packet filter", and returns a failure when requested to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized structure members. Since PF is going away in 2.6.0, this is just turning the crash into a well-defined program abort, and no further effort has been spent in rewriting the PF plugin error handling (see trac #1377).
- Documentation:
- rework sample-plugins/defer/simple.c - this is an extensive rewrite of the plugin to bring code quality to acceptable standards and add documentation on the various plugin API aspects. Since it's just example code, filed under "Documentation", not under "Bugfix".
- various man page improvements.
- clarify --block-ipv6 intent and direction
- Bugfixes:
- fix installation of openvpn.8 manpage on systems without docutils.
- Windows: fix DNS search list setup for domains with "-" chars.
- Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
- Windows: Skip DHCP renew with Wintun adapter (Wintun does not support DHCP, so this was just causing an - harmless - error and needless delay).
- Windows: Remove 1 second delay before running netsh - speeds up interface init for wintun setups not using the interactive service.
- Windows: Fix too early argv freeing when registering DNS - this would cause a client side crash on Windows if register-dns is used, and the interactive service is not used.
- Android: Zero initialise msghdr prior to calling sendmesg.
- Fix line number reporting on config file errors after segments (see Trac #1325).
- Fix port-share option with TLS-Crypt v2.
- tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise dropping privs on the server would fail.
- tls-crypt-v2: fix server memory leak (about 600 bytes per connecting client with tls-crypt-v2)
- rework handling of server-pushed --auth-token in combination with --auth-nocache on reconnection / TLS renegotiation events. This used to "forget" to update new incoming token after a reconnection event (leading to failure to reauth some time later) and now works in all tested cases.
New in OpenVPN 2.5.0 (Oct 28, 2020)
- Faster connections:
- Connections setup is now much faster
- Crypto specific changes:
- ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
- Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
- Server-side improvements:
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin
- Asynchronous (deferred) support for client-connect scripts and plugins
- Network-related changes:
- Support IPv4 configs with /31 netmasks now
- 802.1q VLAN support on TAP servers
- IPv6-only tunnels
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
New in OpenVPN 2.4.9 (Apr 17, 2020)
- User visible changes:
- OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623)
- Bug fixes:
- fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
- This can be used to disrupt service to a freshly connected client (no session keys negotiated yet). It can not be used to inject or steal VPN traffic. CVE-2020-11810, trac #1272).
- fix combination of async push (deferred auth) and NCP (trac #1259)
- Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228)
- Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
- mbedTLS: Make sure TLS session survives move (trac #880)
- Fix OpenSSL private key passphrase notices
- Fix building with --enable-async-push in FreeBSD (trac #1256)
- Fix broken fragmentation logic when using NCP (trac #1140)
New in OpenVPN 2.4.8 (Nov 1, 2019)
- New features:
- Support compiling with OpenSSL 1.1 without deprecated APIs
- handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
- User visible changes:
- do not abort when hitting the combination of "--pull-filter" and "--mode server" (this got hit when starting OpenVPN servers using the windows GUI which installs a pull-filter to force ip-win32)
- increase listen() backlog queue to 32 (improve response behaviour on openvpn servers using TCP that get portscanned)
- fix and enhance documentation (INSTALL, man page, ...)
- Bug fixes:
- the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as a workaround, force IPv4 in this case until a full implementation for IPv6-UDP-SOCKS can be made.
- fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
- fix building with LibreSSL
- do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in systemd environments)
- repair windows builds
- repair Darwin builds (remove -no-cpp-precomp flag)
New in OpenVPN 2.4.7 (Apr 24, 2019)
- New features:
- ifconfig-ipv6(-push): allow using hostnames (in place of IPv6 addresses)
- new option: --ciphersuites to select TLS 1.3 cipher suites (--cipher selects TLS 1.2 and earlier ciphers)
- enable dhcp on tap adapter using interactive service (previously this required a privileged netsh.exe call from OpenVPN)
- clarify and expand management interface documentation
- add Interactive Service developer documentation
- User visible changes:
- add message explaining early TLS client hello failure (if TLS 1.0 only clients try to connect to TLS 1.3 capable servers)
- --show-tls will now display TLS 1.3 and TLS 1.2 ciphers in separate lists (if built with OpenSSL 1.1.1+)
- don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' (unnecessary warnings, and will cause spurious warnings with tls-crypt-v2)
- bump version of openvpn plugin argument structs to 5
- plugin: Export base64 encode and decode functions
- man: add security considerations to --compress section
- Bug fixes:
- print port numbers (again) for incoming IPv4 connections received on a dual-stacked IPv6 socket. This got lost at some point during rewrite of the dual-stack code and proper printing of IPv4 addresses.
- fallback to password authentication when auth-token fails
- fix combination of --dev tap and --topology subnet across multiple platforms (BSDs, MacOS, and Solaris).
- fix Windows CryptoAPI usage for TLS 1.2 signatures
- fix option handling in combination with NCP negotiation and OCC (--opt-verify failure on reconnect if NCP modified options and server verified "original" vs. "modified" options)
- mbedtls: print warning if random personalisation fails
- fix subnet topology on NetBSD (2.4).
New in OpenVPN 2.4.6 (Apr 26, 2018)
- User visible changes:
- warn if the management interface is configured with a TCP port and no password is set (because it might be possible to interfere with OpenVPN operation by tricking other programs into connecting to the management interface and inject unwanted commands)
- Bug fixes:
- CVE-2018-9336: fix potential double-free() in the Interactive Service (Windows) on malformed input.
- avoid possible integer overflow in wakeup computation (trac #922)
- improve handling of incoming packet bursts for control channel data
- fix compilation with older OpenSSL versions that were broken in 2.4.5
- Windows + interactive Service: delete the IPv6 route to the "connected" network on tun close
New in OpenVPN 2.4.5 (Mar 5, 2018)
- reload HTTP proxy credentials when moving to the next connection profile
- Allow learning iroutes with network made up of all 0s (only if netbits < 8)
- mbedtls: fix typ0 in comment
- manpage: fix simple typ0
- Treat dhcp-option DNS6 and DNS identical
- show the right string for key-direction
- Fix typo in error message: "optione" -> "option"
- lz4: Fix confused version check
- lz4: Fix broken builds when pkg-config is not present but system library is
- Remove references to keychain-mcd in Changes.rst
- lz4: Rebase compat-lz4 against upstream v1.7.5
- systemd: Add and ship README.systemd
- Update copyright to include 2018 plus company name change
- man: Add .TQ groff support macro
- man: Reword --management to prefer unix sockets over TCP
- OpenSSL: check EVP_PKEY key types before returning the pkey
- Remove warning on pushed tun-ipv6 option.
- Fix removal of on-link prefix on windows with netsh
- Preparing for release v2.4.5 (ChangeLog, version.m4, Changes.rst)
- travis-ci: add brew cache, remove ccache
- travis-ci: modify openssl build script to support openssl-1.1.0
- autoconf: Fix engine checks for openssl 1.1
- Cast time_t to long long in order to print it.
- Fix build with LibreSSL
- Check whether in pull_mode before warning about previous connection blocks
- Avoid illegal memory access when malformed data is read from the pipe
- Fix missing check for return value of malloc'd buffer
- Return NULL if GetAdaptersInfo fails
- Use RSA_meth_free instead of free
- Bring cryptoapi.c upto speed with openssl 1.1
- Add SSL_CTX_get_max_proto_version() not in openssl 1.0
- TLS v1.2 support for cryptoapicert -- RSA only
- Refactor get_interface_metric to return metric and auto flag separately
- Ensure strings read from registry are null-terminated
- Make most registry values optional
- Use lowest metric interface when multiple interfaces match a route
- Adapt to RegGetValue brokenness in Windows 7
- Fix format spec errors in Windows builds
- Local functions are not supported in MSVC. Bummer.
- Mixing wide and regular strings in concatenations is not allowed in MSVC.
- RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
- Simplify iphlpapi.dll API calls
- Fix local #include to use quoted form
- Document ">PASSWORD:Auth-Token" real-time message
- Fix typo in "verb" command examples
- Uniform swprintf() across MinGW and MSVC compilers
- MSVC meta files added to .gitignore list
- openvpnserv: Add support for multi-instances
- Document missing OpenVPN states
- make struct key * argument of init_key_ctx const
- buffer_list_aggregate_separator(): add unit tests
- Add --tls-cert-profile option.
