diff options
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 2102 |
1 files changed, 2102 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog new file mode 100644 index 0000000..f70ed1d --- /dev/null +++ b/ChangeLog @@ -0,0 +1,2102 @@ +OpenVPN +Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> + +$Id$ + +2005.09.25 -- Version 2.0.3-rc1 + +* openvpn_plugin_abort_v1 function wasn't being properly + registered on Windows. +* Fixed a bug where --mode server --proto tcp-server --cipher none + operation could cause tunnel packet truncation. + +2005.08.25 -- Version 2.0.2 + +* No change from 2.0.2-rc1. + +2005.08.24 -- Version 2.0.2-rc1 + +* Fixed regression bug in Win32 installer, introduced in 2.0.1, + which incorrectly set OpenVPN service to autostart. +* Don't package source code zip file in Windows installer + in order to reduce the size of the installer. The source + zip file can always be downloaded separately if needed. +* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD + version of get_default_gateway. Allocated socket for route + manipulation is never freed so number of mbufs continuously + grow and exhaust system resources after a while (Jaroslav Klaus). +* Fixed bug where "--proto tcp-server --mode p2p --management + host port" would cause the management port to not respond until + the OpenVPN peer connects. +* Modified pkitool script to be /bin/sh compatible (Johnny Lam). + +2005.08.16 -- Version 2.0.1 + +* Security Fix -- DoS attack against server when run with "verb 0" and + without "tls-auth". If a client connection to the server fails + certificate verification, the OpenSSL error queue is not properly + flushed, which can result in another unrelated client instance on the + server seeing the error and responding to it, resulting in disconnection + of the unrelated client (CAN-2005-2531). +* Security Fix -- DoS attack against server by authenticated client. + This bug presents a potential DoS attack vector against the server + which can only be initiated by a connected and authenticated client. + If the client sends a packet which fails to decrypt on the server, + the OpenSSL error queue is not properly flushed, which can result in + another unrelated client instance on the server seeing the error and + responding to it, resulting in disconnection of the unrelated client + (CAN-2005-2532). +* Security Fix -- DoS attack against server by authenticated client. + A malicious client in "dev tap" ethernet bridging mode could + theoretically flood the server with packets appearing to come from + hundreds of thousands of different MAC addresses, causing the OpenVPN + process to deplete system virtual memory as it expands its internal + routing table. A --max-routes-per-client directive has been added + (default=256) to limit the maximum number of routes in OpenVPN's + internal routing table which can be associated with a given client + (CAN-2005-2533). +* Security Fix -- DoS attack against server by authenticated client. + If two or more client machines try to connect to the server at the + same time via TCP, using the same client certificate, and when + --duplicate-cn is not enabled on the server, a race condition can + crash the server with "Assertion failed at mtcp.c:411" + (CAN-2005-2534). +* Fixed server bug where under certain circumstances, the client instance + object deletion function would try to delete iroutes which had never been + added in the first place, triggering "Assertion failed at mroute.c:349". +* Added --auth-retry option to prevent auth errors from being fatal + on the client side, and to permit username/password requeries in case + of error. Also controllable via new "auth-retry" management interface + command. See man page for more info. +* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0 +* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1' + would fail to build. +* Implement "make check" to perform loopback tests (Matthias Andree). + +2005.07.21 -- Version 2.0.1-rc7 + +* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree). +* Include linux/types.h before checking for linux/errqueue.h (Matthias + Andree). + +2005.07.15 -- Version 2.0.1-rc6 + +* Commented out "user nobody" and "group nobody" in sample + client/server config files. +* Allow '@' character to be used in --client-config-dir + file names. + +2005.07.04 -- Version 2.0.1-rc5 + +* Windows version will log a for-further-info URL when + initialization sequence is completed with errors. +* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile + to control whether auth-pam plugin links to PAM via + dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing + behavior should be preserved. DLOPEN_PAM=0 is the preferred + setting to link via -lpam, but DLOPEN_PAM=1 works around + a bug in SuSE 9.1 (and possibly other distros as well) + where the PAM modules are not linked with -lpam. See + thread on openvpn-devel for more discussion about this + patch (Simon Perreault). + +2005.06.15 -- Version 2.0.1-rc4 + +* Support LZO 2.00, including changes to configure script to + autodetect LZO version. + +2005.06.12 -- Version 2.0.1-rc3 + +* Fixed a bug which caused standard file handles to not be closed + after daemonization when --plugin and --daemon are used together, + and if the plugin initialization function forks (as does auth-pam + and down-root) (Simon Perreault). +* Added client-side up/down scripts in contrib/pull-resolv-conf + for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS" + on Linux/Unix systems (Jesse Adelman). +* Fixed bug where if client-connect scripts/plugins were cascaded, + and one (but not all) of them returned an error status, there might + be cases where for an individual script/plugin, client-connect was + called but not client-disconnect. The goal of this fix is to + ensure that if client-connect is called on a given client instance, + then client-disconnect will definitely be called. A potential + complication of this fix is that when client-connect functions are + cascaded, it's possible that the client-disconnect function would + be called in cases where the related client-connect function returned + an error status. This fix should not alter OpenVPN behavior when + scripts/plugins are not cascaded. +* Changed the hard-to-reproduce "Assertion failed at fragment.c:312" + fatal error to a warning: "FRAG: outgoing buffer is not empty". + Need more info on how to reproduce this one. +* When --duplicate-cn is used, the --ifconfig-pool allocation + algorithm will now allocate the first available IP address. +* When --daemon and --management-hold are used together, + OpenVPN will daemonize before it enters the management hold state. + +2005.05.16 -- Version 2.0.1-rc2 + +* Modified vendor test in openvpn.spec file to match against + "Mandrakesoft" in addition to "MandrakeSoft". +* Using --iroute in a --client-config-dir file while in --dev tap + mode is not currently supported and will produce a warning + message. Fixed bug where in certain cases, in addition to + generating a warning message, this combination of options + would also produce a fatal assertion in mroute.c. +* Pass --auth-user-pass username to server-side plugin without + performing any string remapping (plugins, unlike scripts, + don't get any security benefit from string remapping). + This is intended to fix an issue with openvpn-auth-pam/pam_winbind + where backslash characters in a username ('\') were being remapped + to underscore ('_'). +* Updated OpenSSL DLLs in Windows build to 0.9.7g. +* Documented --explicit-exit-notify in man page. +* --explicit-exit-notify seconds parameter defaults to 1 if + unspecified. + +2005.04.30 -- Version 2.0.1-rc1 + +* Fixed bug where certain kinds of fatal errors after + initialization (such as port in use) would leave plugin + processes (such as openvpn-auth-pam) still running. +* Added optional openvpn_plugin_abort_v1 plugin function for + closing initialized plugin objects in the event of a fatal + error by main OpenVPN process. +* When the --remote list is > 1, and --resolv-retry is not + specified (meaning that it defaults to "infinite"), apply the + infinite timeout to the --remote list as a whole, but try each + list item only once before moving on to the next item. +* Added new --syslog directive which redirects output + to syslog without requiring the use of the --daemon or --inetd + directives. +* Added openvpn.spec option to allow RPM to be built with support + for passwords read from a file: + rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1' + +2005.04.17 -- Version 2.0 + +* Fixed minor options string typo in options.c. + +2005.04.10 -- Version 2.0-rc21 + +* Change license description from "GPL Version 2 or (at your + option) any later version" to just "GPL Version 2". + +2005.04.04 -- Version 2.0-rc20 + +* Dag Wieers has put together an OpenVPN/LZO binary RPM set with + excellent distro/version coverage for RH/EL/Fedora, though + using his own SPEC. I modified openvpn.spec to follow some of + the same conventions such as putting sample scripts and doc + files in %doc rather than /usr/share/openvpn. +* Minor change to init scripts to run the user-defined script + /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN + configs are started, and to run /etc/openvpn/openvpn-shutdown + after all OpenVPN configs have been stopped. The + openvpn-startup script can be used for stuff like + insmod tun.o, setting up firewall rules, or starting + ethernet bridges. + +2005.03.29 -- Version 2.0-rc19 + +* Omit additions of routes where the network and + gateway are equal and the netmask is 255.255.255.255. + This can come up if you are using both + server/ifconfig-pool and client-config-dir with + ifconfig-push static addresses for some subset of clients + which directly reference the server IP address as the + remote endpoint. + +2005.03.28 -- Version 2.0-rc18 + +* Packaged Windows installer with OpenSSL 0.9.7f. +* Built Windows installer with NSIS 2.06. + +2005.03.12 -- Version 2.0-rc17 + +* "MANAGEMENT: CMD" log file output will now only occur + at --verb 7 or greater. +* Added an optional name/value configuration list to + the openvpn-auth-pam plugin module argument list. See + plugin/auth-pam/README for documentation. This is necessary + in order for openvpn-auth-pam to work with queries generated + by arbitrary PAM modules. +* In both auth-pam and down-root plugins, in the forked process, + a read error on the parent process socket is no longer fatal. +* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'. + A conditional test of the vendor has been added to + Require the appropriately named 'lzo' (liblzo1 / lzo). + (Tom Walsh - http://openhardware.net) + + +2005.02.20 -- Version 2.0-rc16 + +* Fixed bug introduced in rc13 where Windows service wrapper + would be installed with a startup type of Automatic. + This fix restores the previous behavior