Tags: greendev5/openvpn-wasel

v2.3.10a_wasel

Changed version name and tap driver ID

v2.3.10

OpenVPN v2.3.10

2016.01.04 -- Version 2.3.10
Gert Doering (1):
      Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade

Jan Just Keijser (1):
      Make certificate expiry warning patch (091edd8) work on OpenSSL 1.0.1 and earlier.

Lev Stipakov (1):
      Repair IPv6 netsh calls if Win XP is detected

Phillip Smith (1):
      Use bob.example.com and alice.example.com to improve clarity of documentation

Steffan Karger (6):
      Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
      Upgrade OpenVPN 2.3 to PolarSSL 1.3
      Warn user if their certificate has expired
      Make assert_failed() print the failed condition
      cleanup: get rid of httpdigest.c type warnings
      Fix regression in setups without a client certificate

Yegor Yefremov (1):
      polarssl: fix unreachable code

v2.3.9

OpenVPN v2.3.9

2015.12.16 -- Version 2.3.9
Arne Schwabe (7):
      Show extra-certs in current parameters.
      Fix commit a3160fc
      Do not set the buffer size by default but rely on the operating system default.
      Remove --enable-password-save option
      Reflect enable-password-save change in documentation
      Also remove second instance of enable-password-save in the man page
      Detect config lines that are too long and give a warning/error

Boris Lytochkin (1):
      Log serial number of revoked certificate

Christos Trochalakis (1):
      Adjust server-ipv6 documentation

David Sommerseth (1):
      Avoid partial authentication state when using --disabled in CCD configs

Fish (1):
      Make "block-outside-dns" option platform agnostic

Gert Doering (8):
      Un-break --auth-user-pass on windows
      Replace unaligned 16bit access to TCP MSS value with bytewise access
      Repair test_local_addr() on WIN32
      Fix possible heap overflow on read accessing getaddrinfo() result.
      Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
      remove unused gc_arena in FreeBSD close_tun()
      Fix isatty() check for good.
      Preparing for release v2.3.9 (ChangeLog, version.m4)

Heiko Hund (1):
      put virtual IPv6 addresses into env

Lev Stipakov (5):
      Use adapter index instead of name for windows IPv6 interface config
      Client-side part for server restart notification
      Use adapter index for add/delete_route_ipv6
      Pass adapter index to up/down scripts
      Fix VS2013 compilation

Lukasz Kutyla (1):
      Fix privilege drop if first connection attempt fails

Michal Ludvig (1):
      Support for username-only auth file.

Samuli Seppänen (2):
      Add CONTRIBUTING.rst
      Updates to Changes.rst

Selva Nair (4):
      Fix termination when windows suspends/sleeps
      Do not hard-code windows systemroot in env_block
      Handle ctrl-C and ctrl-break events on Windows
      Unbreak read username password from management

Steffan Karger (11):
      Replace strdup() calls for string_alloc() calls
      Check return value of ms_error_text()
      Increase control channel packet size for faster handshakes
      hardening: add insurance to exit on a failed ASSERT()
      Fix memory leak in auth-pam plugin
      Fix (potential) memory leak in init_route_list()
      Fix uninitialized variable in plugin_vlog()
      Add macro to ensure we exit on fatal errors
      Fix memory leak in add_option() by simplifying get_ipv6_addr
      openssl: properly check return value of RAND_bytes()
      Fix rand_bytes return value checking

ValdikSS (1):
      Add Windows DNS Leak fix using WFP ('block-outside-dns')

janjust (1):
      Fix "White space before end tags can break the config parser"

v2.3.8

OpenVPN v2.3.8

2015.08.03 -- Version 2.3.8
Arne Schwabe (2):
      Report missing endtags of inline files as warnings
      Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit

Gert Doering (2):
      Produce a meaningful error message if --daemon gets in the way of asking for passwords.
      Document --daemon changes and consequences (--askpass, --auth-nocache).

Holger Kummert (1):
      Del ipv6 addr on close of linux tun interface

James Geboski (1):
      Fix --askpass not allowing for password input via stdin

Steffan Karger (5):
      write pid file immediately after daemonizing
      Make __func__ work with Visual Studio too
      fix regression: query password before becoming daemon
      Fix using management interface to get passwords.
      Fix overflow check in openvpn_decrypt()

v2.3.7

OpenVPN v2.3.7

2015.06.02 -- Version 2.3.7
Alexander Pyhalov (1):
      Default gateway can't be determined on illumos/Solaris platforms

Arne Schwabe (1):
      Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4

David Sommerseth (6):
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up

David Woodhouse (2):
      pkcs11: Load p11-kit-proxy.so module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present

Felix Janda (1):
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unnecessary

Gert Doering (17):
      New approach to handle peer-id related changes to link-mtu (2.3 version)
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use configure.ac hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.

