Version history for OpenVPN (64-bit)

Changes for v2.3.12 - v2.3.13

  • Arne Schwabe (2):
      • Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      • Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
  • David Sommerseth (5):
      • t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      • t_client.sh: Add support for Kerberos/ksu
      • t_client.sh: Improve detection if the OpenVPN process did start during tests
      • t_client.sh: Add prepare/cleanup possibilities for each test case
      • Preparing release of v2.3.13
  • Gert Doering (5):
      • Do not abort t_client run if OpenVPN instance does not start.
      • Fix t_client runs on OpenSolaris
      • make t_client robust against sudoers misconfiguration
      • add POSTINIT_CMD_suf to t_client.sh and sample config
      • Fix --multihome for IPv6 on 64bit BSD systems.
  • Ilya Shipitsin (1):
      • skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
  • Lev Stipakov (2):
      • Exclude peer-id from pulled options digest
      • Fix compilation in pedantic mode
  • Samuli Seppänen (1):
      • Automatically cache expected IPs for t_client.sh on the first run
  • Steffan Karger (6):
      • Fix unittests for out-of-source builds
      • Make gnu89 support explicit
      • cleanup: remove code duplication in msg_test()
      • Update cipher-related man page text
      • Limit --reneg-bytes to 64MB when using small block ciphers
      • Add a revoked cert to the sample keys



Changes for v2.3.10 - v2.3.12

  • This release includes many small improvements and fixes. This is the first release that actively discourages the use of 64-bit block ciphers for security reasons.



Changes for v2.3.9 - v2.3.10

  • Gert Doering (2):
      • Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
      • Preparing for release v2.3.10 (ChangeLog, version.m4)
  • Jan Just Keijser (1):
      • Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
  • Lev Stipakov (1):
      • Repair IPv6 netsh calls if Win XP is detected
  • Phillip Smith (1):
      • Use bob.example.com and alice.example.com to improve clarity of documentation
  • Steffan Karger (6):
      • Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
      • Upgrade OpenVPN 2.3 to PolarSSL 1.3
      • Warn user if their certificate has expired
      • Make assert_failed() print the failed condition
      • cleanup: get rid of httpdigest.c type warnings
      • Fix regression in setups without a client certificate
  • Yegor Yefremov (1):
      • polarssl: fix unreachable code



Changes for v2.3.7 - v2.3.8

  • Arne Schwabe (2):
      • Report missing endtags of inline files as warnings
      • Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
  • Gert Doering (3):
      • Produce a meaningful error message if --daemon gets in the way of asking for passwords.
      • Document --daemon changes and consequences (--askpass, --auth-nocache).
      • Preparing for release v2.3.8 (ChangeLog, version.m4)
  • Holger Kummert (1):
      • Del ipv6 addr on close of linux tun interface
  • James Geboski (1):
      • Fix --askpass not allowing for password input via stdin
  • Steffan Karger (5):
      • write pid file immediately after daemonizing
      • Make __func__ work with Visual Studio too
      • fix regression: query password before becoming daemon
      • Fix using management interface to get passwords.
      • Fix overflow check in openvpn_decrypt()



Changes for v2.3.5 - v2.3.6

  • systemd: Reworked the systemd unit file to handle server and client configs better
  • Add client-only support for peer-id.
  • Preparing for release v2.3.6 (ChangeLog, version.m4)
  • Fix to --shaper documentation on the man-page
  • Fix assertion error when using --cipher none
  • Add --tls-version-max
  • Modernize sample keys and sample configs
  • Drop too-short control channel packets instead of asserting out.



