Versie historie van OpenVPN

<<Terug naar software beschrijving

Veranderingen voor v2.4.6 - v2.4.7

  • Adam Ciarciński (1):
  • Fix subnet topology on NetBSD (2.4).
  • Antonio Quartulli (3):
  • add support for %lu in argv_printf and prevent ASSERT
  • buffer_list: add functions documentation
  • ifconfig-ipv6(-push): allow using hostnames
  • Arne Schwabe (7):
  • Properly free tuntap struct on android when emulating persist-tun
  • Add OpenSSL compat definition for RSA_meth_set_sign
  • Add support for tls-ciphersuites for TLS 1.3
  • Add better support for showing TLS 1.3 ciphersuites in --show-tls
  • Use right function to set TLS1.3 restrictions in show-tls
  • Add message explaining early TLS client hello failure
  • Fallback to password authentication when auth-token fails
  • Christian Ehrhardt (1):
  • systemd: extend CapabilityBoundingSet for auth_pam
  • David Sommerseth (1):
  • plugin: Export base64 encode and decode functions
  • Gert Doering (4):
  • Add %d, %u and %lu tests to test_argv unit tests.
  • Fix combination of --dev tap and --topology subnet across multiple platforms.
  • Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
  • preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
  • Gert van Dijk (1):
  • Minor reliability layer documentation fixes
  • James Bekkema (1):
  • Resolves small IV_GUI_VER typo in the documentation.
  • Jonathan K. Bullard (1):
  • Clarify and expand management interface documentation
  • Lev Stipakov (5):
  • Refactor NCP-negotiable options handling
  • init.c: refine functions names and description
  • interactive.c: fix usage of potentially uninitialized variable
  • options.c: fix broken unary minus usage
  • Remove extra token after #endif
  • Richard van den Berg via Openvpn-devel (1):
  • Fix error message when using RHEL init script
  • Samy Mahmoudi (1):
  • man: correct a --redirection-gateway option flag
  • Selva Nair (7):
  • Replace M_DEBUG with D_LOW as the former is too verbose
  • Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
  • Bump version of openvpn plugin argument structs to 5
  • Move get system directory to a separate function
  • Enable dhcp on tap adapter using interactive service
  • Pass the hash without the DigestInfo header to NCryptSignHash()
  • White-list pull-filter and script-security in interactive service
  • Simon Rozman (2):
  • Add Interactive Service developer documentation
  • Detect TAP interfaces with root-enumerated hardware ID
  • Steffan Karger (7):
  • man: add security considerations to --compress section
  • mbedtls: print warning if random personalisation fails
  • Fix memory leak after sighup
  • travis: add OpenSSL 1.1 Windows build
  • Fix --disable-crypto build
  • Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
  • buffer_list_aggregate_separator(): simplify code



