Skip to content

Tags: fxckgfw/openvpn

Tags

v2.3.8

OpenVPN v2.3.8

2015.08.03 -- Version 2.3.8
Arne Schwabe (2):
      Report missing endtags of inline files as warnings
      Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit

Gert Doering (2):
      Produce a meaningful error message if --daemon gets in the way of asking for passwords.
      Document --daemon changes and consequences (--askpass, --auth-nocache).

Holger Kummert (1):
      Del ipv6 addr on close of linux tun interface

James Geboski (1):
      Fix --askpass not allowing for password input via stdin

Steffan Karger (5):
      write pid file immediately after daemonizing
      Make __func__ work with Visual Studio too
      fix regression: query password before becoming daemon
      Fix using management interface to get passwords.
      Fix overflow check in openvpn_decrypt()

v2.3.7

OpenVPN v2.3.7

2015.06.02 -- Version 2.3.7
Alexander Pyhalov (1):
      Default gateway can't be determined on illumos/Solaris platforms

Arne Schwabe (1):
      Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4

David Sommerseth (6):
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up

David Woodhouse (2):
      pkcs11: Load p11-kit-proxy.so module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present

Felix Janda (1):
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary

Gert Doering (17):
      New approach to handle peer-id related changes to link-mtu (2.3 version)
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use configure.ac hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.

Guy Yur (1):
      Fix --redirect-private in --dev tap mode.

Jan Just Keijser (1):
      include ifconfig_ environment variables in --up-restart env set

Jonathan K. Bullard (1):
      Fix null pointer dereference in options.c

Lev Stipakov (1):
      Fix mssfix default value in connection_list context

Matthias Andree (1):
      Manual page update for Re-enabled TLS version negotiation.

Mike Gilbert (1):
      Include systemd units in the source tarball (make dist)

Robert Fischer (1):
      Updated manpage for --rport and --lport

Samuli Seppänen (2):
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page

Steffan Karger (14):
      Really fix '--cipher none' regression
      Update doxygen (a bit)
      Set tls-version-max to 1.1 if cryptoapicert is used
      Account for peer-id in frame size calculation
      Disable SSL compression
      Fix frame size calculation for non-CBC modes.
      Allow for CN/username of 64 characters (fixes off-by-one)
      Remove unneeded parameter 'first_time' from possibly_become_daemon()
      Re-enable TLS version negotiation by default
      Remove size limit for files inlined in config
      Improve --tls-cipher and --show-tls man page description
      Re-read auth-user-pass file on (re)connect if required
      Clarify --capath option in manpage
      Call daemon() before initializing crypto library

v2.2.3

OpenVPN 2.2.3

2014.11.30 -- Version 2.2.3
Christian Niessner (1):
      Fix corner case in NTLM authentication (trac OpenVPN#172)

Gert Doering (1):
      Fix client crash on double PUSH_REPLY.

Jens Wagner (1):
      Fix spurious ignoring of pushed config options (trac#349).

Matthias Andree (1):
      Enable TCP_NODELAY configuration on FreeBSD.

Steffan Karger (2):
      Drop too-short control channel packets instead of asserting out.
      Use constant time memcmp when comparing HMACs in openvpn_decrypt.

v2.3.6

OpenVPN v2.3.6

OpenVPN Change Log
Copyright (C) 2002-2014 OpenVPN Technologies, Inc. <[email protected]>

2014.11.28 -- Version 2.3.6
David Sommerseth (1):
      systemd: Reworked the systemd unit file to handle server and client configs better

Gert Doering (1):
      Add client-only support for peer-id.

Samuli Seppänen (1):
      Fix to --shaper documentation on the man-page

Steffan Karger (4):
      Fix assertion error when using --cipher none
      Add --tls-version-max
      Modernize sample keys and sample configs
      Drop too-short control channel packets instead of asserting out.

v2.3.5

OpenVPN v2.3.5

2014.10.24 -- Version 2.3.5
Andris Kalnozols (2):
      Fix some typos in the man page.
      Do not upcase x509-username-field for mixed-case arguments.

