changelog

OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authe

  rather than '-' (dash) to pacify rpmbuild.
	
2003.10.08 -- Version 1.5-beta11

* Modified code in the Windows version which sets the IP address
  and netmask of the TAP-Win32 adapter using the IP Helper API.
  Most of the changes involve better error recovery when
  the IP Helper API returns an error status.  See the
  manual page entry on --ip-win32 for more info.

2003.10.08 -- Version 1.5-beta10

* Added getpass() function for Windows version so that --askpass
  option works correctly (Stefano Bracalenti).
* Added reboot advisory to end of Win32 install script.
* Changed crypto code to use pseudo-random IVs rather than
  carrying forward the IV state from the previous packet.
  This is in response to item 2 in the following document:
  http://www.openssl.org/~bodo/tls-cbc.txt which points
  out weaknesses in TLS's use of the same IV carryforward
  approach.  This change does not break protocol compatibility
  with previous versions of OpenVPN.
* Made a change to the crypto replay protection code to also
  protect against certain kinds of packet reordering attacks.
  This change does not break protocol compatibility with
  previous versions of OpenVPN.
* Added --ip-win32 option to provide several choices for
  setting the IP address on the TAP-Win32 adapter.
* #ifdefed out non-CBC crypto modes by default.
* Added --up-delay option to delay TUN/TAP open and --up script
  execution until after connection establishment.  This option
  replaces the earlier windows-only option --tap-delay.
  
2003.10.01 -- Version 1.5-beta9

* Fixed --route-noexec bug where option was not parsed correctly.
* Complain if --dev tun is specified without --ifconfig on Windows.
* Fixed bug where TCP connections on windows would sometimes cause
  an assertion failure.
* Added a new flag to TAP-Win32 advanced properties that allows one
  to set the adapter to be always "connected" even when an OpenVPN
  process doesn't have it open.  The default behavior is to report
  a media status of connected only when an OpenVPN process has the
  adapter open.
* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
  DLLs in response to an OpenSSL security advisory.

2003.09.30 -- Version 1.5-beta8

* Extended the --ifconfig option to work on tap devices as well
  as tun devices.
* Implemented the --ifconfig option for Windows, by calling the
  netsh tool.
* By default, do an "arp -d *" on Windows after TAP-Win32 open to
  refresh the MAC cache.  This behaviour can be disabled with
  --no-arp-del.
* On Windows, allow the --dev-node parameter (which specifies
  the name of the TAP-Win32 adapter) to be omitted in cases where
  there is a single TAP-Win32 adapter on the system which can be
  assumed to be the default.
* Modified the diagnostic --verb 5 debugging level to print 'R'
  for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
  and 'w' for TUN/TAP write.
* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
  mode.
* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
* Make the --enable-mtu-dynamic ./configure option enabled by
  default.
* Deprecated the --mtu-dynamic run-time option, in favor of
  --fragment.
* DNS names can now be used as --ifconfig parameters.
* Significant work on TAP-Win32 driver to bring up to SMP standards.
* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
  unloaded or disabled, while a user-space process has it open.
* On Windows, if --tun-mtu is not specified, it will be read from
  the TAP-Win32 driver via ioctl.
* On Windows, added TAP-Win32 driver status info to "F2" keyboard
  signal (only when run from a console window).
* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
* Renamed --mtu-dynamic option to --fragment to more accurately
  reflect its function.  Fragment accepts a single parameter which
  is the upper limit on acceptable UDP packet size.
* Changed default --tun-mtu-extra parameter to 32 from 64.
* Eliminated reference to malloc.o in configure.ac.
* Added tun device emulation to the TAP-Win32 driver.
* Added --route and related options.
* Added init script for SuSE Linux (Frank Plohmann).
* Extended option consistency check between peers to function
  in all crypto modes, including static-key and cleartext modes.
  Previously only TLS mode was supported.  Disable with
  --disable-occ.
* Overall, increased the amount of configuration option sanity
  checking, especially of networking parameters.
* Added --mtu-test option for empirical MTU measurement.
* Added Windows-only option --tap-delay to not set the TAP-Win32
  adapter media state to 'connected' until TCP/UDP connection
  establishment with peer.
* Slightly modified --route/--route-delay semantics so that when
  --route is given without --route-delay, routes are added
  immediately after tun/tap device open.  When --route-delay is
  specified, routes will be added n seconds after connection
  initiation, where n is the --route-delay parameter (which
  can be set to 0).	
* Made TCP framing error into a non-fatal error that triggers a
  connection reset.