- Use P_DATA_V2 for server->client packets too
- Fix memory leak in buffer unit tests
- buffer_list_aggregate_separator(): update list size after aggregating
- buffer_list_aggregate_separator(): don't exceed max_len
- buffer_list_aggregate_separator(): prevent 0-byte malloc
- Fix types around buffer_list_push(_data)
- ssl_openssl: fix compiler warning by removing getbio() wrapper
- travis: use clang's -fsanitize=address to catch more bugs
- Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
- Add support for TLS 1.3 in --tls-version-{min, max}
- Plug memory leak if push is interrupted
- Fix format errors when cross-compiling for Windows
- Log pre-handshake packet drops using D_MULTI_DROPPED
- Enable stricter compiler warnings by default
- Get rid of ax_check_compile_flag.m4
- mbedtls: don't use API deprecated in mbed 2.7
- Warn if tls-version-max < tls-version-min
- Don't throw fatal errors from create_temp_file()
- Fix '--bind ipv6only'
New in OpenVPN 2.4.4 (Sep 27, 2017)
- crypto: correct typ0 in error message
- use M_ERRNO instead of explicitly printing errno
- don't print errno twice
- ntlm: avoid useless cast
- ntlm: unwrap multiple function calls
- route: improve error message
- management: preserve wait_for_push field when asking for user/pass
- tls-crypt: avoid warnings when --disable-crypto is used
- ntlm: convert binary buffers to uint8_t *
- ntlm: restyle compressed multiple function calls
- ntlm: improve code style and readability
- OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
- make function declarations C99 compliant
- remove unused functions
- use NULL instead of 0 when assigning pointers
- add missing static attribute to functions
- ntlm: avoid breaking anti-aliasing rules
- remove the --disable-multi config switch
- rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
- route: avoid definition of unused variables in certain configurations
- fix a couple of typ0s in comments and strings
- fragment.c: simplify boolean expression
- tcp-server: ensure AF family is propagated to child context
- Set tls-cipher restriction before loading certificates
- Print ec bit details, refuse management-external-key if key is not RSA
- Use provided env vars in up/down script.
- Document down-root plugin usage in client.down
- doc: The CRL processing is not a deprecated feature
- cleanup: Move write_pid() to where it is being used
- contrib: Remove keychain-mcd code
- cleanup: Move init_random_seed() to where it is being used
- sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
- Highlight deprecated features
- Use consistent version references
- docs: Replace all PolarSSL references to mbed TLS
- systemd: Ensure systemd shuts down OpenVPN in a proper way
- systemd: Enable systemd's auto-restart feature for server profiles
- lz4: Move towards a newer LZ4 API
- Prepare the release of OpenVPN 2.4.4
- OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
- OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
- OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
- Warn that DH config option is only meaningful in a tls-server context
- travis-ci: add 3 missing patches from master to release/2.4
- travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
- travis-ci: update pkcs11-helper to 1.22
- man: Corrections to doc/openvpn.8
- Fix typo in extract_x509_extension() debug message
- Move adjust_power_of_2() to integer.h
- Undo cipher push in client options state if cipher is rejected
- Remove strerror_ts()
- Move openvpn_sleep() to manage.c
- fixup: also change missed openvpn_sleep() occurrences
- Always use default keysize for NCP'd ciphers
- Move create_temp_file() out of #ifdef ENABLE_CRYPTO
- Deprecate --keysize
- Deprecate --no-replay
- Move run_up_down() to init.c
- tls-crypt: introduce tls_crypt_kt()
- crypto: create function to initialize encrypt and decrypt key
- Add coverity static analysis to Travis CI config
- tls-crypt: don't leak memory for incorrect tls-crypt messages
- travis: reorder matrix to speed up build
- Fix bounds check in read_key()
- OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
- Fix socks_proxy_port pointing to invalid data
New in OpenVPN 2.4.3 (Jun 23, 2017)
- Ignore auth-nocache for auth-user-pass if auth-token is pushed
- crypto: Enable SHA256 fingerprint checking in --verify-hash
- copyright: Update GPLv2 license texts
- auth-token with auth-nocache fix broke --disable-crypto builds
- OpenSSL: don't use direct access to the internal of X509
- OpenSSL: don't use direct access to the internal of EVP_PKEY
- OpenSSL: don't use direct access to the internal of RSA
- OpenSSL: don't use direct access to the internal of DSA
- OpenSSL: force meth->name as non-const when we free() it
- OpenSSL: don't use direct access to the internal of EVP_MD_CTX
- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
- OpenSSL: don't use direct access to the internal of HMAC_CTX
- Fix NCP behaviour on TLS reconnect.
- Remove erroneous limitation on max number of args for --plugin
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
- Fix potential 1-byte overread in TCP option parsing.
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- refactor my_strupr
- Fix 2 memory leaks in proxy authentication routine
- Fix memory leak in add_option() for option 'connection'
- Ensure option array p[] is always NULL-terminated
- Fix a null-pointer dereference in establish_http_proxy_passthru()
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Fix an unaligned access on OpenBSD/sparc64
- Missing include for socket-flags TCP_NODELAY on OpenBSD
- Make openvpn-plugin.h self-contained again.
- Pass correct buffer size to GetModuleFileNameW()
- Log the negotiated (NCP) cipher
- Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
- Skip tls-crypt unit tests if required crypto mode not supported
- openssl: fix overflow check for long --tls-cipher option
- Add a DSA test key/cert pair to sample-keys
- Fix mbedtls fingerprint calculation
- mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
- mbedtls: require C-string compatible types for --x509-username-field
- Fix remote-triggerable memory leaks (CVE-2017-7521)
- Restrict --x509-alt-username extension types
- Fix potential double-free in --x509-alt-username (CVE-2017-7521)
- Fix gateway detection with OpenBSD routing domains
New in OpenVPN 2.4.2 (May 12, 2017)
- auth-token: Ensure tokens are always wiped on de-auth
- docs: Fixed man-page warnings discoverd by rpmlint
- Make --cipher/--auth none more explicit on the risks
- plugin: Fix documentation typo for type_mask
- plugin: Export secure_memzero() to plug-ins
- Preparing v2.4.2 release
- Fix extract_x509_field_ssl for external objects, v2
- In auth-pam plugin clear the password after use
- cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
- Don't run packet_id unit tests for --disable-crypto builds
- Fix Changes.rst layout
- Fix memory leak in x509_verify_cert_ku()
- mbedtls: correctly check return value in pkcs11_certificate_dn()
- Restore pre-NCP frame parameters for new sessions
- Always clear username/password from memory on error
- Document tls-crypt security considerations in man page
- Don't assert out on receiving too-large control packets (CVE-2017-7478)
- Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
- Set a low interface metric for tap adapter when block-outside-dns is in use
New in OpenVPN 2.4.1 (Mar 22, 2017)
- attempt to add IPv6 route even when no IPv6 address was configured
- fix redirect-gateway behaviour when an IPv4 default route does not exist
- CRL: use time_t instead of struct timespec to store last mtime
- ignore remote-random-hostname if a numeric host is provided
- man: fix formatting for alternative option
- systemd: Use automake tools to install unit files
- systemd: Do not race on RuntimeDirectory
- systemd: Add more security feature for systemd units
- Clean up plugin path handling
- plugin: Remove GNUism in openvpn-plugin.h generation
- fix typo in notification message
- management: >REMOTE operation would overwrite ce change indicator
- management: Remove a redundant #ifdef block
- git: Merge .gitignore files into a single file
- systemd: Move the READY=1 signalling to an earlier point
- plugin: Improve the handling of default plug-in directory
- cleanup: Remove faulty env processing functions
- OpenSSL: check for the SSL reason, not the full error
- OpenSSL: don't use direct access to the internal of X509_STORE_CTX
- OpenSSL: don't use direct access to the internal of SSL_CTX
- OpenSSL: don't use direct access to the internal of X509_STORE
- OpenSSL: don't use direct access to the internal of X509_OBJECT
- OpenSSL: don't use direct access to the internal of RSA_METHOD
- OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
- OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
- Fix Building Using MSVC
- Add openssl_compat.h to openvpn_SOURCES
- Fix '--dev null'
- Fix installation of IPv6 host route to VPN server when using iservice.
- Make ENABLE_OCC no longer depend on !ENABLE_SMALL
- Crash in options.c
- Resolve several travis-ci issues
- travis-ci: remove unused files
- Fix building with LibreSSL 2.5.1 by cleaning a hack.
- Fix push options digest update
- Always release dhcp address in close_tun() on Windows.
- Add a check for -Wl, --wrap support in linker
- Fix user's group membership check in interactive service to work with domains
- Fix segfault when using crypto lib without AES-256-CTR or SHA256
- More broadly enforce Allman style and braces-around-conditionals
- Use SHA256 for the internal digest, instead of MD5
- OpenSSL: 1.1 fallout - fix configure on old autoconf
- Fix types in WIN32 socket_listen_accept()
- Remove duplicate X509 env variables
- Fix non-C99-compliant builds: don't use const size_t as array length
- Deprecate --ns-cert-type
- Be less picky about keyUsage extensions
New in OpenVPN 2.4.0 (Dec 28, 2016)
- dev-tools: Added script for updating copyright years in files
- Update copyrights
- docs: Further enhance the documentation related to SWEET32
- man: Remove references to no longer present IV_RGI6 peer-info
- Remove IV_RGI6=1 peer-info signalling.
