Tags give the ability to mark specific points in history as being important
  • v2.5.7
    a0f9a3e9 · Preparing release 2.5.7 ·
    OpenVPN v2.5.7 release
    
    2022.05.24 -- Version 2.5.7
    
    Antonio Quartulli (4):
          networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
          networking_iproute2: don't pass M_WARN to openvpn_execve_check()
          t_net.sh: delete dummy iface using iproute command
          auth-pam.c: add missing include limits.h
    
    Arne Schwabe (11):
          Add insecure tls-cert-profile options
          Refactor early initialisation and uninitialisation into methods
          Allow loading of non default providers
          Add ubuntu 22.04 to Github Actions
          Add macos OpenSSL 3.0 and ASAN builds
          Add --with-openssl-engine autoconf option (auto|yes|no)
          Fix allowing/showing unsupported ciphers and digests
          Remove dependency on BF-CBC existance from test_ncp
          Add message when decoding PKCS12 file fails.
          Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
          Fix client-pending-auth error message to say ERROR instead of SUCCESS
    
    Gert Doering (1):
          Preparing release 2.5.7
    
    Jan Mikkelsen (1):
          cipher-negotiation.rst missing from doc/Makefile.am
    
    Lev Stipakov (5):
          vcpkg-ports\pkcs11-helper: shorten patch filename
          msvc: adjust build options to harden binaries
          vcpkg-ports: remove openssl port
          vcpkg: switch to manifest
          Fix M_ERRNO behavior on Windows
    
    Marc Becker (1):
          vcpkg-ports/pkcs11-helper: bump to release 1.29
    
    Simon Rozman (1):
          tapctl: Resolve MSVC C4996 warnings
    
  • v2.4.12
    OpenVPN v2.4.12 release
    
    2022.03.16 -- Version 2.4.12
    
    Arne Schwabe (1):
          Remove always enabled USE_64_BIT_COUNTERS define
    
    David Korczynski (1):
          Fix argv leaks in add_route() and add_route_ipv6()
    
    David Sommerseth (1):
          plug-ins: Disallow multiple deferred authentication plug-ins
    
    Gert Doering (2):
          Revert "Remove always enabled USE_64_BIT_COUNTERS define"
          Fix --mtu-disc maybe|yes on Linux.
    
    Richard T Bonhomme (1):
          doc openvpn.8: Use free open-source dynamic-DNS provider URL
    
    Selva Nair (2):
          Apply the connect-retry backoff to only one side of a connection
          Ensure the current common_name is in the environment for scripts
    
  • v2.5.6
    e8df2e64 · Preparing release 2.5.6 ·
    OpenVPN v2.5.6 release
    
    2022.03.16 -- Version 2.5.6
    
    Antonio Quartulli (4):
          GitHub Actions: update script to same version as master
          update copyright year to 2022
          keyingmaterialexporter.c: include strings.h
          remove unused sitnl.h file
    
    David Sommerseth (2):
          sample-plugin: New plugin for testing multiple auth plugins
          plug-ins: Disallow multiple deferred authentication plug-ins
    
    Frank Lichtenheld (2):
          doc/Makefile: rebuild rst docs if input files change
          doc/options: clean up documentation for --proto and related options
    
    Gert Doering (4):
          fix Changes.rst errors in 2.5.3 and 2.5.5 announcement
          Repair --inactive with 'bytes' argument larger 2Gbytes.
          Fix --mtu-disc maybe|yes on Linux.
          Preparing release 2.5.6
    
    Ilya Shipitsin (1):
          CI: github actions: keep "pdb" in artifacts
    
    Lev Stipakov (7):
          auth_token.c: add NULL initialization
          vcpkg-ports/pkcs11-helper: bump to release 1.28
          vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
          msvc: cleanup
          vcpkg: link lzo statically
          vcpkg-ports/pkcs11-helper: adapt to new upstream URL
          vcpkg-ports: add openssl 1.1.1n
    
  • v2.5.5
    869f194c · Preparing release 2.5.5 ·
    OpenVPN v2.5.5 release
    
    2021.12.14 -- Version 2.5.5
    
    Adrian (1):
          Fix error in example firewall.sh script
    
    Antonio Quartulli (1):
          configure: remove useless -Wno-* from default CFLAGS
    
    Arne Schwabe (2):
          Add argv_insert_head__empty_argv__head_only to argv tests
          Move deprecation of SWEET32/64bit block size ciphers to 2.7
    
    Gert Doering (3):
          Include --push-remove in the output of --help.
          Move '--push-peer-info' documentation from 'server' to 'client options'
          add test case(s) to notice 'openvpn --show-cipher' crashing
    
    Ilya Shipitsin (1):
          BUILD: enable CFG and Spectre mitigation for MSVC
    
    Lev Stipakov (12):
          Fix loading PKCS12 files on Windows
          msvc: fix product version display
          msvc: add missing header to project file
          config-msvc.h: fix OpenSSL-related defines
          contrib/vcpkg-ports: remove openssl port
          GitHub Actions: use latest working lukka/run-vcpkg
          Use network address for emulated DHCP server as a default
          Load OpenSSL config on Windows from trusted location
          ring_buffer.h: fix GCC warning about unused function
          ssh_openssl.h: remove unused declaration
          vcpkg/pkcs11-helper: compatibility with latest vcpkg
          config-msvc.h: indicate key material export support
    
    Max Fillinger (2):
          Don't use BF-CBC in unit tests if we don't have it
          Define have_blowfish variable in ncp unit tests
    
    Richard T Bonhomme (1):
          doc link-options.rst: Use free open-source dynamic-DNS provider URL
    
    Selva Nair (3):
          Fix some more wrong defines in config-msvc.h
          Ensure the current common_name is in the environment for scripts
          Require EC key support in Windows builds
    
    Sergio E. Nemirowski (1):
          resolvconf fails with -p
    
    Todd Zullinger (2):
          Update IRC information in CONTRIBUTING.rst
          doc/man (vpn-network-options): fix foreign_option_{n} typo
    
    Ville Skytt (1):
          README.down-root: Fix plugin module name
    
  • v2.5.4
    3f7a85b9 · Preparing release 2.5.4 ·
    OpenVPN v2.5.4 release
    
    2021.10.04 -- Version 2.5.4
    
    Antonio Quartulli (3):
          route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
          configure: search also for rst2{man, html}.py
          networking: add networking API net_addr_ll_set() and use it on Linux
    
    Arne Schwabe (1):
          Move examples into openvpn-examples(5) man page
    
    David Korczynski (1):
          Fix argv leaks in add_route() and add_route_ipv6()
    
    David Sommerseth (2):
          doc: Use generic rules for man/html generation
          man: Clarify IV_HWADDR
    
    Gert Doering (1):
          Add error reporting to get_console_input_win32().
    
