Version 2.4.4
=============
This is primarily a maintenance release, with further improved OpenSSL 1.1
integration, several minor bug fixes and other minor improvements.
Bug fixes
---------
- Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is
rejected by the remote side
- Ignore ``--keysize`` when NCP have resulted in a changed cipher.
- Configurations using ``--auth-nocache`` and the management interface to provide
user credentials (like NetworkManager on Linux) on client side with servers
implementing authentication tokens (for example, using ``--auth-gen-token``)
will now behave correctly and not query the user for an, to them, unknown
authentication token on renegotiations of the tunnel.
- Fix bug causing invalid or corrupt SOCKS port number when changing the
proxy via the management interface.
- The man page should now have proper escaping of hyphens/minus characters
and have seen some minor corrections.
User-visible Changes
--------------------
- Linux servers with systemd which uses the ``openvpn-server@.service`` unit
file for server configurations will now utilize the automatic restart feature
in systemd. If the OpenVPN server process dies unexpectedly, systemd will
ensure the OpenVPN configuration will be restarted without any user interaction.
Deprecated features
-------------------
- ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5.
- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
Security
--------
- CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``.
Before this fix, it could allow an attacker to send a malformed packet to
trigger a stack overflow. This is considered to be a low risk issue, as
``--key-method 2`` has been the default since OpenVPN 2.0 (released on
2005-04-17). This option is already deprecated in v2.4 and will be
completely removed in v2.5.
Ignore auth-nocache for auth-user-pass if auth-token is pushed
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Make openvpn-plugin.h self-contained again.
Pass correct buffer size to GetModuleFileNameW()
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Fix gateway detection with OpenBSD routing domains
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.
Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
* fix redirect-gateway behaviour when an IPv4 default route does not exist
* Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
* Check for errors in the return value of GetModuleFileNameW()
* Fix gateway detection with OpenBSD routing domains
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044
relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
2017.05.11 -- Version 2.3.15
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further improve --reneg-bytes and SWEET32 information
git: Merge .gitignore files into a single file
Make --cipher/--auth none more explicit on the risks
Gert Doering (1):
Document --proto udp6, tcp6, etc.
Julien Muchembled (1):
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
Steffan Karger (6):
Add missing includes in error.h
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Document that OpenVPN 2.3 does not check the CRL signature
Introduce and use secure_memzero() to erase secrets
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Don't assert out on receiving too-large control packets (CVE-2017-7478)
2016.12.06 -- Version 2.3.14
Christian Hesse (1):
update year in copyright message
David Sommerseth (1):
Document the --auth-token option
Gert Doering (2):
Repair topology subnet on FreeBSD 11
Repair topology subnet on OpenBSD
Lev Stipakov (1):
Drop recursively routed packets
Selva Nair (4):
Support --block-outside-dns on multiple tunnels
When parsing '--setenv opt xx ..' make sure a third parameter is present
Map restart signals from event loop to SIGTERM during exit-notification wait
Correctly state the default dhcp server address in man page
Steffan Karger (1):
Clean up format_hex_ex()
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
Only build and run cmocka unit tests if its submodule is initialized
Another fix related to unit test framework
Remove NOP function and callers
Dorian Harmans (1):
Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
Add unit testing support via cmocka
Add a test for auth-pam searchandreplace
Josh Cepek (1):
Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
Add link to bug tracker
Samuli Seppänen (2):
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
Make error non-fatal while deleting address using netsh
Make block-outside-dns work with persist-tun
Ignore SIGUSR1/SIGHUP during exit notification
Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
Fix polarssl / mbedtls builds
Don't limit max incoming message size based on c2->frame
Fix '--cipher none --cipher' crash
Discourage using 64-bit block ciphers
2016.05.09 -- Version 2.3.11
Fixed port-share bug with DoS potential
Make intent of utun device name validation clear
Fix buffer overflow by user supplied data
Correctly report TCP connection timeout on windows.