- Document that RSA_SIGN can also request TLS 1.2 signatures
- man: encourage user to read on about --tls-crypt
New in OpenVPN 2.4 RC 2 (Dec 17, 2016)
- Fix wrong configure.ac parsing of --enable-async-push
- Changes: Further improve systemd unit file updates
- systemd: Intermediate --chroot fix with the new sd_notify() implementation
- Further enhance async-push feature description
- Changes.rst: Mainatiner update on C99
- dev-tools: Add reformat-all.sh for code style unification
- The Great Reformatting - first phase
- Merge 'reformatting' branch into master
- auth-gen-token: Hardening memory cleanup on auth-token failuers
- Preparing OpenVPN v2.4_rc2 release
- Refactor setting close-on-exec for socket FDs
- Arm inotify only in server mode
- Add "async push" feature to Changes.rst
- mbedtls: include correct net/net_sockets header according to version
- Correctly state the default dhcp server address in man page
- Unhide a line in man page by fixing a typo
- Fix (and cleanup) crypto flags in combination with NCP
- Deprecate --no-iv
- man: mention that --ecdh-curve does not work on mbed TLS builds
- Don't reopen tun if cipher changes
New in OpenVPN 2.3.14 (Dec 7, 2016)
- update year in copyright message
- man: Improve the --keepalive section
- Document the --auth-token option
- Repair topology subnet on FreeBSD 11
- Repair topology subnet on OpenBSD
- Preparing release of v2.3.14
- Drop recursively routed packets
- Support --block-outside-dns on multiple tunnels
- When parsing '--setenv opt xx ..' make sure a third parameter is present
- Map restart signals from event loop to SIGTERM during exit-notification wait
- Correctly state the default dhcp server address in man page
- Clean up format_hex_ex()
New in OpenVPN 2.4 RC 1 (Dec 2, 2016)
- reload CRL only if file was modified
- update year in copyright message
- Use systemd service manager notification
- Refuse to daemonize when running from systemd
- Preparing OpenVPN v2.4_rc1 release
- Fix windows path in Changes.rst
- Mention that OpenVPN 2.4 requires Windows Vista or higher
- Map restart signals from event loop to SIGTERM during exit-notification wait
- When parsing '--setenv opt xx ..' make sure a third parameter is present
- Force 'def1' method when --redirect-gateway is done through service
- Do not restart dns client service as a part of --register-dns processing
- tls_process: don't set variable that's never read
- Unconditionally enable TLS_AGGREGATE_ACK
- Clean up format_hex_ex()
- Introduce and use secure_memzero() to erase secrets
New in OpenVPN 2.4 Beta 2 (Nov 25, 2016)
- Document that tls-crypt also supports inline
- Fix warning that RAND_bytes is undeclared
- Remove compat-stdbool.h.
- Fix various compiler warnings
- Handle DNS6 option on Android
- Changes.rst: Fixing wrong formatting
- Document the --auth-token option
- Preparing OpenVPN v2.4_beta2 release
- Remove remaining traces of compat-stdbool.h
- Stub implementation of "--dhcp-option DNS6 "
- Do not set ipv6 address if '--ip-win32 manual' is used
- Handle --dhcp-option DNS6 on Windows using netsh
- Set IPv6 DNS servers using interactive service
- multi_process_float: revert part of c14c4a9e
- --tls-crypt fixes
- Change cmocka remote to use https in stead of git protocol
- generate_key_expansion: make assumption explicit, use C99 features
- Poor man's NCP for non-NCP peers
- Refactor data channel key generation API
New in OpenVPN 2.4 Beta 1 (Nov 17, 2016)
- Make Changes.rst nicer for 2.4 release
- cleanup: Remove NOP code sections in ssl.c:tls_process()
- Remove last rest of INSTALL-win32.txt references
- auth-gen-token: Add --auth-gen-token option
- auth-gen-token: Generate an auth-token per client
- auth-gen-token: Push generated auth-tokens to the client
- auth-gen-token: Authenticate generated auth-tokens when client re-authenticates
- Fix builds with --disable-crypto
- man: Improve the --keepalive section
- console: Fix compiler warning
- systemd: Improve the systemd unit files
- tun: Fix compiler warnings
- file checks: Merge warn_if_group_others_accessible() into check_file_access()
- tun: Fix weird commit error causing a double assignment
- options: Remove --tls-remote
- Remove unused variable in argv_printf_arglist()
- Preparing for release v2.4_beta1 (ChangeLog, version.m4)
- openvpn version line: remove [IPv6], add [AEAD] if available
- clean up *sig_info handling in link_socket_init_phase2()
- check c->c2.link_socket before calling do_init_route_ipv6_list()
- Check previously-unchecked buf_alloc_write() call in crypto self-test.
- Fix potential division by zero in shaper_reset()
- Repair topology subnet on FreeBSD 11
- Repair topology subnet on OpenBSD
- Add in_port_t check to configure.ac
- Fix compilation on MinGW with -std=c99
- Replace WIN32 by _WIN32
- put argv_* functions into own file, add unit tests
- Remove unused and unecessary argv interfaces
- remove unused system_str from struct argv
- Factor out %sc handling from argv_printf()
- Drop recursively routed packets
- Remove INSTALL-win32.txt that is now hosted in openvpn-build
- Fix update_t_client_ips.sh for out of tree builds
- Make sure that all relevant files under test go to release tarballs
- Allow passing extra arguments to fping/fping6 in t_client.rc
- Prevent generation of duplicate EXPECT_IFCONFIG entries
- Fix a logic problem in handling of --up scripts in t_client.sh
- Support --block-outside-dns on multiple tunnels
- Unbreak windows build
- Remove verbose msg() from send_push_reply()
- Limit --reneg-bytes to 64MB when using small block ciphers
- Add a revoked cert to the sample keys
- Fix --tls-version-max in mbed TLS builds
- Don't deference type-punned pointers
- Fix builds on compilers without anonymous union support
- Refactor static/tls-auth key loading
- Add missing includes in error.h
- Make argv unit tests obey {MBEDTLS, OPENSSL}_{LIBS, CFLAGS}
- Move private file access checks to options_postprocess_filechecks()
- Deprecate key-method 1
- Refactor CRL handling
- Remove unneeded check for extra_certs_file_inline
- Fix missing return value checks in multi_process_float()
- Restore pre-NCP cipher options on SIGUSR1
- Remove unused variables from do_init_crypto_static()
- Add control channel encryption (--tls-crypt)
- Add --tls-crypt unit tests
New in OpenVPN 2.3.13 (Nov 4, 2016)
- Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
- Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
- t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
- t_client.sh: Add support for Kerberos/ksu
- t_client.sh: Improve detection if the OpenVPN process did start during tests
- t_client.sh: Add prepare/cleanup possibilties for each test case
- Preparing release of v2.3.13
- Do not abort t_client run if OpenVPN instance does not start.
- Fix t_client runs on OpenSolaris
- make t_client robust against sudoers misconfiguration
- add POSTINIT_CMD_suf to t_client.sh and sample config
- Fix --multihome for IPv6 on 64bit BSD systems.
- skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
- Exclude peer-id from pulled options digest
- Fix compilation in pedantic mode
- Automatically cache expected IPs for t_client.sh on the first run
- Fix unittests for out-of-source builds
- Make gnu89 support explicit
- cleanup: remove code duplication in msg_test()
- Update cipher-related man page text
- Limit --reneg-bytes to 64MB when using small block ciphers
- Add a revoked cert to the sample keys
New in OpenVPN 2.4 Alpha 2 (Oct 21, 2016)
- Fixed a bug where PolarSSL gave an error when using an inline file tag.
- Fix --show-pkcs11-ids (Bug #239)
- Default gateway can't be determined on illumos/Solaris platforms
- pkcs11: use generic evp key instead of rsa
- Fix some typos in the man page.
- Do not upcase x509-username-field for mixed-case arguments.
- extract_x509_extension(): hide status message during normal operation.
- Document man agent-external-key
- Options parsing demands unnecessary configuration if PKCS11 is used
- Error message if max-routes used incorrectly
- Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
- Remove dnsflags_to_socktype, it is not used anywhere
- Fix the proto is used inconsistently warning
- Remove dead code path and putenv functionality
- Remove unused function xor
- Move static prototype definition from header into c file
- Remove unused function no_tap_ifconfig
- Add the client id (CID) to the output of the status command
- Print client id only if compiled with man agent support. Otherwise print an empty string.
- Allow routes to be set before opening tun, similar to ifconfig before opening tun
- Add ability to send/receive file descriptors via management interface
- Android platform specific changes.
- Emulate persist-tun on Android
- Document the Android implementation in OpenVPN
- Only print script warnings when a script is used. Remove stray mention of script-security system.
- Fix #ifdefs for P2MP_SERVER
- Move settings of user script into set_user_script function
- Move checking of script file access into set_user_script
- Fix another #ifdef/#if P2MP_SERVER
- PATCHv3 Remove unused variables or put them to the defines they are being used in
- Add support of utun devices under Mac OS X
- Add support to ignore specific options.
- Add a note what setenv opt does for OpenVPN < 2.3.3
- Implement custom HTTP header for http-proxy, and always send user-agent:
- Add reporting of UI version to basic push-peer-info set.
- Change the type of all ports in openvpn to const char* and let getaddrinfo resolve the port together with the hostname.
- Fix compile error in ssl_openssl introduced by polar external-management patch
- Simplify print_sockaddr_ex function, merge duplicate ipv4/ipv6 logic.