of installing + with a startup type of Manual. + +2005.02.19 -- Version 2.0-rc15 + +* Added warning when --keepalive is not used in a server + configuration. +* Don't include OpenSSL md4.h file if we are not building + NTLM proxy support (Waldemar Brodkorb). +* Added easy-rsa/build-key-pkcs12 and + easy-rsa/Windows/build-key-pkcs12.bat scripts + (Mathias Sundman). + +2005.02.16 -- Version 2.0-rc14 + +* Fixed small memory leak that occurs when --crl-verify + is used. +* Upgraded Windows installer and .nsi script to NSIS 2.05 + (Mathias Sundman). +* Changed #include backslash usage in cryptoapi.c to use + forward slashes instead (Gisle Vanem). +* Created easy-rsa/revoke-full to handle revocations in + a single step: (a) revoke crt, (b) regenerate CRL, and + (c) verify that revocation succeeded. +* Renamed easy-rsa/Windows/revoke-key to revoke-full so + that both *nix and Windows scripts are equivalent. + +2005.02.11 -- Version 2.0-rc13 + +* Improve human-readability of local/remote options + diff, when inconsistencies are present. +* For Windows easy-rsa, distribute vars.bat.sample and + openssl.cnf.sample, then copy them to their normal + filenames (without the .sample) when init-config.bat + is run. This is to prevent OpenVPN upgrades from + wiping out vars.bat and openssl.cnf edits. +* Modified service wrapper (Windows) to use a + case-insensitive search when scanning for .ovpn files + in \Program Files\OpenVPN\config. Prior versions + required an all-lower-case .ovpn file extension. +* Miscellaneous service wrapper code cleanup. +* If --user/--group is used on Windows, treat it + as a no-op with a warning (this makes it easier to + distribute the same client config file to Windows + and *nix users). +* Warn if --ifconfig-pool-persist is used with + --duplicate-cn. + +2005.02.05 -- Version 2.0-rc12 + +* Removed some debugging code inadvertently included + in rc11 which would print the --auth-user-pass + username/password provided by clients in the server + logfile. +* Client code for cycling through --remote list will + retry the last address which successfully authenticated + before moving on through the list. +* Windows installer will now install sample configuration + files in \Program Files\OpenVPN\sample-configs as well + as generate a start menu shortcut to this directory. +* Minor type change in buffer.[ch] to work around char-type + ambiguity bug. Caused management interface lock-ups on + ARM when building with armv4b-hardhat-linux-gcc 2.95.3. + +2005.02.03 -- Version 2.0-rc11 + +* Windows installer will now install easy-rsa directory + in \Program Files\OpenVPN +* Allow syslog facility to be controlled at compile time, + e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern). +* Changed certain shell scripts in distribution to use + #!/bin/sh rather than #!/bin/bash for better portability. +* If --ifconfig-pool-persist seconds parameter is 0, treat + persist file as an allocation of fixed IP addresses + (previous versions took IP-to-common-name associations + from this list as hints, not mandatory static allocations). +* Fixed bug on *nix where if --auth-user-pass and --log + were used together, the username prompt would be sent to + the log file rather than /dev/tty. +* Spurious text in openvpn.8 detected by doclifter + (Eric S. Raymond). +* Call closelog later on daemon kill so that process + exit message is written to syslog. + +2005.01.27 -- Version 2.0-rc10 + +* When ./configure is run with plugins enabled (the default), + check whether or not dlopen exists in libc before testing + for libdl. This is to fix an issue on FreeBSD and possibly + other OSes which bundle libdl functions in libc. +* On Windows, filter initial WSAEINVAL warning which occurs + on the initial read attempt of an unbound socket. +* The easy-rsa scripts build-key, build-key-pass, and + build-key-server will now chmod the .key file + to 0600. This is in addition to the fact the generated + keys directory has always been similarly protected + (Pete Harlan). + +2005.01.23 -- Version 2.0-rc9 + +* Fixed error "ROUTE: route addition failed using + CreateIpForwardEntry ..." on Windows when --redirect-gateway + is used over a RRAS internet link. +* When using --route-method exe on Windows, include the + gateway parameter on route delete commands (Mathias Sundman). +* Try not to do a hard reset (i.e. SIGHUP) when two + SIGUSR1 signals are received in close succession. +* If the push list tries to grow beyond its buffer capacity, + the resulting error will be non-fatal. +* To increase the push list capacity (must be done on both + client and server), increase TLS_CHANNEL_BUF_SIZE in + common.h (default=1024). + +2005.01.15 -- Version 2.0-rc8 + +* Fixed bug introduced in rc7 where options error + "--auth-user-pass requires --pull" might occur even + if --pull was correctly specified. +* Changed management interface code to bind once + to TCP socket, rather than rebinding after every + client disconnect. +* Added "disable" directive for client-config-dir + files. +* Windows binary install is now distributed with + OpenSSL 0.9.7e. +* Query the management interface for --http-proxy + username/password if authfile is set to "stdin". +* Added current OpenVPN version number to "Unrecognized + option or missing parameter" error message. +* Added "-extensions server" to "openssl req" command + in easy-rsa/build-key-server (Nir Yeffet). + +2005.01.10 -- Version 2.0-rc7 + +* Fixed bug in management interface which could cause + 100% CPU utilization in --proto tcp-server mode + on all *nix OSes except for Linux 2.6. +* --ifconfig-push now accepts DNS names as well as + IP addresses. +* Added sanity check errors when --pull or + --auth-user-pass is used in an incorrect mode. +* Updated man page entries for --client-connect and + --ifconfig-push. +* Added "String Types and Remapping" section to man + page to consisely document the way which OpenVPN + may convert certain types of characters in strings + to ('_'). +* Modified bridging description in HOWTO to emphasize + the fact that bridging allows Windows file and print + sharing without a WINS server (Charles Duffy). + +2004.12.20 -- Version 2.0-rc6 + +* Improved checking for epoll support in ./configure + to fix false positive on RH9 (Jan Just Keijser). +* Made the "MULTI TCP: I/O wait required blocking in + multi_tcp_action, action=7" error nonfatal and replaced + with "MULTI: Outgoing TUN queue full, dropped packet". + So far the issue only seems to occur on Linux 2.2 + in --mode server --proto tcp mode. It occurs when + the TUN/TAP driver locks up and refuses to accept + new packet writes for a second or more. +* Fixed bug where if a --client-config-dir file tried + to include another file using "config", and if that + include failed, OpenVPN would abort with a fatal + error. Now such inclusion failures will be logged + but are no longer fatal. +* Global changes to the way that packet buffer alignment + is handled. Previously we didn't care about alignment + and took care, when handling 16 and 32 bit words + in buffers, to always use alignment-safe transfers. + This approach appears to be inadequate on some + architectures such as alpha. The new approach is + to initialize packet buffers in a way that anticipates + how component structures will be allocated within + them, to maintain correct alignment. +* Added --dhcp-option DISABLE-NBT to disable NetBIOS + over TCP (Jan Just Keijser). +* Added --http-proxy-option directive for controlling + miscellaneous HTTP proxy options. +* Management state will no longer transition to "WAIT" + during TLS renegotiations. + +2004.12.16 -- Version 2.0-rc5 + +* The --client-config-dir option will now try to open + a default file called "DEFAULT" if no file matching + the common name of the incoming client was found. +* The --client-connect script/plugin can now veto client + authentication by returning a failure code. +* The --learn-address script/plugin can now prevent a + client-instance/address association from being learned + by returning a failure code. +* Changed RPM group in .spec file to Applications/Internet. + +2004.12.14 -- Version 2.0-rc4 + +* SuSE only -- Fixed interaction between openvpn.spec and + suse/openvpn.init where the .spec file was writing the + OpenVPN binary to a different location than where the + .init script was referencing it (Stefan Engel). +* Solaris only -- Split Solaris ifconfig command into two + parts (Jan Just Keijser). +* Some cleanup in add_option(). +* Better error checking on input dotted quad IP addresses. +* Verify that --push argument is quoted, if there is + more than one. +* More miscellaneous option sanity checks. + +2004.12.13 -- Version 2.0-rc3 + +* On Windows, when --log or --log-append is used, + save the original stderr for username and password + prompts. +* Fixed a bug introduced in the late 2.0 betas where + if a "verb" parameter >= 16 was used, it would be + ignored and the actual verb level would remain at 1. +* Fixed a bug mostly seen on OS X where --management-hold + or --management-query-passwords would cause the management + interface to be unresponsive to incoming client connections. +* Trigger an options error if one of the management-modifying + options is used without "management" itself. + +2004.12.12 -- Version 2.0-rc2 + +* Amplified warnings in documentation about possible + man-in-the-middle attack when clients do not properly + verify server certificate. Changes to easy-rsa README, + FAQ, HOWTO, man page, and sample client config file. +* Added a warning message if --tls-client or --client + is used without also specifying one of either + --ns-cert-type, --tls-remote, or --tls-verify. +* status_open() fixes for MSVC builds (Blaine Fleming). +* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared" + compiler error which has been reported on some platforms. +* The openvpn.spec file for rpmbuild has several + new build-time options. See comments in the file. +* Plugins are now built and packaged in the RPM and + will be saved in /usr/share/openvpn/plugin/lib. +* Added --management-hold directive to start OpenVPN + in a hibernating state until released by the + management interface. Also added "hold" command + to the management interface. + +2004.12.07 -- Version 2.0-rc1 + +* openvpn.spec workaround for SuSE confusion regarding + /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel). + +2004.12.05 -- Version 2.0-beta20 + +* The ability to read --askpass and --auth-user-pass + passwords from a file has been disabled by default. + To re-enable, use ./configure --enable-password-save. +* Added additional pre-connected states to management + interface. See management/management-notes.txt + for more info. +* State history is now recorded by the management + interface, and the "state" command now works like + the log or echo commands. +* State history and real-time state change