2003.08.28 -- Version 1.5-beta7

* Fixed bug that caused OpenVPN not to respond to exit/restart
  signals when --resolv-retry is used and a local or remote DNS
  name cannot be resolved.
* Exported a series of environmental variables with useful
  info for scripts.  See man page for more info.  Based
  on a suggestion by Anthony Ciaravalo.
* Moved TCP/UDP socket bind to a point in the initialization
  before the --up script gets called.  This is desirable
  because (a) a socket bind failure will happen before
  daemonization, allowing an error status code to be returned
  to the shell and (b) the possibility is eliminated of a
  socket bind failure causing the --up script to be run
  but not the --down script.  This change has a side effect
  that --resolv-retry will no longer work with --local.
* Fixed bug where if an OpenVPN TCP server went down and back
  up again, Solaris or FreeBSD clients would fail to reconnect
  to it.
* Fixed bug that prevented OpenVPN from being run by
  inetd/xinetd in TCP mode.
* Added --log and --log-append options for logging messages to
  a file.
* On Windows, check that the current user is a member of the
  Administrator group before attempting install or uninstall.

2003.08.16 -- Version 1.5-beta6

* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.

2003.08.14 -- Version 1.5-beta5

* Added user-configurability of the TAP-Win32 adapter MTU
  through the adapter advanced properties page.
* Added Windows Service support.
* On Windows, added file association and right-clickability
  for .ovpn files (OpenVPN config files).

2003.08.05 -- Version 1.5-beta4

* Extra refinements and error checking added to Windows
  NSIS install script.
	
2003.08.05 -- Version 1.5-beta3
	
* Added md5.h include to crypto.c to fix build problem on
  OpenBSD.
* Created a Win32 installer using NSIS.
* Removed DelService command from TAP-Win32 INF file.  It appears
  to be not necessary and it interfered with the ability to
  uninstall and reinstall the driver without needing to reboot.
* On Windows version, added "addtap" and "deltapall" batch
  files to add and delete TAP-Win32 adapter instances.

2003.07.31 -- Version 1.5-beta2
	
* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
  in Windows ASCII so it's easier to click and view.
* Added postscript and PDF versions of the HOWTO to the web
  site (C R Zamana).
* Merged Michael Clarke's stability patch into TAP-Win32
  driver which appears to fix the suspend/resume driver bug
  and significantly improve driver stability.
* Added Christof Meerwald's Media Status patch to the
  TAP-Win32 driver which shows the TAP adapter to be
  disconnected when OpenVPN is not running.
* Moved socket connect and TCP server listen code to a later
  point in openvpn() function so that the TCP server listen
  state is entered after daemonization.
* Added keyboard shortcuts to simulate signals in the Windows
  version, see the window title bar for descriptions.

2003.07.24 -- Version 1.5-beta1
	
* Added TCP support via the new --proto option.
* Renamed udp-centric options such as --udp-mtu to
  --link-mtu (old option names preserved for compatibility).
* Ported to Windows 2000 + XP using mingw and a TAP driver
  derived from the Cipe-Win32 project by Damion K. Wilson.
* Added --show-adapters flag for windows version.
* Reworked the SSL/TLS packet acknowledge code to better
  handle certain corner cases.
* Turned off the default enabling of IP forwarding in the
  sample-scripts/openvpn.init script for Redhat.
  Forwarding can be enabled by users in their --up scripts
  or firewall config.
* Added --up-restart option based on suggestion from Sean
  Reifschneider.
* If --dev tap or --dev-type tap is specified, --tun-mtu
  defaults to 1500 and --tun-mtu-extra defaults to 64.
* Enabled --verb 5 debugging mode that prints 'R' and 'W'
  for each packet read or write on the TCP/UDP socket.

2003.08.04 -- Version 1.4.3

* Added md5.h include to crypto.c
  to fix build problem on OpenBSD.