- Split the PROTO_UDP_xx options into AF_INET/AF_INET6 and PROTO_TCP/PROTO_UDP part.
- Fix two instances of asserting AF_INET
- Fix assertion when SIGUSR1 is received while getaddrinfo is successful
- Split link_socket_init_phase1 and link_socket_init_phase2 into smaller more managable/readable functions. No functional changes
- Change proto_remote() function to return a constant string
- Remove the ip-remote-hint option.
- change the type of 'remote' to addrinfo*, and rename to 'remote_list'.
- When resolving fails print the error message from socket layer
- Implement dual stack client support for OpenVPN
- Move ASSERT so external-key with OpenSSL works again
- Implement listing on IPv4/IPv6 dual socket on all platform
- Add warning for using connection block variables after connection blocks
- Update IPv6 related readme files
- Introduce safety check for http proxy options
- Fix warning for max-routes: do not quit when parsing an old configuration. Format the message to be more like the other deprecated options
- Fix connecting to localhost on Android
- Move the initialization of the environment to the top so c2.es is initialized
- Workaround broken Android 4.4 VpnService API for persist-tun mode
- Implement an easy parsable log output that allows access to flags of the log message
- Introduce an option to resolve dns names in advance for --remote, --local and --http-proxy
- Fix for server selecting address family
- Don't show the connection profile store in options->ce if there is a connection_list defined.
- Add gateway and device to android control messages
- Clean up of socket code.
- Fix assert when using port-share
- Work around Solaris getaddrinfo() returing ai_protocol=0
- Fix man page and OSCP script: tls_serial_{n} is decimal
- Remove ENABLE_BUFFER_LIST
- Fix server routes not working in topology subnet with --server [v3]
- Always enable http-proxy and socks-proxy
- Remove deprecated --max-routes option from manual
- Add documentation for PERSIST_TUN_ACTION (Android specific)
- Remove possibility of using --tls-auth with non OpenVPN Static key files
- Remove unused function sock_addr_set
- Document the default for tls-cipher.
- Report missing end-tags of inline files as errors
- Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
- Show extra-certs in current parameters, fix clang warning and logic error in preresolve
- Remove unused function h_errno_msg
- Add support for requesting the fd again to rebind to the next interface.
- Don't redirect the gateway on Android even if requested
- Fix loglevel of protect socket message
- Extend network-change command to allow reprotecting on the same network (for short connection losses)
- Use pseudo gw as default gw on Android as a workaround for not being able to read /proc/net/route
- Remove #ifdefs for client nat support.
- Do not install a host route for the VPN on Android
- Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
- Do not set the buffer size by default but rely on the operation system default.
- Start Changes.rst that lists changes in 2.4.0
- Remove --enable-password-save option
- Reflect enable-password-save change in documentation
- Also remove second instance of enable-password-save in the man page
- Detect config lines that are too long and give a warning/error
- Implement the compression V2 data format for stub and lz4.
- Fix assert when comp is called with unknown algorithm, always call comp init method
- Ignore stamp-h2 we generate during build process
- Implement inlining of crl files
- Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
- Remove http-proxy-timeout, socks timeout and set default of server-poll-timeout to 120s
- Add documentation for http-proxy-user-pass option
- Remove http-proxy-retry and socks-proxy-retry.
- Update android documentation to match source code
- Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
- Fix ENABLE_CRYPTO_OPENSSL set to YES even with --disable-crypto set
- Prefer RECVDSTADDR to PKTINFO for IPv4 in OS X since it actually works (unlike PKTINFO)
- Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
- Enable TCP non-linear packet ID
- Change the hold command to communicate the time that OpenVPN would wait to the UI.
- Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.
- Log serial number of revoked certificate
- fix build with automake 1.13(.1)
- Fix corner case in NTLM authentication (trac #172)
- Adjust server-ipv6 documentation
- Use SSL_MODE_RELEASE_BUFFERS if available
- options: fix option check for "plugin"
- Added support for TLS Keying Material Exporters [RFC-5705]
- Added document for TLS Keying Material Exporters [RFC-5705]
- sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in
- Fix buffer size parameter for exported keying material.
- Make git ignore some more files
- Remove the support for using system() when executing external programs or scripts
- Fix double-free issue in pf_destroy_context()
- Reset the version.m4 version for the master branch
- Avoid recursion in virtual_output_callback_func()
- The get_default_gateway() function uses warn() instead of msg()
- Improve the git revision tracking
- man page: Update man page about the tls_digest_{n} environment variable
- Remove the --disable-eurephia configure option
- plugin: Extend the plug-in v3 API to identify the SSL implementation used
- autoconf: Fix typo
- t_client.sh: Check for fping/fping6 availability
- t_client.sh: Write errors to stderr and document requirements
- t_client.sh: Add prepare/cleanup possibilties for each test case
- Fix file checks when --chroot is being used
- Adjusted autotools files to build more cleanly on newer autoconf/automake versions
- Improve error reporting on file access to --client-config-dir and --ccd-exclusive
- Don't let openvpn_popen() keep zombies around
- Don't try to use systemd-ask-password if it is not available
- Clean up the pipe closing in openvpn_popen()
- Add systemd unit file for OpenVPN
- systemd: Use systemd functions to consider systemd availability
- systemd: Reworked the systemd unit file to handle server and client configs better
- autotools: Fix wrong ./configure help screen default values
- down-root plugin: Replaced system() calls with execve()
- down-root: Improve error messages
- plugin, down-root: Fix compiler warnings
- sockets: Remove the limitation of --tcp-nodelay to be server-only
- plugins, down-root: Code style clean-up
- Provide compile time OpenVPN version information to plug-ins
- Provide OpenVPN runtime version information to plug-ins
- Avoid partial authentication state when using --disabled in CCD configs
- Only build and run cmocka unit tests if its submodule is initialized
- Another fix related to unit test framework
- Remove NOP function and callers
- Revert "Drop recursively routed packets"
- Fix client connection instant timeout
- t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
- t_client.sh: Add support for Kerberos/ksu
- t_client.sh: Improve detection if the OpenVPN process did start during tests
- Rework the user input interface to make it more modular
- Re-implement the systemd support using the new query user API
- systemd: Do not mask usernames when querying for it via systemd-ask-password
- Move memcmp_constant_time() to crypto.h
- Update .mailmap to unify and clean up odd names and e-mail addresses
- pkcs11: Load p11-kit-proxy.so module by default
- Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
- Provide more accurate warning message
- Document authfile for socks server
- Fix is_ipv6 in case of tap interface.
- Add CHACHA20-POLY1305 ciphersuite IANA name translations.
- Use OPENVPN_ETH_P_* so that is unecessary
- Add lz4 support to MSVC.
- Implement --mssfix handling for IPv6 packets.
- Fix option inconsistency warnings about "proto" and "tun-ipv6"
- Fix parameter type for IP_TOS setsockopt on non-Linux systems.
- Fix client crash on double PUSH_REPLY.
- Update README.IPv6 to match what is in 2.3.0
- Repair "tcp server queue overflow" brokenness, more fallout.
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
- Add MIN() compatibility macro
- Fix directly connected routes for "topology subnet" on Solaris.
- Print "Virtual IPv6 Address" on management interface queries [v4]
- Use constrain_int() instead of MIN()+syshead.c compat definition - v2.
- Fix NULL-pointer crash in route_list_add_vpn_gateway().
- Fix usage of 'compression ...' from global config.
- Make push-peer-info visible in "normal" per-instance environment.
- Fix problem with UDP tunneling due to mishandled pktinfo structures.
- Improve documentation and help text for --route-ipv6.
- Fix argument type warning introduced by http extra proxy header patch.
- Fix IPv6 examples in t_client.rc-sample
- Fix slow memory drain on each client renegotiation.
- t_client.sh: ignore fields from "ip -6 route show" output that distort results.
- Fix IPv6_V6ONLY logic.
- Implement LZ4 compression.
- Provide LZ4 sources in src/compat/ and use if no system lz4 library found.
- Document "lz4" argument to "compress" config option.
- Make code and documentation for --remote-random-hostname consistent.
- Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
- remove some 'unused variable' warnings
- Cleanup ir6->netbits handling.
- Document issue with --chroot, /dev/urandom and PolarSSL.
- Rename 'struct route' to 'struct route_ipv4'
- Replace copied structure elements with including
- Add "test-driver" and "compile" to .gitignore
- Fix crash when using --inetd.
- IPv6 address/route delete fix for Win8
- Add SSL library version reporting.
- Minor t_client.sh cleanups
- Repair --multihome on FreeBSD for IPv4 sockets.
- Rewrite manpage section about --multihome
- More IPv6-related updates to the openvpn man page.
- Conditionalize calls to print_default_gateway on !ENABLE_SMALL
- Merge get_default_gateway() implementation for all 4+1 BSD variants.
- Drop incoming fe80:: packets silently now.
- Recognize AIX, define TARGET_AIX
- Add tap driver initialization and ifconfig for AIX.
- implement adding/deleting routes on AIX, for IPv4 and IPv6
- Make t_client.sh work on AIX.
- Fix t_lpback.sh platform-dependent failures
- Call init script helpers with explicit path (./)
- Fix windows build on older mingw versions.