Guy Yur (1):
      Fix --redirect-private in --dev tap mode.

Jan Just Keijser (1):
      include ifconfig_ environment variables in --up-restart env set

Jonathan K. Bullard (1):
      Fix null pointer dereference in options.c

Lev Stipakov (1):
      Fix mssfix default value in connection_list context

Matthias Andree (1):
      Manual page update for Re-enabled TLS version negotiation.

Mike Gilbert (1):
      Include systemd units in the source tarball (make dist)

Robert Fischer (1):
      Updated manpage for --rport and --lport

Samuli Seppänen (2):
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page

Steffan Karger (14):
      Really fix '--cipher none' regression
      Update doxygen (a bit)
      Set tls-version-max to 1.1 if cryptoapicert is used
      Account for peer-id in frame size calculation
      Disable SSL compression
      Fix frame size calculation for non-CBC modes.
      Allow for CN/username of 64 characters (fixes off-by-one)
      Remove unneeded parameter 'first_time' from possibly_become_daemon()
      Re-enable TLS version negotiation by default
      Remove size limit for files inlined in config
      Improve --tls-cipher and --show-tls man page description
      Re-read auth-user-pass file on (re)connect if required
      Clarify --capath option in manpage
      Call daemon() before initializing crypto library

v2.2.3

OpenVPN 2.2.3

2014.11.30 -- Version 2.2.3
Christian Niessner (1):
      Fix corner case in NTLM authentication (trac OpenVPN#172)

Gert Doering (1):
      Fix client crash on double PUSH_REPLY.

Jens Wagner (1):
      Fix spurious ignoring of pushed config options (trac#349).

Matthias Andree (1):
      Enable TCP_NODELAY configuration on FreeBSD.

Steffan Karger (2):
      Drop too-short control channel packets instead of asserting out.
      Use constant time memcmp when comparing HMACs in openvpn_decrypt.

v2.3.6

OpenVPN v2.3.6

OpenVPN Change Log
Copyright (C) 2002-2014 OpenVPN Technologies, Inc. <[email protected]>

2014.11.28 -- Version 2.3.6
David Sommerseth (1):
      systemd: Reworked the systemd unit file to handle server and client configs better

Gert Doering (1):
      Add client-only support for peer-id.

Samuli Seppänen (1):
      Fix to --shaper documentation on the man-page

Steffan Karger (4):
      Fix assertion error when using --cipher none
      Add --tls-version-max
      Modernize sample keys and sample configs
      Drop too-short control channel packets instead of asserting out.

v2.3.5

OpenVPN v2.3.5

2014.10.24 -- Version 2.3.5
Andris Kalnozols (2):
      Fix some typos in the man page.
      Do not upcase x509-username-field for mixed-case arguments.

Arne Schwabe (1):
      Fix server routes not working in topology subnet with --server [v3]

David Sommerseth (4):
      Improve error reporting on file access to --client-config-dir and --ccd-exclusive
      Don't let openvpn_popen() keep zombies around
      Add systemd unit file for OpenVPN
      systemd: Use systemd functions to consider systemd availability

Gert Doering (3):
      Drop incoming fe80:: packets silently now.
      Fix t_lpback.sh platform-dependent failures
      Call init script helpers with explicit path (./)

Heiko Hund (1):
      refine assertion to allow other modes than CBC

Hubert Kario (2):
      ocsp_check - signature verification and cert status results are separate
      ocsp_check - double check if ocsp didn't report any errors in execution

James Bekkema (1):
      Fix socket-flag/TCP_NODELAY on Mac OS X

James Yonan (6):
      Fixed several instances of declarations after statements.
      In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror.
      Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
      MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
      Define PATH_SEPARATOR for MSVC builds.
      Fixed some compile issues with show_library_versions()

Jann Horn (1):
      Remove quadratic complexity from openvpn_base64_decode()

Mike Gilbert (1):
      Add configure check for the path to systemd-ask-password

Philipp Hagemeister (2):
      Add topology in sample server configuration file
      Implement on-link route adding for iproute2