    Lev Stipakov (3):
          Fix console prompts with redirected log
          Add building man page on Windows
          GitHub Actions: remove Ubuntu 16.04 environment
    
    Max Fillinger (1):
          Update Fox e-mail address in copyright notices
    
    Selva Nair (1):
          Minor doc correction: tls-crypt-v2 key generation
    
  • v2.5.3
    ecaf88f8 · Preparing release 2.5.3 ·
    OpenVPN v2.5.3 release
    
    2021.06.17 -- Version 2.5.3
    
    Arne Schwabe (3):
          Add missing free_key_ctx for auth_token
          Add github actions
          Implement auth-token-user
    
    David Sommerseth (1):
          Update copyrights
    
    Gert Doering (1):
          Preparing release 2.5.3
    
    Lev Stipakov (8):
          openvpnmsica: properly schedule reboot in the end of installation
          msvc: add ARM64 configuration
          msvc: standalone building
          contrib/vcpkg-ports: add pkcs11-helper port
          vcpkg-ports: restore trailing whitespaces in .patch files
          GitHub actions: add MSVC build
          crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
          contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
    
    Matthias Andree (1):
          Fix SIGSEGV (NULL deref) receiving push "echo"
    
    Max Fillinger (1):
          Fix build with mbedtls w/o SSL renegotiation support
    
    Selva Nair (2):
          Improve documentation of AUTH_PENDING related directives
          Apply the connect-retry backoff to only one side of a connection
    
  • v2.4.11
    OpenVPN v2.4.11 release
    
    2021.04.20 -- Version 2.4.11
    
    Arne Schwabe (1):
          Ensure key state is authenticated before sending push reply
    
    Gert Doering (2):
          clean up / rewrite sample-plugins/defer/simple.c
          Fix potential NULL ptr crash if compiled with DMALLOC
    
    Greg Cox (5):
          Fix naming error in sample-plugins/defer/simple.c
          Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
          Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
          More explicit versioning compatibility in sample-plugins/defer/simple.c
          Explain structver usage in sample defer plugin.
    
  • v2.5.2
    23ae78e6 · Preparing release 2.5.2 ·
    OpenVPN v2.5.2 release
    
    2021.04.20 -- Version 2.5.2
    
    Arne Schwabe (10):
          Avoid generating unecessary mbed debug messages
          Restore also ping related options on a reconnect
          Cleanup print_details and add signature/ED certificate print
          Always disable TLS renegotiations
          Also restore/save route-gateway options on SIGUSR1 reconnects
          Move context_auth from context_2 to tls_multi and name it multi_state
          Fix condition to generate session keys
          Move auth_token_state from multi to key_state
          Ensure auth-token is only sent on a fully authenticated session
          Ensure key state is authenticated before sending push reply
    
    Gert Doering (2):
          Fix potential NULL ptr crash if compiled with DMALLOC
    
    Max Fillinger (2):
          In init_ssl, open the correct CRL path pre-chroot
          Abort if CRL file can't be stat-ed in ssl_init
    
    Richard Bonhomme (1):
          Do not print Diffie Hellman parameters file to log file
    
    Simon Rozman (1):
          openvpnserv: Cache last error before it is overridden
    
    Vladislav Grishenko (1):
          Fix IPv4 default gateway with multiple route tables
    
  • v2.5.1
    f186691b · Preparing release 2.5.1 ·
    OpenVPN v2.5.1 release
    
    2021.02.24 -- Version 2.5.1
    Arne Schwabe (5):
          Fix auth-token not being updated if auth-nocache is set
          Remove auth_user_pass.wait_for_push variable
          Fix port-share option with TLS-Crypt v2
          Zero initialise msghdr prior to calling sendmesg
          Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
    
    David Sommerseth (1):
          build: Fix missing install of man page in certain environments
    
    Domagoj Pensa (3):
          Fix too early argv freeing when registering DNS
          Remove 1 second delay before running netsh
          Skip DHCP renew with Wintun adapter
    
    Gert Doering (6):
          Change travis build scripts to use https when fetching prerequisites.
          Fix line number reporting on config file errors after <inline> segments
          Clarify --block-ipv6 intent and direction.
          Document common uses of 'echo' directive, re-enable logging for 'echo'.
          Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
          clean up / rewrite sample-plugins/defer/simple.c
    
    Greg Cox (5):
          Fix naming error in sample-plugins/defer/simple.c
          Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
          Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
          More explicit versioning compatibility in sample-plugins/defer/simple.c
          Explain structver usage in sample defer plugin.
    
    Richard Bonhomme (1):
          Man page sections corrections
    
    Selva Nair (1):
          Quote the domain name argument passed to the wmic command
    
    Steffan Karger (2):
          tls-crypt-v2: fix server memory leak
          tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
    
  • v2.4.10
    OpenVPN v2.4.10 release
    
    2020.12.09 -- Version 2.4.10
    
    Antonio Quartulli (1):
          pool: prevent IPv6 pools to be larger than 2^16 addresses
    
    Arne Schwabe (5):
          Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
          Normalise ncp-ciphers option and restrict it to 127 bytes
          Also announce IV_CIPHERS as client in OpenVPN 2.4
          Fix auth-token not being updated if auth-nocache is set
          Remove auth_user_pass.wait_for_push variable
    
    David Sommerseth (1):
          compat/lz4: Update to v1.9.2
    
    Gert Doering (12):
          Fix stack overflow in OpenSolaris NEXTADDR()
          Document that --push-remove is generally more suitable than --push-reset
          Fix error detection / abort in --inetd corner case.
          Fix TUNSETGROUP compatibility with very old Linux systems.
          Fix handling of 'route remote_host' for IPv6 transport case.
          Fix description of --client-disconnect calling convention in manpage.
          Handle NULL returns from calloc() in sample plugins.
          Fix --show-gateway for IPv6 on NetBSD/i386.
          socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
          Fix redirecting of IPv4 default gateway if connecting over IPv6.
          Change travis build scripts to use https when fetching prerequisites.
          Fix line number reporting on config file errors after <inline> segments
    
    Jeremy Evans (1):
          Switch assertion failure to returning false
    
    Matthias Andree (1):
          Fix stack buffer overruns in NEXTADDR() macro:
    
    Selva Nair (3):
          Parse static challenge response in auth-pam plugin
          Accept empty password and/or response in auth-pam plugin
          Persist management-query-remote and proxy prompts
    
    Vladislav Grishenko (2):
          Log serial number of revoked certificate
          Fix fatal error at switching remotes (#629)
    
  • v2.5.0
    a73072d8 · Preparing release 2.5.0 ·
    OpenVPN v2.5.0 release
    
    2020.10.27 -- Version 2.5.0
          (no changes relative to v2.5_rc3)
    
  • v2.5_rc3
    781825d9 · Preparing release 2.5_rc3 ·
    OpenVPN v2.5_rc3 release
    
    2020.10.15 -- Version 2.5_rc3
    Arne Schwabe (2):
          Allow 'none' cipher being specified in --data-ciphers
          Add function for common env setting of verify user/pass calls
    
    David Sommerseth (1):
          compat/lz4: Update to v1.9.2
    
    Gert Doering (2):
          Fix redirecting of IPv4 default gateway if connecting over IPv6.
          Avoid passing NULL to argv_printf_cat() in temp_file error case.
    
    Jan Seeger (1):
          Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.
    
    Richard Bonhomme (1):
          Improve error msg when all TAP adapters are in use 'or disabled'
    
    Steffan Karger (1):
          networking_iproute2: fix memory leak in net_iface_mtu_set()
    
    Vladislav Grishenko (2):
          Selectively reformat too long lines
          Speedup TCP remote hosts connections
    
  • v2.5_rc2
    9f96c34a · Preparing release 2.5_rc2 ·
    OpenVPN v2.5_rc2 release
    
    2020.09.30 -- Version 2.5_rc2
    
    Lev Stipakov (1):
          Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN
    
    Selva Nair (2):
          Set DNS Domain using iservice
          Improve documentation of --username-as-common-name
    
    Simon Rozman (4):
          netsh: Specify interfaces by index rather than name
          netsh: Clear existing IPv6 DNS servers before configuring new ones
          netsh: Delete WINS servers on TUN close
          openvpnmsica: Simplify find_adapters() to void return
    
    Vladislav Grishenko (1):
          Fix update_time() and openvpn_gettimeofday() coexistence
    
  • v2.5_rc1
    9fbd9aef · Preparing release 2.5_rc1 ·
    OpenVPN v2.5_rc1 release
    
    2020.09.21 -- Version 2.5_rc1
    
    David Sommerseth (4):
          man: Add missing --server-ipv6
          man: Improve --remote entry
          sample-plugins: Partially autotoolize the sample-plugins build
          build: Fix make distclean/distcheck
    
    Gert Doering (10):
          Fix handling of 'route remote_host' for IPv6 transport case.
          Replace 'echo -n' with 'printf' in tests/t_lpback.sh
          Fix description of --client-disconnect calling convention in manpage.
          Handle NULL returns from calloc() in sample plugins.
          Fix --show-gateway for IPv6 on NetBSD/i386.
          socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
          Fix netbits setting (in TAP mode) for IPv6 on Windows.
          If IPv6 pool specification sets pool start to ::0 address, increment.
          Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
          Fix combination of --dev tap and --topology subnet across multiple platforms.
    