- New approach to handle peer-id related changes to link-mtu.
- Print remote IPv4 address on a dual-stack v6 socket in IPv4 format
- Fix incorrect use of get_ipv6_addr() for iroute options.
- Remove count_netmask_bits(), convert users to use netmask_to_netbits2()
- Fix leftover 'if (false) ;' statements
- Print helpful error message on --mktun/--rmtun if not available.
- explain effect of --topology subnet on --ifconfig
- Add note about file permissions and --crl-verify to manpage.
- repair --dev null breakage caused by db950be85d37
- assume res_init() is always there.
- Correct note about DNS randomization in openvpn.8
- Disallow usage of --server-poll-timeout in --secret key mode.
- slightly enhance documentation about --cipher
- Enforce "serial-tests" behaviour for tests/Makefile
- Revert "Enforce "serial-tests" behaviour for tests/Makefile"
- On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
- Use configure.ac hack to apply serial_test AM option only if supported.
- Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
- Move res_init() call to inner openvpn_getaddrinfo() loop
- Fix FreeBSD ifconfig for topology subnet tunnels.
- Produce a meaningful error message if --daemon gets in the way of asking for passwords.
- Document --daemon changes and consequences (--askpass, --auth-nocache).
- Fix build on OpenSolaris (non-gmake)
- Un-break --auth-user-pass on windows
- refactor struct route_ipv6, bring in line with struct route_ipv4 again
- refactor struct route_ipv6_list, bring in line with struct route_list again
- Add route_ipv6_gateway* data structures for rgi6 support.
- Create basic infrastructure for IPv6 default gateway handling / redirection.
- Make client delay less before sending PUSH_REQUEST
- get_default_gateway_ipv6(): Linux / Netlink implementation.
- Implement handling of overlapping IPv6 routes with IPv6 remote VPN server address
- Implement '--redirect-gateway ipv6'
- get_default_gateway_ipv6(): *BSD / MacOS / Solaris PF_ROUTE implementation
- Fix IPv6 host routes to LAN gateway on OpenSolaris
- Replace unaligned 16bit access to TCP MSS value with bytewise access
- Repair test_local_addr() on WIN32
- Add custom check for inet_pton()/inet_ntop() on MinGW/WIN32
- get_default_gateway_ipv6(): Win32 implementation using GetBestRoute2()
- Remove support for snappy compression.
- Fix info.af == AF_UNSPEC case for server with --mtu-disc
- Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
- remove unused gc_arena in FreeBSD close_tun()
- Un-break compilation on *BSD
- Fix isatty() check for good.
- Fix openserv/validate.o linking issues on mingw.
- Fix library order in -lmbedtls test.
- Implement push-remove option to selectively remove pushed options.
- Upgrade bundled compat-lz4 to upstream release r131.
- Change --enable-pedantic to use -std=c99 and not -ansi (C90).
- Fix problems with NCP and --inetd.
- Do not abort t_client run if OpenVPN instance does not start.
- Fix IP_PKTINFO related compilation failure on NetBSD 7.0
- Show compile-time variant for --multihome in --version output.
- Fix win32 building with C99 mode
- Fix t_client runs on OpenSolaris
- make t_client robust against sudoers misconfiguration
- add POSTINIT_CMD_suf to t_client.sh and sample config
- Fix --multihome for IPv6 on 64bit BSD systems.
- Enable -D_SVR4_2 for compilation on Solaris
- Revert "Enable -D_SVR4_2 for compilation on Solaris"
- Enable -D_XPG4_2 for compilation on Solaris
- Preparing for release v2.4_alpha1 (ChangeLog, version.m4)
- Preparing for release v2.4_alpha2 (ChangeLog, version.m4)
- Fix --redirect-private in --dev tap mode.
- Always load intermediate certificates from a PKCS#12 file
- Fix display of plugin hook types
- Support UTF-8 --client-config-dir
- close more file descriptors on exec
- Ignore UTF-8 byte order mark
- reintroduce --no-name-remapping option
- make --tls-remote compatible with pre 2.3 configs
- add new option for X.509 name verification
- Support non-ASCII TAP adapter names on Windows
- Support non-ASCII characters in Windows tmp path
- make sure sa_family_t is defined
- convert struct signal_info element
- grow route lists dynamically
- fix route struct name
- refine assertion to allow other modes than CBC
- Fix compilation on Windows
- fix warnings on Windows
- extend management interface command "state"
- put virtual IPv6 addresses into env
- interactive service v3
- Windows: do_ifconfig() after open_tun()
- Del ipv6 addr on close of linux tun interface
- ocsp_check - signature verification and cert staus results are separate
- ocsp_check - double check if ocsp didn't report any errors in execution
- initial travis-ci support
- skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
- enable "--disable-crypto" build configuration for travis
- Plug memory leak in mbedTLS backend
- Fix socket-flag/TCP_NODELAY on Mac OS X
- Fix --askpass not allowing for password input via stdin
- Added support for the Snappy compression algorithm
- Always push basic set of peer info values to server.
- TLS version negotiation
- Added "setenv opt" directive prefix. If present, and if the directive that follows is recognized, it will be processed as if the "setenv opt" prefix was absent. If present and if the directive that follows is not recognized, the directive will be ignored rather than cause a fatal error.
- MSVC fixes
- Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
- Use native strtoull() with MSVC 2013.
- Define PATH_SEPARATOR for MSVC builds.
- Fixed some compile issues with show_library_versions()
- Added flags parameter to format_hex_ex.
- Extended x509-track for OpenSSL to report SHA1 fingerprint.
- Fixed port-share bug with DoS potential
- Added directive to specify HTTP proxy credentials in config.
- Bind to local socket before dropping privileges
- man page patch for missing options
- make 'explicit-exit-notify' pullable again
- include ifconfig_ environment variables in --up-restart env set
- Fix "White space before end tags can break the config parser"
- Author: Jan Just Keijser
- Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
- Remove quadratic complexity from openvpn_base64_decode()
- Update contrib/pull-resolv-conf/client.up for no DOMAIN
- Make intent of utun device name validation clear
- Fix buffer overflow by user supplied data
- ignore the local config file t_client.rc in git
- Prevent integration test timeout bc. of sudo
- Add unit testing support via cmocka
- Add a test for auth-pam searchandreplace
- Fix spurious ignoring of pushed config options (trac#349).
- Allow use of NetBeans without saving nbproject/ directory.
- doc/management-notes.txt: fix typo
- Fix typo in ./configure message
- Refactor tls_ctx_use_external_private_key()
- --management-external-key for PolarSSL
- external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
- Fix mismatch of fprintf format specifier and argument type
- Fix null pointer dereference in options.c
- Fail if options have extra parameters [v2]
- Fix parameter listing in non-debug builds at verb 4
- (updated) [PATCH] Warn when using verb levels >=7 without debug
- Fix proto tcp6 for server & non-P2MP modes
- Fix Windows script execution when called from script hooks
- Correct error text when no Windows TAP device is present
- Require a 1.2.x PolarSSL version
- Push an IPv6 CIDR mask used by the server, not the pool's size
- Fix --mtu-disc option with IPv6 transport
- Fix v3 plugins to support returning values back to OpenVPN.
- tls_ctx_load_ca: Improve certificate error messages
- Add link to bug tracker
- Correctly report TCP connection timeout on windows.
- Peer-id patch v7
- Add the peer-id to the output of the status command
- Prevent memory drain for long lasting floating sessions
- Disallow lameduck's float to an address taken by another client
- Fix NULL dereferencing
- Fix mssfix default value in connection_list context
- This fixes MSVS 2013 compilation.
- Continuation of MSVS fixes
- Fast recovery when host is in unreachable network
- Fix compilation error with --disable-crypto
- Send push reply right after async auth complete
- Fix compilation with --disable-server
- Refine float logging
- Generate openvpn-plugin.h for MSVC build
- Replace variable length array with malloc
- Use adapter index instead of name for windows IPv6 interface config
- Notify clients about server's exit/restart
- Use adapter index for add/delete_route_ipv6
- Pass adapter index to up/down scripts
- Detecting and logging Windows versions
- Report Windows bitness
- Fix "implicit declaration" compiler warning
- Drop recursively routed packets
- Support for disabled peer-id
- Exclude peer-id from pulled options digest
- Use separate list for per-client push options
- Fix privilege drop if first connection attempt fails
- Enable TCP_NODELAY configuration on FreeBSD.
- Remove duplicate cipher entries from TLS translation table.
- Fix undefined signed shift overflow
- Support for username-only auth file.