notifications + are now prepended with an integer unix timestamp. +* Added --http-proxy-timeout option, previously + the timeout was hardcoded to 5 seconds. + +2004.12.02 -- Version 2.0-beta19 + +* Fixed bug in management interface line termination + where output lines incorrectly contained a \00 char + after the customary \0d \0a. +* Fixed bug introduced in beta18 where Windows version + would segfault on options errors. +* Fixed bug in management interface where an empty + quoted string ("") entered as a parameter would cause + a segfault. +* Fixed bug where --resolv-retry was not working + properly with multiple --remote hosts. +* Added additional ./configure options to reduce + executable size for embedded applications. + See ./configure --help. + +2004.11.28 -- Version 2.0-beta18 + +* Added management interface. See new --management-* + options or the full management interface documentation + in management/management-notes.txt in the tarball. + Management interface inclusion can be disabled by + ./configure --disable-management. +* Added two new plugin modules: auth-pam and down-root. + Auth-pam supports pam-based authentication using a + split privilege execution model, while down-root enables + a down script to be executed with root privileges, even + when --user/--group is used to drop root privileges. + See the plugin directory in the tarball for READMEs, + source code, and Makefiles. +* Plugin developers should note that some changes were + made to the plugin interface since beta17. See + openvpn-plugin.h for details. + Plugin interface inclusion can be disabled with + ./configure --disable-plugins +* Added easy-rsa/build-key-server script which will + build a certificate with with nsCertType=server. +* Added --ns-cert-type option for verification + of nsCertType field in peer certificate. +* If --fragment n is specified and --mssfix is specified + without a parameter, default --mssfix to n. This restores + the 1.6 behavior when using --mssfix without a parameter. +* Fixed SSL context initialization bug introduced in beta14 + where this error might occur on restarts: "Cannot load + certificate chain ... PEM_read_bio:no start line". + +2004.11.11 -- Version 2.0-beta17 + +* Changed default port number to 1194 per IANA official + port number assignment. +* Added --plugin directive which allows compiled + modules to intercept script callbacks. See + plugin folder in tarball for more info. +* Fixed bug introduced in beta12 where --key-method 1 + authentications which should have succeeded would fail. +* Ignore SIGUSR1 during DNS resolution. +* Added SuSE support to openvpn.spec (Umberto Nicoletti). +* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna' + Runestig). + +2004.11.07 -- Version 2.0-beta16 + +* Modified sample-scripts/auth-pam.pl to get username + and password from OpenVPN via a file rather than + via environmental variables. +* Added bytes_sent and bytes_received environmental + variables to be set prior to client-disconnect script. +* Changed client virtual IP derivation precedence: + (1) use --ifconfig-push directive from --client-connect + script, (2) use --ifconfig-push directive from + --client-config-dir, and (3) use --ifconfig-pool + address. +* If a --client-config-dir file specifies --ifconfig-push, + it will be visible to the --client-connect-script in + the ifconfig_pool_remote_ip environmental variable. +* For tun-style tunnels, the ifconfig_pool_local_ip + environmental variable will be set, while for + tap-style tunnels, the ifconfig_pool_netmask variable + will be set. +* Added intelligence to autoconf script to test + compiler for the accepted form of zero-length arrays. +* Fixed a bug introduced in beta12 where --ip-win32 + netsh would fail if --dev-node was not explicitly + specified. +* --ip-win32 netsh will now work on hidden adapters. +* Fix attempt of "Assertion failed at crypto.c:149". + This assertion has also been reported on 1.x with a + slightly different line number. The fix is twofold: + (1) In previous releases, --mtu-test may trigger this + assertion -- this bug has been fixed. (2) If something + else causes the assertion to be thrown, don't panic, + just output a nonfatal warning to the log and drop + the packet which generated the error. +* Support TAP interfaces on Mac OS X (Waldemar Brodkorb). +* Added --echo directive. +* Added --auth-nocache directive. + +2004.10.28 -- Version 2.0-beta15 + +* Changed environmental variable character classes + so that names must consist of alphanumeric or + underbar chars and values must consist of printable + characters. Illegal chars will be deleted. + Versions prior to 2.0-beta12 were more restrictive + and would map spaces to '.'. +* On Windows, when the TAP adapter fails to + initialize with the correct IP address, output + "Initialization Sequence Completed with Errors" + to the console or log file. +* Added a warning when user/group/chroot is used + without persist-tun and persist-key. +* Added cryptoapi.[ch] to tarball and source zip. +* --tls-remote option now works with common name + prefixes as well as with the full X509 subject + string. This is a useful alternative to using + a CRL on the client. +* common names associated with a static + --ifconfig-push setting will no longer leave + any state in the --ifconfig-pool-persist file. +* Hard TLS errors (TLS handshake failed) will now + trigger either a SIGUSR1 signal by default + or SIGTERM (if --tls-exit is specified). In TCP + mode, all TLS errors are considered to be hard. + In server mode, the signal will be local to the + client instance. +* Added method parameter to --auth-user-pass-verify + directive to select whether username/password + is passed to script via environment or a temporary + file. +* Added --status-version option to control format + of --status file. The --mode server + --status-version 2 format now includes a line + type token, the virtual IP address is shown + in the client list (even in --dev tap mode), + and the integer time_t value is shown anywhere + an ascii-formatted time/date is also shown. +* Added --remap-usr1 directive which can be used + to control whether internally or externally + generated SIGUSR1 signals are remapped to + SIGHUP (restart without persisting state) or + SIGTERM (exit). +* When running as a Windows service (using + --service option), check the exit event before + and after reading one line of input from + stdin, when reading username/password info. +* For developers: Extended the --gremlin function + to better stress-test the new 2.0 features, + added Valgrind support on Linux and Dmalloc + support on Windows. + +2004.10.19 -- Version 2.0-beta14 + +* Fixed a bug introduced in Beta12 that would occur + if you use a --client-connect script without also + defining --tmp-dir. +* Fixed a bug introduced in Beta12 where a learn-address + script might segfault on the delete method. +* Added Crypto API support in Windows version via + the --cryptoapicert option (Peter 'Luna' Runestig). + +2004.10.18 -- Version 2.0-beta13 + +* Fixed an issue introduced in Beta12 where the private + key password would not be prompted for unless --askpass + was explicitly specified in the config. + +2004.10.17 -- Version 2.0-beta12 + +* Added support for username/password-based authentication. + Clients can now authentication themselves with the server + using either a certificate, a username/password, or both. + New directives: --auth-user-pass, --auth-user-pass-verify, + --client-cert-not-required, and --username-as-common-name. +* Added NTLM proxy patch (William Preston). +* Added --ifconfig-pool-linear server flag to allocate + individual tun addresses for clients rather than /30 + subnets (won't work with Windows clients). +* Modified --http-proxy code to cache username/password + across restarts. +* Modified --http-proxy code to read username/password + from the console when the auth file is given as "stdin". +* Modified --askpass to take an optional filename argument. +* --persist-tun and --persist-key now work in client mode + and can be pushed to clients as well. +* Added --ifconfig-pool-persist directive, to maintain + ifconfig-pool info in a file which is persistent across + daemon instantiations. +* --user and --group privilege downgrades as well as + --chroot now also work in client mode (the + dowgrade/chroot will be delayed until the initialization + sequence is completed). +* Added --show-engines standalone directive to show + available OpenSSL crypto accelerator engine support. +* --engine directive now accepts an optional engine-ID + parameter to control which engine is used. +* "Connection reset, restarting" log message now shows + which client is being reset. +* Added --dhcp-pre-release directive in Windows version. +* Second parm to --ip-win32 can be "default", e.g. + --ip-win32 dynamic default 60. +* Fixed documentation bug regarding environmental + variable settings for --ifconfig-pool IP addresses. + The correct environmental variable names are: + ifconfig_pool_local_ip and ifconfig_pool_remote_ip. +* ifconfig_pool_local_ip and ifconfig_pool_remote_ip + environmental variables are now passed to the + client-disconnect script. +* In server mode, environmental variables are now scoped + according to the client they are associated with, + to solve the problem of "crosstalk" between different + client's environmental variable sets. +* Added --down-pre flag to cause --down script to be + called before TUN/TAP close (rather than after). +* Added --tls-exit flag which will cause OpenVPN + to exit on any TLS errors. +* Don't push a route to a client if it exactly + matches an iroute (this lets you push routes to + all clients, and OpenVPN will automatically remove + the route from the route push list only for that client + which the route actually belongs to). +* Made '--resolv-retry infinite' the default. + --resolv-retry can be disabled by using a parameter of 0. +* For clients which plan to pull config info from server, + set an initial default ping-restart of 60 seconds. +* Optimized mute code to lessen the load on the processor + when messages are being muted at a higher frequency. +* Made route log messages non-mutable. +* Silence the Linux "No buffer space available" message. +* Added miscellaneous additional option sanity checks. +* Added Windows version of easy-rsa scripts in + easy-rsa/Windows directory (Andrew J. Richardson). +* Added NetBSD route patch (Ed Ravin). +* Added OpenBSD patch for TAP + --redirect-gateway + (Waldemar Brodkorb). +* Directives which prompt for a username and/or password + will now work with --daemon (OpenVPN will prompt + before forking). +* Warn if CRL is from a different issuer than the + issuer of the peer certificate (Bernhard Weisshuhn). +* Changed init script chkconfig parameters to start + OpenVPN daemon(s) before NFS. +* Bug fix attempt of "too many I/O wait events" which