Versie historie van OpenVPN
<<Terug naar software beschrijving
Veranderingen voor v2.4.6 - v2.4.7
- Adam Ciarciński (1):
- Fix subnet topology on NetBSD (2.4).
- Antonio Quartulli (3):
- add support for %lu in argv_printf and prevent ASSERT
- buffer_list: add functions documentation
- ifconfig-ipv6(-push): allow using hostnames
- Arne Schwabe (7):
- Properly free tuntap struct on android when emulating persist-tun
- Add OpenSSL compat definition for RSA_meth_set_sign
- Add support for tls-ciphersuites for TLS 1.3
- Add better support for showing TLS 1.3 ciphersuites in --show-tls
- Use right function to set TLS1.3 restrictions in show-tls
- Add message explaining early TLS client hello failure
- Fallback to password authentication when auth-token fails
- Christian Ehrhardt (1):
- systemd: extend CapabilityBoundingSet for auth_pam
- David Sommerseth (1):
- plugin: Export base64 encode and decode functions
- Gert Doering (4):
- Add %d, %u and %lu tests to test_argv unit tests.
- Fix combination of --dev tap and --topology subnet across multiple platforms.
- Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
- preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
- Gert van Dijk (1):
- Minor reliability layer documentation fixes
- James Bekkema (1):
- Resolves small IV_GUI_VER typo in the documentation.
- Jonathan K. Bullard (1):
- Clarify and expand management interface documentation
- Lev Stipakov (5):
- Refactor NCP-negotiable options handling
- init.c: refine functions names and description
- interactive.c: fix usage of potentially uninitialized variable
- options.c: fix broken unary minus usage
- Remove extra token after #endif
- Richard van den Berg via Openvpn-devel (1):
- Fix error message when using RHEL init script
- Samy Mahmoudi (1):
- man: correct a --redirection-gateway option flag
- Selva Nair (7):
- Replace M_DEBUG with D_LOW as the former is too verbose
- Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
- Bump version of openvpn plugin argument structs to 5
- Move get system directory to a separate function
- Enable dhcp on tap adapter using interactive service
- Pass the hash without the DigestInfo header to NCryptSignHash()
- White-list pull-filter and script-security in interactive service
- Simon Rozman (2):
- Add Interactive Service developer documentation
- Detect TAP interfaces with root-enumerated hardware ID
- Steffan Karger (7):
- man: add security considerations to --compress section
- mbedtls: print warning if random personalisation fails
- Fix memory leak after sighup
- travis: add OpenSSL 1.1 Windows build
- Fix --disable-crypto build
- Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
- buffer_list_aggregate_separator(): simplify code
Veranderingen voor v2.4.3 - v2.4.4
- Antonio Quartulli (23):
- crypto: correct typ0 in error message
- use M_ERRNO instead of explicitly printing errno
- don't print errno twice
- ntlm: avoid useless cast
- ntlm: unwrap multiple function calls
- route: improve error message
- management: preserve wait_for_push field when asking for user/pass
- tls-crypt: avoid warnings when --disable-crypto is used
- ntlm: convert binary buffers to uint8_t *
- ntlm: restyle compressed multiple function calls
- ntlm: improve code style and readability
- OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
- make function declarations C99 compliant
- remove unused functions
- use NULL instead of 0 when assigning pointers
- add missing static attribute to functions
- ntlm: avoid breaking anti-aliasing rules
- remove the --disable-multi config switch
- rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
- route: avoid definition of unused variables in certain configurations
- fix a couple of typ0s in comments and strings
- fragment.c: simplify boolean expression
- tcp-server: ensure AF family is propagated to child context
- Arne Schwabe (2):
- Set tls-cipher restriction before loading certificates
- Print ec bit details, refuse management-external-key if key is not RSA
- Conrad Hoffmann (2):
- Use provided env vars in up/down script.
