Several modifications to win/make_dist.py to allow building the NSI installer
Copied install-win32/setpath.nsi to win/setpath.nsi
Added first version of NSI installer script to win/openvpn.nsi
Changes to buildsystem patchset
Temporary snprintf-related fix to service-win32/openvpnserv.c
2010.11.25 -- Version 2.2-beta5
Samuli Seppänen (1)
Fixed an issue causing a build failure with MS Visual Studio 2008.
2010.11.18 -- Version 2.2-beta4
David Sommerseth (10)
Clarified --explicit-exit-notify man page entry
Clean-up: Remove pthread and mutex locking code
Clean-up: Remove more dead and inactive code paths
Clean-up: Removing useless code - hash related functions
Use stricter snprintf() formatting in socks_username_password_auth() (v3)
Fix compiler warnings about not used dummy() functions
Fixed potential misinterpretation of boolean logic
Only add some functions when really needed
Removed functions not being used anywhere
Merged add_bypass_address() and add_host_route_if_nonlocal()
Gert Doering (3)
Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa admin2@whiteboard.ne.jp.
Make "topology subnet" work on Solaris
Improved man page entry for script_type
James Yonan (5)
Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
Implement challenge/response authentication support in client mode
Make base64.h have the same conditional compilation expression as base64.c.
Fixed compiling issues when using --disable-crypto
In verify_callback, the subject var should be freed by OPENSSL_free, not free
Jesse Young (1)
Remove hardcoded path to resolvconf
Lars Hupel (1)
Add HTTP/1.1 Host header
Pierre Bourdon (1)
Adding support for SOCKS plain text authentication
Samuli Seppänen (2)
Added check for variable CONFIGURE_DEFINES into options.c
Added command-line option parser and an unsigned build option to build_all.py
2010.08.21 -- Version 2.2-beta3
General
Attempt to fix issue where domake-win build system was not properly signing drivers and .exe files.
Added win/tap_span.py for building multiple versions of the TAP driver and tapinstall binaries using different DDK versions to span from Win2K to Win7 and beyond.
David Sommerseth (2)
Test framework improvment - Do not FAIL if t_client.rc is missing
More t_client.sh updates - exit with SKIP when we want to skip
Gert Doering (4)
Fix compile problems on NetBSD and OpenBSD
Fix <net/if.h> compile time problems on OpenBSD for good
full "VPN client connect" test framework for OpenVPN
Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity
Added Python-based based alternative build system for Windows using Visual Studio 2008 (in win directory).
When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted.
Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication.
Don't advance to the next connection profile on AUTH_FAILED errors.
Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried.
Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period.
Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
Enable exponential backoff in reliability layer retransmits.
Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen.
Management interface performance optimizations:
Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth
man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o
Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly.
Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in.
Proxy improvements:
Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy.
Added http-auth "auto-nct" flag to reject weak proxy auth methods.
Added HTTP proxy digest authentication method.
Removed extraneous openvpn_sleep calls from proxy.c.
Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails.
Implemented a key/value auth channel from client to server.
Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds.
Added support for MSVC debugging of openvpn.exe in settings.in: # Build debugging version of openvpn.exe
!define PRODUCT_OPENVPN_DEBUG
Implemented multi-address DNS expansion on the network field of route commands. When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection.
Added --register-dns option for Windows. Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection.
Fixed an issue where application payload transmissions on the TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped.
Added warning about tls-remote option in man page.
This update has been submitted for testing by robert.
This update has been submitted for testing by robert.
This update is currently being pushed to the Fedora EPEL 5 testing updates repository.
This update has been pushed to testing
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by robert.
This update is currently being pushed to the Fedora EPEL 5 stable updates repository.
This update has been pushed to stable