From 311ea893aa3aba4bb1314e2ce4acbf39a9d3fb57 Mon Sep 17 00:00:00 2001
From: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Date: Thu, 12 Nov 2009 09:30:45 +0000
Subject: Version 2.1_rc21

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5152 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 ChangeLog                 | 16 ++++++++++++++++
 install-win32/settings.in |  2 +-
 version.m4                |  2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2822b5b..b25d9c7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,22 @@
 OpenVPN Change Log
 Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
 
+2009.11.12 -- Version 2.1_rc21
+
+* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
+  CVE-2009-3555.  Note that OpenVPN has never relied on the session
+  renegotiation capabilities that are built into the SSL/TLS protocol,
+  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
+  completely) will not adversely affect OpenVPN mid-session SSL/TLS
+  renegotation or any other OpenVPN capabilities.
+
+* Added additional session renegotiation hardening.  OpenVPN has always
+  required that mid-session renegotiations build up a new SSL/TLS
+  session from scratch.  While the client certificate common name is
+  already locked against changes in mid-session TLS renegotiations, we
+  now extend this locking to the auth-user-pass username as well as all
+  certificate content in the full client certificate chain.
+
 2009.10.01 -- Version 2.1_rc20
 
 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
diff --git a/install-win32/settings.in b/install-win32/settings.in
index cbfe58d..643ef99 100644
--- a/install-win32/settings.in
+++ b/install-win32/settings.in
@@ -22,7 +22,7 @@
 ;!define OPENVPN_XGUI_DIR "../ovpnxml"
 
 # Prebuilt libraries.  DMALLOC is optional.
-!define OPENSSL_DIR	  "../openssl-0.9.8k"
+!define OPENSSL_DIR	  "../openssl-0.9.8l"
 !define LZO_DIR		  "../lzo-2.02"
 !define PKCS11_HELPER_DIR "../pkcs11-helper"
 ;!define DMALLOC_DIR	  "../dmalloc-5.4.2"
diff --git a/version.m4 b/version.m4
index 4e1fd3d..9f61a81 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1_rc20a])
+define(PRODUCT_VERSION,[2.1_rc21])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])
-- 
cgit v1.2.3