Arne Schwabe (1):
      Fix server routes not working in topology subnet with --server [v3]

David Sommerseth (4):
      Improve error reporting on file access to --client-config-dir and --ccd-exclusive
      Don't let openvpn_popen() keep zombies around
      Add systemd unit file for OpenVPN
      systemd: Use systemd functions to consider systemd availability

Gert Doering (3):
      Drop incoming fe80:: packets silently now.
      Fix t_lpback.sh platform-dependent failures
      Call init script helpers with explicit path (./)

Heiko Hund (1):
      refine assertion to allow other modes than CBC

Hubert Kario (2):
      ocsp_check - signature verification and cert staus results are separate
      ocsp_check - double check if ocsp didn't report any errors in execution

James Bekkema (1):
      Fix socket-flag/TCP_NODELAY on Mac OS X

James Yonan (6):
      Fixed several instances of declarations after statements.
      In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
      Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
      MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
      Define PATH_SEPARATOR for MSVC builds.
      Fixed some compile issues with show_library_versions()

Jann Horn (1):
      Remove quadratic complexity from openvpn_base64_decode()

Mike Gilbert (1):
      Add configure check for the path to systemd-ask-password

Philipp Hagemeister (2):
      Add topology in sample server configuration file
      Implement on-link route adding for iproute2

Samuel Thibault (1):
      Ensure that client-connect files are always deleted

Steffan Karger (13):
      Remove function without effect (cipher_ok() always returned true).
      Remove unneeded wrapper functions in crypto_openssl.c
      Fix bug that incorrectly refuses oid representation eku's in polar builds
      Update README.polarssl
      Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
      Add proper check for crypto modes (CBC or OFB/CFB)
      Improve --show-ciphers to show if a cipher can be used in static key mode
      Extend t_lpback tests to test all ciphers reported by --show-ciphers
      Don't exit daemon if opening or parsing the CRL fails.
      Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
      Fix regression with password protected private keys (polarssl)
      ssl_polarssl.c: fix includes and make casts explicit
      Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

TDivine (1):
      Fix "code=995" bug with windows NDIS6 tap driver.

v2.3.4

OpenVPN 2.3.4

2014.04.30 -- Version 2.3.4
Arne Schwabe (1):
      Fix man page and OSCP script: tls_serial_{n} is decimal

Dmitrij Tejblum (1):
      Fix is_ipv6 in case of tap interface.

Gert Doering (7):
      IPv6 address/route delete fix for Win8
      Add SSL library version reporting.
      Minor t_client.sh cleanups
      Repair --multihome on FreeBSD for IPv4 sockets.
      Rewrite manpage section about --multihome
      More IPv6-related updates to the openvpn man page.
      Conditionalize calls to print_default_gateway on !ENABLE_SMALL

James Yonan (2):
      Use native strtoull() with MSVC 2013.
      When tls-version-min is unspecified, revert to original versioning approach.

Steffan Karger (4):
      Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
      Fix OCSP_check.sh to also use decimal for stdout verification.
      Fix build system to accept non-system crypto library locations for plugins.
      Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

Yawning Angel (1):
      Fix SOCKSv5 method selection

kangsterizer (1):
      Fix typo in sample build script to use LDFLAGS

v2.3.3

v2.3.3 OpenVPN v2.3.3

2014.04.08 -- Version 2.3.3
Alon Bar-Lev (1):
      pkcs11: use generic evp key instead of rsa

Arne Schwabe (8):
      Add support of utun devices under Mac OS X
      Add support to ignore specific options.
      Add a note what setenv opt does for OpenVPN < 2.3.3
      Add reporting of UI version to basic push-peer-info set.
      Fix compile error in ssl_openssl introduced by polar external-management patch
      Fix assertion when SIGUSR1 is received while getaddrinfo is successful
      Add warning for using connection block variables after connection blocks
      Introduce safety check for http proxy options

David Sommerseth (5):
      man page: Update man page about the tls_digest_{n} environment variable
      Remove the --disable-eurephia configure option
      plugin: Extend the plug-in v3 API to identify the SSL implementation used
      autoconf: Fix typo
      Fix file checks when --chroot is being used

Davide Brini (1):
      Document authfile for socks server

Gert Doering (9):
      Fix IPv6 examples in t_client.rc-sample
      Fix slow memory drain on each client renegotiation.
      t_client.sh: ignore fields from "ip -6 route show" output that distort results.
      Make code and documentation for --remote-random-hostname consistent.
      Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
      Document issue with --chroot, /dev/urandom and PolarSSL.
      Rename 'struct route' to 'struct route_ipv4'
      Replace copied structure elements with including <net/route.h>
      Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions

Heikki Hannikainen (1):
      Always load intermediate certificates from a PKCS#12 file

Heiko Hund (2):
      Support non-ASCII TAP adapter names on Windows
      Support non-ASCII characters in Windows tmp path

James Yonan (3):
      TLS version negotiation
      Added "setenv opt" directive prefix.
      Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

Jens Wagner (1):
      Fix spurious ignoring of pushed config options (trac#349).

Joachim Schipper (3):
      Refactor tls_ctx_use_external_private_key()
      --management-external-key for PolarSSL
      external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids

Josh Cepek (2):
      Correct error text when no Windows TAP device is present
      Require a 1.2.x PolarSSL version

Klee Dienes (1):
      tls_ctx_load_ca: Improve certificate error messages

Max Muster (1):
      Remove duplicate cipher entries from TLS translation table.

Peter Sagerson (1):
      Fix configure interaction with static OpenSSL libraries

Steffan Karger (7):
      Do not pass struct tls_session* as void* in key_state_ssl_init().
      Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
      Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
      Also update TLSv1_method() calls in support code to SSLv23_method() calls.
      Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
      If --tls-cipher is supplied, make --show-tls parse the list.
      Add openssl-specific common cipher list names to ssl.c.

Tamas TEVESZ (1):
      Add support for client-cert-not-required for PolarSSL.

Thomas Veerman (1):
      Fix "." in description of utun.

v2.3.2

OpenVPN v2.3.2

2013.05.31 -- Version 2.3.2
Arne Schwabe (3):
      Only print script warnings when a script is used. Remove stray mention of script-security system.
      Move settings of user script into set_user_script function
      Move checking of script file access into set_user_script

Davide Brini (1):
      Provide more accurate warning message

Gert Doering (2):
      Fix NULL-pointer crash in route_list_add_vpn_gateway().
      Fix problem with UDP tunneling due to mishandled pktinfo structures.

James Yonan (1):
      Always push basic set of peer info values to server.

Jan Just Keijser (1):
      make 'explicit-exit-notify' pullable again

Josh Cepek (2):
      Fix proto tcp6 for server & non-P2MP modes
      Fix Windows script execution when called from script hooks

Steffan Karger (2):
      Fixed tls-cipher translation bug in openssl-build
      Fixed usage of stale define USE_SSL to ENABLE_SSL

svimik (1):
      Fix segfault when enabling pf plug-ins

v2.3.1

2013.03.29 -- Version 2.3.1

Arne Schwabe (4):
      Remove dead code path and putenv functionality
      Remove unused function xor
      Move static prototype definition from header into c file
      Remove unused function no_tap_ifconfig

Christian Hesse (1):
      fix build with automake 1.13(.1)

Christian Niessner (1):
      Fix corner case in NTLM authentication (trac OpenVPN#172)

Gert Doering (5):
      Update README.IPv6 to match what is in 2.3.0
      Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout.
      Permit pool size of /64.../112 for ifconfig-ipv6-pool
      Add MIN() compatibility macro
      Fix directly connected routes for "topology subnet" on Solaris.

Heiko Hund (5):
      close more file descriptors on exec
      Ignore UTF-8 byte order mark
      reintroduce --no-name-remapping option
      make --tls-remote compatible with pre 2.3 configs
      add new option for X.509 name verification

Jan Just Keijser (1):
      man page patch for missing options

Josh Cepek (2):
      Fix parameter listing in non-debug builds at verb 4
      (updated) [PATCH] Warn when using verb levels >=7 without debug

Matthias Andree (1):
      Enable TCP_NODELAY configuration on FreeBSD.

Samuli Seppänen (4):
      Removed ChangeLog.IPv6
      Added cross-compilation information INSTALL-win32.txt
      Updated README
      Cleaned up and updated INSTALL

Steffan Karger (7):
      PolarSSL-1.2 support
      Improve PolarSSL key_state_read_{cipher, plain}text messages
      Improve verify_callback messages
      Config compatibility patch. Added translate_cipher_name.
      Switch to IANA names for TLS ciphers.
      Fixed autoconf script to properly detect missing pkcs11 with polarssl.
      Use constant time memcmp when comparing HMACs in openvpn_decrypt.

v2.3.0

OpenVPN v2.3.0

2013.01.07 -- Version 2.3.0
Gert Doering (2):
      Fix parameter type for IP_TOS setsockopt on non-Linux systems.
      Fix client crash on double PUSH_REPLY.