- Document down-root plugin usage in client.down
- David Sommerseth (12):
- doc: The CRL processing is not a deprecated feature
- cleanup: Move write_pid() to where it is being used
- contrib: Remove keychain-mcd code
- cleanup: Move init_random_seed() to where it is being used
- sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
- Highlight deprecated features
- Use consistent version references
- docs: Replace all PolarSSL references to mbed TLS
- systemd: Ensure systemd shuts down OpenVPN in a proper way
- systemd: Enable systemd's auto-restart feature for server profiles
- lz4: Move towards a newer LZ4 API
- Prepare the release of OpenVPN 2.4.4
- Emmanuel Deloget (3):
- OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
- OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
- OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
- Gert van Dijk (1):
- Warn that DH config option is only meaningful in a tls-server context
- Ilya Shipitsin (3):
- travis-ci: add 3 missing patches from master to release/2.4
- travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
- travis-ci: update pkcs11-helper to 1.22
- Richard Bonhomme (1):
- man: Corrections to doc/openvpn.8
- Steffan Karger (17):
- Fix typo in extract_x509_extension() debug message
- Move adjust_power_of_2() to integer.h
- Undo cipher push in client options state if cipher is rejected
- Remove strerror_ts()
- Move openvpn_sleep() to manage.c
- fixup: also change missed openvpn_sleep() occurrences
- Always use default keysize for NCP'd ciphers
- Move create_temp_file() out of #ifdef ENABLE_CRYPTO
- Deprecate --keysize
- Deprecate --no-replay
- Move run_up_down() to init.c
- tls-crypt: introduce tls_crypt_kt()
- crypto: create function to initialize encrypt and decrypt key
- Add coverity static analysis to Travis CI config
- tls-crypt: don't leak memory for incorrect tls-crypt messages
- travis: reorder matrix to speed up build
- Fix bounds check in read_key()
- Szilárd Pfeiffer (1):
- OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
- Thomas Veerman via Openvpn-devel (1):
- Fix socks_proxy_port pointing to invalid data
Veranderingen voor v2.4.2 - v2.4.3
- Antonio Quartulli (1):
- Ignore auth-nocache for auth-user-pass if auth-token is pushed
- David Sommerseth (3):
- crypto: Enable SHA256 fingerprint checking in --verify-hash
- copyright: Update GPLv2 license texts
- auth-token with auth-nocache fix broke --disable-crypto builds
- Emmanuel Deloget (8):
- OpenSSL: don't use direct access to the internal of X509
- OpenSSL: don't use direct access to the internal of EVP_PKEY
- OpenSSL: don't use direct access to the internal of RSA
- OpenSSL: don't use direct access to the internal of DSA
- OpenSSL: force meth->name as non-const when we free() it
- OpenSSL: don't use direct access to the internal of EVP_MD_CTX
- OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
- OpenSSL: don't use direct access to the internal of HMAC_CTX
- Gert Doering (6):
- Fix NCP behaviour on TLS reconnect.
- Remove erroneous limitation on max number of args for --plugin
- Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
- Fix potential 1-byte overread in TCP option parsing.
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
- Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
- Guido Vranken (6):
- refactor my_strupr
- Fix 2 memory leaks in proxy authentication routine
- Fix memory leak in add_option() for option 'connection'
- Ensure option array p[] is always NULL-terminated
- Fix a null-pointer dereference in establish_http_proxy_passthru()
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
- Jérémie Courrčges-Anglas (2):
- Fix an unaligned access on OpenBSD/sparc64
- Missing include for socket-flags TCP_NODELAY on OpenBSD
- Matthias Andree (1):
- Make openvpn-plugin.h self-contained again.