Samuel Thibault (1):
      Ensure that client-connect files are always deleted

Steffan Karger (13):
      Remove function without effect (cipher_ok() always returned true).
      Remove unneeded wrapper functions in crypto_openssl.c
      Fix bug that incorrectly refuses oid representation eku's in polar builds
      Update README.polarssl
      Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
      Add proper check for crypto modes (CBC or OFB/CFB)
      Improve --show-ciphers to show if a cipher can be used in static key mode
      Extend t_lpback tests to test all ciphers reported by --show-ciphers
      Don't exit daemon if opening or parsing the CRL fails.
      Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
      Fix regression with password protected private keys (polarssl)
      ssl_polarssl.c: fix includes and make casts explicit
      Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

TDivine (1):
      Fix "code=995" bug with windows NDIS6 tap driver.

v2.3.4

OpenVPN 2.3.4

2014.04.30 -- Version 2.3.4
Arne Schwabe (1):
      Fix man page and OCSP script: tls_serial_{n} is decimal

Dmitrij Tejblum (1):
      Fix is_ipv6 in case of tap interface.

Gert Doering (7):
      IPv6 address/route delete fix for Win8
      Add SSL library version reporting.
      Minor t_client.sh cleanups
      Repair --multihome on FreeBSD for IPv4 sockets.
      Rewrite manpage section about --multihome
      More IPv6-related updates to the openvpn man page.
      Conditionalize calls to print_default_gateway on !ENABLE_SMALL

James Yonan (2):
      Use native strtoull() with MSVC 2013.
      When tls-version-min is unspecified, revert to original versioning approach.

Steffan Karger (4):
      Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
      Fix OCSP_check.sh to also use decimal for stdout verification.
      Fix build system to accept non-system crypto library locations for plugins.
      Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

Yawning Angel (1):
      Fix SOCKSv5 method selection

kangsterizer (1):
      Fix typo in sample build script to use LDFLAGS

v2.3.3

v2.3.3 OpenVPN v2.3.3

2014.04.08 -- Version 2.3.3
Alon Bar-Lev (1):
      pkcs11: use generic evp key instead of rsa

Arne Schwabe (8):
      Add support of utun devices under Mac OS X
      Add support to ignore specific options.
      Add a note what setenv opt does for OpenVPN < 2.3.3
      Add reporting of UI version to basic push-peer-info set.
      Fix compile error in ssl_openssl introduced by polar external-management patch
      Fix assertion when SIGUSR1 is received while getaddrinfo is successful
      Add warning for using connection block variables after connection blocks
      Introduce safety check for http proxy options

David Sommerseth (5):
      man page: Update man page about the tls_digest_{n} environment variable
      Remove the --disable-eurephia configure option
      plugin: Extend the plug-in v3 API to identify the SSL implementation used
      autoconf: Fix typo
      Fix file checks when --chroot is being used

Davide Brini (1):
      Document authfile for socks server

Gert Doering (9):
      Fix IPv6 examples in t_client.rc-sample
      Fix slow memory drain on each client renegotiation.
      t_client.sh: ignore fields from "ip -6 route show" output that distort results.
      Make code and documentation for --remote-random-hostname consistent.
      Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
      Document issue with --chroot, /dev/urandom and PolarSSL.
      Rename 'struct route' to 'struct route_ipv4'
      Replace copied structure elements with including <net/route.h>
      Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions

Heikki Hannikainen (1):
      Always load intermediate certificates from a PKCS#12 file

Heiko Hund (2):
      Support non-ASCII TAP adapter names on Windows
      Support non-ASCII characters in Windows tmp path

James Yonan (3):
      TLS version negotiation
      Added "setenv opt" directive prefix.
      Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

Jens Wagner (1):
      Fix spurious ignoring of pushed config options (trac#349).

Joachim Schipper (3):
      Refactor tls_ctx_use_external_private_key()
      --management-external-key for PolarSSL
      external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids

Josh Cepek (2):
      Correct error text when no Windows TAP device is present
      Require a 1.2.x PolarSSL version

Klee Dienes (1):
      tls_ctx_load_ca: Improve certificate error messages

Max Muster (1):
      Remove duplicate cipher entries from TLS translation table.

Peter Sagerson (1):
      Fix configure interaction with static OpenSSL libraries

Steffan Karger (7):
      Do not pass struct tls_session* as void* in key_state_ssl_init().
      Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
      Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
      Also update TLSv1_method() calls in support code to SSLv23_method() calls.
      Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
      If --tls-cipher is supplied, make --show-tls parse the list.
      Add openssl-specific common cipher list names to ssl.c.

Tamas TEVESZ (1):
      Add support for client-cert-not-required for PolarSSL.

Thomas Veerman (1):
      Fix "." in description of utun.