    Lev Stipakov (1):
          msvc: better support for 32bit architecture
    
    Selva Nair (2):
          Add a remark on dropping privileges when --mlock is used
          Allow --dhcp-option in config file when windows-driver is wintun
    
    Vladislav Grishenko (1):
          Fix fatal error at switching remotes (#629)
    
  • v2.5_beta4
    OpenVPN v2.5_beta4 release
    
    2020.09.10 -- Version 2.5_beta4
    
    Gert Doering (3):
          Document that --push-remove is generally more suitable than --push-reset
          Fix error detection / abort in --inetd corner case.
          Fix TUNSETGROUP compatibility with very old Linux systems.
    
    Lev Stipakov (1):
          openvpnmsica: make adapter renaming non-fatal
    
    Selva Nair (1):
          In tap.c use DiInstallDevice to install the driver on a new adapter
    
    Vladislav Grishenko (1):
          Fix best gateway selection over netlink
    
  • v2.5_beta3
    OpenVPN v2.5_beta3 release
    
    2020.08.31 -- Version 2.5_beta3
    
    Arne Schwabe (1):
          Fix client NCP OCC fallback when server and client cipher are identical
    
  • v2.5_beta2
    OpenVPN v2.5_beta2 release
    
    2020.08.26 -- Version 2.5_beta2
    
    Arne Schwabe (1):
          Fix client's poor man NCP fallback
    
    Eric Thorpe (1):
          Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof
    
    Gert Doering (2):
          Fix stack overflow in OpenSolaris NEXTADDR()
          Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
    
    Lev Stipakov (1):
          tun.c: enable using wintun driver under SYSTEM
    
    Magnus Kroken (2):
          doc: fix typos in cipher-negotiation.rst
          Changes.rst: fix mistyped option names
    
    Selva Nair (1):
          Improve the documentation for --dhcp-option
    
  • v2.5_beta1
    OpenVPN v2.5_beta1
    
    2020.08.12 -- Version 2.5_beta1
    
    Adam Ciarcin?ski (1):
          Fix subnet topology on NetBSD.
    
    Antonio Quartulli (113):
          attempt to add IPv6 route even when no IPv6 address was configured
          fix redirect-gateway behaviour when an IPv4 default route does not exist
          CRL: use time_t instead of struct timespec to store last mtime
          ignore remote-random-hostname if a numeric host is provided
          Ignore auth-nocache for auth-user-pass if auth-token is pushed
          crypto: correct typ0 in error message
          use M_ERRNO instead of explicitly printing errno
          don't print errno twice
          ntlm: avoid useless cast
          ntlm: unwrap multiple function calls
          route: improve error message
          management: preserve wait_for_push field when asking for user/pass
          tls-crypt: avoid warnings when --disable-crypto is used
          ntlm: convert binary buffers to uint8_t *
          ntlm: restyle compressed multiple function calls
          ntlm: improve code style and readability
          OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
          make function declarations C99 compliant
          remove unused functions
          use NULL instead of 0 when assigning pointers
          add missing static attribute to functions
          ntlm: avoid breaking anti-aliasing rules
          remove the --disable-multi config switch
          rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
          route: avoid definition of unused variables in certain configurations
          fix a couple of typ0s in comments and strings
          fragment.c: simplify boolean expression
          tcp-server: ensure AF family is propagated to child context
          Remove ENABLE_CRYPTO
          Remove option to disable crypto engine
          Remove ENABLE_PUSH_PEER_INFO
          Remove SSL_LIB_VER_STR
          Remove MD5SUM
          reload HTTP proxy credentials when moving to the next connection profile
          Allow learning iroutes with network made up of all 0s (only if netbits < 8)
          mbedtls: fix typ0 in comment
          manpage: fix simple typ0
          pool: restyle ipv4/ipv6 members to improve readability
          pool: convert pool 'type' to enum
          tun: ensure gc and argv are properly handled
          tun: always pass a valid tt pointer
          tun: get rid of tt->did_ifconfig member
          tun: ensure interface can be configured with IPv6 only
          add support for %lu in argv_printf and prevent ASSERT
          windows: properly configure TAP driver when no IPv4 is configured
          socket: make stream_buf_* functions static
          crypto: always reload tls-auth/crypt key contexts
          make tls-auth and tls-crypt per-connection-block options
          pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic
          merge *-inline.h files with their main header
          ensure function declarations are compiled with their definitions
          buffer_list: add functions documentation
          ifconfig-ipv6(-push): allow using hostnames
          tls-crypt: properly cast time_t to uint64_t
          implement platform generic networking API
          implement networking API for iproute2
          introduce sitnl: Simplified Interface To NetLink
          tun.c: use new networking API to handle tun interface on Linux
          travis.yml: add test for iproute2 net implementation
          route.c: use new networking API to handle routing table on Linux
          unit tests: implement test for sitnl
          t_net.sh: make bash dep explicit and run only if SITNL is compiled
          t_net.sh: properly perform sudo check and print test steps
          route.c: fix windows build by removing mismatching function parameter
          t_net.sh: fixes for the networking test script
          route.c: use sitnl to implement get_default_gateway_ipv6()
          networking/best_gw: remove useless prefixlen parameter
          sitnl: harden strncpy() by forcing arguments to have the same length
          mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
          networking: extend API for better memory management
          tun.c: undo_ifconfig_ipv4/6 remove useless gc argument
          networking_sitnl.c: uncrustify file
          route.c: simplify ifdef logic
          t_net.sh: wait for NO-CARRIER bit to settle before starting test
          t_net.sh: execute sleep after checking exit code of previous command
          maddr: create helper function to populate maddr object from eth_addr
          VLAN: add basic VLAN tagging support
          maddr: export VLAN ID from client context to maddr object
          VLAN: filter multicast and client-to-client unicast traffic
          is_ipv_X: add support for parsing IP header inside a 802.1q frame
          VLAN: implement support for forwarding only pre-tagged VLAN packets
          VLAN: allow forwarding tagged and untagged packets on the server TAP device
          VLAN: add documentation to manpage
          socks: use the right function when printing struct openvpn_sockaddr
          add -Wno-stringop-truncation to CFLAGS on linux
          get rid of 'broadcast' argument when configuring the tun device
          auth_token_kt: ensure key_type object is initialized
          auth.c: make cast explicit in the crypto API
          travis: compile with -Werror on Linux
          travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux
          sitnl: fix failure reporting by keeping error negative
          sitnl: fix TUN/TAP confusion in error messages
          sitnl: fix ignoring EEXIST when sending a netlink command
          t_net.sh: use dummy interface instead of tun
          remove bogus file check on --genkey argument
          t_net.sh: assign MAC address directly during interface creation
          convert *_inline attributes to bool
          options: fix inlining auth-gen-token-secret file
          tls-crypt-v2: fix testing of inline key
          get rid of INLINE_FILE_TAG constant
          pool: prevent IPv6 pools to be larger than 2^16 addresses
          pool: allow to configure an IPv6-only ifconfig-pool
          allow usage of --server-ipv6 even when no --server is specified
          pool: add support for ifconfig-pool-persist with IPv6 only
          route: warn on IPv4 routes installation when no IPv4 is configured
          options: enable IPv4 redirection logic only if really required
          ipv6-pool: get rid of size constraint
          pool: remove useless 'options.h' include
          multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured
          multi.c: use mi->cc_config instead of config variable
          options: don't leak inline'd key material in logfile
          t_net.sh: drop hard dependency on t_client.rc
          travis: don't run t_net.sh test
    