- Selva Nair (1):
- Pass correct buffer size to GetModuleFileNameW()
- Steffan Karger (11):
- Log the negotiated (NCP) cipher
- Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
- Skip tls-crypt unit tests if required crypto mode not supported
- openssl: fix overflow check for long --tls-cipher option
- Add a DSA test key/cert pair to sample-keys
- Fix mbedtls fingerprint calculation
- mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
- mbedtls: require C-string compatible types for --x509-username-field
- Fix remote-triggerable memory leaks (CVE-2017-7521)
- Restrict --x509-alt-username extension types
- Fix potential double-free in --x509-alt-username (CVE-2017-7521)
- Steven McDonald (1):
- Fix gateway detection with OpenBSD routing domains
Veranderingen voor v2.3.12 - v2.3.13
- Arne Schwabe (2):
- Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
- Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
- David Sommerseth (5):
- t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
- t_client.sh: Add support for Kerberos/ksu
- t_client.sh: Improve detection if the OpenVPN process did start during tests
- t_client.sh: Add prepare/cleanup possibilties for each test case
- Preparing release of v2.3.13
- Gert Doering (5):
- Do not abort t_client run if OpenVPN instance does not start.
- Fix t_client runs on OpenSolaris
- make t_client robust against sudoers misconfiguration
- add POSTINIT_CMD_suf to t_client.sh and sample config
- Fix --multihome for IPv6 on 64bit BSD systems.
- Ilya Shipitsin (1):
- skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
- Lev Stipakov (2):
- Exclude peer-id from pulled options digest
- Fix compilation in pedantic mode
- Samuli Seppänen (1):
- Automatically cache expected IPs for t_client.sh on the first run
- Steffan Karger (6):
- Fix unittests for out-of-source builds
- Make gnu89 support explicit
- cleanup: remove code duplication in msg_test()
- Update cipher-related man page text
- Limit --reneg-bytes to 64MB when using small block ciphers
- Add a revoked cert to the sample keys
Veranderingen voor v2.3.10 - v2.3.12
- This release includes many small improvements and fixes. This is the first release that actively discourages the use of 64-bit block ciphers for security reasons.
Veranderingen voor v2.3.9 - v2.3.10
- Gert Doering (2):
- Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
- Preparing for release v2.3.10 (ChangeLog, version.m4)
- Jan Just Keijser (1):
- Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
- Lev Stipakov (1):
- Repair IPv6 netsh calls if Win XP is detected
- Phillip Smith (1):
- Use bob.example.com and alice.example.com to improve clarity of documentation
- Steffan Karger (6):
- Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
- Upgrade OpenVPN 2.3 to PolarSSL 1.3
- Warn user if their certificate has expired
- Make assert_failed() print the failed condition
- cleanup: get rid of httpdigest.c type warnings
- Fix regression in setups without a client certificate
- Yegor Yefremov (1):
- polarssl: fix unreachable code
Veranderingen voor v2.3.7 - v2.3.8
- Arne Schwabe (2):
- Report missing endtags of inline files as warnings
- Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
- Gert Doering (3):
- Produce a meaningful error message if --daemon gets in the way of asking for passwords.
- Document --daemon changes and consequences (--askpass, --auth-nocache).
- Preparing for release v2.3.8 (ChangeLog, version.m4)
- Holger Kummert (1):
- Del ipv6 addr on close of linux tun interface
- James Geboski (1):
- Fix --askpass not allowing for password input via stdin
- Steffan Karger (5):
- write pid file immediately after daemonizing
- Make __func__ work with Visual Studio too
- fix regression: query password before becoming daemon
- Fix using management interface to get passwords.
- Fix overflow check in openvpn_decrypt()
Veranderingen voor v2.3.5 - v2.3.6
- systemd: Reworked the systemd unit file to handle server and client configs better
- Add client-only support for peer-id.
- Preparing for release v2.3.6 (ChangeLog, version.m4)
- Fix to --shaper documentation on the man-page
- Fix assertion error when using --cipher none
- Add --tls-version-max
- Modernize sample keys and sample configs
- Drop too-short control channel packets instead of asserting out.
Veranderingen voor v2.3.4 - v2.3.5
- Fix some typos in the man page.
- Do not upcase x509-username-field for mixed-case arguments.
- Fix server routes not working in topology subnet with --server [v3]
- Improve error reporting on file access to --client-config-dir and --ccd-exclusive
- Don't let openvpn_popen() keep zombies around
- Add systemd unit file for OpenVPN
- systemd: Use systemd functions to consider systemd availability
- Drop incoming fe80:: packets silently now.