- Add configure check for the path to systemd-ask-password
- Include systemd units in the source tarball (make dist)
- Fix build with libressl
- Fix configure interaction with static OpenSSL libraries
- Add topology in sample server configuration file
- Implement on-link route adding for iproute2
- Use bob.example.com and alice.example.com to improve clarity of documentation
- Updated manpage for --rport and --lport
- Ensure that client-connect files are always deleted
- Removed ChangeLog.IPv6
- Added cross-compilation information INSTALL-win32.txt
- Updated README
- Cleaned up and updated INSTALL
- Fix to --shaper documentation on the man-page
- Properly escape dashes on the man-page
- Improve documentation in --script-security section of the man-page
- Add CONTRIBUTING.rst
- Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
- Clarify the fact that build instructions in README are for release tarballs
- Mention tap-windows6 in INSTALL file
- Use an up-to-date easy-rsa URL on the man-page
- Clarify which Windows versions require which TUN/TAP driver
- Deprecate the automatic part of openvpnserv.exe in favor of openvpnserv2.exe
- Automatically cache expected IPs for t_client.sh on the first run
- Fix termination when windows suspends/sleeps
- Do not hard-code windows systemroot in env_block
- Handle ctrl-C and ctrl-break events on Windows
- Unbreak read username password from management
- Restrict options/configs for startup through interactive service
- Send stdout and stderr of OpenVPN started by interactive service to NUL
- Handle localized Administrators group name in windows
- Fix interactive service ignoring stop command if openvpn is running
- Use appropriate buffer size for WideCharToMultiByte output in interactive.c
- Refactor and move the block-outside-dns code to a new file (block_dns.[ch])
- Add support for block-outside-dns through the interactive service
- Ensure input read using systemd-ask-password is null terminated
- Support reading the challenge-response from console
- Make error non-fatal while deleting address using netsh
- Add support for register-dns through interactive service
- Fix handling of out of memory error in interactive service
- Fix the comparison of pull options hash on restart
- Set WFP engine handle to NULL in win_wfp_uninit()
- Make block-outside-dns work with persist-tun
- Add an option to filter options received from server
- Ignore SIGUSR1/SIGHUP during exit notification
- Fix management-external-cert option parsing error
- Return process id of openvpn from interactive service to client
- Exponentially back off on repeated connect retries
- Promptly close the netcmd_semaphore handle after use
- Avoid format specifier %zu for Windows compatibility
- PolarSSL-1.2 support
- Improve PolarSSL key_state_read_{cipher, plain}text messages
- Improve verify_callback messages
- Config compatibility patch. Added translate_cipher_name.
- Switch to IANA names for TLS ciphers.
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.
- Fixed tls-cipher translation bug in openssl-build
- Fixed usage of stale define USE_SSL to ENABLE_SSL
- Do not pass struct tls_session* as void* in key_state_ssl_init().
- Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
- Also update TLSv1_method() calls in support code to SSLv23_method() calls.
- Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
- If --tls-cipher is supplied, make --show-tls parse the list.
- Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.
- Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.
- Disable export ciphers by default for OpenSSL builds.
- Fix compiler warning for unused result of write()
- Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
- Fix compiler warnings in ssl_polarssl.c
- Bump minimum OpenSSL version to 0.9.8
- Add openssl-specific common cipher list names to ssl.c.
- Disable unsupported TLS cipher modes by default, cleans --show-tls output.
- configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSL
- configure.ac: use CPPFLAGS for SSL_OP_NO_TICKET check
- Upgrade to PolarSSL 1.3
- Improve error reporting during key/cert loading with PolarSSL.
- Update openvpn-plugin.h for PolarSSL 1.3.
- Add support for elliptic curve diffie-hellmann key exchange (ECDH)
- Add an elliptic curve testing cert chain to the sample keys
- Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
- Fix OCSP_check.sh to also use decimal for stdout verification.
- Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
- Fix build system to accept non-system crypto library locations for plugins.
- Remove function without effect (cipher_ok() always returned true).
- Remove unneeded wrapper functions in crypto_openssl.c
- Remove unneeded defines (were needed for pre-0.9.7 OpenSSL).
- Fix merge error in a6c573d, the ssl ctx is now abstracted.
- Use generic openvpn_x509_cert_t in ssl_verify_polarssl.c
- Fix ssl.c, ssl_verify_* includes
- Move #include "ssl_verify.h" from ssl.h to the source files that need it.
- Remove dependency on manage.h from ssl_verify.h
- Remove unused variable 'proxy' from socket_restart_pause()
- Add (default disabled) --enable-werror option to configure
- Fix --disable-ssl builds, were broken by cleanup in 63dc03d.
- configure.ac: fix SSL_OP_NO_TICKET check
- Fix bug that incorrectly refuses oid representation eku's in polar builds
- Update README.polarssl
- cleanup: remove #if 0'ed function initiate_untrusted_session() from ssl.c.
- Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
- Add proper check for crypto modes (CBC or OFB/CFB)
- Improve --show-ciphers to show if a cipher can be used in static key mode
- Extend t_lpback tests to test all ciphers reported by --show-ciphers
- Don't issue warning for 'translate to self' tls-ciphers
- Don't exit daemon if opening or parsing the CRL fails.
- Define dummy SSL_OP_NO_TICKET flag if not present in OpenSSL.
- Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
- Fix some unintialized variable warnings
- Fix clang warning in options.c
- Fix compiler warnings in ssl_polarssl.c.
- Fix regression with password protected private keys (polarssl)
- Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
- Fix assertion error when using --cipher none
- Add --tls-version-max
- Modernize sample keys and sample configs
- Drop too-short control channel packets instead of asserting out.
- Really fix '--cipher none' regression
- Update doxygen (a bit)
- Set tls-version-max to 1.1 if cryptoapicert is used
- openssl: add crypto_msg(), to easily log openssl errors
- openssl: add more descriptive message for 'no shared cipher' error
- Remove ENABLE_SSL define (and --disable-ssl configure option)
- openssl: use crypto_msg(), get rid of openssl-specific code in error.c
- Add option to disable Diffie Hellman key exchange by setting '--dh none'
- Account for peer-id in frame size calculation
- Disable SSL compression
- Use tls-auth in sample config files
- Fix frame size calculation for non-CBC modes.
- Get rid of old OpenSSL workarounds.
- polarssl: make sure to always null-terminate the cn
- Allow for CN/username of 64 characters (fixes off-by-one)
- Change float log message to include common name, if available.
- Remove unneeded parameter 'first_time' from possibly_become_daemon()
- Remove size limit for files inlined in config
- polarssl: remove code duplication in key_state_write_plaintext{, _const}()
- Improve --tls-cipher and --show-tls man page description
- polarssl: disable 1/n-1 record splitting
- cleanup: remove md5 helper functions
- Re-read auth-user-pass file on (re)connect if required
- Clarify --capath option in manpage
- Call daemon() before initializing crypto library
- write pid file immediately after daemonizing
- Increase control channel packet size for faster handshakes
- Make __func__ work with Visual Studio too
- fix regression: query password before becoming daemon
- Fix using management interface to get passwords.
- reintroduce md5_digest wrapper struct to fix gcc warnings
- Fix out-of-tree builds; openvpn-plugin.h should be in AC_CONFIG_HEADERS
- Fix overflow check in openvpn_decrypt()
- Replace strdup() calls for string_alloc() calls
- Check return value of ms_error_text()
- polarssl: add easy logging for PolarSSL errors
- polarssl: Improve PolarSSL logging
- openssl: be less verbose about cipher translation errors
- hardening: add insurance to exit on a failed ASSERT()
- Fix memory leak in auth-pam plugin
- openssl: remove usage of OPENSSL_malloc() from show_available_curves
- polarssl: fix --client-cert-not-required
- polarssl: add --verify-client-cert optional support
- Fix (potential) memory leak in init_route_list()
- Add macro to ensure we exit on fatal errors
- polarssl: also allocate PKCS#11 certificate object on demand
- polarssl: don't use deprecated functions anymore
- polarssl: require >= 1.3.8
- Fix memory leak in add_option() by simplifying get_ipv6_addr
- remove nonsense const specifier in nonfatal() return value
- openssl: properly check return value of RAND_bytes()
- Fix rand_bytes return value checking
- Fix openssl builds with custom-built library: specify most-dependent first
- Support duplicate x509 field values in environment
- Warn user if their certificate has expired
- Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2
- Make assert_failed() print the failed condition
- cleanup: get rid of httpdigest.c type warnings
- Fix regression in setups without a client certificate
- polarssl: actually use polarssl debug logging
- polarssl: optimize polar_ok() for non-errors
- Update manpage: OpenSSL might also need /dev/urandom inside chroot
- polarssl: use wrappers to access md_info_t member functions
- polarssl: remove now redundant 128-bit blowfish key override
- socks.c: fix check on get_user_pass() return value(s)
- configure.ac: simplify crypto library configuration
- configure.ac: fix polarssl autodetection
- Allow NULL argument in cipher_ctx_get_cipher_kt()
- Remove reuse of key_type during init of data channel auth and tls-auth
- Move crypto_options into key_state and stop using context in SSL-mode.
- Move key_ctx_bi into crypto_options
- Move packet_id into crypto_options
- Change openvpn_encrypt() to append to work buffer only
- Create separate function for replay check
- Add AEAD cipher support (GCM)
- Add cipher name translation for OpenSSL.