    Arne Schwabe (124):
          Set tls-cipher restriction before loading certificates
          Print ec bit details, refuse management-external-key if key is not RSA
          Replace buffer backed strings for management_android_control with simple stack variables
          Treat dhcp-option DNS6 and DNS identical
          show the right string for key-direction
          Add MTU to Android IFCONFIG6 control command
          Properly free tuntap struct on android when emulating persist-tun
          Add OpenSSL compat definition for RSA_meth_set_sign
          Skip error about ioctl(SIOCGIFCONF) failed on Android
          Factor out convert_tls_list_to_openssl method
          Remove AUTO_USERID feature
          Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR
          Add support for tls-ciphersuites for TLS 1.3
          Add better support for showing TLS 1.3 ciphersuites in --show-tls
          Use right function to set TLS1.3 restrictions in show-tls
          Refuse mbed TLS external key with non RSA certificates
          Add message explaining early TLS client hello failure
          Add tls-crypt-v2 to the list of supported inline options
          Implement block-ipv6
          Fallback to password authentication when auth-token fails
          Fix loading inline tls-crypt-v2 keys with mbed TLS
          Refactor tls_crypt_v2_write_server_key_file into crypto.c
          Add send_control_channel_string_dowork variant
          Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
          Fix poll.h logic in syshead.h
          Write key to stdout if filename is not given
          Implement --genkey type keyfile syntax and migrate tls-crypt-v2
          Add generate_ephemeral_key that allows a random ephermal key
          Remove -no-cpp-precomp flag from Darwin builds
          Fix check if iface name is set
          Adjust Android code after sitnl patch merge
          Rewrite auth-token-gen to be based on HMAC based tokens
          Implement a permanent session id in auth-token
          Sent indication that a session is expired to clients
          Implement unit tests for auth-gen-token
          Make tls_version_max return the actual maximum version
          Add support for OpenSSL TLS 1.3 when using management-external-key
          Document tls-ciphersuites also in --help output
          Only announce IV_NCP=2 when we are willing to support these ciphers
          Add strsep compat function
          Implement dynamic NCP negotiation
          Warn about insecure ciphers also in init_key_type
          Move NCP related function into a seperate file and add unit tests
          Normalise ncp-ciphers option and restrict it to 127 bytes
          Fetch OpenSSL versions via source/old links
          Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
          Fix off-by-one in tls-crypt-v2 client wrapping with custom metadata
          Fix OpenSSL 1.1.1 not using auto elliptic curve selection
          Refactor counting number of element in a : delimited list into function
          Minor style change to improve code style
          Another round of uncrustify code cleanup.
          Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
          Add tls-crypt-v2 test writing metadata
          Use crypto library functions for const time memcmp when possible
          Fix session id in env missing first byte
          Document reneweal mechanic of auth-token in manual
          Fix session id and initial timestamp not being preserved
          Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2
          Refuse server mode on Android
          Add .git-blame-ignore-revs with reformat commits
          Make cipher_kt_name always return normalised cipher name
          Make cipher_kt_get also accept OpenVPN config cipher name
          Implement parsing and sending INFO and INFO_PRE control messages
          Implement support for signalling IV_SSO to server
          Implement sending response to challenge via CR_RESPONSE
          Implement sending AUTH_PENDING challenges to clients
          Implement forwarding client CR_RESPONSE messages to management
          Add unit test for cipher name translations
          Make compression asymmetric by default and add warnings
          Reformat files using uncrustify
          Remove parameter config from multi_client_connect_mda
          Remove push_reply_deferred variable
          Remove did_open_context, defined and connection_established_flag
          merge key_state->authenticated and key_state->auth_deferred
          Simplify multi_connection_established.
          Deprecate ncp-disable and add improved ncp to Changes.rst
          Make key_state->authenticated more state machine like
          Extract process_incoming_push_reply from process_incoming_push_msg
          Removed unused definition
          Code cleanup: remove superflous variable
          Move protocol option negotiation from push_prepare to new function
          Generate data channel keys after connect options have been parsed
          Cleanup: Remove special case code for old poor man's NCP.
          Allow changing fallback cipher from ccd files/client-connect
          client-connect: Change cas_context from int to enum
          client-connect: Move adding inotify watch into its own function
          reformat multi_client_generate_tls_keys according to uncrustify
          client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
          Remove CAS_PARTIAL state
          client-connect: Use inotify for the deferred client-connect status file
          client-connect: Implement deferred connect support for plugin API v2
          Drop support for OpenSSL 1.0.1
          Require AEAD support in the crypto library
          Remove key-method 1
          Remove ENABLE_OCC #define
          Implement tls-groups option to specify eliptic curves/groups
          Avoid sending --cipher to clients not supporting NCP
          Indicate that a client is in pull mode in IV_PROTO
          Deprecate --inetd
          Include utun device number in utun error messages
          Simplify calling logic of check_connection_established_dowork
          Avoid sending push request after receving push reply
          Rename ncp-ciphers to data-ciphers
          Add a note that ncp-ciphers is replaced by data-ciphers
          client-connect: Add documentation for the deferred client connect feature
          Rework NCP compability logic and drop BF-CBC support by default
          Document different behaviour of dynamic cipher negotiation
          Minor cleanup in push.c
          Clean up a number of leftover C89 initialisations in ssl.c
          Remove buf argument from link_socket_set_outgoing_addr
          Remove a number of check/do_work wrapper calls from coarse_timers
          Split pf_check_reload check and check timer in process_coarse_timers
          Rename check_ping_restart_dowork to trigger_ping_timeout_signal
          Eliminate check_fragment function
          Eliminate check_incoming_control_channel wrapper function
          Eliminate check_tls wrapper function
          Merge check_coarse_timers and check_coarse_timers_dowork
          Skip existing interfaces on opening the first available utun on macOS
          Move parsing IV_PROTO to separate function
          Remove S_OP_NORMAL key state.
          Document comp-lzo no and compress being incompatible
          Refactor/Reformat tls_pre_decrypt
          Cleanup tls_pre_decrypt_lite and tls_pre_encrypt
          Improve sections about older OpenVPN clients in cipher-negotiation.rst
    
    Bertrand Bonnefoy-Claudet (1):
          Fix typo in error message: "optione" -> "option"
    
    Christian Ehrhardt (1):
          systemd: extend CapabilityBoundingSet for auth_pam
    
    Christian Hesse (7):
          man: fix formatting for alternative option
          systemd: Use automake tools to install unit files
          systemd: Do not race on RuntimeDirectory
          systemd: Add more security feature for systemd units
          Clean up plugin path handling
          plugin: Remove GNUism in openvpn-plugin.h generation
          fix typo in notification message
    
    Christopher Schenk (3):
          Set the correct mtu on windows based systems
          Log a note if someone wants to set a MTU below 1280 on IPv6
          Unified success messages for setting mtu
    
    Conrad Hoffmann (2):
          Use provided env vars in up/down script.
          Document down-root plugin usage in client.down
    