occurs + on OSes which prefer select() over poll() such as Mac OS X. +* Added --ccd-exclusive flag. This flag will require, as a + condition of authentication, that a connecting client has + a --client-config-dir file. +* TAP-Win32 open code will attempt to open a free adapter + if --dev-node is not specified (Mathias Sundman). +* Resequenced --nice and --chroot ordering so that --nice + occurs first. +* Added --suppress-timestamps flag (Charles Duffy). +* Source code changes to allow compilation by MSVC + (Peter 'Luna' Runestig). +* Added experimental --fast-io flag which optimizes + TUN/TAP/UDP writes on non-Windows systems. + +2004.08.18 -- Version 2.0-beta11 + +* Added --server, --server-bridge, --client, and + --keepalive helper directives. See client.conf + and server.conf in sample-config-files for sample + configurations which use the new directives. +* On Windows, added --route-method to control + whether IP Helper API or route.exe is used + to add/delete routes. +* On Windows, added a second parameter to + --route-delay to control the maximum time period + to wait for the TAP-Win32 adapter to come up + before adding routes. +* Fixed bug in Windows version where configurations + which omit --ifconfig might fail to recognize when + the TAP adapter is up. +* Proxy connection failures will now retry according + to the --connect-retry parameter. +* Fixed --dev null handling on Windows so that TLS + loopback test described in INSTALL file works + correctly on Windows. +* Added "Initialization Sequence Completed" message + after all initialization steps have been completed + and the VPN can be considered "up". +* Better sanity-checking on --ifconfig-pool parameters. +* Added --tcp-queue-limit option to control + TUN/TAP -> TCP socket overflow. +* --ifconfig-nowarn flag will now silence general + warnings about possible --ifconfig address + conflicts, including the warning about --ifconfig + and --remote addresses being in same /24 subnet. +* Fixed case where server mode did not correctly + identify certain types of ethernet multicast packets + (Marcel de Kogel). +* Added --explicit-exit-notify option (experimental). + +2004.08.02 -- Version 2.0-beta10 + +* Fixed possible reference after free of option strings + after a restart, bug was introduced in beta8. +* Fixed segfault at route.c:919 in the beta9 + Windows version that was being caused by indirection + through a NULL pointer. +* Mistakenly built debug version of TAP-Win32 driver + for beta9. Beta10 has correct release build. + +2004.07.30 -- Version 2.0-beta9 + +* Fixed --route issue on Windows that was introduced with + the new beta8 route implementation based on the + IP Helper API. + +2004.07.27 -- Version 2.0-beta8 + +* Added TCP support in server mode. +* Added PKCS #12 support (Mathias Sundman). +* Added patch to make revoke-crt and make-crl work + seamlessly within the easy-rsa environment (Jan Kiszka). +* Modified --mode server ethernet bridge code to forward + special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX. +* Added --dhcp-renew and --dhcp-release flags to Windows + version. Normally DHCP renewal and release on the TAP + adapter occurs automatically under Windows, however + if you set the TAP-Win32 adapter Media Status property + to "Always Connected", you may need these flags. +* Added --show-net standalone flag to Windows version to + show OpenVPN's view of the system adapter and routing + tables. +* Added --show-net-up flag to Windows version to output + the system routing table and network adapter list to + the log file after the TAP-Win32 adapter has been brought + up and any routes have been added. +* Modified Windows version to add routes using the IP Helper + API rather than by calling route.exe. +* Fixed bug where --route-up script was not being called + if no --route options were specified. +* Added --mute-replay-warnings to suppress packet replay + warnings. This is a common false alarm on WiFi nets. +* Added "def1" flag to --redirect-gateway option to override + the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 + rather than 0.0.0.0/0. This has the benefit of overriding + but not wiping out the original default gateway. + (Thanks to Jim Carter for pointing out this idea). +* You can now run OpenVPN with a single config file argument. + For example, you can now say "openvpn config.conf" + rather than "openvpn --config config.conf". +* On Windows, made --route and --route-delay more adaptive + with respect to waiting for interfaces referenced by the + route destination to come up. Routes added by --route + should now be added as soon as the interface comes up, + rather than after an obligatory 10 second delay. The + way this works internally is that --route-delay now + defaults to 0 on Windows. Previous versions would + wait for --route-delay seconds then add the routes. + This version will wait --route-delay seconds and then + test the routing table at one second intervals for the + next 30 seconds and will not add the routes until they + can be added without errors. +* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by + default on TCP/UDP socket in light of reports that this + action can have undesirable global side effects on the + MTU settings of other adapters. These parameters can + still be set, but you need to explicitly specify + --sndbuf and/or --rcvbuf. +* Added --max-clients option to limit the maximum number + of simultaneously connected clients in server mode. +* Added error message to illuminate shell escape gotcha when + single backslashes are used in Windows path names. +* Added optional netmask parm to --ifconfig-pool. +* Fixed bug where http-proxy connect retry attempts were + incorrectly going to the remote OpenVPN server, + not to the HTTP proxy server. + +2004.06.29 -- Version 2.0-beta7 + +* Fixed bug in link_socket_verify_incoming_addr() which + under certain circumstances could have caused --float + behavior even if --float was not specified. +* --tls-auth option now works with --mode server. + All clients and the server should use the same + --tls-auth key when operating in client/server mode. +* Added --engine option to make use of OpenSSL-supported + crypto acceleration hardware. +* Fixed some high verbosity print format size issues + in event.c for 64 bit platforms (Janne Johansson). +* Made failure to open --log or --log-append file + a non-fatal error. + +2004.06.23 -- Version 2.0-beta6 + +* Fixed Windows installer to intelligently put + up a reboot dialog only if tapinstall tells + us that it's really necessary. +* Fixed "Assertion failed at fragment.c:309" + bug when --mode server and --fragment are used + together. +* Ignore HUP, USR1, and USR2 signals during + initialization. Prior versions would abort. +* Fixed bug on OS X: "Assertion failed at event.c:406". +* Added --service option to Windows version, for use + when OpenVPN is being programmatically instantiated + by another process (see man page for info). +* --log and --log-append options now work on Windows. +* Update OpenBSD INSTALL notes (Janne Johansson). +* Enable multicast on tun interface when running on + OpenBSD (Pavlin Radoslavov). +* Fixed recent --test-crypto breakage, where options + such as --cipher were not being parsed correctly. +* Modified options compatibility string by removing + ifconfig substring if it is empty. Incremented + options compatibility string version number to 4. +* Fixed typo in --tls-timeout option parsing + (Mikael Lonnroth). + +2004.06.13 -- Version 2.0-beta5 + +* Fixed rare --mode server crash that could occur + if data was being routed to a client at + high bandwidth at the precise moment that the + client instance object on the server was being + deleted. +* Fixed issue on machines which have epoll.h and + the epoll_create glibc call defined, but which + don't actually implement epoll in the kernel. + OpenVPN will now gracefully fall back to the + poll API in this case. +* Fixed Windows bug which would cause the following + error in a --mode server --dev tap configuration: + "resource limit WSA_MAXIMUM_WAIT_EVENTS has been + exceeded". +* Added CRL (certificate revocation list) management + scripts to easy-rsa directory (Jon Bendtsen). +* Do a better job of getting the ifconfig component + of the options consistency check to work correctly + when --up-delay is used. +* De-inlined some functions which were too complex + to be inlined anyway with gcc. +* If a --dhcp-option option is pushed to a non-windows + client, the option will be saved in the client's + environment before the --up script is called, under + the name "foreign_option_{n}". +* Added --learn-address script (see man page) which + allows for firewall access through the VPN to be + controlled based on the client common name. +* In mode --server mode, when a client connects to + the server, the server will disconnect any + still-active clients which use the same common + name. Use --duplicate-cn flag to revert to + previous behavior of allowing multiple clients + to concurrently connect with the same common name. + +2004.06.08 -- Version 2.0-beta4 + +* Fixed issue with beta3 where Win32 service wrapper + was keying off of old TAP HWID as a dependency. To + ensure that the new service wrapper is correctly + installed, the Windows install script will uninstall + the old wrapper before installing the new one, + causing a reset of service properties. +* Fixed permissions issue on --status output file, + with default access permissions of owner read/write + only (default permissions can be changed of course with + chmod). + +2004.06.05 -- Version 2.0-beta3 + +* More changes to TAP-Win32 driver's INF file which + affects the placement of the driver in the Windows + device namespace. This is done to work around an + apparent bug in Windows when short HWIDs are used, + and will also ease the upgrade from 1.x to 2.0 by + reducing the chances that a reboot will be needed + on upgrade. Like beta2, this upgrade will + delete existing TAP-Win32 interfaces, and reinstall + a single new interface with default properties. +* Major rewrite of I/O event wait layer in the style + of libevent. This is a precursor to TCP support + in --mode server. +* New feature: --status. Outputs a SIGUSR2-like + status summary to a given file, updated once + per n seconds. The status file is comma delimited + for easy machine parsing. +* --ifconfig-pool now remembers common names and + will try to assign a consistent IP to a given + common name. Still to do: persist --ifconfig-pool + memory across restarts by saving state in file. +* Fixed bug in event timer queue which could cause + recurring timer events such as --ping to not + correctly schedule again after firing. This in + turn would cause spurrious ping restarts and possible + connection outages. Thanks to Denis Vlasenko for + tracking this down. +* Possible fix to reported bug where --daemon argument + was not printing to syslog correctly after restart. +* Fixed bug where pulling --route or --dhcp-option + directives from a server would problematically + interact with --persist-tun on the client. +* Updated contrib/multilevel-init.patch (Farkas Levente). +* Added RPM build option to .spec and .spec.in files + to optionally disable LZO inclusion (Ian Pilcher). +* The latest MingW runtime and headers define + 'ssize_t', so a patch is needed (Gisle Vanem). + +2004.05.14 -- Version 2.0-beta2 + +* Fixed signal handling bug in --mode server, where + SIGHUP and SIGUSR1 were treated as SIGTERM. +* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV". + Apparently the larger string may work around + a problem where the TAP adapter is sometimes missing + from the network connections panel, especially under + XP SP2. Also note that installing this upgrade will + uninstall any pre-existing TAP-Win32 adapters, and then + install a single new adapter, meaning that old adapter + properties will be lost. Thanks to Md5Chap for solving + this one. +* For --mode server --dev tap, the options --ifconfig and + --ifconfig-pool are now optional. This allows address + assignment via DHCP or use of a TAP VPN without + IP support, as has always been possible with 1.x. +* Fixed bug where --ifconfig may not work correctly on + Linux 2.2. +* Added 'local' flag to --redirect-gateway for use on + networks where both OpenVPN daemons are connected + to a shared subnet, such as wireless. + +2004.05.09 -- Version 2.0-beta1 + +* Unchanged from test29 except for version number + upgrade. + +2004.05.08 -- Version 2.0-test29 + +* Modified --dev-node on Windows to accept a TAP-Win32 + GUID name. In addition, --show-adapters will now + display the high-level name and GUID of each adapter. + This is an attempt to work around an issue in Windows + where sometimes the TAP-Win32 adapter installs correctly + but has no icon in the network connections control + panel. In such cases, being able to specify + --dev-node {TAP-GUID} can work around the missing icon. + +2004.05.07 -- Version 2.0-test28 + +* Fixed bug which could cause segfault on program + shutdown if --route and --persist-tun are used + together. + +2004.05.06 -- Version 2.0-test27 + +* Fixed bug in close_instance() which might cause + memory to be accessed after it had already been freed. +* Fixed bug in verify_callback() that might have + caused uninitialized data to be referenced. +* --iroute now allows full CIDR subnet routing. +* In "--mode server --dev tun" usage, source addresses + on VPN packets coming from a particular client must + be associated with that client in the OpenVPN internal + routing table. + +2004.04.28 -- Version 2.0-test26 + +* Optimized broadcast path in multi-client mode. +* Added socket buffer size options --rcvbuf & --sndbuf. +* Configure Linux tun/tap driver to use a more sensible + txqueuelen default. Also allow explicit setting + via --txqueuelen option (Harald Roelle). +* The --remote option now allows the port number + to be specified as the second parameter. If + unspecified, the port number defaults to the + --rport value. +* Multiple --remote options on the client can now be + specified for load balancing and failover. The + --remote-random flag can be used to initially randomize + the --remote list for basic load balancing. +* If a remote DNS name resolves to multiple DNS addresses, + one will be chosen by random as a kind of basic + load-balancing feature if --remote-random is used. +* Added --connect-freq option to control maximum + new connection frequency in multi-client mode. +* In multi-client mode, all syslog messages associated + with a specific client now include a client-ID prefix. +* For Windows, use a gettimeofday() function based + on QueryPerformanceCounter (Derek Burdick). +* Fixed bug in interaction between --key-method 2 + and DES ciphers, where dynamic keys would be generated + with bad parity and then be rejected. + +2004.04.17 -- Version 2.0-test24 + +* Reworked multi-client broadcast handling. + +2004.04.13 -- Version 2.0-test23 + +* Fixed bug in --dev tun --client-to-client routing. +* Fixed a potential deadlock in --pull. +* Fixed a problem with select() usage which could + cause a repeating sequence of "select : Invalid + argument (code=22)" + +2004.04.11 -- Version 2.0-test22 + +* Fixed bug where --mode server + --daemon was + prematurely closing syslog connection. +* Added support for --redirect-gateway on Mac OS X + (Jeremy Apple). +* Minor changes to TAP-Win32 driver based on feedback + from the NDISTest tool. + +2004.04.11 -- Version 2.0-test21 + +* Optimizations in multi-client server event loop. + +2004.04.10 -- Version 2.0-test20 + +* --mode server capability now works with either tun + or tap interfaces. When used with tap interfaces, + OpenVPN will internally bridge all client tap + interfaces with the server tap interface. +* Connecting clients can now have a client-specific + configuration on the server, based on the client + common name embedded in the client certificate. + See --client-config-dir and --client-connect. + These options can be used to configure client-specific + routes. +* Added an option --client-to-client that enables + internal client-to-client routing or bridging. + Otherwise, clients will only "see" the server, + not other connected clients. +* Fixed bug in route scheduling which would have caused + --mode server to not work on Windows in test18 + and test19 with the sample config file. +* Man page is up to date with all new options. +* OpenVPN 2.0 release notes on web site updated + with tap-style tunnel examples. + +2004.04.02 -- Version 2.0-test19 + +* Fixed bug where routes pushed from server were + not working correctly on Windows clients. +* Added Mac OS X route patch (Jeremy Apple). + +2004.03.30 -- Version 2.0-test18 + +* Minor fixes + Windows self-install modified + to use OpenSSL 0.9.7d. + +2004.03.29 -- Version 2.0-test17 + +* Fixed some bugs related to instance timeout and deletion. +* Extended --push/--pull option to support additional + option classes. + +2004.03.28 -- Version 2.0-test16 + +* Successful test of --mode udp-server, --push, + --pull, and --ifconfig-pool with server on + Linux 2.4 and clients on Linux and Windows. + +2004.03.25 -- Version 2.0-test15 + +* Implemented hash-table lookup of client instances + based either on remote UDP address/port or remote + ifconfig endpoint. +* Implemented a randomized binary tree based + scheduler for scalably scheduling a large number + of client instance events. Uses the treap + data structure and node rotation algorithm + to keep the tree balanced. +* Initial implementation of ifconfig-pool. +* Made --key-method 2 the default. + +2004.03.20 -- Version 2.0-test14 + +* Implemented --push and --pull. + +2004.03.20 -- Version 2.0-test13 + +* Reduced struct tls_multi and --single-session + memory footprint. +* Modified --single-session flag to be used + in multi-client UDP server client instances. + +2004.03.19 -- Version 2.0-test12 + +* Added the key multi-client UDP server options, + --mode, --push, --pull, and --ifconfig-pool. +* Revamped GC (garbage collection) code to not rely + on any global data. +* Modifications to thread.[ch] to allow a more + flexible thread model. + +2004.03.16 -- Version 2.0-test11 + +* Moved all timer code to interval.h, added new file + interval.c. +* Fixed missing include. + +2004.03.16 -- Version 2.0-test10 + +* More TAP-Win32 fixes. +* Initial debugging and testing of multi.[ch]. + +2004.03.14 -- Version 2.0-test9 + +* Branch merge with 1.6-rc3 +* More point-to-multipoint work in multi.[ch]. +* Major TAP-Win32 driver restructuring to use + NdisMRegisterDevice instead of + IoCreateDevice/IoCreateSymbolicLink. +* Changed TAP-Win32 symbolic links to use \DosDevices\Global\ + pathname prefix. +* In the majority of cases, TAP-Win32 should now be + able to install and uninstall on Win2K without requiring + a reboot. +* TAP-Win32 MAC address can now be explicitly set in the + adapter advanced properties page. + +2004.03.04 -- Version 2.0-test8 + +* Branch merge with 1.6-rc2. + +2004.03.03 -- Version 2.0-test7 + +* Branch merge with 1.6-rc1.2. + +2004.03.02 -- Version 2.0-test6 + +* Branch merge with 1.6-rc1. + +2004.03.02 -- Version 2.0-test5 + +* Move Socks5 UDP header append/remove to socks.c, and is + called from forward.c. +* Moved verify statics from ssl.c into struct tls_session. +* Wrote multi.[ch] to handle top level of point-to-multipoint + mode. +* Wrote some code to allow a struct link_socket in a child context + to be slaved to the parent context. +* Broke up packet read and process functions in forward.c + (from socket or tuntap) into separate functions for read + and process, so that point-to-point and point-to-multipoint can + share the same code. +* Expand TLS control channel to allow the passing of configuration + commands. +* Wrote mroute.[ch] to handle internal packet routing for + point-to-multipoint mode. + +2004.02.22 -- Version 2.0-test3 + +* Initial work on UDP multi-client server. +* Branch merge of 1.6-beta7 + +2004.02.14 -- Version 2.0-test2 + +* Refactorization of openvpn.c into openvpn.[ch] + init.[ch] forward.[ch] forward-inline.h + occ.[ch] occ-inline.h ping.[ch] ping-inline.h + sig.