Bump openvpn-acct-wtmpx to add its licence and to take into account the
new location of plugin directory
Significant changes since 2.2.x:
* Full IPv6 support
* SSL layer modularised, enabling easier implementation for other SSL
libraries
* PolarSSL support as a drop-in replacement for OpenSSL
* New plug-in API providing direct certificate access, improved logging API
and easier to extend in the future
* Added 'dev_type' environment variable to scripts and plug-ins - which
is set to 'TUN' or 'TAP'
* New feature: --management-external-key - to provide access to the
encryption keys via the management interface
* New feature: --x509-track option, more fine grained access to X.509
fields in scripts and plug-ins
* New feature: --client-nat support
* New feature: --mark which can mark encrypted packets from the tunnel,
suitable for more advanced routing and firewalling
* New feature: --management-query-proxy - manage proxy settings via the
management interface (supercedes --http-proxy-fallback)
* New feature: --stale-routes-check, which cleans up the internal
routing table
* New feature: --x509-username-field, where other X.509v3 fields can be
used for the authentication instead of Common Name
* Improved client-kill management interface command
* Improved UTF-8 support - and added --compat-names to provide backwards
compatibility with older scripts/plug-ins
* Improved auth-pam with COMMONNAME support, passing the certificate's
common name in the PAM conversation
* More options can now be used inside <connection> blocks
* Completely new build system, enabling easier cross-compilation and
Windows builds
* Much of the code has been better documented
* Many documentation updates
* Plenty of bug fixes and other code clean-ups
* Several man-page updates
* Several buildsystem fixes
* Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
* Change the default --tmp-dir path to a more suitable path
* Improve the mysprintf() issue in openvpnserv.c
* Fixed bug in port-share that could cause port share process to crash
* Fix the --client-cert-not-required feature
* Fixed potential local privilege escalation vulnerability in
Windows service.
* Added Python-based based alternative build system for Windows using
Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered
to the client when a bad password is given for mid-session reauth,
causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface
notification to include a client reason string:
>PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
1. Added env-filter MI command to perform filtering on env vars
passed through as a part of --management-client-auth
2. man_write will now try to aggregate output into larger blocks
(up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds
where non-null-terminated unicode strings were being
printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