2003.07.15 -- Version 1.4.2

* Removed adaptive bandwidth from
  --mtu-dynamic -- its absence appears
  to work better than its existence (1.4.1.2).
* Minor changes to --shaper to fix long
  retransmit timeouts at low bandwidth
  (1.4.1.2).
* Added LOG_RW flag to openvpn.h for
  debugging (1.4.1.2).
* Silenced spurious configure warnings (1.4.1.2).
* Backed out --dev-name patch, modified --dev
  to offer equivalent functionality (1.4.1.4).
* Added an optional parameter to --daemon and
  --inetd to support the passing of a custom
  program name to the system logger (1.4.1.5).
* Add compiled-in options to the program title
  (1.4.1.5).
* Coded the beginnings of a WIN32 port (1.4.1.5).
* Succeeded in porting to Win32 Mingw environment
  and running loopback tests (1.4.1.6).  Still
  need a kernel driver for full Win32
  functionality.
* Fixed a bug in error.h where
  HAVE_CPP_VARARG_MACRO_GCC was misspelled.
  This would have caused a significant slowdown
  of OpenVPN when built by compilers that
  lack ISO C99 vararg macros (1.4.1.6).
* Created an init script for Gentoo Linux
  in ./gentoo directory (1.4.1.6).

2003.05.15 -- Version 1.4.1

* Modified the Linux 2.4 TUN/TAP open code to
  fall back to the 2.2 TUN/TAP interface if the
  open or ioctl fails.
* Fixed bug when --verb is set to 0 and non-fatal
  socket errors occur, causing 100% CPU utilization.
  Occurs on platorms where
  EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
  such as Linux 2.4.
* Fixed typo in tun.c that was preventing
  OpenBSD build.
* Added --enable-mtu-dynamic configure option
  to enable --mtu-dynamic experimental option.
	
2003.05.07 -- Version 1.4.0

* Added --replay-persist feature to allow replay
  protection across sessions.
* Fixed bug where --ifconfig could not be used
  with --tun-mtu.
* Added --tun-mtu-extra parameter to deal with
  the situation where a read on a TUN/TAP device
  returns more data than the device's MTU size.
* Fixed bug where some IPv6 support code for
  Linux was not being properly ifdefed out for
  Linux 2.2, causing compile errors.
* Added OPENVPN_EXIT_STATUS_x codes to
  openvpn.h to control which status value
  openvpn returns to its caller (such as
  a shell or inetd/xinetd) for various conditions.
* Added OPENVPN_DEBUG_COMMAND_LINE flag to
  openvpn.h to allow debugging in situations
  where stdout, stderr, and syslog cannot be used
  for message output, such as when OpenVPN is
  instantiated by inetd/xinetd.
* Removed owner-execute permission from file
  created by static key generator (Herbert Xu
  and Alberto Gonzalez Iniesta).
* Added --passtos option to allow IPv4 TOS bits
  to be passed from TUN/TAP input packets to
  the outgoing UDP socket (Craig Knox).
* Added code to prevent open socket file descriptors
  from being accessible to called scripts.
* Added --dev-name option (Christian Lademann).
* Added --mtu-disc option for manual control
  over MTU options.
* Show OS MTU value on UDP socket write failures
  (linux only).
* Numerous build system and portability
  fixes (Matthias Andree).
* Added better sensing of compiler support for
  variable argument macros, including (a) gcc
  style, (b) ISO C 1999 style, and (c) no support.
* Removed generated files from CVS.  Note INSTALL
  file for new CVS build commands.
* Changed all internal _* symbols to x_*
  for C standards compliance.
* Added TUN/TAP open code to cycle dynamically
  through unit numbers until it finds a free
  unit (based on code from Thomas Gielfeldt
  and VTun).
* Added dynamic MTU and fragmenting infrastructure
  (Experimental).  Rebuild with FRAGMENT_ENABLE
  defined to enable.
* Minor changes to SSL/TLS negotiation, use
  exponential backoff on retransmits, and use
  a smaller MTU size (note that no protocol
  changes have been made which would break
  compatibility with 1.3.x).
* Added --enable-strict-options flag
  to ./configure.  This option will cause
  a more strict check for options compatibility
  between peers when SSL/TLS negotiation is used,
  but should only be used when both OpenVPN peers