Version history for OpenVPN

<<Back to software description

Changes for v2.4.6 - v2.4.7

Adam Ciarciński (1):
Fix subnet topology on NetBSD (2.4).
Antonio Quartulli (3):
add support for %lu in argv_printf and prevent ASSERT
buffer_list: add functions documentation
ifconfig-ipv6(-push): allow using hostnames
Arne Schwabe (7):
Properly free tuntap struct on android when emulating persist-tun
Add OpenSSL compat definition for RSA_meth_set_sign
Add support for tls-ciphersuites for TLS 1.3
Add better support for showing TLS 1.3 ciphersuites in --show-tls
Use right function to set TLS1.3 restrictions in show-tls
Add message explaining early TLS client hello failure
Fallback to password authentication when auth-token fails
Christian Ehrhardt (1):
systemd: extend CapabilityBoundingSet for auth_pam
David Sommerseth (1):
plugin: Export base64 encode and decode functions
Gert Doering (4):
Add %d, %u and %lu tests to test_argv unit tests.
Fix combination of --dev tap and --topology subnet across multiple platforms.
Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
Gert van Dijk (1):
Minor reliability layer documentation fixes
James Bekkema (1):
Resolves small IV_GUI_VER typo in the documentation.
Jonathan K. Bullard (1):
Clarify and expand management interface documentation
Lev Stipakov (5):
Refactor NCP-negotiable options handling
init.c: refine functions names and description
interactive.c: fix usage of potentially uninitialized variable
options.c: fix broken unary minus usage
Remove extra token after #endif
Richard van den Berg via Openvpn-devel (1):
Fix error message when using RHEL init script
Samy Mahmoudi (1):
man: correct a --redirection-gateway option flag
Selva Nair (7):
Replace M_DEBUG with D_LOW as the former is too verbose
Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
Bump version of openvpn plugin argument structs to 5
Move get system directory to a separate function
Enable dhcp on tap adapter using interactive service
Pass the hash without the DigestInfo header to NCryptSignHash()
White-list pull-filter and script-security in interactive service
Simon Rozman (2):
Add Interactive Service developer documentation
Detect TAP interfaces with root-enumerated hardware ID
Steffan Karger (7):
man: add security considerations to --compress section
mbedtls: print warning if random personalisation fails
Fix memory leak after sighup
travis: add OpenSSL 1.1 Windows build
Fix --disable-crypto build
Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
buffer_list_aggregate_separator(): simplify code

Changes for v2.4.3 - v2.4.4

Antonio Quartulli (23):
crypto: correct typ0 in error message
use M_ERRNO instead of explicitly printing errno
don't print errno twice
ntlm: avoid useless cast
ntlm: unwrap multiple function calls
route: improve error message
management: preserve wait_for_push field when asking for user/pass
tls-crypt: avoid warnings when --disable-crypto is used
ntlm: convert binary buffers to uint8_t *
ntlm: restyle compressed multiple function calls
ntlm: improve code style and readability
OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
make function declarations C99 compliant
remove unused functions
use NULL instead of 0 when assigning pointers
add missing static attribute to functions
ntlm: avoid breaking anti-aliasing rules
remove the --disable-multi config switch
rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
route: avoid definition of unused variables in certain configurations
fix a couple of typ0s in comments and strings
fragment.c: simplify boolean expression
tcp-server: ensure AF family is propagated to child context
Arne Schwabe (2):
Set tls-cipher restriction before loading certificates
Print ec bit details, refuse management-external-key if key is not RSA
Conrad Hoffmann (2):
Use provided env vars in up/down script.
Document down-root plugin usage in client.down
David Sommerseth (12):
doc: The CRL processing is not a deprecated feature
cleanup: Move write_pid() to where it is being used
contrib: Remove keychain-mcd code
cleanup: Move init_random_seed() to where it is being used
sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
Highlight deprecated features
Use consistent version references
docs: Replace all PolarSSL references to mbed TLS
systemd: Ensure systemd shuts down OpenVPN in a proper way
systemd: Enable systemd's auto-restart feature for server profiles
lz4: Move towards a newer LZ4 API
Prepare the release of OpenVPN 2.4.4
Emmanuel Deloget (3):
OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
Gert van Dijk (1):
Warn that DH config option is only meaningful in a tls-server context
Ilya Shipitsin (3):
travis-ci: add 3 missing patches from master to release/2.4
travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
travis-ci: update pkcs11-helper to 1.22
Richard Bonhomme (1):
man: Corrections to doc/openvpn.8
Steffan Karger (17):
Fix typo in extract_x509_extension() debug message
Move adjust_power_of_2() to integer.h
Undo cipher push in client options state if cipher is rejected
Remove strerror_ts()
Move openvpn_sleep() to manage.c
fixup: also change missed openvpn_sleep() occurrences
Always use default keysize for NCP'd ciphers
Move create_temp_file() out of #ifdef ENABLE_CRYPTO
Deprecate --keysize
Deprecate --no-replay
Move run_up_down() to init.c
tls-crypt: introduce tls_crypt_kt()
crypto: create function to initialize encrypt and decrypt key
Add coverity static analysis to Travis CI config
tls-crypt: don't leak memory for incorrect tls-crypt messages
travis: reorder matrix to speed up build
Fix bounds check in read_key()
Szilárd Pfeiffer (1):
OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
Thomas Veerman via Openvpn-devel (1):
Fix socks_proxy_port pointing to invalid data

Changes for v2.4.2 - v2.4.3

Antonio Quartulli (1):
Ignore auth-nocache for auth-user-pass if auth-token is pushed
David Sommerseth (3):
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
Emmanuel Deloget (8):
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Gert Doering (6):
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
Guido Vranken (6):
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Jérémie Courrèges-Anglas (2):
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Matthias Andree (1):
Make openvpn-plugin.h self-contained again.
Selva Nair (1):
Pass correct buffer size to GetModuleFileNameW()
Steffan Karger (11):
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Steven McDonald (1):
Fix gateway detection with OpenBSD routing domains

Changes for v2.3.12 - v2.3.13

Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (5):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilties for each test case
Preparing release of v2.3.13
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys

Changes for v2.3.10 - v2.3.12

This release includes many small improvements and fixes. This is the first release that actively discourages the use of 64-bit block ciphers for security reasons.

Changes for v2.3.9 - v2.3.10

Gert Doering (2):
Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
Preparing for release v2.3.10 (ChangeLog, version.m4)
Jan Just Keijser (1):
Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
Lev Stipakov (1):
Repair IPv6 netsh calls if Win XP is detected
Phillip Smith (1):
Use bob.example.com and alice.example.com to improve clarity of documentation
Steffan Karger (6):
Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
Upgrade OpenVPN 2.3 to PolarSSL 1.3
Warn user if their certificate has expired
Make assert_failed() print the failed condition
cleanup: get rid of httpdigest.c type warnings
Fix regression in setups without a client certificate
Yegor Yefremov (1):
polarssl: fix unreachable code

Changes for v2.3.7 - v2.3.8

Arne Schwabe (2):
Report missing endtags of inline files as warnings
Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
Gert Doering (3):
Produce a meaningful error message if --daemon gets in the way of asking for passwords.
Document --daemon changes and consequences (--askpass, --auth-nocache).
Preparing for release v2.3.8 (ChangeLog, version.m4)
Holger Kummert (1):
Del ipv6 addr on close of linux tun interface
James Geboski (1):
Fix --askpass not allowing for password input via stdin
Steffan Karger (5):
write pid file immediately after daemonizing
Make __func__ work with Visual Studio too
fix regression: query password before becoming daemon
Fix using management interface to get passwords.
Fix overflow check in openvpn_decrypt()

Changes for v2.3.5 - v2.3.6

systemd: Reworked the systemd unit file to handle server and client configs better
Add client-only support for peer-id.
Preparing for release v2.3.6 (ChangeLog, version.m4)
Fix to --shaper documentation on the man-page
Fix assertion error when using --cipher none
Add --tls-version-max
Modernize sample keys and sample configs
Drop too-short control channel packets instead of asserting out.

Changes for v2.3.4 - v2.3.5

Fix some typos in the man page.
Do not upcase x509-username-field for mixed-case arguments.
Fix server routes not working in topology subnet with --server [v3]
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
Don't let openvpn_popen() keep zombies around
Add systemd unit file for OpenVPN
systemd: Use systemd functions to consider systemd availability
Drop incoming fe80:: packets silently now.
Fix t_lpback.sh platform-dependent failures
Call init script helpers with explicit path (./)
Preparing for release v2.3.5 (ChangeLog, version.m4)
refine assertion to allow other modes than CBC
ocsp_check - signature verification and cert staus results are separate
ocsp_check - double check if ocsp didn't report any errors in execution
Fix socket-flag/TCP_NODELAY on Mac OS X
Fixed several instances of declarations after statements.
In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
Define PATH_SEPARATOR for MSVC builds.
Fixed some compile issues with show_library_versions()
Remove quadratic complexity from openvpn_base64_decode()
Add configure check for the path to systemd-ask-password
Add topology in sample server configuration file
Implement on-link route adding for iproute2
Ensure that client-connect files are always deleted
Remove function without effect (cipher_ok() always returned true).
Remove unneeded wrapper functions in crypto_openssl.c
Fix bug that incorrectly refuses oid representation eku's in polar builds
Update README.polarssl
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Improve --show-ciphers to show if a cipher can be used in static key mode
Extend t_lpback tests to test all ciphers reported by --show-ciphers
Don't exit daemon if opening or parsing the CRL fails.
Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
Fix regression with password protected private keys (polarssl)
ssl_polarssl.c: fix includes and make casts explicit
Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
Fix "code=995" bug with windows NDIS6 tap driver.

Changes for v2.3.3 - v2.3.4

Fix man page and OSCP script: tls_serial_{n} is decimal
Fix is_ipv6 in case of tap interface.
IPv6 address/route delete fix for Win8
Add SSL library version reporting.
Minor t_client.sh cleanups
Repair --multihome on FreeBSD for IPv4 sockets.
Rewrite manpage section about --multihome
More IPv6-related updates to the openvpn man page.
Conditionalize calls to print_default_gateway on !ENABLE_SMALL
Preparing for release v2.3.4 (ChangeLog, version.m4)
Use native strtoull() with MSVC 2013.
When tls-version-min is unspecified, revert to original versioning approach.
Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
Fix OCSP_check.sh to also use decimal for stdout verification.
Fix build system to accept non-system crypto library locations for plugins.
Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
Fix SOCKSv5 method selection
Fix typo in sample build script to use LDFLAGS

Changes for v2.3.2-I003 - v2.3.3

Alon Bar-Lev (1):
pkcs11: use generic evp key instead of rsa
Arne Schwabe (8):
Add support of utun devices under Mac OS X
Add support to ignore specific options.
Add a note what setenv opt does for OpenVPN < 2.3.3
Add reporting of UI version to basic push-peer-info set.
Fix compile error in ssl_openssl introduced by polar external-management patch
Fix assertion when SIGUSR1 is received while getaddrinfo is successful
Add warning for using connection block variables after connection blocks
Introduce safety check for http proxy options
David Sommerseth (5):
man page: Update man page about the tls_digest_{n} environment variable
Remove the --disable-eurephia configure option
plugin: Extend the plug-in v3 API to identify the SSL implementation used
autoconf: Fix typo
Fix file checks when --chroot is being used
Davide Brini (1):
Document authfile for socks server
Gert Doering (9):
Fix IPv6 examples in t_client.rc-sample
Fix slow memory drain on each client renegotiation.
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
Make code and documentation for --remote-random-hostname consistent.
Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
Document issue with --chroot, /dev/urandom and PolarSSL.
Rename 'struct route' to 'struct route_ipv4'
Replace copied structure elements with including
Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
Heikki Hannikainen (1):
Always load intermediate certificates from a PKCS#12 file
Heiko Hund (2):
Support non-ASCII TAP adapter names on Windows
Support non-ASCII characters in Windows tmp path
James Yonan (3):
TLS version negotiation
Added "setenv opt" directive prefix.
Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
Jens Wagner (1):
Fix spurious ignoring of pushed config options (trac#349).
Joachim Schipper (3):
Refactor tls_ctx_use_external_private_key()
--management-external-key for PolarSSL
external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
Josh Cepek (2):
Correct error text when no Windows TAP device is present
Require a 1.2.x PolarSSL version
Klee Dienes (1):
tls_ctx_load_ca: Improve certificate error messages
Max Muster (1):
Remove duplicate cipher entries from TLS translation table.
Peter Sagerson (1):
Fix configure interaction with static OpenSSL libraries
Steffan Karger (7):
Do not pass struct tls_session* as void* in key_state_ssl_init().
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
If --tls-cipher is supplied, make --show-tls parse the list.
Add openssl-specific common cipher list names to ssl.c.
Tamas TEVESZ (1):
Add support for client-cert-not-required for PolarSSL.
Thomas Veerman (1):
Fix "." in description of utun.

Changes for v2.3.2 - v2.3.2-I003

The I003 Windows installer fixes a signature problem in tap-windows driver, which prevented the driver from being installed in many cases

Changes for v2.3.1 - v2.3.2

Only print script warnings when a script is used. Remove stray mention of script-security system.
Move settings of user script into set_user_script function
Move checking of script file access into set_user_script
Provide more accurate warning message
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Fix problem with UDP tunneling due to mishandled pktinfo structures.
Always push basic set of peer info values to server.
make 'explicit-exit-notify' pullable again
Fix proto tcp6 for server & non-P2MP modes
Fix Windows script execution when called from script hooks
Fixed tls-cipher translation bug in openssl-build
Fixed usage of stale define USE_SSL to ENABLE_SSL
Fix segfault when enabling pf plug-ins

Changes for v2.3.0 - v2.3.1

Arne Schwabe (4):
Remove dead code path and putenv functionality
Remove unused function xor
Move static prototype definition from header into c file
Remove unused function no_tap_ifconfig
Christian Hesse (1):
fix build with automake 1.13(.1)
Christian Niessner (1):
Fix corner case in NTLM authentication (trac #172)
Gert Doering (6):
Update README.IPv6 to match what is in 2.3.0
Repair "tcp server queue overflow" brokenness, more fallout.
Permit pool size of /64.../112 for ifconfig-ipv6-pool
Add MIN() compatibility macro
Fix directly connected routes for "topology subnet" on Solaris.
Preparing for v2.3.1 (ChangeLog, version.m4)
Heiko Hund (5):
close more file descriptors on exec
Ignore UTF-8 byte order mark
reintroduce --no-name-remapping option
make --tls-remote compatible with pre 2.3 configs
add new option for X.509 name verification
Jan Just Keijser (1):
man page patch for missing options
Josh Cepek (2):
Fix parameter listing in non-debug builds at verb 4
(updated) [PATCH] Warn when using verb levels >=7 without debug
Matthias Andree (1):
Enable TCP_NODELAY configuration on FreeBSD.
Samuli Seppänen (4):
Removed ChangeLog.IPv6
Added cross-compilation information INSTALL-win32.txt
Updated README
Cleaned up and updated INSTALL
Steffan Karger (7):
PolarSSL-1.2 support
Improve PolarSSL key_state_read_{cipher, plain}text messages
Improve verify_callback messages
Config compatibility patch. Added translate_cipher_name.
Switch to IANA names for TLS ciphers.
Fixed autoconf script to properly detect missing pkcs11 with polarssl.
Use constant time memcmp when comparing HMACs in openvpn_decrypt.

Version history for OpenVPN

Top downloads

Latest updates

Help us

Sections:

Follow us: