Changelog:
Add SHA256 support for server cert hashes.
Enable DHE ciphers for Cisco DTLS.
Increase initial oNCP configuration buffer size.
Reopen CONIN$ when stdin is redirected on Windows.
Improve support for point-to-point routing on Windows.
Check for non-resumed DTLS sessions which may indicate a MiTM attack.
Add TUNIDX environment variable on Windows.
Fix compatibility with Pulse Secure 8.2R5.
Fix IPv6 support in Solaris.
Support DTLS automatic negotiation.
Support --key-password for GnuTLS PKCS#11 PIN.
Support automatic DTLS MTU detection with OpenSSL.
Drop support for combined GnuTLS/OpenSSL build.
Update OpenSSL to allow TLSv1.2, improve compatibility options.
Remove --no-cert-check option. It was being (mis)used.
Fix OpenSSL support for PKCS#11 EC keys without public key.
Support for final OpenSSL 1.1 release.
Fix polling/retry on "tun" socket when buffers full.
Fix AnyConnect server-side MTU setting.
Fix ESP replay detection.
Allow build with LibreSSL (for fetishists only; do not use this as DTLS is broken).
Add certificate torture test suite.
Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL.
Fix integer overflow issues with ESP packet replay detection.
Add --pass-tos option as in OpenVPN.
Support rôle selection form in Juniper VPN.
Support DER-format certificates, add certificate format torture tests.
For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option.
Support Juniper "Pre Sign-in Message".
From Kai-Uwe Eckhardt in PR 51576.
OpenConnect v7.07 (PGP signature) — 2016-07-11
More fixes for OpenSSL 1.1 build.
Support Juniper "Post Sign-in Message".
Add --protocol option.
Fix ChaCha20-Poly1305 cipher suite to reflect final standard.
Add ability to disable IPv6 support via library API.
Set groups appropriately when using setuid().
Automatic DTLS MTU detection.
Support SSL client certificate authentication with Juniper servers.
Revamp SSL certificate validation for OpenSSL and stop supporting OpenSSL older than 0.9.8.
Fix handling of multiple DNS search domains with Network Connect.
Fix handling of large configuration packets for Network Connect.
Enable SNI when built with OpenSSL (1.0.1g or later).
Add --resolve and --local-hostname options to command line.
OpenConnect v7.06 (PGP signature) — 2015-03-17
Fix openconnect.pc breakage after liboath removal.
Refactor Juniper Network Connect receive loop.
Fix some memory leaks.
Add Bosnian translation.
OpenConnect v7.05 (PGP signature) — 2015-03-10
Fix alignment issue which broke LZS compression on ARM etc.
Support HTTP authentication to servers, not just proxies.
Work around Yubikey issue with non-ASCII passphrase set on pre-KitKat Android.
Add SHA256/SHA512 support for OATH.
Remove liboath dependency.
Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2.
Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711).
Fix build with OpenSSL HEAD (OpenSSL 1.1.x).
Preliminary support for Juniper SSL VPN.