    David Sommerseth (64):
          docs: Further enhance the documentation related to SWEET32
          man: Remove references to no longer present IV_RGI6 peer-info
          build: Ensure Changes.rst is shipped and installed as a doc file
          management: >REMOTE operation would overwrite ce change indicator
          management: Remove a redundant #ifdef block
          git: Merge .gitignore files into a single file
          systemd: Move the READY=1 signalling to an earlier point
          dev-tools: Simple tool which automates rebasing LZ4 compat library
          dev-tools: lz4-rebaser tool carried a typo
          plugin: Improve the handling of default plug-in directory
          cleanup: Remove faulty env processing functions
          auth-token: Ensure tokens are always wiped on de-auth
          docs: Fixed man-page warnings discoverd by rpmlint
          Make --cipher/--auth none more explicit on the risks
          Require minimum OpenSSL 1.0.1
          Fix broken ./configure on systems without openssl.pc
          plugin: Fix documentation typo for type_mask
          plugin: Export secure_memzero() to plug-ins
          crypto: Enable SHA256 fingerprint checking in --verify-hash
          copyright: Update GPLv2 license texts
          dev-tools: Script generating the source releases in an automated fashion
          auth-token with auth-nocache fix broke --disable-crypto builds
          doc: The CRL processing is not a deprecated feature
          cleanup: Move write_pid() to where it is being used
          contrib: Remove keychain-mcd code
          cleanup: Move init_random_seed() to where it is being used
          Highlight deprecated features
          Use consistent version references
          docs: Replace all PolarSSL references to mbed TLS
          systemd: Ensure systemd shuts down OpenVPN in a proper way
          systemd: Enable systemd's auto-restart feature for server profiles
          lz4: Move towards a newer LZ4 API
          lz4: Fix confused version check
          lz4: Fix broken builds when pkg-config is not present but system library is
          Remove references to keychain-mcd in Changes.rst
          lz4: Rebase compat-lz4 against upstream v1.7.5
          systemd: Add and ship README.systemd
          Update copyright to include 2018 plus company name change
          man: Add .TQ groff support macro
          man: Reword --management to prefer unix sockets over TCP
          management: Warn if TCP port is used without password
          plugin: Export base64 encode and decode functions
          build: Fix build warnings related to get_random()
          build: Fix another compile warning in console_systemd.c
          cleanup: Remove RPM openvpn.spec build approach
          docs: Update INSTALL
          build: Package missing mock_msg.h
          auth-token: Fix building with --disable-server
          auth-token: Fix compiler complaints with --disable-management
          Improve the comments related to auth-token-hmac patches
          Documented all the argv related code with minor refactoring
          build: Remove --disable-server from ./configure
          options: Fix failing inline tls-auth/crypt with persist-key
          options: Restore --tls-crypt-v2 inline file capability
          doc/man: convert openvpn.8 to split-up .rst files
          doc/man: Mark compression options as deprecated
          doc/man: Adopt compression documentation
          doc/man: Documentation for --bind-dev / VRFs on Linux
          doc/man: Add misssing renegotiation.rst to Makefile.am
          Remove --no-iv
          doc/man: Do not install man *.rst files
          travis: Fix make distcheck failure
          Remove --ifconfig-pool-linear
          Remove --client-cert-not-required
    
    Domagoj Pensa (2):
          Fix linking issues on MinGW
          Skip DNS address validation
    
    Emmanuel Deloget (20):
          OpenSSL: check for the SSL reason, not the full error
          OpenSSL: don't use direct access to the internal of X509_STORE_CTX
          OpenSSL: don't use direct access to the internal of SSL_CTX
          OpenSSL: don't use direct access to the internal of X509_STORE
          OpenSSL: don't use direct access to the internal of X509_OBJECT
          OpenSSL: don't use direct access to the internal of RSA_METHOD
          OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
          OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
          OpenSSL: don't use direct access to the internal of X509
          OpenSSL: don't use direct access to the internal of EVP_PKEY
          OpenSSL: don't use direct access to the internal of RSA
          OpenSSL: don't use direct access to the internal of DSA
          OpenSSL: force meth->name as non-const when we free() it
          OpenSSL: don't use direct access to the internal of EVP_MD_CTX
          OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
          OpenSSL: don't use direct access to the internal of HMAC_CTX
          OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
          OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
          OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
          OpenSSL: check EVP_PKEY key types before returning the pkey
    
    Eric Thorpe (1):
          Fix Building Using MSVC
    
    Fabian Knittel (7):
          client-connect: Split multi_connection_established into separate functions
          client-connect: Refactor multi_client_connect_source_ccd
          client-connect: Move multi_client_connect_setenv into early_setup
          client-connect: Refactor to use return values instead of modifying a passed-in flag
          client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop
          client-connect: Add deferred support to the client-connect script handler
          client-connect: Add deferred support to the client-connect v1 plugin handler
    
    Gert Doering (50):
          Remove IV_RGI6=1 peer-info signalling.
          Add openssl_compat.h to openvpn_SOURCES
          Fix '--dev null'
          Fix installation of IPv6 host route to VPN server when using iservice.
          Make ENABLE_OCC no longer depend on !ENABLE_SMALL
          Fix NCP behaviour on TLS reconnect.
          Remove erroneous limitation on max number of args for --plugin
          proxy.c refactoring: remove always-NULL gc parameter
          Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
          Fix potential 1-byte overread in TCP option parsing.
          Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
          Update Changes.rst with relevant info for 2.4.3 release.
          Remove warning on pushed tun-ipv6 option.
          Fix removal of on-link prefix on windows with netsh
          Fix potential double-free() in Interactive Service (CVE-2018-9336)
          Add %d, %u and %lu tests to test_argv unit tests.
          Extend push-remove to also handle 'ifconfig'.
          Print lzo_init() return code in case of errors
          Uncrustify sample-plugin sources according to code style
          uncrustify openvpnserv/ sources
          uncrustify openvpn/ sources
          Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
          Stop complaining about IPv6 routes without gateway address.
          Copy one byte less in strncpynt()
          Remove cmocka submodule, rely on system-wide installation instead.
          Increase listen() backlog queue to 32
          repair tap mode on OpenSolaris/OpenIndiana
          Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
          OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts.
          Force combinationation of --socks-proxy and --proto UDP to use IPv4.
          Uncrustify the tests/unit_tests/ part of our tree.
          Change client side of t_lpback.sh configs to use inline material.
          Simplify pool size handling, fix possible array overrun on pool reading.
          Change timestamps in file-based logging to ISO 8601 time format.
          Depreciation warning for --topology net30 on servers with IPv4 pools.
          Convert plugin/auth-pam.c from stderr logging to plugin_log().
          Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs
          Linux: do not change --txqueuelen OS default if not configured.
          Fix 'engine' unit test on FreeBSD (specifically 'not GNU make')
          t_client.sh: correctly report all failed instances in summary
          Remove --writepid file on program exit.
          Handle connecting clients without NCP or OCC without crashing.
          Add deferred authentication support to plugin-auth-pam
          Separate handling of non-deferred return values for client-connect-scripts.
          Repair --inetd
          Fix sequence of events for async plugin v1 handler.
          Abort client-connect handler loop after first handler sets 'disable'.
          Add depreciation notice for --ncp-disable to protocol-options.rst
          Changes.rst updates in preparation to 2.5_beta1
          Preparing release 2.5_beta1
    
    Gert van Dijk (7):
          Warn that DH config option is only meaningful in a tls-server context
          Add generated openvpn.doxyfile to .gitignore
          manpage: improve description of --status and --status-version
          Add negotiated cipher to status file format 2 and 3
          Minor reliability layer documentation fixes
          Make second parameter to reliable_send_purge() const
          Remove unneeded newline in debug message in reliable.c
    