Veranderingen voor v2.4.3 - v2.4.4

  • Antonio Quartulli (23):
  • crypto: correct typ0 in error message
  • use M_ERRNO instead of explicitly printing errno
  • don't print errno twice
  • ntlm: avoid useless cast
  • ntlm: unwrap multiple function calls
  • route: improve error message
  • management: preserve wait_for_push field when asking for user/pass
  • tls-crypt: avoid warnings when --disable-crypto is used
  • ntlm: convert binary buffers to uint8_t *
  • ntlm: restyle compressed multiple function calls
  • ntlm: improve code style and readability
  • OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
  • make function declarations C99 compliant
  • remove unused functions
  • use NULL instead of 0 when assigning pointers
  • add missing static attribute to functions
  • ntlm: avoid breaking anti-aliasing rules
  • remove the --disable-multi config switch
  • rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
  • route: avoid definition of unused variables in certain configurations
  • fix a couple of typ0s in comments and strings
  • fragment.c: simplify boolean expression
  • tcp-server: ensure AF family is propagated to child context
  • Arne Schwabe (2):
  • Set tls-cipher restriction before loading certificates
  • Print ec bit details, refuse management-external-key if key is not RSA
  • Conrad Hoffmann (2):
  • Use provided env vars in up/down script.
  • Document down-root plugin usage in client.down
  • David Sommerseth (12):
  • doc: The CRL processing is not a deprecated feature
  • cleanup: Move write_pid() to where it is being used
  • contrib: Remove keychain-mcd code
  • cleanup: Move init_random_seed() to where it is being used
  • sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
  • Highlight deprecated features
  • Use consistent version references
  • docs: Replace all PolarSSL references to mbed TLS
  • systemd: Ensure systemd shuts down OpenVPN in a proper way
  • systemd: Enable systemd's auto-restart feature for server profiles
  • lz4: Move towards a newer LZ4 API
  • Prepare the release of OpenVPN 2.4.4
  • Emmanuel Deloget (3):
  • OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
  • OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
  • OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
  • Gert van Dijk (1):
  • Warn that DH config option is only meaningful in a tls-server context
  • Ilya Shipitsin (3):
  • travis-ci: add 3 missing patches from master to release/2.4
  • travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
  • travis-ci: update pkcs11-helper to 1.22
  • Richard Bonhomme (1):
  • man: Corrections to doc/openvpn.8
  • Steffan Karger (17):
  • Fix typo in extract_x509_extension() debug message
  • Move adjust_power_of_2() to integer.h
  • Undo cipher push in client options state if cipher is rejected
  • Remove strerror_ts()
  • Move openvpn_sleep() to manage.c
  • fixup: also change missed openvpn_sleep() occurrences
  • Always use default keysize for NCP'd ciphers
  • Move create_temp_file() out of #ifdef ENABLE_CRYPTO
  • Deprecate --keysize
  • Deprecate --no-replay
  • Move run_up_down() to init.c
  • tls-crypt: introduce tls_crypt_kt()
  • crypto: create function to initialize encrypt and decrypt key
  • Add coverity static analysis to Travis CI config
  • tls-crypt: don't leak memory for incorrect tls-crypt messages
  • travis: reorder matrix to speed up build
  • Fix bounds check in read_key()
  • Szilárd Pfeiffer (1):
  • OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
  • Thomas Veerman via Openvpn-devel (1):
  • Fix socks_proxy_port pointing to invalid data



Veranderingen voor v2.4.2 - v2.4.3

  • Antonio Quartulli (1):
  • Ignore auth-nocache for auth-user-pass if auth-token is pushed
  • David Sommerseth (3):
  • crypto: Enable SHA256 fingerprint checking in --verify-hash
  • copyright: Update GPLv2 license texts
  • auth-token with auth-nocache fix broke --disable-crypto builds
  • Emmanuel Deloget (8):
  • OpenSSL: don't use direct access to the internal of X509
  • OpenSSL: don't use direct access to the internal of EVP_PKEY
  • OpenSSL: don't use direct access to the internal of RSA
  • OpenSSL: don't use direct access to the internal of DSA
  • OpenSSL: force meth->name as non-const when we free() it
  • OpenSSL: don't use direct access to the internal of EVP_MD_CTX
  • OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
  • OpenSSL: don't use direct access to the internal of HMAC_CTX
  • Gert Doering (6):
  • Fix NCP behaviour on TLS reconnect.
  • Remove erroneous limitation on max number of args for --plugin
  • Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
  • Fix potential 1-byte overread in TCP option parsing.
  • Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
  • Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
  • Guido Vranken (6):
  • refactor my_strupr
  • Fix 2 memory leaks in proxy authentication routine
  • Fix memory leak in add_option() for option 'connection'
  • Ensure option array p[] is always NULL-terminated
  • Fix a null-pointer dereference in establish_http_proxy_passthru()
  • Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
  • Jérémie Courrčges-Anglas (2):
  • Fix an unaligned access on OpenBSD/sparc64
  • Missing include for socket-flags TCP_NODELAY on OpenBSD
  • Matthias Andree (1):
  • Make openvpn-plugin.h self-contained again.
  • Selva Nair (1):
  • Pass correct buffer size to GetModuleFileNameW()
  • Steffan Karger (11):
  • Log the negotiated (NCP) cipher
  • Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
  • Skip tls-crypt unit tests if required crypto mode not supported
  • openssl: fix overflow check for long --tls-cipher option
  • Add a DSA test key/cert pair to sample-keys
  • Fix mbedtls fingerprint calculation
  • mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
  • mbedtls: require C-string compatible types for --x509-username-field
  • Fix remote-triggerable memory leaks (CVE-2017-7521)
  • Restrict --x509-alt-username extension types
  • Fix potential double-free in --x509-alt-username (CVE-2017-7521)
  • Steven McDonald (1):
  • Fix gateway detection with OpenBSD routing domains