[ch]. Created a master per-tunnel + struct context in openvpn.h. +* Branch merge of 1.6-beta6.2 + +2003.11.06 -- Version 2.0-test1 + +* Initial testbed for 2.0. + +2004.05.09 -- Version 1.6.0 + +* Unchanged from 1.6-rc4 except for version number + upgrade. + +2004.04.01 -- Version 1.6-rc4 + +* Made minor customizations to devcon and + renamed as tapinstall.exe for Windows version. +* Fixed "storage size of `iv' isn't known" build + problem on FreeBSD. +* OpenSSL 0.9.7d bundled with Windows self-install. + +2004.03.13 -- Version 1.6-rc3 + +* Minor Windows fixes for --ip-win32 dynamic, relating to + the way the TAP-Win32 driver responds to a DHCP request + from the Windows DHCP client. +* The net_gateway environmental variable wasn't being + set correctly for called scripts (Paul Zuber). +* Added code to determine the default gateway on FreeBSD, + allowing the --redirect-gateway option to work + (Juan Rodriguez Hervella). + +2004.03.04 -- Version 1.6-rc2 + +* Fixed bug in Windows version where the NetBIOS node-type + DHCP option might have been passed even if it was not + specified. +* Fixed bug in Windows version introduced in 1.6-rc1, where + DHCP timeout would be set to 0 seconds if --ifconfig option + was used and --ip-win32 option was not explicitly specified. +* Added some new --dhcp-option types for Windows version. + +2004.03.02 -- Version 1.6-rc1 + +* For Windows, make "--ip-win32 dynamic" the default. +* For Windows, make "--route-delay 10" the default + unless --ip-win32 dynamic is not used or --route-delay + is explicitly specified. +* L_TLS mutex could have been left in a locked state + for certain kinds of TLS errors. + +2004.02.22 -- Version 1.6-beta7 + +* Allow scheduling priority increase (--nice) together + with UID/GID downgrade (--user/--group). +* Code that causes SIGUSR1 restart on TLS errors in TCP + mode was not activated in pthread builds. +* Save the certificate serial number in an environmental + variable called tls_serial_{n} prior to calling the + --tls-verify script. n is the current cert chain level. +* Added NetBSD IPv6 tunnel capability (also requires + a kernel patch) (Horst Laschinsky). +* Fixed bug in checking the return value of the nice() + function (Ian Pilcher). +* Bug fix in new FreeBSD IPv6 over TUN code which was + originally added in 1.6-beta5 (Nathanael Rensen). +* More Socks5 fixes -- extended the struct frame + infrastructure to accomodate proxy-based encapsulation + overhead. +* Added --dhcp-option to Windows version for setting + adapter properties such as WINS & DNS servers. +* Use a default route-delay of 5 seconds when + --ip-win32 dynamic is specified (only applicable when + --route-delay is not explicitly specified). +* Added "log_append" registry variable to control + whether the OpenVPN service wrapper on Windows + opens log files in append (log_append="1") or + truncate (log_append="0") mode. The default + is truncate. + +2004.02.05 -- Version 1.6-beta6 + +* UDP over Socks5 fix to accomodate Socks5 encapsulation + overhead (Christof Meerwald). +* Minor --ip-win32 dynamic tweaks (use long lease time, + invalidate existing lease with DHCPNAK). + +2004.02.01 -- Version 1.6-beta5 + +* Added Socks5 proxy support (Christof Meerwald). +* IPv6 tun support for FreeBSD (Thomas Glanzmann). +* Special TAP-Win32 debug mode for Windows self-install that was + enabled in beta4 is now turned off. +* Added some new Solaris notes to INSTALL (Koen Maris). +* More work on --ip-win32 dynamic. + +2004.01.27 -- Version 1.6-beta4 + +* For this beta, the Windows self-install is a debug version + and will run slower -- use only for testing. +* Reverted the --ip-win32 default back to 'ipapi' + from 'dynamic'. +* Added the offset parameter to '--ip-win32 dynamic' which + can be used to control the address of the masqueraded + DHCP server which replies to Windows DHCP requests. +* Added a wait/nowait option to --inetd (nowait can only + be used with TCP sockets, TLS authentication, and over + a bridged configuration -- see FAQ for more info) + (Stefan `Sec` Zehl). +* Added a build-time capability where TAP-Win32 driver + debug messages can be output by OpenVPN at --verb 6 + or higher. + +2004.01.20 -- Version 1.6-beta2 + +* Added ./configure --enable-iproute2 flag which + uses iproute2 instead of route + ifconfig -- + this is necessary for the LEAF Linux distro + (Martin Hejl). +* Added renewal-time and rebind-time to set of + DHCP options returned by the TAP-Win32 driver when + "--ip-win32 dynamic" is used. + +2004.01.14 -- Version 1.6-beta1 + +* Fixed --proxy bug that sometimes caused plaintext + control info generated by the proxy prior to http + CONNECT method establishment to be incorrectly + parsed as OpenVPN data. +* For Windows version, implemented the + "--ip-win32 dynamic" method and made it the default. + This method sets the TAP-Win32 adapter IP address + and netmask by replying to the kernel's DHCP queries. + See the man page for more detailed info. +* Added --connect-retry parameter which controls + the time interval (in seconds) between connect() + retries when --proto tcp-client is used. Previously, + this value was hardcoded to 5 seconds, and still + defaults as such. +* --resolv-retry can now be used with a parameter + of "infinite" to retry indefinitely. +* Added SSL_CTX_use_certificate_chain_file() to ssl.c + for support of multi-level certificate chains + (Sten Kalenda). +* Fixed --tls-auth incompatibility with 1.4.x and earlier + versions of OpenVPN when the passphrase file is an + OpenVPN static key file (as generated by --genkey). +* Added shell-escape support in config files using + the backslash character ("\") so that (for example) + double quotes can be passed to the shell. +* Added "contrib" subdirectory on tarball, source zip, + and CVS containing user-submitted contributions. +* Added an optional patch to the Redhat init script to + allow the configuration file directory to be a + multi-level directory hierarchy (Farkas Levente). + See contrib/multilevel-init.patch +* Added some scripts and documentation on using + Linux "fwmark" iptables rules to enable + fine-grained routing control over the VPN + (Sean Reifschneider, <jafo@tummy.com>). + See contrib/openvpn-fwmarkroute-1.00 + +2003.11.20 -- Version 1.5.0 + +* Minor documentation changes. + +2003.11.04 -- Version 1.5-beta14 + +* Fixed build problem with ./configure --disable-ssl + that was reported on Debian woody. +* Fixed bug where --redirect-gateway could not be used + together with --resolv-retry. + +2003.11.03 -- Version 1.5-beta13 + +* Added CRL (certificate revocation list) capability using + --crl-verify option (Stefano Bracalenti). +* Added --replay-window option for variable replay-protection + window sizes. +* Fixed --fragment bug which might have caused certain large + packets to be sent unfragmented. +* Modified --secret and --tls-auth to permit different cipher and + HMAC keys to be used for each data flow direction. Also + increased static key file size generated by --genkey from + 1024 to 2048 bits, where 512 bits each are reserved for + send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward + and backward compatibility is maintained. See --secret option + documentation on the man page for more info. +* Added --tls-remote option (Teemu Kiviniemi). +* Fixed --tls-cipher documention regarding correct delimiter + usage (Teemu Kiviniemi). +* Added --key-method option for selecting alternative data + channel key negotiation methods. Method 1 is the default. + Method 2 has been added (see man page for more info). +* Added French translation of HOWTO to web site + (Guillaume Lehmann). +* Fixed problem caused by late resolver library load on + certain platforms when --resolv-retry and --chroot are + used together (Teemu Kiviniemi). +* In TCP mode, all decryption or TLS errors will abort the current + connection (this is not done in UDP mode because UDP is + "connectionless"). +* Fixed a TCP client reconnect bug that only occurs on the + BSDs, where connect() fails with an invalid argument. This + bug was partially (but not completely) fixed in beta7. +* Added "route_net_gateway" environmental variable which contains + the pre-existing default gateway address from the routing table + (there's no standard API for getting the default gateway, so + right now this feature only works on Windows or Linux). +* Renamed the "route_default_gateway" enviromental variable to + "route_vpn_gateway" -- this is the remote VPN endpoint. +* The special keywords vpn_gateway, net_gateway, and remote_host + can now be used for the network or gateway components of the + --route option. See the man page for more info. +* Added the --redirect-gateway option to configure the VPN + as the default gateway (implemented on Linux and Windows only). +* Added the --http-proxy option with basic authentication + support for use in TCP client mode. Successfully tested + using Squid as the HTTP proxy, with and without authentication. + +2003.10.12 -- Version 1.5-beta12 + +* Fixed Linux-only bug in --mktun and --rmtun which was + introduced around beta8 or so, which would cause + an error such as "I don't recognize device tun0 as a + tun or tap device1". +* Added --ifconfig-nowarn option to disable options + consistency warnings about --ifconfig parameters. +* Don't allow any kind of sequence number backtracking or + message reordering when in TCP mode. +* Changed beta naming convention to use '_' (underscore) + rather than '-' (dash) to pacify rpmbuild. + +2003.10.08 -- Version 1.5-beta11 + +* Modified code in the Windows version which sets the IP address + and netmask of the TAP-Win32 adapter using the IP Helper API. + Most of the changes involve better error recovery when + the IP Helper API returns an error status. See the + manual page entry on --ip-win32 for more info. + +2003.10.08 -- Version 1.5-beta10 + +* Added getpass() function for Windows version so that --askpass + option works correctly (Stefano Bracalenti). +* Added reboot advisory to end of Win32 install script. +* Changed crypto code to use pseudo-random IVs rather than + carrying forward the IV state from the previous packet. + This is in response to item 2 in the following document: + http://www.openssl.org/~bodo/tls-cbc.txt which points + out weaknesses in TLS's use of the same IV carryforward + approach. This change does not break protocol compatibility + with previous versions of OpenVPN. +* Made a change to the crypto replay protection code to also + protect against certain kinds of packet reordering attacks. + This change does not break protocol compatibility with + previous versions of OpenVPN. +* Added --ip-win32 option to provide several choices for + setting the IP address on the TAP-Win32 adapter. +* #ifdefed out non-CBC crypto modes by default. +* Added --up-delay option to delay TUN/TAP open and --up script + execution until after connection establishment. This option + replaces the earlier windows-only option --tap-delay. + +2003.10.01 -- Version 1.5-beta9 + +* Fixed --route-noexec bug where option was not parsed correctly. +* Complain if --dev tun is specified without --ifconfig on Windows. +* Fixed bug where TCP connections on windows would sometimes cause + an assertion failure. +* Added a new flag to TAP-Win32 advanced properties that allows one + to set the adapter to be always "connected" even when an OpenVPN + process doesn't have it open. The default behavior is to report + a media status of connected only when an OpenVPN process has the + adapter open. +* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c + DLLs in response to an OpenSSL security advisory. + +2003.09.30 -- Version 1.5-beta8 + +* Extended the --ifconfig option to work on tap devices as well + as tun devices. +* Implemented the --ifconfig option for Windows, by calling the + netsh tool. +* By default, do an "arp -d *" on Windows after TAP-Win32 open to + refresh the MAC cache. This behaviour can be disabled with + --no-arp-del. +* On Windows, allow the --dev-node parameter (which specifies + the name of the TAP-Win32 adapter) to be omitted in cases where + there is a single TAP-Win32 adapter on the system which can be + assumed to be the default. +* Modified the diagnostic --verb 5 debugging level to print 'R' + for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read, + and 'w' for TUN/TAP write. +* Conditionalize OpenBSD read_tun and write_tun based on tun or tap + mode. +* Added IPv6 tun support to OpenBSD (Thomas