- Fix t_lpback.sh platform-dependent failures
- Call init script helpers with explicit path (./)
- Preparing for release v2.3.5 (ChangeLog, version.m4)
- refine assertion to allow other modes than CBC
- ocsp_check - signature verification and cert staus results are separate
- ocsp_check - double check if ocsp didn't report any errors in execution
- Fix socket-flag/TCP_NODELAY on Mac OS X
- Fixed several instances of declarations after statements.
- In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
- Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
- MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
- Define PATH_SEPARATOR for MSVC builds.
- Fixed some compile issues with show_library_versions()
- Remove quadratic complexity from openvpn_base64_decode()
- Add configure check for the path to systemd-ask-password
- Add topology in sample server configuration file
- Implement on-link route adding for iproute2
- Ensure that client-connect files are always deleted
- Remove function without effect (cipher_ok() always returned true).
- Remove unneeded wrapper functions in crypto_openssl.c
- Fix bug that incorrectly refuses oid representation eku's in polar builds
- Update README.polarssl
- Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
- Improve --show-ciphers to show if a cipher can be used in static key mode
- Extend t_lpback tests to test all ciphers reported by --show-ciphers
- Don't exit daemon if opening or parsing the CRL fails.
- Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
- Fix regression with password protected private keys (polarssl)
- ssl_polarssl.c: fix includes and make casts explicit
- Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
- Fix "code=995" bug with windows NDIS6 tap driver.
Veranderingen voor v2.3.3 - v2.3.4
- Fix man page and OSCP script: tls_serial_{n} is decimal
- Fix is_ipv6 in case of tap interface.
- IPv6 address/route delete fix for Win8
- Add SSL library version reporting.
- Minor t_client.sh cleanups
- Repair --multihome on FreeBSD for IPv4 sockets.
- Rewrite manpage section about --multihome
- More IPv6-related updates to the openvpn man page.
- Conditionalize calls to print_default_gateway on !ENABLE_SMALL
- Preparing for release v2.3.4 (ChangeLog, version.m4)
- Use native strtoull() with MSVC 2013.
- When tls-version-min is unspecified, revert to original versioning approach.
- Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
- Fix OCSP_check.sh to also use decimal for stdout verification.
- Fix build system to accept non-system crypto library locations for plugins.
- Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
- Fix SOCKSv5 method selection
- Fix typo in sample build script to use LDFLAGS
Veranderingen voor v2.3.2-I003 - v2.3.3
- Alon Bar-Lev (1):
- pkcs11: use generic evp key instead of rsa
- Arne Schwabe (8):
- Add support of utun devices under Mac OS X
- Add support to ignore specific options.
- Add a note what setenv opt does for OpenVPN < 2.3.3
- Add reporting of UI version to basic push-peer-info set.
- Fix compile error in ssl_openssl introduced by polar external-management patch
- Fix assertion when SIGUSR1 is received while getaddrinfo is successful
- Add warning for using connection block variables after connection blocks
- Introduce safety check for http proxy options
- David Sommerseth (5):
- man page: Update man page about the tls_digest_{n} environment variable
- Remove the --disable-eurephia configure option
- plugin: Extend the plug-in v3 API to identify the SSL implementation used
- autoconf: Fix typo
- Fix file checks when --chroot is being used
- Davide Brini (1):
- Document authfile for socks server
- Gert Doering (9):
- Fix IPv6 examples in t_client.rc-sample
- Fix slow memory drain on each client renegotiation.
- t_client.sh: ignore fields from "ip -6 route show" output that distort results.
- Make code and documentation for --remote-random-hostname consistent.
- Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
- Document issue with --chroot, /dev/urandom and PolarSSL.
- Rename 'struct route' to 'struct route_ipv4'
- Replace copied structure elements with including
- Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
- Heikki Hannikainen (1):
- Always load intermediate certificates from a PKCS#12 file
- Heiko Hund (2):
- Support non-ASCII TAP adapter names on Windows
- Support non-ASCII characters in Windows tmp path
- James Yonan (3):
- TLS version negotiation
- Added "setenv opt" directive prefix.
- Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
- Jens Wagner (1):
- Fix spurious ignoring of pushed config options (trac#349).
- Joachim Schipper (3):
- Refactor tls_ctx_use_external_private_key()
- --management-external-key for PolarSSL
- external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
- Josh Cepek (2):
- Correct error text when no Windows TAP device is present
- Require a 1.2.x PolarSSL version
- Klee Dienes (1):
- tls_ctx_load_ca: Improve certificate error messages
- Max Muster (1):
- Remove duplicate cipher entries from TLS translation table.
- Peter Sagerson (1):
- Fix configure interaction with static OpenSSL libraries
- Steffan Karger (7):
- Do not pass struct tls_session* as void* in key_state_ssl_init().
- Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
- Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
- Also update TLSv1_method() calls in support code to SSLv23_method() calls.
- Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
- If --tls-cipher is supplied, make --show-tls parse the list.
- Add openssl-specific common cipher list names to ssl.c.
- Tamas TEVESZ (1):
- Add support for client-cert-not-required for PolarSSL.
- Thomas Veerman (1):
- Fix "." in description of utun.
Veranderingen voor v2.3.2 - v2.3.2-I003
- The I003 Windows installer fixes a signature problem in tap-windows driver, which prevented the driver from being installed in many cases
Veranderingen voor v2.3.1 - v2.3.2
- Only print script warnings when a script is used. Remove stray mention of script-security system.
- Move settings of user script into set_user_script function
- Move checking of script file access into set_user_script
- Provide more accurate warning message
- Fix NULL-pointer crash in route_list_add_vpn_gateway().
- Fix problem with UDP tunneling due to mishandled pktinfo structures.
- Always push basic set of peer info values to server.
- make 'explicit-exit-notify' pullable again
- Fix proto tcp6 for server & non-P2MP modes
- Fix Windows script execution when called from script hooks
- Fixed tls-cipher translation bug in openssl-build
- Fixed usage of stale define USE_SSL to ENABLE_SSL
- Fix segfault when enabling pf plug-ins
Veranderingen voor v2.3.0 - v2.3.1
- Arne Schwabe (4):
- Remove dead code path and putenv functionality
- Remove unused function xor
- Move static prototype definition from header into c file
- Remove unused function no_tap_ifconfig
- Christian Hesse (1):
- fix build with automake 1.13(.1)
- Christian Niessner (1):
- Fix corner case in NTLM authentication (trac #172)
- Gert Doering (6):
- Update README.IPv6 to match what is in 2.3.0
- Repair "tcp server queue overflow" brokenness, more
fallout. - Permit pool size of /64.../112 for ifconfig-ipv6-pool
- Add MIN() compatibility macro
- Fix directly connected routes for "topology subnet" on Solaris.
- Preparing for v2.3.1 (ChangeLog, version.m4)
- Heiko Hund (5):
- close more file descriptors on exec
- Ignore UTF-8 byte order mark
- reintroduce --no-name-remapping option
- make --tls-remote compatible with pre 2.3 configs
- add new option for X.509 name verification
- Jan Just Keijser (1):
- man page patch for missing options
- Josh Cepek (2):
- Fix parameter listing in non-debug builds at verb 4
- (updated) [PATCH] Warn when using verb levels >=7 without debug
- Matthias Andree (1):
- Enable TCP_NODELAY configuration on FreeBSD.
- Samuli Seppänen (4):
- Removed ChangeLog.IPv6
- Added cross-compilation information INSTALL-win32.txt
- Updated README
- Cleaned up and updated INSTALL
- Steffan Karger (7):
- PolarSSL-1.2 support
- Improve PolarSSL key_state_read_{cipher, plain}text messages
- Improve verify_callback messages
- Config compatibility patch. Added translate_cipher_name.
- Switch to IANA names for TLS ciphers.
- Fixed autoconf script to properly detect missing pkcs11 with polarssl.
- Use constant time memcmp when comparing HMACs in openvpn_decrypt.