    Gisle Vanem (2):
          Crash in options.c
          Wrong FILETYPE in .rc files
    
    Guido Vranken (6):
          refactor my_strupr
          Fix 2 memory leaks in proxy authentication routine
          Fix memory leak in add_option() for option 'connection'
          Ensure option array p[] is always NULL-terminated
          Fix a null-pointer dereference in establish_http_proxy_passthru()
          Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
    
    Heiko Hund (3):
          re-implement argv_printf_*()
          argv: do fewer memory re-allocations
          Add gc_arena to struct argv to save allocations
    
    Hilko Bengen (1):
          Do not set pkcs11-helper 'safe fork mode'
    
    Hristo Venev (1):
          Fix extract_x509_field_ssl for external objects, v2
    
    Ilya Shipitsin (18):
          Resolve several travis-ci issues
          github: Add PR template with contributor related information
          travis-ci: add 'make distcheck' to test scenario, V2
          travis-ci: remove unused files
          v4, travis-ci: add 2 mingw "build only" configurations
          travis-ci: added gcc and clang openssl-1.1.0 builds
          travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
          travis-ci: update pkcs11-helper to 1.22
          travis-ci: add brew cache, remove ccache
          travis-ci: modify openssl build script to support openssl-1.1.0
          travis-ci: cleanup, refactor, upgrade ssl libraries
          travis-ci: add "linux-ppc64le" to build matrix
          travis-ci: change trusty image to xenial
          travis-ci: update osx to xcode9.4 and modernize brew management
          configure.ac: fix compile-time error in argv_testdriver
          travis-ci: fix osx builds
          travis-ci: update components versions
          travis-ci: add arm64, s390x builds.
    
    James Bekkema (2):
          Resolves small IV_GUI_VER typo in the documentation.
          Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option.
    
    James Bottomley (7):
          autoconf: Fix engine checks for openssl 1.1
          openssl: add engine method for loading the key
          crypto_openssl: add initialization to pick up local configuration
          crypto_openssl: add include for openssl/conf.h
          Add unit tests for engine keys
          Fix make distcheck for new engine key unit test
          engine-key tests: make check_engine_keys.sh work with --enable-small
    
    Jan Just Keijser (1):
          Added support for DHCP option 119 (dns search suffix list) for Windows.
    
    Jeremie Courreges-Anglas (5):
          Cast time_t to long long in order to print it.
          Print time_t as long long and suseconds_t as long
          Cast and print another suseconds_t as long
          Use long long to format time_t-related environment variables
          Fix build with LibreSSL
    
    Jeremy Evans (1):
          Switch assertion failure to returning false
    
    Jonathan K. Bullard (1):
          Clarify and expand management interface documentation
    
    Jonathan Tooker (1):
          Fix various spelling mistakes
    
    Joost Rijneveld (1):
          Make return code external tls key match docs
    
    Jrmie Courrges-Anglas (2):
          Fix an unaligned access on OpenBSD/sparc64
          Missing include for socket-flags TCP_NODELAY on OpenBSD
    
    Kyle Evans (1):
          tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
    
    Lev Stipakov (46):
          win: support for Visual Studio 2017
          Refactor NCP-negotiable options handling
          init.c: refine functions names and description
          openvpnserv: clarify return values type
          crypto.h: remove unused function declaration
          interactive.c: fix usage of potentially uninitialized variable
          options.c: fix broken unary minus usage
          Introduce openvpn_swprintf() with nul termination guarantee
          Wrap openvpn_swprintf into Windows define
          test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer
          crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer
          Fix various compiler warnings
          Fix broken fragment/mssfix with NCP
          crypto.c: fix Visual Studio build
          tun.h: change tun_set() return value type to void
          tun.h: remove TUN_PASS_BUFFER define
          tapctl: add optional 'hardware id' parameter
          vcxproj: add missing source files
          push.c: fix Visual Studio build
          Visual Studio: make it easier to build with VS
          msvc: OpenSSL 1.1.x support
          travis: add Visual Studio build
          Visual Studio: upgrade project files to VS2019
          wintun: add --windows-driver config option
          wintun: implement opening wintun device
          travis: bump MSVC to 2019
          travis: bump clang version
          wintun: ring buffers based I/O
          wintun: interactive service support
          wintun: set adapter properties via interactive service
          wintun: clear adapter settings on tun close
          tun.c: refactor open_tun() implementation
          tun.c: do not add/remove on-link IPv4 route on tun open/close
          options.c: do not force route delay when not using DHCP
          configure.ac: simplify AC_CHECK_FUNCS statements
          cryptoapi.c: fix run-time check failure in msvc debugger
          interactive.c: remove unused function
          tun.c: fix 'use after free' error
          Fix building with --enable-async-push in FreeBSD
          Fix broken async push with NCP is used
          Fix illegal client float (CVE-2020-11810)
          msvc: fix various level2 warnings
          tap.c: fix adapter renaming
          Improve Windows version detection with manifest
          wintun: remove SYSTEM elevation hack
          Fix compilation with --disable-lzo and --disable-lz4
    
    Matthias Andree (3):
          Make openvpn-plugin.h self-contained again.
          Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.
          Fix stack buffer overruns in NEXTADDR() macro:
    
    Maxim Plotnikov (1):
          OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
    
    Maximilian Wilhelm (1):
          Add --bind-dev option.
    
    Michal Soltys (1):
          man: correct the description of --capath and --crl-verify regarding CRLs
    
    Mykola Baibuz (1):
          Fix typo in NTLM proxy debug message
    
    Olivier Wahrenberger (1):
          Fix building with LibreSSL 2.5.1 by cleaning a hack.
    
    Richard Bonhomme (3):
          man: Corrections to doc/openvpn.8
          Ignore --pull-filter for --mode server
          doc/man: Update --txqueuelen default setting (Now OS default)
    
    Richard van den Berg via Openvpn-devel (1):
          Fix error message when using RHEL init script
    
    Rosen Penev (2):
          Remove wrong poll.h include
          openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
    
    Samy Mahmoudi (1):
          man: correct a --redirection-gateway option flag
    
    Santtu Lakkala (1):
          Fix OpenSSL private key passphrase notices
    
    Selva Nair (55):
          Fix push options digest update
          Always release dhcp address in close_tun() on Windows.
          Add a check for -Wl, --wrap support in linker
          Fix user's group membership check in interactive service to work with domains
          In auth-pam plugin clear the password after use
          Pass correct buffer size to GetModuleFileNameW()
          Check whether in pull_mode before warning about previous connection blocks
          Avoid illegal memory access when malformed data is read from the pipe
          Fix missing check for return value of malloc'd buffer
          Return NULL if GetAdaptersInfo fails
          Use RSA_meth_free instead of free
          Bring cryptoapi.c upto speed with openssl 1.1
          Add SSL_CTX_get_max_proto_version() not in openssl 1.0
          TLS v1.2 support for cryptoapicert -- RSA only
          Refactor ssl_openssl.c in prep for external EC key support
          Refactor get_interface_metric to return metric and auto flag separately
          Add management client version
          Prompt for signature using '>PK_SIGN' if the client supports it
          Allow external EC key through --management-external-key
          Ensure strings read from registry are null-terminated
          Make most registry values optional
          Use lowest metric interface when multiple interfaces match a route
          Move code to free cd to a function CAPI_DATA_free()
          Disable external ec key support when building with libressl
          Adapt to RegGetValue brokenness in Windows 7
          Fix format spec errors in Windows builds
          Move setting private key to a function in prep for EC support
          Support EC certificates with cryptoapicert
          Delete the IPv6 route to the "connected" network on tun close
          Management: warn about password only when the option is in use
          Avoid overflow in wakeup time computation
          Replace M_DEBUG with D_LOW as the former is too verbose
          Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
          Parse static challenge response in auth-pam plugin
          Bump version of openvpn plugin argument structs to 5
          Accept empty password and/or response in auth-pam plugin
          Pass the hash without the DigestInfo header to NCryptSignHash()
          Move get system directory to a separate function
          Enable dhcp on tap adapter using interactive service
          Refactor sending commands to interactive service
          Declare Windows version of openvpn_execve() before use
          White-list pull-filter and script-security in interactive service
          Move OpenSSL vs CNG signature digest type mapping to a function
          Handle PSS padding in cryptoapicert
          Better error message when script fails due to script-security setting
          Correct the return value of cryptoapi RSA signature callbacks
          Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang
          Swap the order of checks for validating interactive service user
          Skip expired certificates in Windows certificate store
          Allow unicode search string in --cryptoapicert option
          Fix possibly uninitialized return value in GetOpenvpnSettings()
          Fix possible access of uninitialized pipe handles
          Move querying username/password from management to a function
          When auth-user-pass file has no password query the management interface (if available).
          Persist management-query-remote and proxy prompts
    