Veranderingen voor v2.3.12 - v2.3.13

  • Arne Schwabe (2):
  • Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
  • Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
  • David Sommerseth (5):
  • t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
  • t_client.sh: Add support for Kerberos/ksu
  • t_client.sh: Improve detection if the OpenVPN process did start during tests
  • t_client.sh: Add prepare/cleanup possibilties for each test case
  • Preparing release of v2.3.13
  • Gert Doering (5):
  • Do not abort t_client run if OpenVPN instance does not start.
  • Fix t_client runs on OpenSolaris
  • make t_client robust against sudoers misconfiguration
  • add POSTINIT_CMD_suf to t_client.sh and sample config
  • Fix --multihome for IPv6 on 64bit BSD systems.
  • Ilya Shipitsin (1):
  • skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
  • Lev Stipakov (2):
  • Exclude peer-id from pulled options digest
  • Fix compilation in pedantic mode
  • Samuli Seppänen (1):
  • Automatically cache expected IPs for t_client.sh on the first run
  • Steffan Karger (6):
  • Fix unittests for out-of-source builds
  • Make gnu89 support explicit
  • cleanup: remove code duplication in msg_test()
  • Update cipher-related man page text
  • Limit --reneg-bytes to 64MB when using small block ciphers
  • Add a revoked cert to the sample keys



Veranderingen voor v2.3.10 - v2.3.12

  • This release includes many small improvements and fixes. This is the first release that actively discourages the use of 64-bit block ciphers for security reasons.



Veranderingen voor v2.3.9 - v2.3.10

  • Gert Doering (2):
  • Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
  • Preparing for release v2.3.10 (ChangeLog, version.m4)
  • Jan Just Keijser (1):
  • Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
  • Lev Stipakov (1):
  • Repair IPv6 netsh calls if Win XP is detected
  • Phillip Smith (1):
  • Use bob.example.com and alice.example.com to improve clarity of documentation
  • Steffan Karger (6):
  • Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
  • Upgrade OpenVPN 2.3 to PolarSSL 1.3
  • Warn user if their certificate has expired
  • Make assert_failed() print the failed condition
  • cleanup: get rid of httpdigest.c type warnings
  • Fix regression in setups without a client certificate
  • Yegor Yefremov (1):
  • polarssl: fix unreachable code



Veranderingen voor v2.3.7 - v2.3.8

  • Arne Schwabe (2):
  • Report missing endtags of inline files as warnings
  • Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
  • Gert Doering (3):
  • Produce a meaningful error message if --daemon gets in the way of asking for passwords.
  • Document --daemon changes and consequences (--askpass, --auth-nocache).
  • Preparing for release v2.3.8 (ChangeLog, version.m4)
  • Holger Kummert (1):
  • Del ipv6 addr on close of linux tun interface
  • James Geboski (1):
  • Fix --askpass not allowing for password input via stdin
  • Steffan Karger (5):
  • write pid file immediately after daemonizing
  • Make __func__ work with Visual Studio too
  • fix regression: query password before becoming daemon
  • Fix using management interface to get passwords.
  • Fix overflow check in openvpn_decrypt()



Veranderingen voor v2.3.5 - v2.3.6

  • systemd: Reworked the systemd unit file to handle server and client configs better
  • Add client-only support for peer-id.
  • Preparing for release v2.3.6 (ChangeLog, version.m4)
  • Fix to --shaper documentation on the man-page
  • Fix assertion error when using --cipher none
  • Add --tls-version-max
  • Modernize sample keys and sample configs
  • Drop too-short control channel packets instead of asserting out.