- Add preliminary server-side support for negotiable crypto parameters
- Minor AEAD patch cleanup
- Clean up get_tls_handhake_key()
- Fix OCSP_check.sh
- Make AEAD modes work with OpenSSL 1.0.1-1.0.1c
- hardening: add safe FD_SET() wrapper openvpn_fd_set()
- Only include aead encrypt/decrypt functions if AEAD modes are supported
- Fix potential null-pointer dereference
- Fix memory leak in argv_extract_cmd_name()
- Replace MSG_TEST() macro for static inline msg_test()
- fixup: change init_key_type() param name in declaration too
- Further restrict default cipher list
- PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.
- Implemented x509-track for PolarSSL.
- Migrate to mbed TLS 2.x
- Rename files with 'polarssl' in the name to 'mbedtls'
- configure.ac: link to all mbed TLS libs during library detection
- mbedtls: check that private key and certificate match on start
- mbedtls: improve error reporting in tls verify callback
- Remove trailing newline from verify callback error messages
- Don't limit max incoming message size based on c2->frame
- cleanup: remove alloc_buffers argument from multi_top_init()
- mbedtls: don't set debug threshold if compiled without MBEDTLS_DEBUG_C
- Add client-side support for cipher negotiation
- Add options to restrict cipher negotiation
- Add server-side support for cipher negotiation
- Allow ncp-disable and ncp-ciphers to be specified in ccd files
- Fix '--cipher none --cipher' crash
- Discourage using 64-bit block ciphers
- Fix unittests for out-of-source builds
- Fix --mssfix when using NCP
- Drop gnu89/c89 support, switch to c99
- cleanup: remove code duplication in msg_test()
- Add SHA256 fingerprint support
- Make sure options->ciphername and options->authname are always defined
- Update cipher-related man page text
- Fix duplicate PUSH_REPLY options
- Check --ncp-ciphers list on startup
- Fix use-after-free bug in prepare_push_reply()
- Fix "code=995" bug with windows NDIS6 tap driver.
- Add support for client-cert-not-required for PolarSSL.
- Fix "." in description of utun.
- Update expiry date in management event loop
- Add Windows DNS Leak fix using WFP ('block-outside-dns')
- Clarify mssfix documentation
- Clarify --block-outside-dns documentation
- Update --block-outside-dns to work on Windows Vista
- Mac OS X Keychain management client
- Fix SOCKSv5 method selection
- socket: remove duplicate expression
- polarssl: fix unreachable code
- cert_data: fix memory leak
- Fix typo in sample build script to use LDFLAGS
- Fix segfault when enabling pf plug-ins
New in OpenVPN 2.3.12 (Aug 24, 2016)
- Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
- Move ASSERT so external-key with OpenSSL works again
- Only build and run cmocka unit tests if its submodule is initialized
- Another fix related to unit test framework
- Remove NOP function and callers
- Revert "Drop recursively routed packets"
- Preparing release of v2.3.12
- Add CHACHA20-POLY1305 ciphersuite IANA name translations.
- Plug memory leak in mbedTLS backend
- Update contrib/pull-resolv-conf/client.up for no DOMAIN
- Add unit testing support via cmocka
- Add a test for auth-pam searchandreplace
- Push an IPv6 CIDR mask used by the server, not the pool's size
- Add link to bug tracker
- Drop recursively routed packets
- Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
- Clarify the fact that build instructions in README are for release tarballs
- Make error non-fatal while deleting address using netsh
- Make block-outside-dns work with persist-tun
- Ignore SIGUSR1/SIGHUP during exit notification
- Promptly close the netcmd_semaphore handle after use
- Fix polarssl / mbedtls builds
- Don't limit max incoming message size based on c2->frame
- Fix '--cipher none --cipher' crash
- Discourage using 64-bit block ciphers
New in OpenVPN 2.3.11 (May 10, 2016)
- Fixed port-share bug with DoS potential
- Make intent of utun device name validation clear
- Correctly report TCP connection timeout on windows.
- Fix undefined signed shift overflow
- Fix build with libressl
- Improve LZO, PAM and OpenSSL documentation
- Ensure input read using systemd-ask-password is null terminated
- Support reading the challenge-response from console
- openssl: improve logging
- polarssl: improve logging
- Update manpage: OpenSSL might also need /dev/urandom inside chroot
- socks.c: fix check on get_user_pass() return value(s)
- Fix OCSP_check.sh
- hardening: add safe FD_SET() wrapper openvpn_fd_set()
- Fix memory leak in argv_extract_cmd_name()
- Replace MSG_TEST() macro for static inline msg_test()
- Restrict default TLS cipher list
- Various Changes.rst fixes
- Clarify mssfix documentation
- Clarify --block-outside-dns documentation
New in OpenVPN 2.3.10 (Jan 4, 2016)
- Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
- Preparing for release v2.3.10 (ChangeLog, version.m4)
- Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
- Use bob.example.com and alice.example.com to improve clarity of documentation
- Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
- Upgrade OpenVPN 2.3 to PolarSSL 1.3
- Warn user if their certificate has expired
- Make assert_failed() print the failed condition
- cleanup: get rid of httpdigest.c type warnings
- Fix regression in setups without a client certificate
- polarssl: fix unreachable code
New in OpenVPN 2.3.9 (Dec 16, 2015)
- Show extra-certs in current parameters.
- Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
- Do not set the buffer size by default but rely on the operation system default.
- Remove --enable-password-save option
- Reflect enable-password-save change in documentation
- Also remove second instance of enable-password-save in the man page
- Detect config lines that are too long and give a warning/error
- Log serial number of revoked certificate
- Adjust server-ipv6 documentation
- Avoid partial authentication state when using --disabled in CCD configs
- Make "block-outside-dns" option platform agnostic
- Un-break --auth-user-pass on windows
- Replace unaligned 16bit access to TCP MSS value with bytewise access
- Repair test_local_addr() on WIN32
- Fix possible heap overflow on read accessing getaddrinfo() result.
- Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
- remove unused gc_arena in FreeBSD close_tun()
- Fix isatty() check for good.
- Preparing for release v2.3.9 (ChangeLog, version.m4)
- put virtual IPv6 addresses into env
- Use adapter index instead of name for windows IPv6 interface config
- Client-side part for server restart notification
- Use adapter index for add/delete_route_ipv6
- Pass adapter index to up/down scripts
- Fix VS2013 compilation
- Fix privilege drop if first connection attempt fails
- Support for username-only auth file.
- Add CONTRIBUTING.rst
- Updates to Changes.rst
- Fix termination when windows suspends/sleeps
- Do not hard-code windows systemroot in env_block
- Handle ctrl-C and ctrl-break events on Windows
- Unbreak read username password from management
- Replace strdup() calls for string_alloc() calls
- Check return value of ms_error_text()
- Increase control channel packet size for faster handshakes
- hardening: add insurance to exit on a failed ASSERT()
- Fix memory leak in auth-pam plugin
- Fix (potential) memory leak in init_route_list()
- Fix unintialized variable in plugin_vlog()
- Add macro to ensure we exit on fatal errors
- Fix memory leak in add_option() by simplifying get_ipv6_addr
- openssl: properly check return value of RAND_bytes()
- Fix rand_bytes return value checking
- Add Windows DNS Leak fix using WFP ('block-outside-dns')
- Fix "White space before end tags can break the config parser"
New in OpenVPN 2.3.8 (Aug 5, 2015)
- Report missing endtags of inline files as warnings
- Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
- Produce a meaningful error message if --daemon gets in the way of asking for passwords.
- Document --daemon changes and consequences (--askpass, --auth-nocache).
- Preparing for release v2.3.8 (ChangeLog, version.m4)
- Del ipv6 addr on close of linux tun interface
- Fix --askpass not allowing for password input via stdin
- write pid file immediately after daemonizing
- Make __func__ work with Visual Studio too
- fix regression: query password before becoming daemon
- Fix using management interface to get passwords.
- Fix overflow check in openvpn_decrypt()
New in OpenVPN 2.3.7 (Aug 5, 2015)
- Default gateway can't be determined on illumos/Solaris platforms
- Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
- autotools: Fix wrong ./configure help screen default values
- down-root plugin: Replaced system() calls with execve()
- down-root: Improve error messages
- plugin, down-root: Fix compiler warnings
- sockets: Remove the limitation of --tcp-nodelay to be server-only
- plugins, down-root: Code style clean-up
- pkcs11: Load p11-kit-proxy.so module by default
- Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
- Use OPENVPN_ETH_P_* so that is unecessary
- New approach to handle peer-id related changes to link-mtu (2.3 version)
- Fix incorrect use of get_ipv6_addr() for iroute options.
- Print helpful error message on --mktun/--rmtun if not available.
- explain effect of --topology subnet on --ifconfig
- Add note about file permissions and --crl-verify to manpage.
- repair --dev null breakage caused by db950be85d37
- assume res_init() is always there.
- Correct note about DNS randomization in openvpn.8
- Disallow usage of --server-poll-timeout in --secret key mode.
- slightly enhance documentation about --cipher
- Enforce "serial-tests" behaviour for tests/Makefile
- Revert "Enforce "serial-tests" behaviour for tests/Makefile"
- On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
- Use configure.ac hack to apply serial_test AM option only if supported.
- Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
- Move res_init() call to inner openvpn_getaddrinfo() loop
- Fix FreeBSD ifconfig for topology subnet tunnels.