Report Windows bitness
Fix undefined signed shift overflow
Fix build with libressl
Improve LZO, PAM and OpenSSL documentation
Ensure input read using systemd-ask-password is null terminated
Support reading the challenge-response from console
openssl: improve logging
polarssl: improve logging
Update manpage: OpenSSL might also need /dev/urandom inside chroot
socks.c: fix check on get_user_pass() return value(s)
Fix OCSP_check.sh
hardening: add safe FD_SET() wrapper openvpn_fd_set()
Fix memory leak in argv_extract_cmd_name()
Replace MSG_TEST() macro for static inline msg_test()
Restrict default TLS cipher list
Various Changes.rst fixes
Clarify mssfix documentation
Clarify --block-outside-dns documentation
Update --block-outside-dns to work on Windows Vista
2016.01.04 -- Version 2.3.10
Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
Repair IPv6 netsh calls if Win XP is detected
Use bob.example.com and alice.example.com to improve clarity of documentation
Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
Upgrade OpenVPN 2.3 to PolarSSL 1.3
Warn user if their certificate has expired
Make assert_failed() print the failed condition
cleanup: get rid of httpdigest.c type warnings
Fix regression in setups without a client certificate
polarssl: fix unreachable code
2015.12.15 -- Version 2.3.9
Show extra-certs in current parameters.
Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
Do not set the buffer size by default but rely on the operation system default.
Remove --enable-password-save option
Reflect enable-password-save change in documentation
Also remove second instance of enable-password-save in the man page
Detect config lines that are too long and give a warning/error
Log serial number of revoked certificate
Adjust server-ipv6 documentation
Avoid partial authentication state when using --disabled in CCD configs
Make "block-outside-dns" option platform agnostic
Un-break --auth-user-pass on windows
Replace unaligned 16bit access to TCP MSS value with bytewise access
Repair test_local_addr() on WIN32
Fix possible heap overflow on read accessing getaddrinfo() result.
Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
remove unused gc_arena in FreeBSD close_tun()
Fix isatty() check for good.
put virtual IPv6 addresses into env
Use adapter index instead of name for windows IPv6 interface config
Client-side part for server restart notification
Use adapter index for add/delete_route_ipv6
Pass adapter index to up/down scripts
Fix VS2013 compilation
Fix privilege drop if first connection attempt fails
Support for username-only auth file.
Add CONTRIBUTING.rst
Updates to Changes.rst
Fix termination when windows suspends/sleeps
Do not hard-code windows systemroot in env_block
Handle ctrl-C and ctrl-break events on Windows
Unbreak read username password from management
Replace strdup() calls for string_alloc() calls
Check return value of ms_error_text()
Increase control channel packet size for faster handshakes
hardening: add insurance to exit on a failed ASSERT()
Fix memory leak in auth-pam plugin
Fix (potential) memory leak in init_route_list()
Fix unintialized variable in plugin_vlog()
Add macro to ensure we exit on fatal errors
Fix memory leak in add_option() by simplifying get_ipv6_addr
openssl: properly check return value of RAND_bytes()
Fix rand_bytes return value checking
Add Windows DNS Leak fix using WFP ('block-outside-dns')
Fix "White space before end tags can break the config parser"
2015.08.03 -- Version 2.3.8
Report missing endtags of inline files as warnings
Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
Produce a meaningful error message if --daemon gets in the way of asking for passwords.
Document --daemon changes and consequences (--askpass, --auth-nocache).
Del ipv6 addr on close of linux tun interface
Fix --askpass not allowing for password input via stdin
write pid file immediately after daemonizing
Make __func__ work with Visual Studio too
fix regression: query password before becoming daemon
Fix using management interface to get passwords.
Fix overflow check in openvpn_decrypt()
2015.06.02 -- Version 2.3.7
Default gateway can't be determined on illumos/Solaris platforms
Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
autotools: Fix wrong ./configure help screen default values
down-root plugin: Replaced system() calls with execve()
down-root: Improve error messages
plugin, down-root: Fix compiler warnings
sockets: Remove the limitation of --tcp-nodelay to be server-only
plugins, down-root: Code style clean-up
pkcs11: Load p11-kit-proxy.so module by default
Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary
New approach to handle peer-id related changes to link-mtu (2.3 version)
Fix incorrect use of get_ipv6_addr() for iroute options.
Print helpful error message on --mktun/--rmtun if not available.
explain effect of --topology subnet on --ifconfig
Add note about file permissions and --crl-verify to manpage.
repair --dev null breakage caused by db950be85d37
assume res_init() is always there.