Veranderingen voor v2.3.4 - v2.3.5

  • Fix some typos in the man page.
  • Do not upcase x509-username-field for mixed-case arguments.
  • Fix server routes not working in topology subnet with --server [v3]
  • Improve error reporting on file access to --client-config-dir and --ccd-exclusive
  • Don't let openvpn_popen() keep zombies around
  • Add systemd unit file for OpenVPN
  • systemd: Use systemd functions to consider systemd availability
  • Drop incoming fe80:: packets silently now.
  • Fix t_lpback.sh platform-dependent failures
  • Call init script helpers with explicit path (./)
  • Preparing for release v2.3.5 (ChangeLog, version.m4)
  • refine assertion to allow other modes than CBC
  • ocsp_check - signature verification and cert staus results are separate
  • ocsp_check - double check if ocsp didn't report any errors in execution
  • Fix socket-flag/TCP_NODELAY on Mac OS X
  • Fixed several instances of declarations after statements.
  • In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
  • Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
  • MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
  • Define PATH_SEPARATOR for MSVC builds.
  • Fixed some compile issues with show_library_versions()
  • Remove quadratic complexity from openvpn_base64_decode()
  • Add configure check for the path to systemd-ask-password
  • Add topology in sample server configuration file
  • Implement on-link route adding for iproute2
  • Ensure that client-connect files are always deleted
  • Remove function without effect (cipher_ok() always returned true).
  • Remove unneeded wrapper functions in crypto_openssl.c
  • Fix bug that incorrectly refuses oid representation eku's in polar builds
  • Update README.polarssl
  • Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
  • Improve --show-ciphers to show if a cipher can be used in static key mode
  • Extend t_lpback tests to test all ciphers reported by --show-ciphers
  • Don't exit daemon if opening or parsing the CRL fails.
  • Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
  • Fix regression with password protected private keys (polarssl)
  • ssl_polarssl.c: fix includes and make casts explicit
  • Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
  • Fix "code=995" bug with windows NDIS6 tap driver.



Veranderingen voor v2.3.3 - v2.3.4

  • Fix man page and OSCP script: tls_serial_{n} is decimal
  • Fix is_ipv6 in case of tap interface.
  • IPv6 address/route delete fix for Win8
  • Add SSL library version reporting.
  • Minor t_client.sh cleanups
  • Repair --multihome on FreeBSD for IPv4 sockets.
  • Rewrite manpage section about --multihome
  • More IPv6-related updates to the openvpn man page.
  • Conditionalize calls to print_default_gateway on !ENABLE_SMALL
  • Preparing for release v2.3.4 (ChangeLog, version.m4)
  • Use native strtoull() with MSVC 2013.
  • When tls-version-min is unspecified, revert to original versioning approach.
  • Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
  • Fix OCSP_check.sh to also use decimal for stdout verification.
  • Fix build system to accept non-system crypto library locations for plugins.
  • Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
  • Fix SOCKSv5 method selection
  • Fix typo in sample build script to use LDFLAGS



Veranderingen voor v2.3.2-I003 - v2.3.3

  • Alon Bar-Lev (1):
  • pkcs11: use generic evp key instead of rsa
  • Arne Schwabe (8):
  • Add support of utun devices under Mac OS X
  • Add support to ignore specific options.
  • Add a note what setenv opt does for OpenVPN < 2.3.3
  • Add reporting of UI version to basic push-peer-info set.
  • Fix compile error in ssl_openssl introduced by polar external-management patch
  • Fix assertion when SIGUSR1 is received while getaddrinfo is successful
  • Add warning for using connection block variables after connection blocks
  • Introduce safety check for http proxy options
  • David Sommerseth (5):
  • man page: Update man page about the tls_digest_{n} environment variable
  • Remove the --disable-eurephia configure option
  • plugin: Extend the plug-in v3 API to identify the SSL implementation used
  • autoconf: Fix typo
  • Fix file checks when --chroot is being used
  • Davide Brini (1):
  • Document authfile for socks server
  • Gert Doering (9):
  • Fix IPv6 examples in t_client.rc-sample
  • Fix slow memory drain on each client renegotiation.
  • t_client.sh: ignore fields from "ip -6 route show" output that distort results.
  • Make code and documentation for --remote-random-hostname consistent.
  • Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
  • Document issue with --chroot, /dev/urandom and PolarSSL.
  • Rename 'struct route' to 'struct route_ipv4'
  • Replace copied structure elements with including
  • Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
  • Heikki Hannikainen (1):
  • Always load intermediate certificates from a PKCS#12 file
  • Heiko Hund (2):
  • Support non-ASCII TAP adapter names on Windows
  • Support non-ASCII characters in Windows tmp path
  • James Yonan (3):
  • TLS version negotiation
  • Added "setenv opt" directive prefix.
  • Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
  • Jens Wagner (1):
  • Fix spurious ignoring of pushed config options (trac#349).
  • Joachim Schipper (3):
  • Refactor tls_ctx_use_external_private_key()
  • --management-external-key for PolarSSL
  • external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
  • Josh Cepek (2):
  • Correct error text when no Windows TAP device is present
  • Require a 1.2.x PolarSSL version
  • Klee Dienes (1):
  • tls_ctx_load_ca: Improve certificate error messages
  • Max Muster (1):
  • Remove duplicate cipher entries from TLS translation table.
  • Peter Sagerson (1):
  • Fix configure interaction with static OpenSSL libraries
  • Steffan Karger (7):
  • Do not pass struct tls_session* as void* in key_state_ssl_init().
  • Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
  • Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
  • Also update TLSv1_method() calls in support code to SSLv23_method() calls.
  • Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
  • If --tls-cipher is supplied, make --show-tls parse the list.
  • Add openssl-specific common cipher list names to ssl.c.
  • Tamas TEVESZ (1):
  • Add support for client-cert-not-required for PolarSSL.
  • Thomas Veerman (1):
  • Fix "." in description of utun.