- Preparing for release v2.3.7 (ChangeLog, version.m4)
- Fix --redirect-private in --dev tap mode.
- include ifconfig_ environment variables in --up-restart env set
- Fix null pointer dereference in options.c
- Fix mssfix default value in connection_list context
- Manual page update for Re-enabled TLS version negotiation.
- Include systemd units in the source tarball (make dist)
- Updated manpage for --rport and --lport
- Properly escape dashes on the man-page
- Improve documentation in --script-security section of the man-page
- Really fix '--cipher none' regression
- Update doxygen (a bit)
- Set tls-version-max to 1.1 if cryptoapicert is used
- Account for peer-id in frame size calculation
- Disable SSL compression
- Fix frame size calculation for non-CBC modes.
- Allow for CN/username of 64 characters (fixes off-by-one)
- Remove unneeded parameter 'first_time' from possibly_become_daemon()
- Re-enable TLS version negotiation by default
- Remove size limit for files inlined in config
- Improve --tls-cipher and --show-tls man page description
- Re-read auth-user-pass file on (re)connect if required
- Clarify --capath option in manpage
- Call daemon() before initializing crypto library
New in OpenVPN 2.3.6 (Dec 2, 2014)
- systemd: Reworked the systemd unit file to handle server and client configs better
- Add client-only support for peer-id
- Fix to --shaper documentation on the man-page
- Fix assertion error when using --cipher none
- Add --tls-version-max
- Modernize sample keys and sample configs
- Drop too-short control channel packets instead of asserting out
New in OpenVPN 2.3.5 (Oct 29, 2014)
- Fix some typos in the man page.
- Do not upcase x509-username-field for mixed-case arguments.
- Fix server routes not working in topology subnet with --server [v3]
- Improve error reporting on file access to --client-config-dir and --ccd-exclusive
- Don't let openvpn_popen() keep zombies around
- Add systemd unit file for OpenVPN
- systemd: Use systemd functions to consider systemd availability
- Drop incoming fe80:: packets silently now.
- Fix t_lpback.sh platform-dependent failures
- Call init script helpers with explicit path (./)
- Preparing for release v2.3.5 (ChangeLog, version.m4)
- refine assertion to allow other modes than CBC
- ocsp_check - signature verification and cert staus results are separate
- ocsp_check - double check if ocsp didn't report any errors in execution
- Fix socket-flag/TCP_NODELAY on Mac OS X
- Fixed several instances of declarations after statements.
- In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
- Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
- MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
- Define PATH_SEPARATOR for MSVC builds.
- Fixed some compile issues with show_library_versions()
- Remove quadratic complexity from openvpn_base64_decode()
- Add configure check for the path to systemd-ask-password
- Add topology in sample server configuration file
- Implement on-link route adding for iproute2
- Ensure that client-connect files are always deleted
- Remove function without effect (cipher_ok() always returned true).
- Remove unneeded wrapper functions in crypto_openssl.c
- Fix bug that incorrectly refuses oid representation eku's in polar builds
- Update README.polarssl
- Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
- Add proper check for crypto modes (CBC or OFB/CFB)
- Improve --show-ciphers to show if a cipher can be used in static key mode
- Extend t_lpback tests to test all ciphers reported by --show-ciphers
- Don't exit daemon if opening or parsing the CRL fails.
- Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
- Fix regression with password protected private keys (polarssl)
- ssl_polarssl.c: fix includes and make casts explicit
- Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
- Fix "code=995" bug with windows NDIS6 tap driver.
New in OpenVPN 2.3.4 (May 2, 2014)
- Fix man page and OSCP script: tls_serial_{n} is decimal
- Fix is_ipv6 in case of tap interface.
- IPv6 address/route delete fix for Win8
- Add SSL library version reporting.
- Minor t_client.sh cleanups
- Repair --multihome on FreeBSD for IPv4 sockets.
- Rewrite manpage section about --multihome
- More IPv6-related updates to the openvpn man page.
- Conditionalize calls to print_default_gateway on !ENABLE_SMALL
- Use native strtoull() with MSVC 2013.
- When tls-version-min is unspecified, revert to original versioning approach.
- Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
- Fix OCSP_check.sh to also use decimal for stdout verification.
- Fix build system to accept non-system crypto library locations for plugins.
- Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
- Fix SOCKSv5 method selection
- Fix typo in sample build script to use LDFLAGS
New in OpenVPN 2.3.3 (Apr 9, 2014)
- pkcs11: use generic evp key instead of rsa
- Add support of utun devices under Mac OS X
- Add support to ignore specific options.
- Add a note what setenv opt does for OpenVPN < 2.3.3
- Add reporting of UI version to basic push-peer-info set.
- Fix compile error in ssl_openssl introduced by polar external-management patch
- Fix assertion when SIGUSR1 is received while getaddrinfo is successful
- Add warning for using connection block variables after connection blocks
- Introduce safety check for http proxy options
- man page: Update man page about the tls_digest_{n} environment variable
- Remove the --disable-eurephia configure option
- plugin: Extend the plug-in v3 API to identify the SSL implementation used
- autoconf: Fix typo
- Fix file checks when --chroot is being used
- Document authfile for socks server
- Fix IPv6 examples in t_client.rc-sample
- Fix slow memory drain on each client renegotiation.
- t_client.sh: ignore fields from "ip -6 route show" output that distort results.
- Make code and documentation for --remote-random-hostname consistent.
- Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
- Document issue with --chroot, /dev/urandom and PolarSSL.
- Rename 'struct route' to 'struct route_ipv4'
- Replace copied structure elements with including
- Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
- Always load intermediate certificates from a PKCS#12 file
- Support non-ASCII TAP adapter names on Windows
- Support non-ASCII characters in Windows tmp path
- TLS version negotiation
- Added "setenv opt" directive prefix.
- Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
- Fix spurious ignoring of pushed config options (trac#349).
- Refactor tls_ctx_use_external_private_key()
- --management-external-key for PolarSSL
- external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
- Correct error text when no Windows TAP device is present
- Require a 1.2.x PolarSSL version
- tls_ctx_load_ca: Improve certificate error messages
- Remove duplicate cipher entries from TLS translation table.
- Fix configure interaction with static OpenSSL libraries
- Do not pass struct tls_session* as void* in key_state_ssl_init().
- Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
- Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
- Also update TLSv1_method() calls in support code to SSLv23_method() calls.
- Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
- If --tls-cipher is supplied, make --show-tls parse the list.
- Add openssl-specific common cipher list names to ssl.c.
- Add support for client-cert-not-required for PolarSSL.
- Fix "." in description of utun.
New in OpenVPN 2.3.2 (Jun 4, 2013)
- Only print script warnings when a script is used. Remove stray mention of script-security system.
- Move settings of user script into set_user_script function
- Move checking of script file access into set_user_script
- Provide more accurate warning message
- Fix NULL-pointer crash in route_list_add_vpn_gateway().
- Fix problem with UDP tunneling due to mishandled pktinfo structures.
- Preparing for v2.3.2 (ChangeLog, version.m4)
- Always push basic set of peer info values to server.
- make 'explicit-exit-notify' pullable again
- Fix proto tcp6 for server & non-P2MP modes
- Fixed tls-cipher translation bug in openssl-build
- Fixed usage of stale define USE_SSL to ENABLE_SSL
- Fix segfault when enabling pf plug-ins
New in OpenVPN 2.3.1 (Mar 30, 2013)
- Remove dead code path and putenv functionality
- Remove unused function xor
- Move static prototype definition from header into c file
- Remove unused function no_tap_ifconfig
- fix build with automake 1.13(.1)
- Fix corner case in NTLM authentication (trac #172)
- Update README.IPv6 to match what is in 2.3.0
- Repair "tcp server queue overflow" brokenness, more fallout.
- Permit pool size of /64.../112 for ifconfig-ipv6-pool
- Add MIN() compatibility macro
- Fix directly connected routes for "topology subnet" on Solaris.
- Preparing for v2.3.1 (ChangeLog, version.m4)
- close more file descriptors on exec
- Ignore UTF-8 byte order mark
- reintroduce --no-name-remapping option
- make --tls-remote compatible with pre 2.3 configs
- add new option for X.509 name verification
- man page patch for missing options
- Fix parameter listing in non-debug builds at verb 4
- (updated) [PATCH] Warn when using verb levels >=7 without debug
- Enable TCP_NODELAY configuration on FreeBSD.
- Removed ChangeLog.IPv6
- Added cross-compilation information INSTALL-win32.txt
- Updated README
- Cleaned up and updated INSTALL
- PolarSSL-1.2 support
- Improve PolarSSL key_state_read_{cipher, plain}text messages
- Improve verify_callback messages
- Config compatibility patch. Added translate_cipher_name.
- Switch to IANA names for TLS ciphers.
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.
New in OpenVPN 2.3.0 (Jan 8, 2013)
- Fix parameter type for IP_TOS setsockopt on non-Linux systems.
- Fix client crash on double PUSH_REPLY.
New in OpenVPN 2.1.1 (Dec 12, 2009)
- Fixed some breakage in openvpn.spec (which is required to build an RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth).