path: root/ChangeLog
author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2005-09-26 05:28:27 +0000
committer: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2005-09-26 05:28:27 +0000
commit: 6fbf66fad3367b24fd6743bcd50254902fd9c8d5 (patch)
tree: 9802876e3771744eead18917bb47ff6e90ac39f5 /ChangeLog
download: openvpn-6fbf66fad3367b24fd6743bcd50254902fd9c8d5.tar.xz
This is the start of the BETA21 branch.
It includes the --topology feature, and TAP-Win32 driver changes to allow non-admin access.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 2102
1 files changed, 2102 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..f70ed1d
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,2102 @@
+OpenVPN
+Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
+
+$Id$
+
+2005.09.25 -- Version 2.0.3-rc1
+
+* openvpn_plugin_abort_v1 function wasn't being properly
+ registered on Windows.
+* Fixed a bug where --mode server --proto tcp-server --cipher none
+ operation could cause tunnel packet truncation.
+
+2005.08.25 -- Version 2.0.2
+
+* No change from 2.0.2-rc1.
+
+2005.08.24 -- Version 2.0.2-rc1
+
+* Fixed regression bug in Win32 installer, introduced in 2.0.1,
+ which incorrectly set OpenVPN service to autostart.
+* Don't package source code zip file in Windows installer
+ in order to reduce the size of the installer. The source
+ zip file can always be downloaded separately if needed.
+* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
+ version of get_default_gateway. Allocated socket for route
+ manipulation is never freed so number of mbufs continuously
+ grow and exhaust system resources after a while (Jaroslav Klaus).
+* Fixed bug where "--proto tcp-server --mode p2p --management
+ host port" would cause the management port to not respond until
+ the OpenVPN peer connects.
+* Modified pkitool script to be /bin/sh compatible (Johnny Lam).
+
+2005.08.16 -- Version 2.0.1
+
+* Security Fix -- DoS attack against server when run with "verb 0" and
+ without "tls-auth". If a client connection to the server fails
+ certificate verification, the OpenSSL error queue is not properly
+ flushed, which can result in another unrelated client instance on the
+ server seeing the error and responding to it, resulting in disconnection
+ of the unrelated client (CAN-2005-2531).
+* Security Fix -- DoS attack against server by authenticated client.
+ This bug presents a potential DoS attack vector against the server
+ which can only be initiated by a connected and authenticated client.
+ If the client sends a packet which fails to decrypt on the server,
+ the OpenSSL error queue is not properly flushed, which can result in
+ another unrelated client instance on the server seeing the error and
+ responding to it, resulting in disconnection of the unrelated client
+ (CAN-2005-2532).
+* Security Fix -- DoS attack against server by authenticated client.
+ A malicious client in "dev tap" ethernet bridging mode could
+ theoretically flood the server with packets appearing to come from
+ hundreds of thousands of different MAC addresses, causing the OpenVPN
+ process to deplete system virtual memory as it expands its internal
+ routing table. A --max-routes-per-client directive has been added
+ (default=256) to limit the maximum number of routes in OpenVPN's
+ internal routing table which can be associated with a given client
+ (CAN-2005-2533).
+* Security Fix -- DoS attack against server by authenticated client.
+ If two or more client machines try to connect to the server at the
+ same time via TCP, using the same client certificate, and when
+ --duplicate-cn is not enabled on the server, a race condition can
+ crash the server with "Assertion failed at mtcp.c:411"
+ (CAN-2005-2534).
+* Fixed server bug where under certain circumstances, the client instance
+ object deletion function would try to delete iroutes which had never been
+ added in the first place, triggering "Assertion failed at mroute.c:349".
+* Added --auth-retry option to prevent auth errors from being fatal
+ on the client side, and to permit username/password requeries in case
+ of error. Also controllable via new "auth-retry" management interface
+ command. See man page for more info.
+* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
+* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
+ would fail to build.
+* Implement "make check" to perform loopback tests (Matthias Andree).
+
+2005.07.21 -- Version 2.0.1-rc7
+
+* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
+* Include linux/types.h before checking for linux/errqueue.h (Matthias
+ Andree).
+
+2005.07.15 -- Version 2.0.1-rc6
+
+* Commented out "user nobody" and "group nobody" in sample
+ client/server config files.
+* Allow '@' character to be used in --client-config-dir
+ file names.
+
+2005.07.04 -- Version 2.0.1-rc5
+
+* Windows version will log a for-further-info URL when
+ initialization sequence is completed with errors.
+* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
+ to control whether auth-pam plugin links to PAM via
+ dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
+ behavior should be preserved. DLOPEN_PAM=0 is the preferred
+ setting to link via -lpam, but DLOPEN_PAM=1 works around
+ a bug in SuSE 9.1 (and possibly other distros as well)
+ where the PAM modules are not linked with -lpam. See
+ thread on openvpn-devel for more discussion about this
+ patch (Simon Perreault).
+
+2005.06.15 -- Version 2.0.1-rc4
+
+* Support LZO 2.00, including changes to configure script to
+ autodetect LZO version.
+
+2005.06.12 -- Version 2.0.1-rc3
+
+* Fixed a bug which caused standard file handles to not be closed
+ after daemonization when --plugin and --daemon are used together,
+ and if the plugin initialization function forks (as does auth-pam
+ and down-root) (Simon Perreault).
+* Added client-side up/down scripts in contrib/pull-resolv-conf
+ for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
+ on Linux/Unix systems (Jesse Adelman).
+* Fixed bug where if client-connect scripts/plugins were cascaded,
+ and one (but not all) of them returned an error status, there might
+ be cases where for an individual script/plugin, client-connect was
+ called but not client-disconnect. The goal of this fix is to
+ ensure that if client-connect is called on a given client instance,
+ then client-disconnect will definitely be called. A potential
+ complication of this fix is that when client-connect functions are
+ cascaded, it's possible that the client-disconnect function would
+ be called in cases where the related client-connect function returned
+ an error status. This fix should not alter OpenVPN behavior when
+ scripts/plugins are not cascaded.
+* Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
+ fatal error to a warning: "FRAG: outgoing buffer is not empty".
+ Need more info on how to reproduce this one.
+* When --duplicate-cn is used, the --ifconfig-pool allocation
+ algorithm will now allocate the first available IP address.
+* When --daemon and --management-hold are used together,
+ OpenVPN will daemonize before it enters the management hold state.
+
+2005.05.16 -- Version 2.0.1-rc2
+
+* Modified vendor test in openvpn.spec file to match against
+ "Mandrakesoft" in addition to "MandrakeSoft".
+* Using --iroute in a --client-config-dir file while in --dev tap
+ mode is not currently supported and will produce a warning
+ message. Fixed bug where in certain cases, in addition to
+ generating a warning message, this combination of options
+ would also produce a fatal assertion in mroute.c.
+* Pass --auth-user-pass username to server-side plugin without
+ performing any string remapping (plugins, unlike scripts,
+ don't get any security benefit from string remapping).
+ This is intended to fix an issue with openvpn-auth-pam/pam_winbind
+ where backslash characters in a username ('\') were being remapped
+ to underscore ('_').
+* Updated OpenSSL DLLs in Windows build to 0.9.7g.
+* Documented --explicit-exit-notify in man page.
+* --explicit-exit-notify seconds parameter defaults to 1 if
+ unspecified.
+
+2005.04.30 -- Version 2.0.1-rc1
+
+* Fixed bug where certain kinds of fatal errors after
+ initialization (such as port in use) would leave plugin
+ processes (such as openvpn-auth-pam) still running.
+* Added optional openvpn_plugin_abort_v1 plugin function for
+ closing initialized plugin objects in the event of a fatal
+ error by main OpenVPN process.
+* When the --remote list is > 1, and --resolv-retry is not
+ specified (meaning that it defaults to "infinite"), apply the
+ infinite timeout to the --remote list as a whole, but try each
+ list item only once before moving on to the next item.
+* Added new --syslog directive which redirects output
+ to syslog without requiring the use of the --daemon or --inetd
+ directives.
+* Added openvpn.spec option to allow RPM to be built with support
+ for passwords read from a file:
+ rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
+
+2005.04.17 -- Version 2.0
+
+* Fixed minor options string typo in options.c.
+
+2005.04.10 -- Version 2.0-rc21
+
+* Change license description from "GPL Version 2 or (at your
+ option) any later version" to just "GPL Version 2".
+
+2005.04.04 -- Version 2.0-rc20
+
+* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
+ excellent distro/version coverage for RH/EL/Fedora, though
+ using his own SPEC. I modified openvpn.spec to follow some of
+ the same conventions such as putting sample scripts and doc
+ files in %doc rather than /usr/share/openvpn.
+* Minor change to init scripts to run the user-defined script
+ /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
+ configs are started, and to run /etc/openvpn/openvpn-shutdown
+ after all OpenVPN configs have been stopped. The
+ openvpn-startup script can be used for stuff like
+ insmod tun.o, setting up firewall rules, or starting
+ ethernet bridges.
+
+2005.03.29 -- Version 2.0-rc19
+
+* Omit additions of routes where the network and
+ gateway are equal and the netmask is 255.255.255.255.
+ This can come up if you are using both
+ server/ifconfig-pool and client-config-dir with
+ ifconfig-push static addresses for some subset of clients
+ which directly reference the server IP address as the
+ remote endpoint.
+
+2005.03.28 -- Version 2.0-rc18
+
+* Packaged Windows installer with OpenSSL 0.9.7f.
+* Built Windows installer with NSIS 2.06.
+
+2005.03.12 -- Version 2.0-rc17
+
+* "MANAGEMENT: CMD" log file output will now only occur
+ at --verb 7 or greater.
+* Added an optional name/value configuration list to
+ the openvpn-auth-pam plugin module argument list. See
+ plugin/auth-pam/README for documentation. This is necessary
+ in order for openvpn-auth-pam to work with queries generated
+ by arbitrary PAM modules.
+* In both auth-pam and down-root plugins, in the forked process,
+ a read error on the parent process socket is no longer fatal.
+* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
+ A conditional test of the vendor has been added to
+ Require the appropriately named 'lzo' (liblzo1 / lzo).
+ (Tom Walsh - http://openhardware.net)
+
+
+2005.02.20 -- Version 2.0-rc16
+
+* Fixed bug introduced in rc13 where Windows service wrapper
+ would be installed with a startup type of Automatic.
+ This fix restores the previous behavior of installing
+ with a startup type of Manual.
+
+2005.02.19 -- Version 2.0-rc15
+
+* Added warning when --keepalive is not used in a server
+ configuration.
+* Don't include OpenSSL md4.h file if we are not building
+ NTLM proxy support (Waldemar Brodkorb).
+* Added easy-rsa/build-key-pkcs12 and
+ easy-rsa/Windows/build-key-pkcs12.bat scripts
+ (Mathias Sundman).
+
+2005.02.16 -- Version 2.0-rc14
+
+* Fixed small memory leak that occurs when --crl-verify
+ is used.
+* Upgraded Windows installer and .nsi script to NSIS 2.05
+ (Mathias Sundman).
+* Changed #include backslash usage in cryptoapi.c to use
+ forward slashes instead (Gisle Vanem).
+* Created easy-rsa/revoke-full to handle revocations in
+ a single step: (a) revoke crt, (b) regenerate CRL, and
+ (c) verify that revocation succeeded.
+* Renamed easy-rsa/Windows/revoke-key to revoke-full so
+ that both *nix and Windows scripts are equivalent.
+
+2005.02.11 -- Version 2.0-rc13
+
+* Improve human-readability of local/remote options
+ diff, when inconsistencies are present.
+* For Windows easy-rsa, distribute vars.bat.sample and
+ openssl.cnf.sample, then copy them to their normal
+ filenames (without the .sample) when init-config.bat
+ is run. This is to prevent OpenVPN upgrades from
+ wiping out vars.bat and openssl.cnf edits.
+* Modified service wrapper (Windows) to use a
+ case-insensitive search when scanning for .ovpn files
+ in \Program Files\OpenVPN\config. Prior versions
+ required an all-lower-case .ovpn file extension.
+* Miscellaneous service wrapper code cleanup.
+* If --user/--group is used on Windows, treat it
+ as a no-op with a warning (this makes it easier to
+ distribute the same client config file to Windows
+ and *nix users).
+* Warn if --ifconfig-pool-persist is used with
+ --duplicate-cn.
+
+2005.02.05 -- Version 2.0-rc12
+
+* Removed some debugging code inadvertently included
+ in rc11 which would print the --auth-user-pass
+ username/password provided by clients in the server
+ logfile.
+* Client code for cycling through --remote list will
+ retry the last address which successfully authenticated
+ before moving on through the list.
+* Windows installer will now install sample configuration
+ files in \Program Files\OpenVPN\sample-configs as well
+ as generate a start menu shortcut to this directory.
+* Minor type change in buffer.[ch] to work around char-type
+ ambiguity bug. Caused management interface lock-ups on
+ ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
+
+2005.02.03 -- Version 2.0-rc11
+
+* Windows installer will now install easy-rsa directory
+ in \Program Files\OpenVPN
+* Allow syslog facility to be controlled at compile time,
+ e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
+* Changed certain shell scripts in distribution to use
+ #!/bin/sh rather than #!/bin/bash for better portability.
+* If --ifconfig-pool-persist seconds parameter is 0, treat
+ persist file as an allocation of fixed IP addresses
+ (previous versions took IP-to-common-name associations
+ from this list as hints, not mandatory static allocations).
+* Fixed bug on *nix where if --auth-user-pass and --log
+ were used together, the username prompt would be sent to
+ the log file rather than /dev/tty.
+* Spurious text in openvpn.8 detected by doclifter
+ (Eric S. Raymond).
+* Call closelog later on daemon kill so that process
+ exit message is written to syslog.
+
+2005.01.27 -- Version 2.0-rc10
+
+* When ./configure is run with plugins enabled (the default),
+ check whether or not dlopen exists in libc before testing
+ for libdl. This is to fix an issue on FreeBSD and possibly
+ other OSes which bundle libdl functions in libc.
+* On Windows, filter initial WSAEINVAL warning which occurs
+ on the initial read attempt of an unbound socket.
+* The easy-rsa scripts build-key, build-key-pass, and
+ build-key-server will now chmod the .key file
+ to 0600. This is in addition to the fact the generated
+ keys directory has always been similarly protected
+ (Pete Harlan).
+
+2005.01.23 -- Version 2.0-rc9
+
+* Fixed error "ROUTE: route addition failed using
+ CreateIpForwardEntry ..." on Windows when --redirect-gateway
+ is used over a RRAS internet link.
+* When using --route-method exe on Windows, include the
+ gateway parameter on route delete commands (Mathias Sundman).
+* Try not to do a hard reset (i.e. SIGHUP) when two
+ SIGUSR1 signals are received in close succession.
+* If the push list tries to grow beyond its buffer capacity,
+ the resulting error will be non-fatal.
+* To increase the push list capacity (must be done on both
+ client and server), increase TLS_CHANNEL_BUF_SIZE in
+ common.h (default=1024).
+
+2005.01.15 -- Version 2.0-rc8
+
+* Fixed bug introduced in rc7 where options error
+ "--auth-user-pass requires --pull" might occur even
+ if --pull was correctly specified.
+* Changed management interface code to bind once
+ to TCP socket, rather than rebinding after every
+ client disconnect.
+* Added "disable" directive for client-config-dir
+ files.
+* Windows binary install is now distributed with
+ OpenSSL 0.9.7e.
+* Query the management interface for --http-proxy
+ username/password if authfile is set to "stdin".
+* Added current OpenVPN version number to "Unrecognized
+ option or missing parameter" error message.
+* Added "-extensions server" to "openssl req" command
+ in easy-rsa/build-key-server (Nir Yeffet).
+
+2005.01.10 -- Version 2.0-rc7
+
+* Fixed bug in management interface which could cause
+ 100% CPU utilization in --proto tcp-server mode
+ on all *nix OSes except for Linux 2.6.
+* --ifconfig-push now accepts DNS names as well as
+ IP addresses.
+* Added sanity check errors when --pull or
+ --auth-user-pass is used in an incorrect mode.
+* Updated man page entries for --client-connect and
+ --ifconfig-push.
+* Added "String Types and Remapping" section to man
+ page to consisely document the way which OpenVPN
+ may convert certain types of characters in strings
+ to ('_').
+* Modified bridging description in HOWTO to emphasize
+ the fact that bridging allows Windows file and print
+ sharing without a WINS server (Charles Duffy).
+
+2004.12.20 -- Version 2.0-rc6
+
+* Improved checking for epoll support in ./configure
+ to fix false positive on RH9 (Jan Just Keijser).
+* Made the "MULTI TCP: I/O wait required blocking in
+ multi_tcp_action, action=7" error nonfatal and replaced
+ with "MULTI: Outgoing TUN queue full, dropped packet".
+ So far the issue only seems to occur on Linux 2.2
+ in --mode server --proto tcp mode. It occurs when
+ the TUN/TAP driver locks up and refuses to accept
+ new packet writes for a second or more.
+* Fixed bug where if a --client-config-dir file tried
+ to include another file using "config", and if that
+ include failed, OpenVPN would abort with a fatal
+ error. Now such inclusion failures will be logged
+ but are no longer fatal.
+* Global changes to the way that packet buffer alignment
+ is handled. Previously we didn't care about alignment
+ and took care, when handling 16 and 32 bit words
+ in buffers, to always use alignment-safe transfers.
+ This approach appears to be inadequate on some
+ architectures such as alpha. The new approach is
+ to initialize packet buffers in a way that anticipates
+ how component structures will be allocated within
+ them, to maintain correct alignment.
+* Added --dhcp-option DISABLE-NBT to disable NetBIOS
+ over TCP (Jan Just Keijser).
+* Added --http-proxy-option directive for controlling
+ miscellaneous HTTP proxy options.
+* Management state will no longer transition to "WAIT"
+ during TLS renegotiations.
+
+2004.12.16 -- Version 2.0-rc5
+
+* The --client-config-dir option will now try to open
+ a default file called "DEFAULT" if no file matching
+ the common name of the incoming client was found.
+* The --client-connect script/plugin can now veto client
+ authentication by returning a failure code.
+* The --learn-address script/plugin can now prevent a
+ client-instance/address association from being learned
+ by returning a failure code.
+* Changed RPM group in .spec file to Applications/Internet.
+
+2004.12.14 -- Version 2.0-rc4
+
+* SuSE only -- Fixed interaction between openvpn.spec and
+ suse/openvpn.init where the .spec file was writing the
+ OpenVPN binary to a different location than where the
+ .init script was referencing it (Stefan Engel).
+* Solaris only -- Split Solaris ifconfig command into two
+ parts (Jan Just Keijser).
+* Some cleanup in add_option().
+* Better error checking on input dotted quad IP addresses.
+* Verify that --push argument is quoted, if there is
+ more than one.
+* More miscellaneous option sanity checks.
+
+2004.12.13 -- Version 2.0-rc3
+
+* On Windows, when --log or --log-append is used,
+ save the original stderr for username and password
+ prompts.
+* Fixed a bug introduced in the late 2.0 betas where
+ if a "verb" parameter >= 16 was used, it would be
+ ignored and the actual verb level would remain at 1.
+* Fixed a bug mostly seen on OS X where --management-hold
+ or --management-query-passwords would cause the management
+ interface to be unresponsive to incoming client connections.
+* Trigger an options error if one of the management-modifying
+ options is used without "management" itself.
+
+2004.12.12 -- Version 2.0-rc2
+
+* Amplified warnings in documentation about possible
+ man-in-the-middle attack when clients do not properly
+ verify server certificate. Changes to easy-rsa README,
+ FAQ, HOWTO, man page, and sample client config file.
+* Added a warning message if --tls-client or --client
+ is used without also specifying one of either
+ --ns-cert-type, --tls-remote, or --tls-verify.
+* status_open() fixes for MSVC builds (Blaine Fleming).
+* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
+ compiler error which has been reported on some platforms.
+* The openvpn.spec file for rpmbuild has several
+ new build-time options. See comments in the file.
+* Plugins are now built and packaged in the RPM and
+ will be saved in /usr/share/openvpn/plugin/lib.
+* Added --management-hold directive to start OpenVPN
+ in a hibernating state until released by the
+ management interface. Also added "hold" command
+ to the management interface.
+
+2004.12.07 -- Version 2.0-rc1
+
+* openvpn.spec workaround for SuSE confusion regarding
+ /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
+
+2004.12.05 -- Version 2.0-beta20
+
+* The ability to read --askpass and --auth-user-pass
+ passwords from a file has been disabled by default.
+ To re-enable, use ./configure --enable-password-save.
+* Added additional pre-connected states to management
+ interface. See management/management-notes.txt
+ for more info.
+* State history is now recorded by the management
+ interface, and the "state" command now works like
+ the log or echo commands.
+* State history and real-time state change notifications
+ are now prepended with an integer unix timestamp.
+* Added --http-proxy-timeout option, previously
+ the timeout was hardcoded to 5 seconds.
+
+2004.12.02 -- Version 2.0-beta19
+
+* Fixed bug in management interface line termination
+ where output lines incorrectly contained a \00 char
+ after the customary \0d \0a.
+* Fixed bug introduced in beta18 where Windows version
+ would segfault on options errors.
+* Fixed bug in management interface where an empty
+ quoted string ("") entered as a parameter would cause
+ a segfault.
+* Fixed bug where --resolv-retry was not working
+ properly with multiple --remote hosts.
+* Added additional ./configure options to reduce
+ executable size for embedded applications.
+ See ./configure --help.
+
+2004.11.28 -- Version 2.0-beta18
+
+* Added management interface. See new --management-*
+ options or the full management interface documentation
+ in management/management-notes.txt in the tarball.
+ Management interface inclusion can be disabled by
+ ./configure --disable-management.
+* Added two new plugin modules: auth-pam and down-root.
+ Auth-pam supports pam-based authentication using a
+ split privilege execution model, while down-root enables
+ a down script to be executed with root privileges, even
+ when --user/--group is used to drop root privileges.
+ See the plugin directory in the tarball for READMEs,
+ source code, and Makefiles.
+* Plugin developers should note that some changes were
+ made to the plugin interface since beta17. See
+ openvpn-plugin.h for details.
+ Plugin interface inclusion can be disabled with
+ ./configure --disable-plugins
+* Added easy-rsa/build-key-server script which will
+ build a certificate with with nsCertType=server.
+* Added --ns-cert-type option for verification
+ of nsCertType field in peer certificate.
+* If --fragment n is specified and --mssfix is specified
+ without a parameter, default --mssfix to n. This restores
+ the 1.6 behavior when using --mssfix without a parameter.
+* Fixed SSL context initialization bug introduced in beta14
+ where this error might occur on restarts: "Cannot load
+ certificate chain ... PEM_read_bio:no start line".
+
+2004.11.11 -- Version 2.0-beta17
+
+* Changed default port number to 1194 per IANA official
+ port number assignment.
+* Added --plugin directive which allows compiled
+ modules to intercept script callbacks. See
+ plugin folder in tarball for more info.
+* Fixed bug introduced in beta12 where --key-method 1
+ authentications which should have succeeded would fail.
+* Ignore SIGUSR1 during DNS resolution.
+* Added SuSE support to openvpn.spec (Umberto Nicoletti).
+* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
+ Runestig).
+
+2004.11.07 -- Version 2.0-beta16
+
+* Modified sample-scripts/auth-pam.pl to get username
+ and password from OpenVPN via a file rather than
+ via environmental variables.
+* Added bytes_sent and bytes_received environmental
+ variables to be set prior to client-disconnect script.
+* Changed client virtual IP derivation precedence:
+ (1) use --ifconfig-push directive from --client-connect
+ script, (2) use --ifconfig-push directive from
+ --client-config-dir, and (3) use --ifconfig-pool
+ address.
+* If a --client-config-dir file specifies --ifconfig-push,
+ it will be visible to the --client-connect-script in
+ the ifconfig_pool_remote_ip environmental variable.
+* For tun-style tunnels, the ifconfig_pool_local_ip
+ environmental variable will be set, while for
+ tap-style tunnels, the ifconfig_pool_netmask variable
+ will be set.
+* Added intelligence to autoconf script to test
+ compiler for the accepted form of zero-length arrays.
+* Fixed a bug introduced in beta12 where --ip-win32
+ netsh would fail if --dev-node was not explicitly
+ specified.
+* --ip-win32 netsh will now work on hidden adapters.
+* Fix attempt of "Assertion failed at crypto.c:149".
+ This assertion has also been reported on 1.x with a
+ slightly different line number. The fix is twofold:
+ (1) In previous releases, --mtu-test may trigger this
+ assertion -- this bug has been fixed. (2) If something
+ else causes the assertion to be thrown, don't panic,
+ just output a nonfatal warning to the log and drop
+ the packet which generated the error.
+* Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
+* Added --echo directive.
+* Added --auth-nocache directive.
+
+2004.10.28 -- Version 2.0-beta15
+
+* Changed environmental variable character classes
+ so that names must consist of alphanumeric or
+ underbar chars and values must consist of printable
+ characters. Illegal chars will be deleted.
+ Versions prior to 2.0-beta12 were more restrictive
+ and would map spaces to '.'.
+* On Windows, when the TAP adapter fails to
+ initialize with the correct IP address, output
+ "Initialization Sequence Completed with Errors"
+ to the console or log file.
+* Added a warning when user/group/chroot is used
+ without persist-tun and persist-key.
+* Added cryptoapi.[ch] to tarball and source zip.
+* --tls-remote option now works with common name
+ prefixes as well as with the full X509 subject
+ string. This is a useful alternative to using
+ a CRL on the client.
+* common names associated with a static
+ --ifconfig-push setting will no longer leave
+ any state in the --ifconfig-pool-persist file.
+* Hard TLS errors (TLS handshake failed) will now
+ trigger either a SIGUSR1 signal by default
+ or SIGTERM (if --tls-exit is specified). In TCP
+ mode, all TLS errors are considered to be hard.
+ In server mode, the signal will be local to the
+ client instance.
+* Added method parameter to --auth-user-pass-verify
+ directive to select whether username/password
+ is passed to script via environment or a temporary
+ file.
+* Added --status-version option to control format
+ of --status file. The --mode server
+ --status-version 2 format now includes a line
+ type token, the virtual IP address is shown
+ in the client list (even in --dev tap mode),
+ and the integer time_t value is shown anywhere
+ an ascii-formatted time/date is also shown.
+* Added --remap-usr1 directive which can be used
+ to control whether internally or externally
+ generated SIGUSR1 signals are remapped to
+ SIGHUP (restart without persisting state) or
+ SIGTERM (exit).
+* When running as a Windows service (using
+ --service option), check the exit event before
+ and after reading one line of input from
+ stdin, when reading username/password info.
+* For developers: Extended the --gremlin function
+ to better stress-test the new 2.0 features,
+ added Valgrind support on Linux and Dmalloc
+ support on Windows.
+
+2004.10.19 -- Version 2.0-beta14
+
+* Fixed a bug introduced in Beta12 that would occur
+ if you use a --client-connect script without also
+ defining --tmp-dir.
+* Fixed a bug introduced in Beta12 where a learn-address
+ script might segfault on the delete method.
+* Added Crypto API support in Windows version via
+ the --cryptoapicert option (Peter 'Luna' Runestig).
+
+2004.10.18 -- Version 2.0-beta13
+
+* Fixed an issue introduced in Beta12 where the private
+ key password would not be prompted for unless --askpass
+ was explicitly specified in the config.
+
+2004.10.17 -- Version 2.0-beta12
+
+* Added support for username/password-based authentication.
+ Clients can now authentication themselves with the server
+ using either a certificate, a username/password, or both.
+ New directives: --auth-user-pass, --auth-user-pass-verify,
+ --client-cert-not-required, and --username-as-common-name.
+* Added NTLM proxy patch (William Preston).
+* Added --ifconfig-pool-linear server flag to allocate
+ individual tun addresses for clients rather than /30
+ subnets (won't work with Windows clients).
+* Modified --http-proxy code to cache username/password
+ across restarts.
+* Modified --http-proxy code to read username/password
+ from the console when the auth file is given as "stdin".
+* Modified --askpass to take an optional filename argument.
+* --persist-tun and --persist-key now work in client mode
+ and can be pushed to clients as well.
+* Added --ifconfig-pool-persist directive, to maintain
+ ifconfig-pool info in a file which is persistent across
+ daemon instantiations.
+* --user and --group privilege downgrades as well as
+ --chroot now also work in client mode (the
+ dowgrade/chroot will be delayed until the initialization
+ sequence is completed).
+* Added --show-engines standalone directive to show
+ available OpenSSL crypto accelerator engine support.
+* --engine directive now accepts an optional engine-ID
+ parameter to control which engine is used.
+* "Connection reset, restarting" log message now shows
+ which client is being reset.
+* Added --dhcp-pre-release directive in Windows version.
+* Second parm to --ip-win32 can be "default", e.g.
+ --ip-win32 dynamic default 60.
+* Fixed documentation bug regarding environmental
+ variable settings for --ifconfig-pool IP addresses.
+ The correct environmental variable names are:
+ ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
+* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
+ environmental variables are now passed to the
+ client-disconnect script.
+* In server mode, environmental variables are now scoped
+ according to the client they are associated with,
+ to solve the problem of "crosstalk" between different
+ client's environmental variable sets.
+* Added --down-pre flag to cause --down script to be
+ called before TUN/TAP close (rather than after).
+* Added --tls-exit flag which will cause OpenVPN
+ to exit on any TLS errors.
+* Don't push a route to a client if it exactly
+ matches an iroute (this lets you push routes to
+ all clients, and OpenVPN will automatically remove
+ the route from the route push list only for that client
+ which the route actually belongs to).
+* Made '--resolv-retry infinite' the default.
+ --resolv-retry can be disabled by using a parameter of 0.
+* For clients which plan to pull config info from server,
+ set an initial default ping-restart of 60 seconds.
+* Optimized mute code to lessen the load on the processor
+ when messages are being muted at a higher frequency.
+* Made route log messages non-mutable.
+* Silence the Linux "No buffer space available" message.
+* Added miscellaneous additional option sanity checks.
+* Added Windows version of easy-rsa scripts in
+ easy-rsa/Windows directory (Andrew J. Richardson).
+* Added NetBSD route patch (Ed Ravin).
+* Added OpenBSD patch for TAP + --redirect-gateway
+ (Waldemar Brodkorb).
+* Directives which prompt for a username and/or password
+ will now work with --daemon (OpenVPN will prompt
+ before forking).
+* Warn if CRL is from a different issuer than the
+ issuer of the peer certificate (Bernhard Weisshuhn).
+* Changed init script chkconfig parameters to start
+ OpenVPN daemon(s) before NFS.
+* Bug fix attempt of "too many I/O wait events" which occurs
+ on OSes which prefer select() over poll() such as Mac OS X.
+* Added --ccd-exclusive flag. This flag will require, as a
+ condition of authentication, that a connecting client has
+ a --client-config-dir file.
+* TAP-Win32 open code will attempt to open a free adapter
+ if --dev-node is not specified (Mathias Sundman).
+* Resequenced --nice and --chroot ordering so that --nice
+ occurs first.
+* Added --suppress-timestamps flag (Charles Duffy).
+* Source code changes to allow compilation by MSVC
+ (Peter 'Luna' Runestig).
+* Added experimental --fast-io flag which optimizes
+ TUN/TAP/UDP writes on non-Windows systems.
+
+2004.08.18 -- Version 2.0-beta11
+
+* Added --server, --server-bridge, --client, and
+ --keepalive helper directives. See client.conf
+ and server.conf in sample-config-files for sample
+ configurations which use the new directives.
+* On Windows, added --route-method to control
+ whether IP Helper API or route.exe is used
+ to add/delete routes.
+* On Windows, added a second parameter to
+ --route-delay to control the maximum time period
+ to wait for the TAP-Win32 adapter to come up
+ before adding routes.
+* Fixed bug in Windows version where configurations
+ which omit --ifconfig might fail to recognize when
+ the TAP adapter is up.
+* Proxy connection failures will now retry according
+ to the --connect-retry parameter.
+* Fixed --dev null handling on Windows so that TLS
+ loopback test described in INSTALL file works
+ correctly on Windows.
+* Added "Initialization Sequence Completed" message
+ after all initialization steps have been completed
+ and the VPN can be considered "up".
+* Better sanity-checking on --ifconfig-pool parameters.
+* Added --tcp-queue-limit option to control
+ TUN/TAP -> TCP socket overflow.
+* --ifconfig-nowarn flag will now silence general
+ warnings about possible --ifconfig address
+ conflicts, including the warning about --ifconfig
+ and --remote addresses being in same /24 subnet.
+* Fixed case where server mode did not correctly
+ identify certain types of ethernet multicast packets
+ (Marcel de Kogel).
+* Added --explicit-exit-notify option (experimental).
+
+2004.08.02 -- Version 2.0-beta10
+
+* Fixed possible reference after free of option strings
+ after a restart, bug was introduced in beta8.
+* Fixed segfault at route.c:919 in the beta9
+ Windows version that was being caused by indirection
+ through a NULL pointer.
+* Mistakenly built debug version of TAP-Win32 driver
+ for beta9. Beta10 has correct release build.
+
+2004.07.30 -- Version 2.0-beta9
+
+* Fixed --route issue on Windows that was introduced with
+ the new beta8 route implementation based on the
+ IP Helper API.
+
+2004.07.27 -- Version 2.0-beta8
+
+* Added TCP support in server mode.
+* Added PKCS #12 support (Mathias Sundman).
+* Added patch to make revoke-crt and make-crl work
+ seamlessly within the easy-rsa environment (Jan Kiszka).
+* Modified --mode server ethernet bridge code to forward
+ special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
+* Added --dhcp-renew and --dhcp-release flags to Windows
+ version. Normally DHCP renewal and release on the TAP
+ adapter occurs automatically under Windows, however
+ if you set the TAP-Win32 adapter Media Status property
+ to "Always Connected", you may need these flags.
+* Added --show-net standalone flag to Windows version to
+ show OpenVPN's view of the system adapter and routing
+ tables.
+* Added --show-net-up flag to Windows version to output
+ the system routing table and network adapter list to
+ the log file after the TAP-Win32 adapter has been brought
+ up and any routes have been added.
+* Modified Windows version to add routes using the IP Helper
+ API rather than by calling route.exe.
+* Fixed bug where --route-up script was not being called
+ if no --route options were specified.
+* Added --mute-replay-warnings to suppress packet replay
+ warnings. This is a common false alarm on WiFi nets.
+* Added "def1" flag to --redirect-gateway option to override
+ the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
+ rather than 0.0.0.0/0. This has the benefit of overriding
+ but not wiping out the original default gateway.
+ (Thanks to Jim Carter for pointing out this idea).
+* You can now run OpenVPN with a single config file argument.
+ For example, you can now say "openvpn config.conf"
+ rather than "openvpn --config config.conf".
+* On Windows, made --route and --route-delay more adaptive
+ with respect to waiting for interfaces referenced by the
+ route destination to come up. Routes added by --route
+ should now be added as soon as the interface comes up,
+ rather than after an obligatory 10 second delay. The
+ way this works internally is that --route-delay now
+ defaults to 0 on Windows. Previous versions would
+ wait for --route-delay seconds then add the routes.
+ This version will wait --route-delay seconds and then
+ test the routing table at one second intervals for the
+ next 30 seconds and will not add the routes until they
+ can be added without errors.
+* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
+ default on TCP/UDP socket in light of reports that this
+ action can have undesirable global side effects on the
+ MTU settings of other adapters. These parameters can
+ still be set, but you need to explicitly specify
+ --sndbuf and/or --rcvbuf.
+* Added --max-clients option to limit the maximum number
+ of simultaneously connected clients in server mode.
+* Added error message to illuminate shell escape gotcha when
+ single backslashes are used in Windows path names.
+* Added optional netmask parm to --ifconfig-pool.
+* Fixed bug where http-proxy connect retry attempts were
+ incorrectly going to the remote OpenVPN server,
+ not to the HTTP proxy server.
+
+2004.06.29 -- Version 2.0-beta7
+
+* Fixed bug in link_socket_verify_incoming_addr() which
+ under certain circumstances could have caused --float
+ behavior even if --float was not specified.
+* --tls-auth option now works with --mode server.
+ All clients and the server should use the same
+ --tls-auth key when operating in client/server mode.
+* Added --engine option to make use of OpenSSL-supported
+ crypto acceleration hardware.
+* Fixed some high verbosity print format size issues
+ in event.c for 64 bit platforms (Janne Johansson).
+* Made failure to open --log or --log-append file
+ a non-fatal error.
+
+2004.06.23 -- Version 2.0-beta6
+
+* Fixed Windows installer to intelligently put
+ up a reboot dialog only if tapinstall tells
+ us that it's really necessary.
+* Fixed "Assertion failed at fragment.c:309"
+ bug when --mode server and --fragment are used
+ together.
+* Ignore HUP, USR1, and USR2 signals during
+ initialization. Prior versions would abort.
+* Fixed bug on OS X: "Assertion failed at event.c:406".
+* Added --service option to Windows version, for use
+ when OpenVPN is being programmatically instantiated
+ by another process (see man page for info).
+* --log and --log-append options now work on Windows.
+* Update OpenBSD INSTALL notes (Janne Johansson).
+* Enable multicast on tun interface when running on
+ OpenBSD (Pavlin Radoslavov).
+* Fixed recent --test-crypto breakage, where options
+ such as --cipher were not being parsed correctly.
+* Modified options compatibility string by removing
+ ifconfig substring if it is empty. Incremented
+ options compatibility string version number to 4.
+* Fixed typo in --tls-timeout option parsing
+ (Mikael Lonnroth).
+
+2004.06.13 -- Version 2.0-beta5
+
+* Fixed rare --mode server crash that could occur
+ if data was being routed to a client at
+ high bandwidth at the precise moment that the
+ client instance object on the server was being
+ deleted.
+* Fixed issue on machines which have epoll.h and
+ the epoll_create glibc call defined, but which
+ don't actually implement epoll in the kernel.
+ OpenVPN will now gracefully fall back to the
+ poll API in this case.
+* Fixed Windows bug which would cause the following
+ error in a --mode server --dev tap configuration:
+ "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
+ exceeded".
+* Added CRL (certificate revocation list) management
+ scripts to easy-rsa directory (Jon Bendtsen).
+* Do a better job of getting the ifconfig component
+ of the options consistency check to work correctly
+ when --up-delay is used.
+* De-inlined some functions which were too complex
+ to be inlined anyway with gcc.
+* If a --dhcp-option option is pushed to a non-windows
+ client, the option will be saved in the client's
+ environment before the --up script is called, under
+ the name "foreign_option_{n}".
+* Added --learn-address script (see man page) which
+ allows for firewall access through the VPN to be
+ controlled based on the client common name.
+* In mode --server mode, when a client connects to
+ the server, the server will disconnect any
+ still-active clients which use the same common
+ name. Use --duplicate-cn flag to revert to
+ previous behavior of allowing multiple clients
+ to concurrently connect with the same common name.
+
+2004.06.08 -- Version 2.0-beta4
+
+* Fixed issue with beta3 where Win32 service wrapper
+ was keying off of old TAP HWID as a dependency. To
+ ensure that the new service wrapper is correctly
+ installed, the Windows install script will uninstall
+ the old wrapper before installing the new one,
+ causing a reset of service properties.
+* Fixed permissions issue on --status output file,
+ with default access permissions of owner read/write
+ only (default permissions can be changed of course with
+ chmod).
+
+2004.06.05 -- Version 2.0-beta3
+
+* More changes to TAP-Win32 driver's INF file which
+ affects the placement of the driver in the Windows
+ device namespace. This is done to work around an
+ apparent bug in Windows when short HWIDs are used,
+ and will also ease the upgrade from 1.x to 2.0 by
+ reducing the chances that a reboot will be needed
+ on upgrade. Like beta2, this upgrade will
+ delete existing TAP-Win32 interfaces, and reinstall
+ a single new interface with default properties.
+* Major rewrite of I/O event wait layer in the style
+ of libevent. This is a precursor to TCP support
+ in --mode server.
+* New feature: --status. Outputs a SIGUSR2-like
+ status summary to a given file, updated once
+ per n seconds. The status file is comma delimited
+ for easy machine parsing.
+* --ifconfig-pool now remembers common names and
+ will try to assign a consistent IP to a given
+ common name. Still to do: persist --ifconfig-pool
+ memory across restarts by saving state in file.
+* Fixed bug in event timer queue which could cause
+ recurring timer events such as --ping to not
+ correctly schedule again after firing. This in
+ turn would cause spurrious ping restarts and possible
+ connection outages. Thanks to Denis Vlasenko for
+ tracking this down.
+* Possible fix to reported bug where --daemon argument
+ was not printing to syslog correctly after restart.
+* Fixed bug where pulling --route or --dhcp-option
+ directives from a server would problematically
+ interact with --persist-tun on the client.
+* Updated contrib/multilevel-init.patch (Farkas Levente).
+* Added RPM build option to .spec and .spec.in files
+ to optionally disable LZO inclusion (Ian Pilcher).
+* The latest MingW runtime and headers define
+ 'ssize_t', so a patch is needed (Gisle Vanem).
+
+2004.05.14 -- Version 2.0-beta2
+
+* Fixed signal handling bug in --mode server, where
+ SIGHUP and SIGUSR1 were treated as SIGTERM.
+* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
+ Apparently the larger string may work around
+ a problem where the TAP adapter is sometimes missing
+ from the network connections panel, especially under
+ XP SP2. Also note that installing this upgrade will
+ uninstall any pre-existing TAP-Win32 adapters, and then
+ install a single new adapter, meaning that old adapter
+ properties will be lost. Thanks to Md5Chap for solving
+ this one.
+* For --mode server --dev tap, the options --ifconfig and
+ --ifconfig-pool are now optional. This allows address
+ assignment via DHCP or use of a TAP VPN without
+ IP support, as has always been possible with 1.x.
+* Fixed bug where --ifconfig may not work correctly on
+ Linux 2.2.
+* Added 'local' flag to --redirect-gateway for use on
+ networks where both OpenVPN daemons are connected
+ to a shared subnet, such as wireless.
+
+2004.05.09 -- Version 2.0-beta1
+
+* Unchanged from test29 except for version number
+ upgrade.
+
+2004.05.08 -- Version 2.0-test29
+
+* Modified --dev-node on Windows to accept a TAP-Win32
+ GUID name. In addition, --show-adapters will now
+ display the high-level name and GUID of each adapter.
+ This is an attempt to work around an issue in Windows
+ where sometimes the TAP-Win32 adapter installs correctly
+ but has no icon in the network connections control
+ panel. In such cases, being able to specify
+ --dev-node {TAP-GUID} can work around the missing icon.
+
+2004.05.07 -- Version 2.0-test28
+
+* Fixed bug which could cause segfault on program
+ shutdown if --route and --persist-tun are used
+ together.
+
+2004.05.06 -- Version 2.0-test27
+
+* Fixed bug in close_instance() which might cause
+ memory to be accessed after it had already been freed.
+* Fixed bug in verify_callback() that might have
+ caused uninitialized data to be referenced.
+* --iroute now allows full CIDR subnet routing.
+* In "--mode server --dev tun" usage, source addresses
+ on VPN packets coming from a particular client must
+ be associated with that client in the OpenVPN internal
+ routing table.
+
+2004.04.28 -- Version 2.0-test26
+
+* Optimized broadcast path in multi-client mode.
+* Added socket buffer size options --rcvbuf & --sndbuf.
+* Configure Linux tun/tap driver to use a more sensible
+ txqueuelen default. Also allow explicit setting
+ via --txqueuelen option (Harald Roelle).
+* The --remote option now allows the port number
+ to be specified as the second parameter. If
+ unspecified, the port number defaults to the
+ --rport value.
+* Multiple --remote options on the client can now be
+ specified for load balancing and failover. The
+ --remote-random flag can be used to initially randomize
+ the --remote list for basic load balancing.
+* If a remote DNS name resolves to multiple DNS addresses,
+ one will be chosen by random as a kind of basic
+ load-balancing feature if --remote-random is used.
+* Added --connect-freq option to control maximum
+ new connection frequency in multi-client mode.
+* In multi-client mode, all syslog messages associated
+ with a specific client now include a client-ID prefix.
+* For Windows, use a gettimeofday() function based
+ on QueryPerformanceCounter (Derek Burdick).
+* Fixed bug in interaction between --key-method 2
+ and DES ciphers, where dynamic keys would be generated
+ with bad parity and then be rejected.
+
+2004.04.17 -- Version 2.0-test24
+
+* Reworked multi-client broadcast handling.
+
+2004.04.13 -- Version 2.0-test23
+
+* Fixed bug in --dev tun --client-to-client routing.
+* Fixed a potential deadlock in --pull.
+* Fixed a problem with select() usage which could
+ cause a repeating sequence of "select : Invalid
+ argument (code=22)"
+
+2004.04.11 -- Version 2.0-test22
+
+* Fixed bug where --mode server + --daemon was
+ prematurely closing syslog connection.
+* Added support for --redirect-gateway on Mac OS X
+ (Jeremy Apple).
+* Minor changes to TAP-Win32 driver based on feedback
+ from the NDISTest tool.
+
+2004.04.11 -- Version 2.0-test21
+
+* Optimizations in multi-client server event loop.
+
+2004.04.10 -- Version 2.0-test20
+
+* --mode server capability now works with either tun
+ or tap interfaces. When used with tap interfaces,
+ OpenVPN will internally bridge all client tap
+ interfaces with the server tap interface.
+* Connecting clients can now have a client-specific
+ configuration on the server, based on the client
+ common name embedded in the client certificate.
+ See --client-config-dir and --client-connect.
+ These options can be used to configure client-specific
+ routes.
+* Added an option --client-to-client that enables
+ internal client-to-client routing or bridging.
+ Otherwise, clients will only "see" the server,
+ not other connected clients.
+* Fixed bug in route scheduling which would have caused
+ --mode server to not work on Windows in test18
+ and test19 with the sample config file.
+* Man page is up to date with all new options.
+* OpenVPN 2.0 release notes on web site updated
+ with tap-style tunnel examples.
+
+2004.04.02 -- Version 2.0-test19
+
+* Fixed bug where routes pushed from server were
+ not working correctly on Windows clients.
+* Added Mac OS X route patch (Jeremy Apple).
+
+2004.03.30 -- Version 2.0-test18
+
+* Minor fixes + Windows self-install modified
+ to use OpenSSL 0.9.7d.
+
+2004.03.29 -- Version 2.0-test17
+
+* Fixed some bugs related to instance timeout and deletion.
+* Extended --push/--pull option to support additional
+ option classes.
+
+2004.03.28 -- Version 2.0-test16
+
+* Successful test of --mode udp-server, --push,
+ --pull, and --ifconfig-pool with server on
+ Linux 2.4 and clients on Linux and Windows.
+
+2004.03.25 -- Version 2.0-test15
+
+* Implemented hash-table lookup of client instances
+ based either on remote UDP address/port or remote
+ ifconfig endpoint.
+* Implemented a randomized binary tree based
+ scheduler for scalably scheduling a large number
+ of client instance events. Uses the treap
+ data structure and node rotation algorithm
+ to keep the tree balanced.
+* Initial implementation of ifconfig-pool.
+* Made --key-method 2 the default.
+
+2004.03.20 -- Version 2.0-test14
+
+* Implemented --push and --pull.
+
+2004.03.20 -- Version 2.0-test13
+
+* Reduced struct tls_multi and --single-session
+ memory footprint.
+* Modified --single-session flag to be used
+ in multi-client UDP server client instances.
+
+2004.03.19 -- Version 2.0-test12
+
+* Added the key multi-client UDP server options,
+ --mode, --push, --pull, and --ifconfig-pool.
+* Revamped GC (garbage collection) code to not rely
+ on any global data.
+* Modifications to thread.[ch] to allow a more
+ flexible thread model.
+
+2004.03.16 -- Version 2.0-test11
+
+* Moved all timer code to interval.h, added new file
+ interval.c.
+* Fixed missing include.
+
+2004.03.16 -- Version 2.0-test10
+
+* More TAP-Win32 fixes.
+* Initial debugging and testing of multi.[ch].
+
+2004.03.14 -- Version 2.0-test9
+
+* Branch merge with 1.6-rc3
+* More point-to-multipoint work in multi.[ch].
+* Major TAP-Win32 driver restructuring to use
+ NdisMRegisterDevice instead of
+ IoCreateDevice/IoCreateSymbolicLink.
+* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
+ pathname prefix.
+* In the majority of cases, TAP-Win32 should now be
+ able to install and uninstall on Win2K without requiring
+ a reboot.
+* TAP-Win32 MAC address can now be explicitly set in the
+ adapter advanced properties page.
+
+2004.03.04 -- Version 2.0-test8
+
+* Branch merge with 1.6-rc2.
+
+2004.03.03 -- Version 2.0-test7
+
+* Branch merge with 1.6-rc1.2.
+
+2004.03.02 -- Version 2.0-test6
+
+* Branch merge with 1.6-rc1.
+
+2004.03.02 -- Version 2.0-test5
+
+* Move Socks5 UDP header append/remove to socks.c, and is
+ called from forward.c.
+* Moved verify statics from ssl.c into struct tls_session.
+* Wrote multi.[ch] to handle top level of point-to-multipoint
+ mode.
+* Wrote some code to allow a struct link_socket in a child context
+ to be slaved to the parent context.
+* Broke up packet read and process functions in forward.c
+ (from socket or tuntap) into separate functions for read
+ and process, so that point-to-point and point-to-multipoint can
+ share the same code.
+* Expand TLS control channel to allow the passing of configuration
+ commands.
+* Wrote mroute.[ch] to handle internal packet routing for
+ point-to-multipoint mode.
+
+2004.02.22 -- Version 2.0-test3
+
+* Initial work on UDP multi-client server.
+* Branch merge of 1.6-beta7
+
+2004.02.14 -- Version 2.0-test2
+
+* Refactorization of openvpn.c into openvpn.[ch]
+ init.[ch] forward.[ch] forward-inline.h
+ occ.[ch] occ-inline.h ping.[ch] ping-inline.h
+ sig.[ch]. Created a master per-tunnel
+ struct context in openvpn.h.
+* Branch merge of 1.6-beta6.2
+
+2003.11.06 -- Version 2.0-test1
+
+* Initial testbed for 2.0.
+
+2004.05.09 -- Version 1.6.0
+
+* Unchanged from 1.6-rc4 except for version number
+ upgrade.
+
+2004.04.01 -- Version 1.6-rc4
+
+* Made minor customizations to devcon and
+ renamed as tapinstall.exe for Windows version.
+* Fixed "storage size of `iv' isn't known" build
+ problem on FreeBSD.
+* OpenSSL 0.9.7d bundled with Windows self-install.
+
+2004.03.13 -- Version 1.6-rc3
+
+* Minor Windows fixes for --ip-win32 dynamic, relating to
+ the way the TAP-Win32 driver responds to a DHCP request
+ from the Windows DHCP client.
+* The net_gateway environmental variable wasn't being
+ set correctly for called scripts (Paul Zuber).
+* Added code to determine the default gateway on FreeBSD,
+ allowing the --redirect-gateway option to work
+ (Juan Rodriguez Hervella).
+
+2004.03.04 -- Version 1.6-rc2
+
+* Fixed bug in Windows version where the NetBIOS node-type
+ DHCP option might have been passed even if it was not
+ specified.
+* Fixed bug in Windows version introduced in 1.6-rc1, where
+ DHCP timeout would be set to 0 seconds if --ifconfig option
+ was used and --ip-win32 option was not explicitly specified.
+* Added some new --dhcp-option types for Windows version.
+
+2004.03.02 -- Version 1.6-rc1
+
+* For Windows, make "--ip-win32 dynamic" the default.
+* For Windows, make "--route-delay 10" the default
+ unless --ip-win32 dynamic is not used or --route-delay
+ is explicitly specified.
+* L_TLS mutex could have been left in a locked state
+ for certain kinds of TLS errors.
+
+2004.02.22 -- Version 1.6-beta7
+
+* Allow scheduling priority increase (--nice) together
+ with UID/GID downgrade (--user/--group).
+* Code that causes SIGUSR1 restart on TLS errors in TCP
+ mode was not activated in pthread builds.
+* Save the certificate serial number in an environmental
+ variable called tls_serial_{n} prior to calling the
+ --tls-verify script. n is the current cert chain level.
+* Added NetBSD IPv6 tunnel capability (also requires
+ a kernel patch) (Horst Laschinsky).
+* Fixed bug in checking the return value of the nice()
+ function (Ian Pilcher).
+* Bug fix in new FreeBSD IPv6 over TUN code which was
+ originally added in 1.6-beta5 (Nathanael Rensen).
+* More Socks5 fixes -- extended the struct frame
+ infrastructure to accomodate proxy-based encapsulation
+ overhead.
+* Added --dhcp-option to Windows version for setting
+ adapter properties such as WINS & DNS servers.
+* Use a default route-delay of 5 seconds when
+ --ip-win32 dynamic is specified (only applicable when
+ --route-delay is not explicitly specified).
+* Added "log_append" registry variable to control
+ whether the OpenVPN service wrapper on Windows
+ opens log files in append (log_append="1") or
+ truncate (log_append="0") mode. The default
+ is truncate.
+
+2004.02.05 -- Version 1.6-beta6
+
+* UDP over Socks5 fix to accomodate Socks5 encapsulation
+ overhead (Christof Meerwald).
+* Minor --ip-win32 dynamic tweaks (use long lease time,
+ invalidate existing lease with DHCPNAK).
+
+2004.02.01 -- Version 1.6-beta5
+
+* Added Socks5 proxy support (Christof Meerwald).
+* IPv6 tun support for FreeBSD (Thomas Glanzmann).
+* Special TAP-Win32 debug mode for Windows self-install that was
+ enabled in beta4 is now turned off.
+* Added some new Solaris notes to INSTALL (Koen Maris).
+* More work on --ip-win32 dynamic.
+
+2004.01.27 -- Version 1.6-beta4
+
+* For this beta, the Windows self-install is a debug version
+ and will run slower -- use only for testing.
+* Reverted the --ip-win32 default back to 'ipapi'
+ from 'dynamic'.
+* Added the offset parameter to '--ip-win32 dynamic' which
+ can be used to control the address of the masqueraded
+ DHCP server which replies to Windows DHCP requests.
+* Added a wait/nowait option to --inetd (nowait can only
+ be used with TCP sockets, TLS authentication, and over
+ a bridged configuration -- see FAQ for more info)
+ (Stefan `Sec` Zehl).
+* Added a build-time capability where TAP-Win32 driver
+ debug messages can be output by OpenVPN at --verb 6
+ or higher.
+
+2004.01.20 -- Version 1.6-beta2
+
+* Added ./configure --enable-iproute2 flag which
+ uses iproute2 instead of route + ifconfig --
+ this is necessary for the LEAF Linux distro
+ (Martin Hejl).
+* Added renewal-time and rebind-time to set of
+ DHCP options returned by the TAP-Win32 driver when
+ "--ip-win32 dynamic" is used.
+
+2004.01.14 -- Version 1.6-beta1
+
+* Fixed --proxy bug that sometimes caused plaintext
+ control info generated by the proxy prior to http
+ CONNECT method establishment to be incorrectly
+ parsed as OpenVPN data.
+* For Windows version, implemented the
+ "--ip-win32 dynamic" method and made it the default.
+ This method sets the TAP-Win32 adapter IP address
+ and netmask by replying to the kernel's DHCP queries.
+ See the man page for more detailed info.
+* Added --connect-retry parameter which controls
+ the time interval (in seconds) between connect()
+ retries when --proto tcp-client is used. Previously,
+ this value was hardcoded to 5 seconds, and still
+ defaults as such.
+* --resolv-retry can now be used with a parameter
+ of "infinite" to retry indefinitely.
+* Added SSL_CTX_use_certificate_chain_file() to ssl.c
+ for support of multi-level certificate chains
+ (Sten Kalenda).
+* Fixed --tls-auth incompatibility with 1.4.x and earlier
+ versions of OpenVPN when the passphrase file is an
+ OpenVPN static key file (as generated by --genkey).
+* Added shell-escape support in config files using
+ the backslash character ("\") so that (for example)
+ double quotes can be passed to the shell.
+* Added "contrib" subdirectory on tarball, source zip,
+ and CVS containing user-submitted contributions.
+* Added an optional patch to the Redhat init script to
+ allow the configuration file directory to be a
+ multi-level directory hierarchy (Farkas Levente).
+ See contrib/multilevel-init.patch
+* Added some scripts and documentation on using
+ Linux "fwmark" iptables rules to enable
+ fine-grained routing control over the VPN
+ (Sean Reifschneider, <jafo@tummy.com>).
+ See contrib/openvpn-fwmarkroute-1.00
+
+2003.11.20 -- Version 1.5.0
+
+* Minor documentation changes.
+
+2003.11.04 -- Version 1.5-beta14
+
+* Fixed build problem with ./configure --disable-ssl
+ that was reported on Debian woody.
+* Fixed bug where --redirect-gateway could not be used
+ together with --resolv-retry.
+
+2003.11.03 -- Version 1.5-beta13
+
+* Added CRL (certificate revocation list) capability using
+ --crl-verify option (Stefano Bracalenti).
+* Added --replay-window option for variable replay-protection
+ window sizes.
+* Fixed --fragment bug which might have caused certain large
+ packets to be sent unfragmented.
+* Modified --secret and --tls-auth to permit different cipher and
+ HMAC keys to be used for each data flow direction. Also
+ increased static key file size generated by --genkey from
+ 1024 to 2048 bits, where 512 bits each are reserved for
+ send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
+ and backward compatibility is maintained. See --secret option
+ documentation on the man page for more info.
+* Added --tls-remote option (Teemu Kiviniemi).
+* Fixed --tls-cipher documention regarding correct delimiter
+ usage (Teemu Kiviniemi).
+* Added --key-method option for selecting alternative data
+ channel key negotiation methods. Method 1 is the default.
+ Method 2 has been added (see man page for more info).
+* Added French translation of HOWTO to web site
+ (Guillaume Lehmann).
+* Fixed problem caused by late resolver library load on
+ certain platforms when --resolv-retry and --chroot are
+ used together (Teemu Kiviniemi).
+* In TCP mode, all decryption or TLS errors will abort the current
+ connection (this is not done in UDP mode because UDP is
+ "connectionless").
+* Fixed a TCP client reconnect bug that only occurs on the
+ BSDs, where connect() fails with an invalid argument. This
+ bug was partially (but not completely) fixed in beta7.
+* Added "route_net_gateway" environmental variable which contains
+ the pre-existing default gateway address from the routing table
+ (there's no standard API for getting the default gateway, so
+ right now this feature only works on Windows or Linux).
+* Renamed the "route_default_gateway" enviromental variable to
+ "route_vpn_gateway" -- this is the remote VPN endpoint.
+* The special keywords vpn_gateway, net_gateway, and remote_host
+ can now be used for the network or gateway components of the
+ --route option. See the man page for more info.
+* Added the --redirect-gateway option to configure the VPN
+ as the default gateway (implemented on Linux and Windows only).
+* Added the --http-proxy option with basic authentication
+ support for use in TCP client mode. Successfully tested
+ using Squid as the HTTP proxy, with and without authentication.
+
+2003.10.12 -- Version 1.5-beta12
+
+* Fixed Linux-only bug in --mktun and --rmtun which was
+ introduced around beta8 or so, which would cause
+ an error such as "I don't recognize device tun0 as a
+ tun or tap device1".
+* Added --ifconfig-nowarn option to disable options
+ consistency warnings about --ifconfig parameters.
+* Don't allow any kind of sequence number backtracking or
+ message reordering when in TCP mode.
+* Changed beta naming convention to use '_' (underscore)
+ rather than '-' (dash) to pacify rpmbuild.
+
+2003.10.08 -- Version 1.5-beta11
+
+* Modified code in the Windows version which sets the IP address
+ and netmask of the TAP-Win32 adapter using the IP Helper API.
+ Most of the changes involve better error recovery when
+ the IP Helper API returns an error status. See the
+ manual page entry on --ip-win32 for more info.
+
+2003.10.08 -- Version 1.5-beta10
+
+* Added getpass() function for Windows version so that --askpass
+ option works correctly (Stefano Bracalenti).
+* Added reboot advisory to end of Win32 install script.
+* Changed crypto code to use pseudo-random IVs rather than
+ carrying forward the IV state from the previous packet.
+ This is in response to item 2 in the following document:
+ http://www.openssl.org/~bodo/tls-cbc.txt which points
+ out weaknesses in TLS's use of the same IV carryforward
+ approach. This change does not break protocol compatibility
+ with previous versions of OpenVPN.
+* Made a change to the crypto replay protection code to also
+ protect against certain kinds of packet reordering attacks.
+ This change does not break protocol compatibility with
+ previous versions of OpenVPN.
+* Added --ip-win32 option to provide several choices for
+ setting the IP address on the TAP-Win32 adapter.
+* #ifdefed out non-CBC crypto modes by default.
+* Added --up-delay option to delay TUN/TAP open and --up script
+ execution until after connection establishment. This option
+ replaces the earlier windows-only option --tap-delay.
+
+2003.10.01 -- Version 1.5-beta9
+
+* Fixed --route-noexec bug where option was not parsed correctly.
+* Complain if --dev tun is specified without --ifconfig on Windows.
+* Fixed bug where TCP connections on windows would sometimes cause
+ an assertion failure.
+* Added a new flag to TAP-Win32 advanced properties that allows one
+ to set the adapter to be always "connected" even when an OpenVPN
+ process doesn't have it open. The default behavior is to report
+ a media status of connected only when an OpenVPN process has the
+ adapter open.
+* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
+ DLLs in response to an OpenSSL security advisory.
+
+2003.09.30 -- Version 1.5-beta8
+
+* Extended the --ifconfig option to work on tap devices as well
+ as tun devices.
+* Implemented the --ifconfig option for Windows, by calling the
+ netsh tool.
+* By default, do an "arp -d *" on Windows after TAP-Win32 open to
+ refresh the MAC cache. This behaviour can be disabled with
+ --no-arp-del.
+* On Windows, allow the --dev-node parameter (which specifies
+ the name of the TAP-Win32 adapter) to be omitted in cases where
+ there is a single TAP-Win32 adapter on the system which can be
+ assumed to be the default.
+* Modified the diagnostic --verb 5 debugging level to print 'R'
+ for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
+ and 'w' for TUN/TAP write.
+* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
+ mode.
+* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
+* Make the --enable-mtu-dynamic ./configure option enabled by
+ default.
+* Deprecated the --mtu-dynamic run-time option, in favor of
+ --fragment.
+* DNS names can now be used as --ifconfig parameters.
+* Significant work on TAP-Win32 driver to bring up to SMP standards.
+* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
+ unloaded or disabled, while a user-space process has it open.
+* On Windows, if --tun-mtu is not specified, it will be read from
+ the TAP-Win32 driver via ioctl.
+* On Windows, added TAP-Win32 driver status info to "F2" keyboard
+ signal (only when run from a console window).
+* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
+* Renamed --mtu-dynamic option to --fragment to more accurately
+ reflect its function. Fragment accepts a single parameter which
+ is the upper limit on acceptable UDP packet size.
+* Changed default --tun-mtu-extra parameter to 32 from 64.
+* Eliminated reference to malloc.o in configure.ac.
+* Added tun device emulation to the TAP-Win32 driver.
+* Added --route and related options.
+* Added init script for SuSE Linux (Frank Plohmann).
+* Extended option consistency check between peers to function
+ in all crypto modes, including static-key and cleartext modes.
+ Previously only TLS mode was supported. Disable with
+ --disable-occ.
+* Overall, increased the amount of configuration option sanity
+ checking, especially of networking parameters.
+* Added --mtu-test option for empirical MTU measurement.
+* Added Windows-only option --tap-delay to not set the TAP-Win32
+ adapter media state to 'connected' until TCP/UDP connection
+ establishment with peer.
+* Slightly modified --route/--route-delay semantics so that when
+ --route is given without --route-delay, routes are added
+ immediately after tun/tap device open. When --route-delay is
+ specified, routes will be added n seconds after connection
+ initiation, where n is the --route-delay parameter (which
+ can be set to 0).
+* Made TCP framing error into a non-fatal error that triggers a
+ connection reset.
+
+2003.08.28 -- Version 1.5-beta7
+
+* Fixed bug that caused OpenVPN not to respond to exit/restart
+ signals when --resolv-retry is used and a local or remote DNS
+ name cannot be resolved.
+* Exported a series of environmental variables with useful
+ info for scripts. See man page for more info. Based
+ on a suggestion by Anthony Ciaravalo.
+* Moved TCP/UDP socket bind to a point in the initialization
+ before the --up script gets called. This is desirable
+ because (a) a socket bind failure will happen before
+ daemonization, allowing an error status code to be returned
+ to the shell and (b) the possibility is eliminated of a
+ socket bind failure causing the --up script to be run
+ but not the --down script. This change has a side effect
+ that --resolv-retry will no longer work with --local.
+* Fixed bug where if an OpenVPN TCP server went down and back
+ up again, Solaris or FreeBSD clients would fail to reconnect
+ to it.
+* Fixed bug that prevented OpenVPN from being run by
+ inetd/xinetd in TCP mode.
+* Added --log and --log-append options for logging messages to
+ a file.
+* On Windows, check that the current user is a member of the
+ Administrator group before attempting install or uninstall.
+
+2003.08.16 -- Version 1.5-beta6
+
+* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
+
+2003.08.14 -- Version 1.5-beta5
+
+* Added user-configurability of the TAP-Win32 adapter MTU
+ through the adapter advanced properties page.
+* Added Windows Service support.
+* On Windows, added file association and right-clickability
+ for .ovpn files (OpenVPN config files).
+
+2003.08.05 -- Version 1.5-beta4
+
+* Extra refinements and error checking added to Windows
+ NSIS install script.
+
+2003.08.05 -- Version 1.5-beta3
+
+* Added md5.h include to crypto.c to fix build problem on
+ OpenBSD.
+* Created a Win32 installer using NSIS.
+* Removed DelService command from TAP-Win32 INF file. It appears
+ to be not necessary and it interfered with the ability to
+ uninstall and reinstall the driver without needing to reboot.
+* On Windows version, added "addtap" and "deltapall" batch
+ files to add and delete TAP-Win32 adapter instances.
+
+2003.07.31 -- Version 1.5-beta2
+
+* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
+ in Windows ASCII so it's easier to click and view.
+* Added postscript and PDF versions of the HOWTO to the web
+ site (C R Zamana).
+* Merged Michael Clarke's stability patch into TAP-Win32
+ driver which appears to fix the suspend/resume driver bug
+ and significantly improve driver stability.
+* Added Christof Meerwald's Media Status patch to the
+ TAP-Win32 driver which shows the TAP adapter to be
+ disconnected when OpenVPN is not running.
+* Moved socket connect and TCP server listen code to a later
+ point in openvpn() function so that the TCP server listen
+ state is entered after daemonization.
+* Added keyboard shortcuts to simulate signals in the Windows
+ version, see the window title bar for descriptions.
+
+2003.07.24 -- Version 1.5-beta1
+
+* Added TCP support via the new --proto option.
+* Renamed udp-centric options such as --udp-mtu to
+ --link-mtu (old option names preserved for compatibility).
+* Ported to Windows 2000 + XP using mingw and a TAP driver
+ derived from the Cipe-Win32 project by Damion K. Wilson.
+* Added --show-adapters flag for windows version.
+* Reworked the SSL/TLS packet acknowledge code to better
+ handle certain corner cases.
+* Turned off the default enabling of IP forwarding in the
+ sample-scripts/openvpn.init script for Redhat.
+ Forwarding can be enabled by users in their --up scripts
+ or firewall config.
+* Added --up-restart option based on suggestion from Sean
+ Reifschneider.
+* If --dev tap or --dev-type tap is specified, --tun-mtu
+ defaults to 1500 and --tun-mtu-extra defaults to 64.
+* Enabled --verb 5 debugging mode that prints 'R' and 'W'
+ for each packet read or write on the TCP/UDP socket.
+
+2003.08.04 -- Version 1.4.3
+
+* Added md5.h include to crypto.c
+ to fix build problem on OpenBSD.
+
+2003.07.15 -- Version 1.4.2
+
+* Removed adaptive bandwidth from
+ --mtu-dynamic -- its absence appears
+ to work better than its existence (1.4.1.2).
+* Minor changes to --shaper to fix long
+ retransmit timeouts at low bandwidth
+ (1.4.1.2).
+* Added LOG_RW flag to openvpn.h for
+ debugging (1.4.1.2).
+* Silenced spurious configure warnings (1.4.1.2).
+* Backed out --dev-name patch, modified --dev
+ to offer equivalent functionality (1.4.1.4).
+* Added an optional parameter to --daemon and
+ --inetd to support the passing of a custom
+ program name to the system logger (1.4.1.5).
+* Add compiled-in options to the program title
+ (1.4.1.5).
+* Coded the beginnings of a WIN32 port (1.4.1.5).
+* Succeeded in porting to Win32 Mingw environment
+ and running loopback tests (1.4.1.6). Still
+ need a kernel driver for full Win32
+ functionality.
+* Fixed a bug in error.h where
+ HAVE_CPP_VARARG_MACRO_GCC was misspelled.
+ This would have caused a significant slowdown
+ of OpenVPN when built by compilers that
+ lack ISO C99 vararg macros (1.4.1.6).
+* Created an init script for Gentoo Linux
+ in ./gentoo directory (1.4.1.6).
+
+2003.05.15 -- Version 1.4.1
+
+* Modified the Linux 2.4 TUN/TAP open code to
+ fall back to the 2.2 TUN/TAP interface if the
+ open or ioctl fails.
+* Fixed bug when --verb is set to 0 and non-fatal
+ socket errors occur, causing 100% CPU utilization.
+ Occurs on platorms where
+ EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
+ such as Linux 2.4.
+* Fixed typo in tun.c that was preventing
+ OpenBSD build.
+* Added --enable-mtu-dynamic configure option
+ to enable --mtu-dynamic experimental option.
+
+2003.05.07 -- Version 1.4.0
+
+* Added --replay-persist feature to allow replay
+ protection across sessions.
+* Fixed bug where --ifconfig could not be used
+ with --tun-mtu.
+* Added --tun-mtu-extra parameter to deal with
+ the situation where a read on a TUN/TAP device
+ returns more data than the device's MTU size.
+* Fixed bug where some IPv6 support code for
+ Linux was not being properly ifdefed out for
+ Linux 2.2, causing compile errors.
+* Added OPENVPN_EXIT_STATUS_x codes to
+ openvpn.h to control which status value
+ openvpn returns to its caller (such as
+ a shell or inetd/xinetd) for various conditions.
+* Added OPENVPN_DEBUG_COMMAND_LINE flag to
+ openvpn.h to allow debugging in situations
+ where stdout, stderr, and syslog cannot be used
+ for message output, such as when OpenVPN is
+ instantiated by inetd/xinetd.
+* Removed owner-execute permission from file
+ created by static key generator (Herbert Xu
+ and Alberto Gonzalez Iniesta).
+* Added --passtos option to allow IPv4 TOS bits
+ to be passed from TUN/TAP input packets to
+ the outgoing UDP socket (Craig Knox).
+* Added code to prevent open socket file descriptors
+ from being accessible to called scripts.
+* Added --dev-name option (Christian Lademann).
+* Added --mtu-disc option for manual control
+ over MTU options.
+* Show OS MTU value on UDP socket write failures
+ (linux only).
+* Numerous build system and portability
+ fixes (Matthias Andree).
+* Added better sensing of compiler support for
+ variable argument macros, including (a) gcc
+ style, (b) ISO C 1999 style, and (c) no support.
+* Removed generated files from CVS. Note INSTALL
+ file for new CVS build commands.
+* Changed certain internal symbol names
+ for C standards compliance.
+* Added TUN/TAP open code to cycle dynamically
+ through unit numbers until it finds a free
+ unit (based on code from Thomas Gielfeldt
+ and VTun).
+* Added dynamic MTU and fragmenting infrastructure
+ (Experimental). Rebuild with FRAGMENT_ENABLE
+ defined to enable.
+* Minor changes to SSL/TLS negotiation, use
+ exponential backoff on retransmits, and use
+ a smaller MTU size (note that no protocol
+ changes have been made which would break
+ compatibility with 1.3.x).
+* Added --enable-strict-options flag
+ to ./configure. This option will cause
+ a more strict check for options compatibility
+ between peers when SSL/TLS negotiation is used,
+ but should only be used when both OpenVPN peers
+ are of the same version.
+* Reorganization of debugging levels.
+* Added a workaround in configure.ac for
+ default SSL header location on Linux
+ to fix RH9 build problem.
+* Fixed potential deadlock when pthread support
+ is used on OSes that allocate a small socketpair()
+ message buffer.
+* Fixed openvpn.init to be sh compliant
+ (Bishop Clark).
+* Changed --daemon to wait until all
+ initialization is finished before becoming a
+ daemon, for the benefit of initialization
+ scripts that want a useful return status from
+ the openvpn command.
+* Made openvpn.init script more robust, including
+ positive indication of initialization errors
+ in the openvpn daemon and better sanity checks.
+* Changed --chroot to wait until initialization
+ is finished before calling chroot(), and allow
+ the use of --user and --group with --chroot.
+* When syslog logging is enabled (--daemon or
+ --inetd), set stdin/stdout/stderr to point
+ to /dev/null.
+* For inetd instantiations, dup socket descriptor
+ to a >2 value.
+* Fixed bug in verify-cn script, where test would
+ incorrectly fail if CN=x was the last component
+ of the X509 composite string (Anonymous).
+* Added Markus F.X.J. Oberhumer's special
+ license exception to COPYING.
+
+2002.10.23 -- Version 1.3.2
+
+* Added SSL_CTX_set_client_CA_list call
+ to follow the canonical form for TLS initialization
+ recommended by the OpenSSL docs. This change allows
+ better support for intermediate CAs and has no impact
+ on security.
+* Added build-inter script to easy-rsa package, to
+ facilitate the generation of intermediate CAs.
+* Ported to NetBSD (Dimitri Goldin).
+* Fixed minor bug in easy-rsa/sign-req. It refers to
+ openssl.cnf file, instead of $KEY_CONFIG, like all
+ other scripts (Ernesto Baschny).
+* Added --days 3650 to the root CA generation command
+ in the HOWTO to override the woefully small 30 day
+ default (Dominik 'Aeneas' Schnitzer).
+* Fixed bug where --ping-restart would sometimes
+ not re-resolve remote DNS hostname.
+* Added --tun-ipv6 option and related infrastructure
+ support for IPv6 over tun.
+* Added IPv6 over tun support for Linux (Aaron Sethman).
+* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
+ INSTALL (Matthias Andree).
+* Added inetd/xinetd support (--inetd) including
+ documentation in the HOWTO.
+* Added "Important Note on the use of commercial certificate
+ authorities (CAs) with OpenVPN" to HOWTO based on
+ issues raised on the openvpn-users list.
+
+2002.07.10 -- Version 1.3.1
+
+* Fixed bug in openvpn.spec and openvpn.init
+ which caused RPM upgrade to fail.
+
+2002.07.10 -- Version 1.3.0
+
+* Added --dev-node option to allow explicit selection of
+ tun/tap device node.
+* Removed mlockall call from child thread, as it doesn't
+ appear to be necessary (child thread inherits mlockall
+ state from parent).
+* Added --ping-timer-rem which causes timer for --ping-exit
+ and --ping-restart not to run unless we have a remote IP
+ address.
+* Added condrestart to openvpn.init and openvpn.spec
+ (Bishop Clark).
+* Added --ifconfig case for FreeBSD (Matthias Andree).
+* Call openlog with facility=LOG_DAEMON (Matthias Andree).
+* Changed LOG_INFO messages to LOG_NOTICE.
+* Added warning when key files are group/others accessible.
+* Added --single-session flag for TLS mode.
+* Fixed bug where --writepid would segfault if used with
+ an invalid filename.
+* Fixed bug where --ipchange status message was formatted
+ incorrectly.
+* Print more concise error message when system() call
+ fails.
+* Added --disable-occ option.
+* Added --local, --remote, and --ifconfig options sanity
+ check.
+* Changed default UDP MTU to 1300 and TUN/TAP MTU to
+ 1300.
+* Successfully tested with OpenSSL 0.9.7 Beta 2.
+* Broke out debug level definitions to errlevel.h
+* Minor documentation and web site changes.
+* All changes maintain protocol compatibility
+ with OpenVPN versions since 1.1.0, however default
+ MTU changes will require setting the MTU explicitly
+ by command line option, if you want 1.3.0 to
+ communicate with previous versions.
+
+2002.06.12 -- Version 1.2.1
+
+* Added --ping-restart option to restart
+ connection on ping timeout using SIGUSR1
+ logic (Matthias Andree).
+* Added --persist-tun, --persist-key,
+ --persist-local-ip, and --persist-remote-ip
+ options for finer-grained control over SIGUSR1
+ and --ping-restart restarts. To
+ replicate previous SIGUSR1 functionality,
+ use --persist-remote-ip.
+* Changed residual IV fetching code to take
+ IV from tail of ciphertext.
+* Added check to make sure that CFB or OFB
+ cipher modes are only used with SSL/TLS
+ authentication mode, and added a caveat
+ to INSTALL.
+* Changed signal handling during initialization
+ (including re-initialization during restarts)
+ to exit on SIGTERM or SIGINT and ignore other
+ signals which would ordinarily be caught.
+* Added --resolv-retry option to allow
+ retries on hostname resolution.
+* Expanded the --float option to also
+ allow dynamic changes in source port number
+ on incoming datagrams.
+* Added --mute option to limit repetitive
+ logging of similar message types.
+* Added --group option to downgrade GID
+ after initialization.
+* Try to set ifconfig path automatically
+ in configure.
+* Added --ifconfig code for Mac OS X
+ (Christoph Pfisterer).
+* Moved "Peer Connection Initiated" message
+ to --verb level 1.
+* Successfully tested with
+ OpenSSL 0.9.7 Beta 1 and AES cipher.
+* Added RPM notes to INSTALL.
+* Added ACX_PTHREAD (from the autoconf
+ macro archive) to configure.ac
+ to figure out the right pthread
+ options for a given platform.
+* Broke out macro definitions from
+ configure.ac to acinclude.m4.
+* Minor changes to docs and HOWTO.
+* All changes maintain protocol compatibility
+ with OpenVPN versions since 1.1.0.
+
+2002.05.22 -- Version 1.2.0
+
+* Added configuration file support via
+ the --config option.
+* Added pthread support to improve latency.
+ With pthread support, OpenVPN
+ will offload CPU-intensive tasks such as RSA
+ key number crunching to a background thread
+ to improve tunnel packet forwarding
+ latency. pthread support can be enabled
+ with the --enable-pthread configure option.
+ Pthread support is currently available
+ only for Linux and Solaris.
+* Added --dev-type option so that tun/tap
+ device names don't need to begin with
+ "tun" or "tap".
+* Added --writepid option to write main
+ process ID to a file.
+* Numerous portability fixes to ease
+ porting to other OSes including changing
+ all network types to uint8_t and uint32_t,
+ and not assuming that time_t is 32 bits.
+* Backported to OpenSSL 0.9.5.
+* Ported to Solaris.
+* Finished OpenBSD port except for
+ pthread support.
+* Added initialization script:
+ sample-scripts/openvpn.init
+ (Douglas Keller)
+* Ported to Mac OS X (Christoph Pfisterer).
+* Improved resilience to DoS attacks when
+ TLS mode is used without --remote or
+ --tls-auth, or when --float is used
+ with --remote. Note however that the best
+ defense against DoS attacks in TLS mode
+ is to use --tls-auth.
+* Eliminated automake/autoconf dependency
+ for non-developers.
+* Ported configure.in to configure.ac
+ and autoconf 2.50+.
+* SIGHUP signal now causes OpenVPN to restart
+ and re-read command line and or config file,
+ in conformance with canonical daemon behaviour.
+* SIGUSR1 now does what SIGHUP did in
+ version 1.1.1 and earlier -- close and reopen
+ the UDP socket for use when DHCP changes
+ host's IP address and preserve most recently
+ authenticated peer address without rereading
+ config file.
+* SIGUSR2 added -- outputs current statistics,
+ including compression statistics.
+* All changes maintain protocol compatibility
+ with 1.1.1 and 1.1.0.
+
+2002.04.22 -- Version 1.1.1
+
+* Added --ifconfig option to automatically configure
+ TUN device.
+* Added inactivity disconnect (--inactive
+ and --ping-exit options).
+* Added --ping option to keep stateful firewalls
+ from timing out.
+* Added sanity check to command line parser to
+ err if any TLS options are used in non-TLS mode.
+* Fixed build problem with compiler environments that
+ define printf as a macro.
+* Fixed build problem on linux systems that have
+ an integrated TUN/TAP driver but lack the persistent
+ tunnel feature (TUNSETPERSIST). Some linux kernels
+ >= 2.4.0 and < 2.4.7 fall into this category.
+* Changed all calls to EVP_CipherInit to use explicit
+ encrypt/decrypt mode in order to fix problem with
+ IDEA-CBC and AES-256-CBC ciphers.
+* Minor changes to control channel transmit limiter
+ algorithm to fix problem where TLS control channel
+ might not renegotiate within the default 60 second window.
+* Simplified man page examples by taking advantage
+ of the new --ifconfig option.
+* Minor changes to configure.in to check more
+ rigourously for OpenSSL 0.9.6 or greater.
+* Put back openvpn.spec, eliminated
+ openvpn.spec.in.
+* Modified openvpn.spec to reflect new automake-based
+ build environment (Bishop Clark).
+* Other documentation changes.
+* Added --test-crypto option for debugging.
+* Added "missing" and "mkinstalldirs" automake
+ support files.
+
+
+2002.04.09 -- Version 1.1.0
+
+* Strengthened replay protection and IV handling,
+ extending it fully to both static key and
+ TLS dynamic key exchange modes.
+* Added --mlock option to disable paging and ensure that key
+ material and tunnel data is never paged to disk.
+* Added optional traffic shaping feature to cap the maximum
+ data rate of the tunnel.
+* Converted to automake (The Platypus Brothers 2002-04-01).
+* Ported to OpenBSD by Janne Johansson.
+* Added --tun-af-inet option to work around an incompatibility
+ between Linux and BSD tun drivers.
+* Sequence number-based replay protection using the
+ IPSec sliding window model is now the default,
+ disable with --no-replay.
+* Explicit IV is now the default, disable with --no-iv.
+* Disabled all cipher modes except CBC, CFB, and OFB.
+* In CBC mode, use explicit IV and carry forward residuals,
+ using IPSec model.
+* In CFB/OFB mode, IV is timestamp, sequence number.
+* Eliminated --packet-id, --timestamp, and max-delta parameter to
+ the --tls-auth option as they are now supplanted by improved
+ replay code which is enabled by default.
+* Eliminated --rand-iv as it is now obsolete with improved
+ IV code.
+* Eliminated --reneg-err option as it increases vulnerability
+ to DoS attacks.
+* Added weak key check for DES ciphers.
+* --tls-freq option is no longer specified on the command line,
+ instead it now inherits its parameter from the
+ --tls-timeout option.
+* Fixed bug that would try to free memory on exit that was
+ never malloced if --comp-lzo was not specified.
+* Errata fixed in the man page examples: "test-ca" should be
+ "tmp-ca".
+* Updated manual page.
+* Preliminary work in porting to OpenSSL 0.9.7.
+* Changed license to allowing linking with OpenSSL.
+
+2002.03.29 -- Version 1.0.3
+
+* Fixed a problem in configure with library ordering on the
+ command line.
+
+2002.03.28 -- Version 1.0.2
+
+* Improved the efficiency of the inner event loop.
+* Fixed a minor bug with timeout handling.
+* Improved the build system to build on RH 6.2 through 7.2.
+* Added an openvpn.spec file for RPM builders (Bishop Clark).
+
+2002.03.23 -- Version 1.0
+
+* Added TLS-based authentication and key exchange.
+* Added gremlin mode to stress test.
+* Wrote man page.
+
+2001.12.26 -- Version 0.91
+
+* Added any choice of cipher or HMAC digest.
+
+2001.5.13 -- Version 0.90
+
+* Initial release.
+* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.
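Review bot: several spelling errors in the added entries should be fixed before this ChangeLog lands: "enviromental variable" in the entry just before 1.5-beta12 should be "environmental variable", "platorms" in the 1.4.1 entry should be "platforms", "rigourously" in the 1.1.1 entry should be "rigorously", and "Changed license to allowing linking with OpenSSL" in the 1.1.0 entry should read "to allow linking". The 1.4.3 and 1.4.2 entries (dated 2003.08.04 and 2003.07.15) also appear after 1.5-beta1 (2003.07.24), breaking the otherwise reverse-chronological order; a short heading marking them as the 1.4.x maintenance branch, or interleaving them by date, would keep readers from assuming the dates are wrong. One documentation point worth a sentence: the 1.5-beta10 entry says the switch to pseudo-random IVs in response to http://www.openssl.org/~bodo/tls-cbc.txt "does not break protocol compatibility with previous versions of OpenVPN", but it does not say whether a mixed-version tunnel still carries the IV-carryforward weakness on the older side; stating that explicitly (as the 1.1.0 entry does for its replay and IV changes) would tell operators whether they need to upgrade both peers to get the benefit.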