Glanzmann). +* Make the --enable-mtu-dynamic ./configure option enabled by + default. +* Deprecated the --mtu-dynamic run-time option, in favor of + --fragment. +* DNS names can now be used as --ifconfig parameters. +* Significant work on TAP-Win32 driver to bring up to SMP standards. +* On Windows, fixed dangling IRP problem if TAP-Win32 driver is + unloaded or disabled, while a user-space process has it open. +* On Windows, if --tun-mtu is not specified, it will be read from + the TAP-Win32 driver via ioctl. +* On Windows, added TAP-Win32 driver status info to "F2" keyboard + signal (only when run from a console window). +* Added --mssfix option to control TCP MSS size (YANO Hirokuni). +* Renamed --mtu-dynamic option to --fragment to more accurately + reflect its function. Fragment accepts a single parameter which + is the upper limit on acceptable UDP packet size. +* Changed default --tun-mtu-extra parameter to 32 from 64. +* Eliminated reference to malloc.o in configure.ac. +* Added tun device emulation to the TAP-Win32 driver. +* Added --route and related options. +* Added init script for SuSE Linux (Frank Plohmann). +* Extended option consistency check between peers to function + in all crypto modes, including static-key and cleartext modes. + Previously only TLS mode was supported. Disable with + --disable-occ. +* Overall, increased the amount of configuration option sanity + checking, especially of networking parameters. +* Added --mtu-test option for empirical MTU measurement. +* Added Windows-only option --tap-delay to not set the TAP-Win32 + adapter media state to 'connected' until TCP/UDP connection + establishment with peer. +* Slightly modified --route/--route-delay semantics so that when + --route is given without --route-delay, routes are added + immediately after tun/tap device open. When --route-delay is + specified, routes will be added n seconds after connection + initiation, where n is the --route-delay parameter (which + can be set to 0). +* Made TCP framing error into a non-fatal error that triggers a + connection reset. + +2003.08.28 -- Version 1.5-beta7 + +* Fixed bug that caused OpenVPN not to respond to exit/restart + signals when --resolv-retry is used and a local or remote DNS + name cannot be resolved. +* Exported a series of environmental variables with useful + info for scripts. See man page for more info. Based + on a suggestion by Anthony Ciaravalo. +* Moved TCP/UDP socket bind to a point in the initialization + before the --up script gets called. This is desirable + because (a) a socket bind failure will happen before + daemonization, allowing an error status code to be returned + to the shell and (b) the possibility is eliminated of a + socket bind failure causing the --up script to be run + but not the --down script. This change has a side effect + that --resolv-retry will no longer work with --local. +* Fixed bug where if an OpenVPN TCP server went down and back + up again, Solaris or FreeBSD clients would fail to reconnect + to it. +* Fixed bug that prevented OpenVPN from being run by + inetd/xinetd in TCP mode. +* Added --log and --log-append options for logging messages to + a file. +* On Windows, check that the current user is a member of the + Administrator group before attempting install or uninstall. + +2003.08.16 -- Version 1.5-beta6 + +* Fixed TAP-Win32 driver to properly increment the Rx/Tx count. + +2003.08.14 -- Version 1.5-beta5 + +* Added user-configurability of the TAP-Win32 adapter MTU + through the adapter advanced properties page. +* Added Windows Service support. +* On Windows, added file association and right-clickability + for .ovpn files (OpenVPN config files). + +2003.08.05 -- Version 1.5-beta4 + +* Extra refinements and error checking added to Windows + NSIS install script. + +2003.08.05 -- Version 1.5-beta3 + +* Added md5.h include to crypto.c to fix build problem on + OpenBSD. +* Created a Win32 installer using NSIS. +* Removed DelService command from TAP-Win32 INF file. It appears + to be not necessary and it interfered with the ability to + uninstall and reinstall the driver without needing to reboot. +* On Windows version, added "addtap" and "deltapall" batch + files to add and delete TAP-Win32 adapter instances. + +2003.07.31 -- Version 1.5-beta2 + +* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted + in Windows ASCII so it's easier to click and view. +* Added postscript and PDF versions of the HOWTO to the web + site (C R Zamana). +* Merged Michael Clarke's stability patch into TAP-Win32 + driver which appears to fix the suspend/resume driver bug + and significantly improve driver stability. +* Added Christof Meerwald's Media Status patch to the + TAP-Win32 driver which shows the TAP adapter to be + disconnected when OpenVPN is not running. +* Moved socket connect and TCP server listen code to a later + point in openvpn() function so that the TCP server listen + state is entered after daemonization. +* Added keyboard shortcuts to simulate signals in the Windows + version, see the window title bar for descriptions. + +2003.07.24 -- Version 1.5-beta1 + +* Added TCP support via the new --proto option. +* Renamed udp-centric options such as --udp-mtu to + --link-mtu (old option names preserved for compatibility). +* Ported to Windows 2000 + XP using mingw and a TAP driver + derived from the Cipe-Win32 project by Damion K. Wilson. +* Added --show-adapters flag for windows version. +* Reworked the SSL/TLS packet acknowledge code to better + handle certain corner cases. +* Turned off the default enabling of IP forwarding in the + sample-scripts/openvpn.init script for Redhat. + Forwarding can be enabled by users in their --up scripts + or firewall config. +* Added --up-restart option based on suggestion from Sean + Reifschneider. +* If --dev tap or --dev-type tap is specified, --tun-mtu + defaults to 1500 and --tun-mtu-extra defaults to 64. +* Enabled --verb 5 debugging mode that prints 'R' and 'W' + for each packet read or write on the TCP/UDP socket. + +2003.08.04 -- Version 1.4.3 + +* Added md5.h include to crypto.c + to fix build problem on OpenBSD. + +2003.07.15 -- Version 1.4.2 + +* Removed adaptive bandwidth from + --mtu-dynamic -- its absence appears + to work better than its existence (1.4.1.2). +* Minor changes to --shaper to fix long + retransmit timeouts at low bandwidth + (1.4.1.2). +* Added LOG_RW flag to openvpn.h for + debugging (1.4.1.2). +* Silenced spurious configure warnings (1.4.1.2). +* Backed out --dev-name patch, modified --dev + to offer equivalent functionality (1.4.1.4). +* Added an optional parameter to --daemon and + --inetd to support the passing of a custom + program name to the system logger (1.4.1.5). +* Add compiled-in options to the program title + (1.4.1.5). +* Coded the beginnings of a WIN32 port (1.4.1.5). +* Succeeded in porting to Win32 Mingw environment + and running loopback tests (1.4.1.6). Still + need a kernel driver for full Win32 + functionality. +* Fixed a bug in error.h where + HAVE_CPP_VARARG_MACRO_GCC was misspelled. + This would have caused a significant slowdown + of OpenVPN when built by compilers that + lack ISO C99 vararg macros (1.4.1.6). +* Created an init script for Gentoo Linux + in ./gentoo directory (1.4.1.6). + +2003.05.15 -- Version 1.4.1 + +* Modified the Linux 2.4 TUN/TAP open code to + fall back to the 2.2 TUN/TAP interface if the + open or ioctl fails. +* Fixed bug when --verb is set to 0 and non-fatal + socket errors occur, causing 100% CPU utilization. + Occurs on platorms where + EXTENDED_SOCKET_ERROR_CAPABILITY is defined, + such as Linux 2.4. +* Fixed typo in tun.c that was preventing + OpenBSD build. +* Added --enable-mtu-dynamic configure option + to enable --mtu-dynamic experimental option. + +2003.05.07 -- Version 1.4.0 + +* Added --replay-persist feature to allow replay + protection across sessions. +* Fixed bug where --ifconfig could not be used + with --tun-mtu. +* Added --tun-mtu-extra parameter to deal with + the situation where a read on a TUN/TAP device + returns more data than the device's MTU size. +* Fixed bug where some IPv6 support code for + Linux was not being properly ifdefed out for + Linux 2.2, causing compile errors. +* Added OPENVPN_EXIT_STATUS_x codes to + openvpn.h to control which status value + openvpn returns to its caller (such as + a shell or inetd/xinetd) for various conditions. +* Added OPENVPN_DEBUG_COMMAND_LINE flag to + openvpn.h to allow debugging in situations + where stdout, stderr, and syslog cannot be used + for message output, such as when OpenVPN is + instantiated by inetd/xinetd. +* Removed owner-execute permission from file + created by static key generator (Herbert Xu + and Alberto Gonzalez Iniesta). +* Added --passtos option to allow IPv4 TOS bits + to be passed from TUN/TAP input packets to + the outgoing UDP socket (Craig Knox). +* Added code to prevent open socket file descriptors + from being accessible to called scripts. +* Added --dev-name option (Christian Lademann). +* Added --mtu-disc option for manual control + over MTU options. +* Show OS MTU value on UDP socket write failures + (linux only). +* Numerous build system and portability + fixes (Matthias Andree). +* Added better sensing of compiler support for + variable argument macros, including (a) gcc + style, (b) ISO C 1999 style, and (c) no support. +* Removed generated files from CVS. Note INSTALL + file for new CVS build commands. +* Changed certain internal symbol names + for C standards compliance. +* Added TUN/TAP open code to cycle dynamically + through unit numbers until it finds a free + unit (based on code from Thomas Gielfeldt + and VTun). +* Added dynamic MTU and fragmenting infrastructure + (Experimental). Rebuild with FRAGMENT_ENABLE + defined to enable. +* Minor changes to SSL/TLS negotiation, use + exponential backoff on retransmits, and use + a smaller MTU size (note that no protocol + changes have been made which would break + compatibility with 1.3.x). +* Added --enable-strict-options flag + to ./configure. This option will cause + a more strict check for options compatibility + between peers when SSL/TLS negotiation is used, + but should only be used when both OpenVPN peers + are of the same version. +* Reorganization of debugging levels. +* Added a workaround in configure.ac for + default SSL header location on Linux + to fix RH9 build problem. +* Fixed potential deadlock when pthread support + is used on OSes that allocate a small socketpair() + message buffer. +* Fixed openvpn.init to be sh compliant + (Bishop Clark). +* Changed --daemon to wait until all + initialization is finished before becoming a + daemon, for the benefit of initialization + scripts that want a useful return status from + the openvpn command. +* Made openvpn.init script more robust, including + positive indication of initialization errors + in the openvpn daemon and better sanity checks. +* Changed --chroot to wait until initialization + is finished before calling chroot(), and allow + the use of --user and --group with --chroot. +* When syslog logging is enabled (--daemon or + --inetd), set stdin/stdout/stderr to point + to /dev/null. +* For inetd instantiations, dup socket descriptor + to a >2 value. +* Fixed bug in verify-cn script, where test would + incorrectly fail if CN=x was the last component + of the X509 composite string (Anonymous). +* Added Markus F.X.J. Oberhumer's special + license exception to COPYING. + +2002.10.23 -- Version 1.3.2 + +* Added SSL_CTX_set_client_CA_list call + to follow the canonical form for TLS initialization + recommended by the OpenSSL docs. This change allows + better support for intermediate CAs and has no impact + on security. +* Added build-inter script to easy-rsa package, to + facilitate the generation of intermediate CAs. +* Ported to NetBSD (Dimitri Goldin). +* Fixed minor bug in easy-rsa/sign-req. It refers to + openssl.cnf file, instead of $KEY_CONFIG, like all + other scripts (Ernesto Baschny). +* Added --days 3650 to the root CA generation command + in the HOWTO to override the woefully small 30 day + default (Dominik 'Aeneas' Schnitzer). +* Fixed bug where --ping-restart would sometimes + not re-resolve remote DNS hostname. +* Added --tun-ipv6 option and related infrastructure + support for IPv6 over tun. +* Added IPv6 over tun support for Linux (Aaron Sethman). +* Added FreeBSD 4.1.1+ TUN/TAP driver notes to + INSTALL (Matthias Andree). +* Added inetd/xinetd support (--inetd) including + documentation in the HOWTO. +* Added "Important Note on the use of commercial certificate + authorities (CAs) with OpenVPN" to HOWTO based on + issues raised on the openvpn-users list. + +2002.07.10 -- Version 1.3.1 + +* Fixed bug in openvpn.spec and openvpn.init + which caused RPM upgrade to fail. + +2002.07.10 -- Version 1.3.0 + +* Added --dev-node option to allow explicit selection of + tun/tap device node. +* Removed mlockall call from child thread, as it doesn't + appear to be necessary (child thread inherits mlockall + state from parent). +* Added --ping-timer-rem which causes timer for --ping-exit + and --ping-restart not to run unless we have a remote IP + address. +* Added condrestart to openvpn.init and openvpn.spec + (Bishop Clark). +* Added --ifconfig case for FreeBSD (Matthias Andree). +* Call openlog with facility=LOG_DAEMON (Matthias Andree). +* Changed LOG_INFO messages to LOG_NOTICE. +* Added warning when key files are group/others accessible. +* Added --single-session flag for TLS mode. +* Fixed bug where --writepid would segfault if used with + an invalid filename. +* Fixed bug where --ipchange status message was formatted + incorrectly. +* Print more concise error message when system() call + fails. +* Added --disable-occ option. +* Added --local, --remote, and --ifconfig options sanity + check. +* Changed default UDP MTU to 1300 and TUN/TAP MTU to + 1300. +* Successfully tested with OpenSSL 0.9.7 Beta 2. +* Broke out debug level definitions to errlevel.h +* Minor documentation and web site changes. +* All changes maintain protocol compatibility + with OpenVPN versions since 1.1.0, however default + MTU changes will require setting the MTU explicitly + by command line option, if you want 1.3.0 to + communicate with previous versions. + +2002.06.12 -- Version 1.2.1 + +* Added --ping-restart option to restart + connection on ping timeout using SIGUSR1 + logic (Matthias Andree). +* Added --persist-tun, --persist-key, + --persist-local-ip, and --persist-remote-ip + options for finer-grained control over SIGUSR1 + and --ping-restart restarts. To + replicate previous SIGUSR1 functionality, + use --persist-remote-ip. +* Changed residual IV fetching code to take + IV from tail of ciphertext. +* Added check to make sure that CFB or OFB + cipher modes are only used with SSL/TLS + authentication mode, and added a caveat + to INSTALL. +* Changed signal handling during initialization + (including re-initialization during restarts) + to exit on SIGTERM or SIGINT and ignore other + signals which would ordinarily be caught. +* Added --resolv-retry option to allow + retries on hostname resolution. +* Expanded the --float option to also + allow dynamic changes in source port number + on incoming datagrams. +* Added --mute option to limit repetitive + logging of similar message types. +* Added --group option to downgrade GID + after initialization. +* Try to set ifconfig path automatically + in configure. +* Added --ifconfig code for Mac OS X + (Christoph Pfisterer). +* Moved "Peer Connection Initiated" message + to --verb level 1. +* Successfully tested with + OpenSSL 0.9.7 Beta 1 and AES cipher. +* Added RPM notes to INSTALL. +* Added ACX_PTHREAD (from the autoconf + macro archive) to configure.ac + to figure out the right pthread + options for a given platform. +* Broke out macro definitions from + configure.ac to acinclude.m4. +* Minor changes to docs and HOWTO. +* All changes maintain protocol compatibility + with OpenVPN versions since 1.1.0. + +2002.05.22 -- Version 1.2.0 + +* Added configuration file support via + the --config option. +* Added pthread support to improve latency. + With pthread support, OpenVPN + will offload CPU-intensive tasks such as RSA + key number crunching to a background thread + to improve tunnel packet forwarding + latency. pthread support can be enabled + with the --enable-pthread configure option. + Pthread support is currently available + only for Linux and Solaris. +* Added --dev-type option so that tun/tap + device names don't need to begin with + "tun" or "tap". +* Added --writepid option to write main + process ID to a file. +* Numerous portability fixes to ease + porting to other OSes including changing + all network types to uint8_t and uint32_t, + and not assuming that time_t is 32 bits. +* Backported to OpenSSL 0.9.5. +* Ported to Solaris. +* Finished OpenBSD port except for + pthread support. +* Added initialization script: + sample-scripts/openvpn.init + (Douglas Keller) +* Ported to Mac OS X (Christoph Pfisterer). +* Improved resilience to DoS attacks when + TLS mode is used without --remote or + --tls-auth, or when --float is used + with --remote. Note however that the best + defense against DoS attacks in TLS mode + is to use --tls-auth. +* Eliminated automake/autoconf dependency + for non-developers. +* Ported configure.in to configure.ac + and autoconf 2.50+. +* SIGHUP signal now causes OpenVPN to restart + and re-read command line and or config file, + in conformance with canonical daemon behaviour. +* SIGUSR1 now does what SIGHUP did in + version 1.1.1 and earlier -- close and reopen + the UDP socket for use when DHCP changes + host's IP address and preserve most recently + authenticated peer address without rereading + config file. +* SIGUSR2 added -- outputs current statistics, + including compression statistics. +* All changes maintain protocol compatibility + with 1.1.1 and 1.1.0. + +2002.04.22 -- Version 1.1.1 + +* Added --ifconfig option to automatically configure + TUN device. +* Added inactivity disconnect (--inactive + and --ping-exit options). +* Added --ping option to keep stateful firewalls + from timing out. +* Added sanity check to command line parser to + err if any TLS options are used in non-TLS mode. +* Fixed build problem with compiler environments that + define printf as a macro. +* Fixed build problem on linux systems that have + an integrated TUN/TAP driver but lack the persistent + tunnel feature (TUNSETPERSIST). Some linux kernels + >= 2.4.0 and < 2.4.7 fall into this category. +* Changed all calls to EVP_CipherInit to use explicit + encrypt/decrypt mode in order to fix problem with + IDEA-CBC and AES-256-CBC ciphers. +* Minor changes to control channel transmit limiter + algorithm to fix problem where TLS control channel + might not renegotiate within the default 60 second window. +* Simplified man page examples by taking advantage + of the new --ifconfig option. +* Minor changes to configure.in to check more + rigourously for OpenSSL 0.9.6 or greater. +* Put back openvpn.spec, eliminated + openvpn.spec.in. +* Modified openvpn.spec to reflect new automake-based + build environment (Bishop Clark). +* Other documentation changes. +* Added --test-crypto option for debugging. +* Added "missing" and "mkinstalldirs" automake + support files. + + +2002.04.09 -- Version 1.1.0 + +* Strengthened replay protection and IV handling, + extending it fully to both static key and + TLS dynamic key exchange modes. +* Added --mlock option to disable paging and ensure that key + material and tunnel data is never paged to disk. +* Added optional traffic shaping feature to cap the maximum + data rate of the tunnel. +* Converted to automake (The Platypus Brothers 2002-04-01). +* Ported to OpenBSD by Janne Johansson. +* Added --tun-af-inet option to work around an incompatibility + between Linux and BSD tun drivers. +* Sequence number-based replay protection using the + IPSec sliding window model is now the default, + disable with --no-replay. +* Explicit IV is now the default, disable with --no-iv. +* Disabled all cipher modes except CBC, CFB, and OFB. +* In CBC mode, use explicit IV and carry forward residuals, + using IPSec model. +* In CFB/OFB mode, IV is timestamp, sequence number. +* Eliminated --packet-id, --timestamp, and max-delta parameter to + the --tls-auth option as they are now supplanted by improved + replay code which is enabled by default. +* Eliminated --rand-iv as it is now obsolete with improved + IV code. +* Eliminated --reneg-err option as it increases vulnerability + to DoS attacks. +* Added weak key check for DES ciphers. +* --tls-freq option is no longer specified on the command line, + instead it now inherits its parameter from the + --tls-timeout option. +* Fixed bug that would try to free memory on exit that was + never malloced if --comp-lzo was not specified. +* Errata fixed in the man page examples: "test-ca" should be + "tmp-ca". +* Updated manual page. +* Preliminary work in porting to OpenSSL 0.9.7. +* Changed license to allowing linking with OpenSSL. + +2002.03.29 -- Version 1.0.3 + +* Fixed a problem in configure with library ordering on the + command line. + +2002.03.28 -- Version 1.0.2 + +* Improved the efficiency of the inner event loop. +* Fixed a minor bug with timeout handling. +* Improved the build system to build on RH 6.2 through 7.2. +* Added an openvpn.spec file for RPM builders (Bishop Clark). + +2002.03.23 -- Version 1.0 + +* Added TLS-based authentication and key exchange. +* Added gremlin mode to stress test. +* Wrote man page. + +2001.12.26 -- Version 0.91 + +* Added any choice of cipher or HMAC digest. + +2001.5.13 -- Version 0.90 + +* Initial release. +* IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature. |