Correct note about DNS randomization in openvpn.8
Disallow usage of --server-poll-timeout in --secret key mode.
slightly enhance documentation about --cipher
Enforce "serial-tests" behaviour for tests/Makefile
Revert "Enforce "serial-tests" behaviour for tests/Makefile"
On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
Use configure.ac hack to apply serial_test AM option only if supported.
Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
Move res_init() call to inner openvpn_getaddrinfo() loop
Fix FreeBSD ifconfig for topology subnet tunnels.
Fix --redirect-private in --dev tap mode.
include ifconfig_ environment variables in --up-restart env set
Fix null pointer dereference in options.c
Fix mssfix default value in connection_list context
Manual page update for Re-enabled TLS version negotiation.
Include systemd units in the source tarball (make dist)
Updated manpage for --rport and --lport
Properly escape dashes on the man-page
Improve documentation in --script-security section of the man-page
Really fix '--cipher none' regression
Update doxygen (a bit)
Set tls-version-max to 1.1 if cryptoapicert is used
Account for peer-id in frame size calculation
Disable SSL compression
Fix frame size calculation for non-CBC modes.
Allow for CN/username of 64 characters (fixes off-by-one)
Remove unneeded parameter 'first_time' from possibly_become_daemon()
Re-enable TLS version negotiation by default
Remove size limit for files inlined in config
Improve --tls-cipher and --show-tls man page description
Re-read auth-user-pass file on (re)connect if required
Clarify --capath option in manpage
Call daemon() before initializing crypto library
2014.11.28 -- Version 2.3.6
David Sommerseth (1):
systemd: Reworked the systemd unit file to handle server and client configs better
Gert Doering (1):
Add client-only support for peer-id.
Samuli Seppänen (1):
Fix to --shaper documentation on the man-page
Steffan Karger (4):
Fix assertion error when using --cipher none
Add --tls-version-max
Modernize sample keys and sample configs
Drop too-short control channel packets instead of asserting out.
2014.10.24 -- Version 2.3.5
Andris Kalnozols (2):
Fix some typos in the man page.
Do not upcase x509-username-field for mixed-case arguments.
Arne Schwabe (1):
Fix server routes not working in topology subnet with --server [v3]
David Sommerseth (4):
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
Don't let openvpn_popen() keep zombies around
Add systemd unit file for OpenVPN
systemd: Use systemd functions to consider systemd availability
Gert Doering (3):
Drop incoming fe80:: packets silently now.
Fix t_lpback.sh platform-dependent failures
Call init script helpers with explicit path (./)
Heiko Hund (1):
refine assertion to allow other modes than CBC
Hubert Kario (2):
ocsp_check - signature verification and cert staus results are separate
ocsp_check - double check if ocsp didn't report any errors in execution
James Bekkema (1):
Fix socket-flag/TCP_NODELAY on Mac OS X
James Yonan (6):
Fixed several instances of declarations after statements.
In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
Define PATH_SEPARATOR for MSVC builds.
Fixed some compile issues with show_library_versions()
Jann Horn (1):
Remove quadratic complexity from openvpn_base64_decode()
Mike Gilbert (1):
Add configure check for the path to systemd-ask-password
Philipp Hagemeister (2):
Add topology in sample server configuration file
Implement on-link route adding for iproute2
Samuel Thibault (1):
Ensure that client-connect files are always deleted
Steffan Karger (13):
Remove function without effect (cipher_ok() always returned true).
Remove unneeded wrapper functions in crypto_openssl.c
Fix bug that incorrectly refuses oid representation eku's in polar builds
Update README.polarssl
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Add proper check for crypto modes (CBC or OFB/CFB)
Improve --show-ciphers to show if a cipher can be used in static key mode
Extend t_lpback tests to test all ciphers reported by --show-ciphers
Don't exit daemon if opening or parsing the CRL fails.
Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
Fix regression with password protected private keys (polarssl)
ssl_polarssl.c: fix includes and make casts explicit
Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
TDivine (1):
Fix "code=995" bug with windows NDIS6 tap driver.
The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.
Only print script warnings when a script is used. Remove stray mention of script-security system.