    Simon Matter (2):
          Fix segfault when using crypto lib without AES-256-CTR or SHA256
          Add per session pseudo-random jitter to --reneg-sec intervals
    
    Simon Rozman (67):
          Local functions are not supported in MSVC. Bummer.
          Mixing wide and regular strings in concatenations is not allowed in MSVC.
          RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
          Simplify iphlpapi.dll API calls
          Fix local #include to use quoted form
          Document ">PASSWORD:Auth-Token" real-time message
          Fix typo in "verb" command examples
          Uniform swprintf() across MinGW and MSVC compilers
          MSVC meta files added to .gitignore list
          openvpnserv: Review MSVC down-casting warnings
          openvpnserv: Add support for multi-instances
          Document missing OpenVPN states
          Add Interactive Service developer documentation
          Change quoted to angled form when #including external .h files
          Signed/unsigned warnings of MSVC resolved
          Reference msvc-generate from compat to assure correct build order
          msvc: Move common project settings to reusable property sheets
          msvc: Unify Unicode/MultiByte string setting across all cfg|plat
          Introduce tapctl.exe utility and openvpnmsica.dll MSI CA
          Set output name to libopenvpnmsica.dll in MSVC builds too
          Prevent __stdcall name mangling of MSVC
          Define _WIN32_WINNT=_WIN32_WINNT_VISTA in MSVC
          Add MSI custom action for reliable Windows 10 detection
          Detect TAP interfaces with root-enumerated hardware ID
          Change C++ to C comments
          Make MSI custom action debug pop-up more informative
          Delete TAP interface before the TAP driver is uninstalled
          Add detection of active VPN connections for MSI packages
          Add a MSI custom actions to close and relaunch OpenVPN GUI
          Make DriverCertification MSI property public
          Extend FindSystemInfo custom action to detect OpenVPNService state
          Uncrustify tapctl and openvpnmsica
          Strip _stdcall suffixes (@nn) for 32-bit builds
          Detect missing TAP driver and bail out gracefully
          Disambiguate thread local storage references from TLS
          Add NULL checks
          Add user manual and developer notes URL for tapctl.exe
          Refactor OpenVPNService state detection code
          Add developer notes URL for openvpnmsica.dll
          Limit tapctl.exe and openvpnmsica.dll to TAP-Windows6 adapters only
          msvc: Add vlan.c/h
          tun.c: make Windows device lookup functions more general
          tun.c: upgrade get_device_guid() to return the Windows driver type
          tun.c: make wintun_register_ring_buffer() non-fatal on failures
          wintun: register ring buffers when iterating adapters
          wintun: add support for --dev-node
          tun.c: reword the at_least_one_tap_win() error
          wintun: stop sending TAP-Windows6 ioctls to NDIS device
          wintun: refactor code to use enum driver type
          tun.c: refactor driver detection and make it case-insensitive
          tun.c: uncrustify
          wintun: check for conflicting options
          openvpnmsica: Remove required Windows driver certification detection
          openvpnmsica: Fix TAPInterface.DisplayName field interpretation
          tapctl: Update documentation
          wintun: upgrade error message in case of ring registration failure
          tun.c: reorder IPv6 ifconfig on Windows
          tapctl: Add functions for enabling/disabling adapters
          openvpnmsica: Revise MSI custom actions interop
          openvpnmsica: Simplify static function names
          openvpnmsica, tapctl: "interface" => "adapter"
          openvpnmsica: "TAP" => "TUN/TAP"
          openvpnmsica: Extend to support arbitrary HWID network adapters
          openvpnmsica, tapctl: Revise default hardware ID management
          openvpnmsica: Merge FindTUNTAPAdapters into FindSystemInfo
          tapctl: Support multiple hardware IDs
          tun.c: revise the IPv4 ifconfig flow on Windows
    