Veranderingen voor v2.3.2 - v2.3.2-I003

  • The I003 Windows installer fixes a signature problem in tap-windows driver, which prevented the driver from being installed in many cases



Veranderingen voor v2.3.1 - v2.3.2

  • Only print script warnings when a script is used. Remove stray mention of script-security system.
  • Move settings of user script into set_user_script function
  • Move checking of script file access into set_user_script
  • Provide more accurate warning message
  • Fix NULL-pointer crash in route_list_add_vpn_gateway().
  • Fix problem with UDP tunneling due to mishandled pktinfo structures.
  • Always push basic set of peer info values to server.
  • make 'explicit-exit-notify' pullable again
  • Fix proto tcp6 for server & non-P2MP modes
  • Fix Windows script execution when called from script hooks
  • Fixed tls-cipher translation bug in openssl-build
  • Fixed usage of stale define USE_SSL to ENABLE_SSL
  • Fix segfault when enabling pf plug-ins



Veranderingen voor v2.3.0 - v2.3.1

  • Arne Schwabe (4):
  • Remove dead code path and putenv functionality
  • Remove unused function xor
  • Move static prototype definition from header into c file
  • Remove unused function no_tap_ifconfig
  • Christian Hesse (1):
  • fix build with automake 1.13(.1)
  • Christian Niessner (1):
  • Fix corner case in NTLM authentication (trac #172)
  • Gert Doering (6):
  • Update README.IPv6 to match what is in 2.3.0
  • Repair "tcp server queue overflow" brokenness, more fallout.
  • Permit pool size of /64.../112 for ifconfig-ipv6-pool
  • Add MIN() compatibility macro
  • Fix directly connected routes for "topology subnet" on Solaris.
  • Preparing for v2.3.1 (ChangeLog, version.m4)
  • Heiko Hund (5):
  • close more file descriptors on exec
  • Ignore UTF-8 byte order mark
  • reintroduce --no-name-remapping option
  • make --tls-remote compatible with pre 2.3 configs
  • add new option for X.509 name verification
  • Jan Just Keijser (1):
  • man page patch for missing options
  • Josh Cepek (2):
  • Fix parameter listing in non-debug builds at verb 4
  • (updated) [PATCH] Warn when using verb levels >=7 without debug
  • Matthias Andree (1):
  • Enable TCP_NODELAY configuration on FreeBSD.
  • Samuli Seppänen (4):
  • Removed ChangeLog.IPv6
  • Added cross-compilation information INSTALL-win32.txt
  • Updated README
  • Cleaned up and updated INSTALL
  • Steffan Karger (7):
  • PolarSSL-1.2 support
  • Improve PolarSSL key_state_read_{cipher, plain}text messages
  • Improve verify_callback messages
  • Config compatibility patch. Added translate_cipher_name.
  • Switch to IANA names for TLS ciphers.
  • Fixed autoconf script to properly detect missing pkcs11 with polarssl.
  • Use constant time memcmp when comparing HMACs in openvpn_decrypt.



<<Terug naar software beschrijving