Move settings of user script into set_user_script function
Move checking of script file access into set_user_script
Provide more accurate warning message
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Fix problem with UDP tunneling due to mishandled pktinfo structures.
Always push basic set of peer info values to server.
make 'explicit-exit-notify' pullable again
Fix proto tcp6 for server & non-P2MP modes
Fix Windows script execution when called from script hooks
Fixed tls-cipher translation bug in openssl-build
Fixed usage of stale define USE_SSL to ENABLE_SSL
Fix segfault when enabling pf plug-ins
Bump openvpn-acct-wtmpx to add its licence and to take into account the
new location of plugin directory
Significant changes since 2.2.x:
* Full IPv6 support
* SSL layer modularised, enabling easier implementation for other SSL
libraries
* PolarSSL support as a drop-in replacement for OpenSSL
* New plug-in API providing direct certificate access, improved logging API
and easier to extend in the future
* Added 'dev_type' environment variable to scripts and plug-ins - which
is set to 'TUN' or 'TAP'
* New feature: --management-external-key - to provide access to the
encryption keys via the management interface
* New feature: --x509-track option, more fine grained access to X.509
fields in scripts and plug-ins
* New feature: --client-nat support
* New feature: --mark which can mark encrypted packets from the tunnel,
suitable for more advanced routing and firewalling
* New feature: --management-query-proxy - manage proxy settings via the
management interface (supercedes --http-proxy-fallback)
* New feature: --stale-routes-check, which cleans up the internal
routing table
* New feature: --x509-username-field, where other X.509v3 fields can be
used for the authentication instead of Common Name
* Improved client-kill management interface command
* Improved UTF-8 support - and added --compat-names to provide backwards
compatibility with older scripts/plug-ins
* Improved auth-pam with COMMONNAME support, passing the certificate's
common name in the PAM conversation
* More options can now be used inside <connection> blocks
* Completely new build system, enabling easier cross-compilation and
Windows builds
* Much of the code has been better documented
* Many documentation updates
* Plenty of bug fixes and other code clean-ups
* Only warn about non-tackled IPv6 packets once
* add missing break between "case IPv4" and "case IPv6"
* bump tap driver version from 9.8 to 9.9
* log error message and exit for "win32, tun mode, tap driver version 9.8"
* Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch
- openvpn_chrootdir variable was introduced for running openvpn in chroot
- openvpn_flags variable was introduced for extra flag passed to openvpn
++pkgrevision
* Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
* Fix compiling issues with pkcs11 when --disable-management is configured
* Remove support for Linux 2.2 configuration fallback
* Fix compile issues when using --enable-small and
--disable-ssl/--disable-crypto
* Fix 2.2.0 build failure when management interface disabled
* Added info about --show-proxy-settings
* Documented --x509-username-field option
* Updated "easy-rsa" for OpenSSL 1.0.0
* Fixes to easy-rsa/2.0
* Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
* Fix a build-ca issue on Windows
* Fix issues with some older GCC compilers
* Several man-page updates
* Several buildsystem fixes
* Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
* Change the default --tmp-dir path to a more suitable path
* Improve the mysprintf() issue in openvpnserv.c
* Fixed bug in port-share that could cause port share process to crash
* Fix the --client-cert-not-required feature
* Fix problem with special case route targets ('remote_host')
The init_route() function will leave &netlist untouched for
get_special_addr() routes ("remote_host" being one of them).
netlist is on stack, contains random garbage, and
netlist.len will not be 0 - thus, random stack data is copied from
netlist.data[] until the route_list is full.
* Fixed potential local privilege escalation vulnerability in
Windows service.
* Added Python-based based alternative build system for Windows using
Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered
to the client when a bad password is given for mid-session reauth,
causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface
notification to include a client reason string:
>PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
1. Added env-filter MI command to perform filtering on env vars
passed through as a part of --management-client-auth
2. man_write will now try to aggregate output into larger blocks
(up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds
where non-null-terminated unicode strings were being
printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
Changes:
2009.12.11 -- Version 2.1.1
* Fixed some breakage in openvpn.spec (which is required to build an
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).
2009.12.11 -- Version 2.1.0
* Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
(1) Fail gracefully rather than segfault if calloc returns NULL.
(2) The openvpn_plugin_abort_v1 function can potentially be called
with handle == NULL. Add code to detect this case, and if so, avoid
dereferencing pointers derived from handle (Thanks to David
Sommerseth for finding this bug).
* Documented "multihome" option in the man page.
2009.11.20 -- Version 2.1_rc22
* Fixed a client-side bug on Windows that occurred when the
"dhcp-pre-release" or "dhcp-renew" options were combined with
"route-gateway dhcp". The release/renew would not occur
because the Windows DHCP renew function is blocking and
therefore must be called from another process or thread
so as not to stall the tunnel.
* Added a hard failure when peer provides a certificate chain
with depth > 16. Previously, a warning was issued.
* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
CVE-2009-3555. Note that OpenVPN has never relied on the session
renegotiation capabilities that are built into the SSL/TLS protocol,
therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
completely) will not adversely affect OpenVPN mid-session SSL/TLS
renegotation or any other OpenVPN capabilities.
* Added additional session renegotiation hardening. OpenVPN has always
required that mid-session renegotiations build up a new SSL/TLS
session from scratch. While the client certificate common name is
already locked against changes in mid-session TLS renegotiations, we
now extend this locking to the auth-user-pass username as well as all
certificate content in the full client certificate chain.
a tun device and subnet topology, OpenVPN insisted on setting a broadcast
address on the tun device, causing a fatal error. This patch fixes that,
and has been submitted upstream
2009.10.01 -- Version 2.1_rc20
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
* Fixed build problem when ./configure --disable-server is used.
* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
* Added --remote-random-hostname option.
* Added "load-stats" management interface command to get global server
load statistics.
* Added new ./configure flags:
--disable-def-auth Disable deferred authentication
--disable-pf Disable internal packet filter
* Added "setcon" directive for interoperability with SELinux (Sebastien
Raveau).
* Optimized PUSH_REQUEST handshake sequence to shave several seconds
off of a typical client connection initiation.
* The maximum number of "route" directives (specified in the config
file or pulled from a server) can now be configured via the new
"max-routes" directive.
* Eliminated the limitation on the number of options that can be pushed
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
* Added --server-poll-timeout option : when polling possible remote
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
* Added the ability for the server to provide a custom reason string
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side managment interface and read
by the client-side management interface.
* client-kill management interface command, when issued on server, will
now send a RESTART message to client.
This feature is intended to make UDP clients respond the same as TCP
clients in the case where the server issues a RESTART message in
order to force the client to reconnect and pull a new options/route
list.
2009.07.16 -- Version 2.1_rc19
* In Windows TAP driver, refactor DHCP/ARP packet injection code to
use a DPC (deferred procedure call) to defer packet injection until
IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
in the context of AdapterTransmit. This is an attempt to reduce kernel
stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
observed on Vista. Updated TAP driver version number to 9.6.
* In configure.ac, use datadir instead of datarootdir for compatibility
with <autoconf-2.60.
2009.06.07 -- Version 2.1_rc18
* Fixed compile error on ./configure --enable-small
* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
does not build on Windows on non-MINGW32.
2009.05.30 -- Version 2.1_rc17
* Reduce the debug level (--verb) at which received management interface
commands are echoed from 7 to 3. Passwords will be filtered.
* Fixed race condition in management interface recv code on
Windows, where sending a set of several commands to the
management interface in quick succession might cause the
latter commands in the set to be ignored.
* Increased management interface input command buffer size
from 256 to 1024 bytes.
* Minor tweaks to Windows build system.
* Added "redirect-private" option which allows private subnets
to be pushed to the client in such a way that they don't accidently
obscure critical local addresses such as the DHCP server address and
DNS server addresses.
* Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
client will examine the routing table and determine whether (a) the
OpenVPN server is reachable via a locally connected interface, or (b)
traffic to the server must be forwarded through the default router.
Only add a special bypass route for the OpenVPN server if (b) is true.
If (a) is true, behave as if the 'local' flag is specified, and do not
add a bypass route.
The new 'autolocal' flag depends on the non-portable test_local_addr()
function in route.c, which is currently only implemented for Windows.
The 'autolocal' flag will act as a no-op on platforms that have not
yet defined a test_local_addr() function.
* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
more option content to be pushed from server to client).
* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
levels <=3) a common and usually innocuous warning.
* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
functionality (Alon Bar-Lev).
* Fixed bug where the remote_X environmental variables were not being
set correctly when the 'local' option is specifed.
2009.05.17 -- Version 2.1_rc16
* Windows installer changes:
1. ifdefed out the check Windows version code which is causing
problems on Windows 7
2. don't define SF_SELECTED if it is already defined
3. Use LZMA instead of BZIP2 compression for better compression
4. Upgraded OpenSSL to 0.9.8k
* Added the ability to read the configuration file
from stdin, when "stdin" is given as the config
file name.
* Allow "management-client" directive to be used
with unix domain sockets.
* Added errors-to-stderr option. When enabled, fatal errors
that result in the termination of the daemon will be written
to stderr.
* Added optional "nogw" (no gateway) flag to --server-bridge
to inhibit the pushing of the route-gateway parameter to
clients.
* Added new management interface command "pid" to show the
process ID of the current OpenVPN process (Angelo Laub).
* Fixed issue where SIGUSR1 restarts would fail if private
key was specified as an inline file.
* Added daemon_start_time and daemon_pid environmental variables.
* In management interface, added new ">CLIENT:ESTABLISHED" notification.
* Build fixes:
1. Fixed some issues with C++ style comments that leaked into the code.
2. Updated configure.ac to work on MinGW64.
3. Updated common.h types for _WIN64.
4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
compilers.
5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
OpenVPNCryptAcquireCertificatePrivateKey to work around
a symbol conflict in MinGW-5.1.4.
2008.11.19 -- Version 2.1_rc15
* Fixed issue introduced in 2.1_rc14 that may cause a
segfault when a --plugin module is used.
* Added server-side --opt-verify option: clients that connect
with options that are incompatible with those of the server
will be disconnected (without this option, incompatible
clients would trigger a warning message in the server log
but would not be disconnected).
* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
flag on the server as well as pushes it to connecting clients.
* Minor options check fix: --no-name-remapping is a
server-only option and should therefore generate an
error when used on the client.
* Added --prng option to control PRNG (pseudo-random
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
* Cleaned up man page synopsis.
2008.11.16 -- Version 2.1_rc14
* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
with the goal of fixing a build issue on Fedora 9 that was
introduced in 2.1_rc13.
* Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:
script-security 3 system
* Added additional warning messages about --script-security 2
or higher being required to execute user-defined scripts or
executables.
* Windows build system changes:
Modified Windows domake-win build system to write all openvpn.nsi
input files to gen, so that gen can be disconnected from
the rest of the source tree and makensis openvpn.nsi will
still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
(commented out by default).
Added optional files SAMPCONF_CONF2 (second sample configuration
file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
build system, and may be defined in settings.in.
* Extended Management Interface "bytecount" command
to work when OpenVPN is running as a server.
Documented Management Interface "bytecount" command in
management/management-notes.txt.
* Fixed informational message in ssl.c to properly indicate
deferred authentication.
* Added server-side --auth-user-pass-optional directive, to allow
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
Calling scripts can set the KEY_NAME environmental variable to set
the "name" X509 subject field in generated certificates.
Modified pkitool to allow flexibility in separating the Common Name
convention from the cert/key filename convention.
For example:
KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
will create a client certificate/key pair of james.crt/james.key
having a Common Name of "James's Laptop" and a Name of "james".
* Added --no-name-remapping option to allow Common Name, X509 Subject,
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return (this is important for compatibility with external
authentication systems).
As a related change, added --status-version 3 format (and "status 3"
in the management interface) which uses the version 2 format except
that tabs are used as delimiters instead of commas so that there
is no ambiguity when parsing a Common Name that contains a comma.
Also, save X509 Subject fields to environment, using the naming
convention:
X509_{cert_depth}_{name}={value}
This is to avoid ambiguities when parsing out the X509 subject string
since "/" characters could potentially be used in the common name.
* Fixed some ifconfig-pool issues that precluded it from being combined
with --server directive.
Now, for example, we can configure thusly:
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
to have ifconfig-pool manage only a subset
of the VPN subnet.
* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
config file syntax checking to allow directives for future OpenVPN
versions to be ignored.