Changes for v2.3.4 - v2.3.5

  • Fix some typos in the man page.
  • Do not upcase x509-username-field for mixed-case arguments.
  • Fix server routes not working in topology subnet with --server [v3]
  • Improve error reporting on file access to --client-config-dir and --ccd-exclusive
  • Don't let openvpn_popen() keep zombies around
  • Add systemd unit file for OpenVPN
  • systemd: Use systemd functions to consider systemd availability
  • Drop incoming fe80:: packets silently now.
  • Fix t_lpback.sh platform-dependent failures
  • Call init script helpers with explicit path (./)
  • Preparing for release v2.3.5 (ChangeLog, version.m4)
  • refine assertion to allow other modes than CBC
  • ocsp_check - signature verification and cert status results are separate
  • ocsp_check - double check if ocsp didn't report any errors in execution
  • Fix socket-flag/TCP_NODELAY on Mac OS X
  • Fixed several instances of declarations after statements.
  • In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror.
  • Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
  • MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
  • Define PATH_SEPARATOR for MSVC builds.
  • Fixed some compile issues with show_library_versions()
  • Remove quadratic complexity from openvpn_base64_decode()
  • Add configure check for the path to systemd-ask-password
  • Add topology in sample server configuration file
  • Implement on-link route adding for iproute2
  • Ensure that client-connect files are always deleted
  • Remove function without effect (cipher_ok() always returned true).
  • Remove unneeded wrapper functions in crypto_openssl.c
  • Fix bug that incorrectly refuses oid representation eku's in polar builds
  • Update README.polarssl
  • Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
  • Improve --show-ciphers to show if a cipher can be used in static key mode
  • Extend t_lpback tests to test all ciphers reported by --show-ciphers
  • Don't exit daemon if opening or parsing the CRL fails.
  • Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
  • Fix regression with password protected private keys (polarssl)
  • ssl_polarssl.c: fix includes and make casts explicit
  • Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
  • Fix "code=995" bug with windows NDIS6 tap driver.



Changes for v2.3.3 - v2.3.4

  • Fix man page and OCSP script: tls_serial_{n} is decimal
  • Fix is_ipv6 in case of tap interface.
  • IPv6 address/route delete fix for Win8
  • Add SSL library version reporting.
  • Minor t_client.sh cleanups
  • Repair --multihome on FreeBSD for IPv4 sockets.
  • Rewrite manpage section about --multihome
  • More IPv6-related updates to the openvpn man page.
  • Conditionalize calls to print_default_gateway on !ENABLE_SMALL
  • Preparing for release v2.3.4 (ChangeLog, version.m4)
  • Use native strtoull() with MSVC 2013.
  • When tls-version-min is unspecified, revert to original versioning approach.
  • Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
  • Fix OCSP_check.sh to also use decimal for stdout verification.
  • Fix build system to accept non-system crypto library locations for plugins.
  • Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
  • Fix SOCKSv5 method selection
  • Fix typo in sample build script to use LDFLAGS



Changes for v2.3.2-I003 - v2.3.3

  • Alon Bar-Lev (1):
      • pkcs11: use generic evp key instead of rsa
  • Arne Schwabe (8):
      • Add support of utun devices under Mac OS X
      • Add support to ignore specific options.
      • Add a note what setenv opt does for OpenVPN < 2.3.3
      • Add reporting of UI version to basic push-peer-info set.
      • Fix compile error in ssl_openssl introduced by polar external-management patch
      • Fix assertion when SIGUSR1 is received while getaddrinfo is successful
      • Add warning for using connection block variables after connection blocks
      • Introduce safety check for http proxy options
  • David Sommerseth (5):
      • man page: Update man page about the tls_digest_{n} environment variable
      • Remove the --disable-eurephia configure option
      • plugin: Extend the plug-in v3 API to identify the SSL implementation used
      • autoconf: Fix typo
      • Fix file checks when --chroot is being used
  • Davide Brini (1):
      • Document authfile for socks server
  • Gert Doering (9):
      • Fix IPv6 examples in t_client.rc-sample
      • Fix slow memory drain on each client renegotiation.
      • t_client.sh: ignore fields from "ip -6 route show" output that distort results.
      • Make code and documentation for --remote-random-hostname consistent.
      • Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
      • Document issue with --chroot, /dev/urandom and PolarSSL.
      • Rename 'struct route' to 'struct route_ipv4'
      • Replace copied structure elements with including
      • Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
  • Heikki Hannikainen (1):
      • Always load intermediate certificates from a PKCS#12 file
  • Heiko Hund (2):
      • Support non-ASCII TAP adapter names on Windows
      • Support non-ASCII characters in Windows tmp path
  • James Yonan (3):
      • TLS version negotiation
      • Added "setenv opt" directive prefix.
      • Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
  • Jens Wagner (1):
      • Fix spurious ignoring of pushed config options (trac#349).
  • Joachim Schipper (3):
      • Refactor tls_ctx_use_external_private_key()
      • --management-external-key for PolarSSL
      • external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
  • Josh Cepek (2):
      • Correct error text when no Windows TAP device is present
      • Require a 1.2.x PolarSSL version
  • Klee Dienes (1):
      • tls_ctx_load_ca: Improve certificate error messages
  • Max Muster (1):
      • Remove duplicate cipher entries from TLS translation table.
  • Peter Sagerson (1):
      • Fix configure interaction with static OpenSSL libraries
  • Steffan Karger (7):
      • Do not pass struct tls_session* as void* in key_state_ssl_init().
      • Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
      • Use RSA_generate_key_ex() instead of deprecated RSA_generate_key()
      • Also update TLSv1_method() calls in support code to SSLv23_method() calls.
      • Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
      • If --tls-cipher is supplied, make --show-tls parse the list.
      • Add openssl-specific common cipher list names to ssl.c.
  • Tamas TEVESZ (1):
      • Add support for client-cert-not-required for PolarSSL.
  • Thomas Veerman (1):
      • Fix "." in description of utun.



Changes for v2.3.1 - v2.3.2

  • Only print script warnings when a script is used. Remove stray mention of script-security system.
  • Move settings of user script into set_user_script function
  • Move checking of script file access into set_user_script
  • Provide more accurate warning message
  • Fix NULL-pointer crash in route_list_add_vpn_gateway().
  • Fix problem with UDP tunneling due to mishandled pktinfo structures.
  • Always push basic set of peer info values to server.
  • make 'explicit-exit-notify' pullable again
  • Fix proto tcp6 for server & non-P2MP modes
  • Fix Windows script execution when called from script hooks
  • Fixed tls-cipher translation bug in openssl-build
  • Fixed usage of stale define USE_SSL to ENABLE_SSL
  • Fix segfault when enabling pf plug-ins



Changes for v2.3.0 - v2.3.1

  • Arne Schwabe (4):
      • Remove dead code path and putenv functionality
      • Remove unused function xor
      • Move static prototype definition from header into c file
      • Remove unused function no_tap_ifconfig
  • Christian Hesse (1):
      • fix build with automake 1.13(.1)
  • Christian Niessner (1):
      • Fix corner case in NTLM authentication (trac #172)
  • Gert Doering (6):
      • Update README.IPv6 to match what is in 2.3.0
      • Repair "tcp server queue overflow" brokenness, more fallout.
      • Permit pool size of /64.../112 for ifconfig-ipv6-pool
      • Add MIN() compatibility macro
      • Fix directly connected routes for "topology subnet" on Solaris.
      • Preparing for v2.3.1 (ChangeLog, version.m4)
  • Heiko Hund (5):
      • close more file descriptors on exec
      • Ignore UTF-8 byte order mark
      • reintroduce --no-name-remapping option
      • make --tls-remote compatible with pre 2.3 configs
      • add new option for X.509 name verification
  • Jan Just Keijser (1):
      • man page patch for missing options
  • Josh Cepek (2):
      • Fix parameter listing in non-debug builds at verb 4
      • (updated) [PATCH] Warn when using verb levels >=7 without debug
  • Matthias Andree (1):
      • Enable TCP_NODELAY configuration on FreeBSD.
  • Samuli Seppänen (4):
      • Removed ChangeLog.IPv6
      • Added cross-compilation information INSTALL-win32.txt
      • Updated README
      • Cleaned up and updated INSTALL
  • Steffan Karger (7):
      • PolarSSL-1.2 support
      • Improve PolarSSL key_state_read_{cipher, plain}text messages
      • Improve verify_callback messages
      • Config compatibility patch. Added translate_cipher_name.
      • Switch to IANA names for TLS ciphers.
      • Fixed autoconf script to properly detect missing pkcs11 with polarssl.
      • Use constant time memcmp when comparing HMACs in openvpn_decrypt.