    Stefan Strogin (1):
          Use correct ifdefs for LibreSSL support
    
    Steffan Karger (122):
          Document that RSA_SIGN can also request TLS 1.2 signatures
          man: encourage user to read on about --tls-crypt
          Textual fixes for Changes.rst
          Remove deprecated --no-iv option
          More broadly enforce Allman style and braces-around-conditionals
          Use SHA256 for the internal digest, instead of MD5
          OpenSSL: 1.1 fallout - fix configure on old autoconf
          Fix types in WIN32 socket_listen_accept()
          Remove duplicate X509 env variables
          Fix non-C99-compliant builds: don't use const size_t as array length
          Deprecate --ns-cert-type
          Be less picky about keyUsage extensions
          cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
          Don't run packet_id unit tests for --disable-crypto builds
          Fix Changes.rst layout
          Fix memory leak in x509_verify_cert_ku()
          mbedtls: correctly check return value in pkcs11_certificate_dn()
          Restore pre-NCP frame parameters for new sessions
          Always clear username/password from memory on error
          Document tls-crypt security considerations in man page
          Don't assert out on receiving too-large control packets (CVE-2017-7478)
          Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
          Log the negotiated (NCP) cipher
          Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
          Skip tls-crypt unit tests if required crypto mode not supported
          openssl: fix overflow check for long --tls-cipher option
          Add a DSA test key/cert pair to sample-keys
          Fix mbedtls fingerprint calculation
          mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
          mbedtls: require C-string compatible types for --x509-username-field
          Fix remote-triggerable memory leaks (CVE-2017-7521)
          Restrict --x509-alt-username extension types
          Fix potential double-free in --x509-alt-username (CVE-2017-7521)
          Fix typo in extract_x509_extension() debug message
          init_key_ctx: key and iv arguments can (now) be const
          Move adjust_power_of_2() to integer.h
          Undo cipher push in client options state if cipher is rejected
          Remove strerror_ts()
          Move openvpn_sleep() to manage.c
          fixup: also change missed openvpn_sleep() occurrences
          Always use default keysize for NCP'd ciphers
          Move create_temp_file() out of #ifdef ENABLE_CRYPTO
          sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
          Deprecate --keysize
          Move run_up_down() to init.c
          tls-crypt: introduce tls_crypt_kt()
          crypto: create function to initialize encrypt and decrypt key
          Add coverity static analysis to Travis CI config
          tls-crypt: don't leak memory for incorrect tls-crypt messages
          travis: reorder matrix to speed up build
          Fix bounds check in read_key()
          buffer_list_aggregate_separator(): add unit tests
          doxygen: add make target and use relative paths
          Simplify and inline clear_buf()
          Add --tls-cert-profile option.
          pf: clean up temporary files if plugin init fails
          pf: reject client if PF plugin is configured, but init fails
          Don't throw fatal errors from create_temp_file()
          create_temp_file/gen_path: prevent memory leak if gc == NULL
          Use P_DATA_V2 for server->client packets too
          Fix memory leak in buffer unit tests
          travis: use clang's -fsanitize=address to catch more bugs
          Don't throw fatal errors from verify_cert_export_cert()
          buffer_list_aggregate_separator(): update list size after aggregating
          buffer_list_aggregate_separator(): don't exceed max_len
          buffer_list_aggregate_separator(): prevent 0-byte malloc
          Fix types around buffer_list_push(_data)
          ssl_openssl: fix compiler warning by removing getbio() wrapper
          Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
          Add support for TLS 1.3 in --tls-version-{min, max}
          tls_ctx_set_tls_versions: move verify_flags to where it is used
          Plug memory leak if push is interrupted
          Log pre-handshake packet drops using D_MULTI_DROPPED
          Enable stricter compiler warnings by default
          reliable: remove reliable_unique_retry()
          Get rid of ax_check_compile_flag.m4
          mbedtls: don't use API deprecated in mbed 2.7
          Warn if tls-version-max < tls-version-min
          Check for more data in control channel
          Move env helper functions into their own module/file
          man: add security considerations to --compress section
          openssl: don't use deprecated SSLEAY/SSLeay symbols
          openssl: add missing #include statements
          Move file-related functions from misc.c to platform.c
          Move execve/run_script helper functions to run_command.c
          Add crypto_pem_{encode,decode}()
          Introduce buffer_write_file()
          mbedtls: print warning if random personalisation fails
          Fix memory leak after sighup
          Remove unused void_ptr_hash_function and void_ptr_compare_function
          Do not load certificate from tls_ctx_use_external_private_key()
          mbedtls: make external signing code generic
          mbedtls: remove dependency on mbedtls pkcs11 module
          Fix memory leak in SSL_CTX_use_certificate
          travis: add OpenSSL 1.1 Windows build
          Fix use-after-free in tls_ctx_use_management_external_key
          Simplify --genkey option syntax
          Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
          Add support for CHACHA20-POLY1305 in the data channel
          List ChaCha20-Poly1305 as stream cipher
          mbedtls: don't print unsupported ciphers in insecure cipher list
          Fix mbedtls unit tests
          buffer_list_aggregate_separator(): simplify code
          tls-crypt-v2: add specification to doc/
          tls-crypt-v2: generate tls-crypt-v2 keys
          tls-crypt-v2: add unwrap_client_key
          tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode
          tls-crypt-v2: implement tls-crypt-v2 handshake
          tls-crypt-v2: add script hook to verify metadata
          tls-crypt-v2: clarify --tls-crypt-v2-genkey man page section
          tls-crypt-v2: fix client reconnect bug
          Remove deprecated --compat-x509-names and --no-name-remapping
          Extend tls-crypt-v2 unit tests
          Fix tls-auth/crypt in connection blocks with --persist-key
          cmocka: use relative paths
          tests: remove dependency on base64
          configure.ac: add lzo CFLAGS/LIBS to the test flags
          Update sample configs to use modern cipher, remove static key examples
          mbedtls: add RFC 5705 keying material exporter support
          Move keying material exporter check from syshead.h to configure.ac
          Make openvpn --version exit with exit code 0
          Gently push users towards --data-ciphers in --show-ciphers output
    
    Steven McDonald (1):
          Fix gateway detection with OpenBSD routing domains
    
    Szilrd Pfeiffer (1):
          OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
    
    Thomas Quinot (1):
          Fix documentation of tls-verify script argument
    
    Thomas Veerman via Openvpn-devel (1):
          Fix socks_proxy_port pointing to invalid data
    
    Tom van Leeuwen (1):
          mbedTLS: Make sure TLS session survives move
    
    ValdikSS (1):
          Set a low interface metric for tap adapter when block-outside-dns is in use
    
    Vladislav Grishenko (1):
          Log serial number of revoked certificate
    
    WGH (1):
          docs: Add reference to X509_LOOKUP_hash_dir(3)
    
    hashiz (1):
          Fix '--bind ipv6only'
    
    tincanteksup (1):
          Correct error message for --tls-crypt-v2-genkey client
    
    
  • v2.4.9
    OpenVPN v2.4.9 release
    
    2020.04.16 -- Version 2.4.9
    Antonio Quartulli (1):
          socks: use the right function when printing struct openvpn_sockaddr
    
    Arne Schwabe (3):
          Fetch OpenSSL versions via source/old links
          Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
          Fix OpenSSL 1.1.1 not using auto elliptic curve selection
    
    Lev Stipakov (4):
          Fix broken fragmentation logic when using NCP
          Fix building with --enable-async-push in FreeBSD
          Fix broken async push with NCP is used
          Fix illegal client float (CVE-2020-11810)
    
    Maxim Plotnikov (1):
          OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
    
    Santtu Lakkala (1):
          Fix OpenSSL private key passphrase notices
    
    Selva Nair (7):
          Swap the order of checks for validating interactive service user
          Move querying username/password from management interface to a function
          When auth-user-pass file has no password query the management interface (if available).
          Fix possibly uninitialized return value in GetOpenvpnSettings()
          Fix possible access of uninitialized pipe handles
          Skip expired certificates in Windows certificate store
          Allow unicode search string in --cryptoapicert option
    
    Tom van Leeuwen (1):
          mbedTLS: Make sure TLS session survives move
    
    WGH (1):
          docs: Add reference to X509_LOOKUP_hash_dir(3)
    
  • v2.4.8
    OpenVPN v2.4.8 release
    
    2019.10.30 -- Version 2.4.8
    Antonio Quartulli (1):
          mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
    
    Arne Schwabe (1):
          Remove -no-cpp-precomp flag from Darwin builds
    
    David Sommerseth (3):
          cleanup: Remove RPM openvpn.spec build approach
          docs: Update INSTALL
          build: Package missing mock_msg.h
    
    Gert Doering (5):
          repair windows builds (2.4)
          Increase listen() backlog queue to 32
          Force combinationation of --socks-proxy and --proto UDP to use IPv4.
          Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
          preparing release v2.4.8 (ChangeLog, version.m4, Changes.rst)
    
    Gisle Vanem (1):
          Wrong FILETYPE in .rc files
    
    Hilko Bengen (1):
          Do not set pkcs11-helper 'safe fork mode'
    
    Ilya Shipitsin (2):
          travis-ci: add "linux-ppc64le" to build matrix, change trusty image to xenial, update osx to xcode9.4 and modernize brew management
          travis-ci: fix osx builds
    
    Kyle Evans (1):
          tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.
    
    Lev Stipakov (1):
          Fix various compiler warnings
    
    Matthias Andree (1):
          Fix regression, reinstate LibreSSL support.
    
    Michal Soltys (1):
          man: correct the description of --capath and --crl-verify regarding CRLs
    
    Mykola Baibuz (1):
          Fix typo in NTLM proxy debug message
    
    Richard Bonhomme (1):
          Ignore --pull-filter for --mode server
    
    Rosen Penev (1):
          openssl: Fix compilation without deprecated OpenSSL 1.1 APIs
    
    Selva Nair (3):
          Better error message when script fails due to script-security setting
          Correct the return value of cryptoapi RSA signature callbacks
          Handle PSS padding in cryptoapicert
    
    Steffan Karger (1):
          cmocka: use relative paths
    
    Thomas Quinot (1):
          Fix documentation of tls-verify script argument