Commits on May 19, 2014
  1. @hazenme
  2. @hazenme

    Merge tag 'v2.3.4' of https://github.com/OpenVPN/openvpn into release-v2.3.4

    hazenme committed May 19, 2014
    
    OpenVPN 2.3.4
    
    2014.04.30 -- Version 2.3.4
    Arne Schwabe (1):
          Fix man page and OCSP script: tls_serial_{n} is decimal
    
    Dmitrij Tejblum (1):
          Fix is_ipv6 in case of tap interface.
    
    Gert Doering (7):
          IPv6 address/route delete fix for Win8
          Add SSL library version reporting.
          Minor t_client.sh cleanups
          Repair --multihome on FreeBSD for IPv4 sockets.
          Rewrite manpage section about --multihome
          More IPv6-related updates to the openvpn man page.
          Conditionalize calls to print_default_gateway on !ENABLE_SMALL
    
    James Yonan (2):
          Use native strtoull() with MSVC 2013.
          When tls-version-min is unspecified, revert to original versioning approach.
    
    Steffan Karger (4):
          Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
          Fix OCSP_check.sh to also use decimal for stdout verification.
          Fix build system to accept non-system crypto library locations for plugins.
          Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
    
    Yawning Angel (1):
          Fix SOCKSv5 method selection
    
    kangsterizer (1):
          Fix typo in sample build script to use LDFLAGS
Commits on Apr 30, 2014
  1. @cron2

    Preparing for release v2.3.4 (ChangeLog, version.m4)

    cron2 committed Apr 30, 2014
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
  2. @syzzer @cron2

    Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

    syzzer committed with cron2 Apr 28, 2014
    
    This changes the representation of the tls_serial_{n} environment variable
    from hex to decimal for PolarSSL builds, to match OpenSSL build behaviour.
    
    Because hex representation for serials makes sense too, and to ease
    transition for PolarSSL users, added tls_serial_hex_{n} that exports the
    serial in hex representation for both crypto library backends.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <535EB49E.5090809@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8664
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
  3. @jamesyonan @cron2

    When tls-version-min is unspecified, revert to original versioning approach.

    jamesyonan committed with cron2 Apr 28, 2014
    
    For OpenSSL, this means to use TLSv1_(client|server)_method rather
    than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
    for specific TLS versions to disable.
    
    For PolarSSL, this means to implicitly control the TLS version via allowed
    ciphersuites.
    
    Point out off-by-default-now setting in the openvpn(8) man page.
    
    This patch is only included in the release/2.3 branch, because it's a
    stopgap measure.  2.4 will have it on-by-default, when the remaining
    handshake problems are fully debugged and solved.
    
    Signed-off-by: James Yonan <james@openvpn.net>
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: James Yonan <james@openvpn.net>
    Message-Id: <535EC5FE.6060302@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8665
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
  4. @cron2

    Conditionalize calls to print_default_gateway on !ENABLE_SMALL

    cron2 committed Apr 29, 2014
    Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, but
    the actual function wasn't compiled in #ifdef ENABLE_SMALL, so the
    combination "configure --enable-small --enable-debug" didn't work. Fix.
    
    Fix trac #397
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <1398805779-29376-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8670
    (cherry picked from commit c29e08a2f33234fb705a8323c0d9e1e07b0773fd)
Commits on Apr 29, 2014
  1. @tejblum @cron2

    Fix is_ipv6 in case of tap interface.

    tejblum committed with cron2 Feb 8, 2014
    While checking a packet on a TAP interface, is_ipv_X() in proto.c
    insists that the ethertype must be OPENVPN_ETH_P_IPV4, even if
    the protocol is IPv6. So the protocol never matches, and, thus,
    mssfix doesn't work for IPv6 on a TAP interface. Fix that.
    
    Signed-off-by: Dmitrij Tejblum <dt@yandex.ru>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1391873629-14388-1-git-send-email-dt@yandex.ru>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8259
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit db037c20086587a609ef33127c15de080270f2cb)
Commits on Apr 27, 2014
  1. @syzzer @cron2

    Fix build system to accept non-system crypto library locations for plugins.

    syzzer committed with cron2 Apr 21, 2014
    
    Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
    the plugins. However, all plugins include openvpn-plugin.h, which needs
    crypto/ssl headers.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398080238-19662-1-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8576
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit ea31bc680fc83946b2cc8d0c93544a1ab2a01d63)
  2. @cron2

    More IPv6-related updates to the openvpn man page.

    cron2 committed Apr 26, 2014
    Point to correct kernel version for --multihome and IPv4-mapped
    addresses (3.15, Tore Anderson).
    
    Remove old reference to http://www.greenie.net/ from the IPv6 section,
    as the code and documentation in here is more current than on that site.
    Some more additions and clarifications.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Tore Anderson <tore@fud.no>
    Message-Id: <1398511854-3609-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8642
    (cherry picked from commit 2a97e69e71d4afb9c32268890e13db19cb73196b)
  3. @syzzer @cron2

    Fix OCSP_check.sh to also use decimal for stdout verification.

    syzzer committed with cron2 Apr 27, 2014
    This is an extra fix needed on top of 959d607, which already changes the
    serial parameter to correctly use decimal representation.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398588561-18964-2-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8650
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 6ea78cbef6367590567156a20106c620fec224c9)
  4. @syzzer @cron2

    Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.

    syzzer committed with cron2 Apr 27, 2014
    
    hash was cast from char * to unsigned char * at the return of the function.
    This patch removes the implicit cast by declaring hash as unsigned char * .
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398585348-7969-1-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8647
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit d4309c21d9cde43c777985e373242afa78afefa1)
Commits on Apr 25, 2014
  1. @cron2

    Rewrite manpage section about --multihome

    cron2 committed Apr 25, 2014
    Part of the information was confusing, part was outdated, and part was
    just not making sense.  Pointed out in trac#348.
    
    Also add note about Linux IPv4-mapped issues as per trac#306.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1398453555-19706-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8635
    (cherry picked from commit abe18c69a61b42e5ac68b77f66198fc15be99e31)
  2. @cron2

    Repair --multihome on FreeBSD for IPv4 sockets.

    cron2 committed Jan 19, 2014
    The code in link_socket_write_udp_posix_sendmsg() for the IP_RECVDESTADDR
    case was sending a too-large control message (sizeof openvpn_pktinfo,
    which is a union for IPv4+IPv6) instead of just openvpn_in4_pktinfo,
    leading to sendmsg() refusing to send the packet.
    
    Use RFC 2292 macros for alignment + size calculation.
    
    Fix trac#327
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Lazy-Ack-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1390164697-1590-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8250
    (cherry picked from commit 661d914c8732a208580b1eab167255c85da162c9)
  3. @schwabe @cron2

    Fix man page and OCSP script: tls_serial_{n} is decimal

    schwabe committed with cron2 Mar 28, 2014
    Commit 7d5e26c fixed extracting serial but did not change the format,
    which always has been decimal. This patch fixes the manpage and
    OCSP.sh script to conform with the implementation.
    Acked-by: James Yonan <james@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 959d60789b6f0bd74296600f58f626cfa9738f78)
  4. @hazenme

    openvpn: Fix paths for Android

    hazenme committed Apr 24, 2014
    Fixes location of /dev/tun, /system/xbin/iptables, /system/bin/ip and /system/bin/route
  5. @hazenme
  6. @hazenme

    openvpn: Fix build

    hazenme committed Apr 24, 2014
Commits on Apr 24, 2014
  1. @hazenme
Commits on Apr 21, 2014
  1. @cron2

    Minor t_client.sh cleanups

    cron2 committed Apr 20, 2014
    - remove built tests/t_client.sh script on "make clean"
    - ignore Linux iproute2 "ssthresh <n>" output that sometimes shows up
      in "ip -6 route show" and breaks before/after comparison
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1398019261-30180-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8557
    (cherry picked from commit 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce)
  2. @jamesyonan @cron2

    Use native strtoull() with MSVC 2013.

    jamesyonan committed with cron2 Apr 21, 2014
    The MSVC 2013 C library now defines the strtoull() function,
    so use the native implementation when available.
    
    Signed-off-by: James Yonan <james@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1398064204-26476-3-git-send-email-james@openvpn.net>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8561
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 6b8e2f4a8143a7260a06b6999dcb21c4c72fc620)
Commits on Apr 18, 2014
  1. @cron2

    Add SSL library version reporting.

    cron2 committed Apr 13, 2014
    Print the version of the SSL and LZO library (if any) used.
    
    SSL library version is also sent as IV_SSL=<version> to the server if
    --push-peer-info is enabled.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <20140416152456.GI16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
    (cherry picked from commit 1ec984b154aa3247ef58c9d44e7e477880b632b1)
Commits on Apr 13, 2014
  1. @cron2

    IPv6 address/route delete fix for Win8

    cron2 committed Apr 13, 2014
    Use "store=active" for IPv6 address and route deletion - seems to be
    required on Windows 8 and up, and not doing it will break OpenVPN
    reconnection (old addresses are not properly deleted, thus address can
    not be configured on connect).
    
    Reported-by: Cedric <cedric+openvpn@bgtn.net>
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Cedric Tabary <cedric+openvpn@bgtn.net>
    Message-Id: <20140413170648.GU16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8499
    (cherry picked from commit 4b4fac9184fcea1eab4f4223309211780cee188a)
  2. @cron2

    Fix SOCKSv5 method selection

    Yawning Angel committed with cron2 Mar 10, 2014
    So, RFC 1928 doesn't say anything about the METHODS field in the Method
    Selection message being ordered in terms of preference or anything, and
    the server is free to pick any of the METHODS offered by the client.
    
    Always sending a Method Selection message with NO AUTHENTICATION REQUIRED
    and USERNAME/PASSWORD set is broken on two fronts:
    
     * If the OpenVPN client can't handle the server picking USERNAME/PASSWORD
       due to the credentials being missing, it shouldn't offer it to the
       server.
    
     * If the OpenVPN client has credentials, then it should always attempt to
       authenticate.  This is a security product.  "You can misconfigure it and
       it will work" is not acceptable.  Setting a username/password when the
       SOCKS server doesn't require/support that as an option is the user not
       configuring it correctly, and should be treated as such.
    
    Also verify that the SOCKS server returned the auth that was requested.
    
    URL: OpenVPN/openvpn#14
    Fix trac #377, trac #148
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20140413130102.GR16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8488
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 2903eba5dfe35c981329a833845e24de3882161a)
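    The method-selection rule described in this commit, as an added example that is not OpenVPN's own code: the client offers exactly one RFC 1928 METHOD it can actually complete, and rejects a reply naming anything else. The server side is a constructed stand-in, not a real SOCKS implementation.

    ```python
    # Added example (not from OpenVPN): SOCKS5 method selection per RFC 1928
    # section 3, applying the fix's two rules. The client offers exactly one
    # METHOD it can complete and verifies the server picked that METHOD.
    # fake_server_reply() is a constructed stand-in for a real SOCKS server.

    SOCKS_VERSION = 0x05
    NO_AUTH = 0x00          # NO AUTHENTICATION REQUIRED
    USERPASS = 0x02         # USERNAME/PASSWORD (RFC 1929)
    NO_ACCEPTABLE = 0xFF    # server accepts none of the offered methods


    def client_method_selection(username=None, password=None):
        """Version identifier / method selection message from the client.

        With credentials configured the client insists on authenticating;
        without them it must not offer USERNAME/PASSWORD, since it could not
        complete that method if the server picked it.
        """
        method = USERPASS if username and password else NO_AUTH
        return bytes([SOCKS_VERSION, 1, method])


    def client_check_reply(reply, sent):
        """Verify the server's METHOD reply names the single method offered."""
        if len(reply) != 2 or reply[0] != SOCKS_VERSION:
            raise ValueError("malformed SOCKS5 method reply")
        offered = sent[2:2 + sent[1]]
        if reply[1] == NO_ACCEPTABLE:
            raise ValueError("server rejected offered method 0x%02x" % offered[0])
        if reply[1] not in offered:
            raise ValueError("server chose 0x%02x, which was not offered" % reply[1])
        return reply[1]


    def fake_server_reply(request, requires_auth):
        """Constructed server: RFC 1928 lets it pick any offered method it
        supports; it answers 0xFF when nothing offered is acceptable."""
        if len(request) < 3 or request[0] != SOCKS_VERSION \
                or len(request) != 2 + request[1]:
            return bytes([SOCKS_VERSION, NO_ACCEPTABLE])
        offered = set(request[2:])
        wanted = USERPASS if requires_auth else NO_AUTH
        chosen = wanted if wanted in offered else NO_ACCEPTABLE
        return bytes([SOCKS_VERSION, chosen])


    def negotiate(username, password, server_requires_auth):
        """Run the exchange; return the agreed METHOD or raise on mismatch."""
        sent = client_method_selection(username, password)
        reply = fake_server_reply(sent, server_requires_auth)
        return client_check_reply(reply, sent)


    if __name__ == "__main__":
        print(hex(negotiate(None, None, False)))    # plain server, no credentials
        print(hex(negotiate("user", "pw", True)))   # authenticating server
        try:
            # credentials configured but the server never asks for them:
            # treated as a misconfiguration rather than silently "working"
            negotiate("user", "pw", False)
        except ValueError as err:
            print("rejected:", err)
    ```
    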
  3. @kangsterizer @cron2

    Fix typo in sample build script to use LDFLAGS

    kangsterizer committed with cron2 Apr 13, 2014
    Came in as github pull request #15
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-By: Arne Schwabe <arne@rfc2549.org>
    (cherry picked from commit a95358af543b9106f4ef481e4556d1d03459d058)
Commits on Apr 8, 2014
  1. @cron2

    Preparing for v2.3.3 (ChangeLog, version.m4)

    cron2 committed Apr 8, 2014
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Mar 23, 2014
  1. @syzzer @cron2

    Add openssl-specific common cipher list names to ssl.c.

    syzzer committed with cron2 Mar 1, 2014
    This adds a number of commonly used cipher list names to ssl.c, which makes
    OpenVPN not give a "translation not found" warning when using these.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8316
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 0146fd00c3bd70a470290be7be27ee75db2db63b)
  2. @cron2

    Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions

    cron2 committed Mar 23, 2014
    058e889 introduced using SSL_OP_NO_TICKET, leading to build failures on
    systems that could build 2.3.2 fine.  Inside the 2.3 release train, we
    do not want to change requirements, so for those build environments, ignore
    missing SSL_OP_NO_TICKET.  2.4 will require more recent OpenSSL, though.
    
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <20140322183508.GZ16637@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8384
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits on Mar 17, 2014
  1. @jamesyonan @cron2

    Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

    jamesyonan committed with cron2 Mar 16, 2014
    
    OpenVPN doesn't want or need SSL session renegotiation or
    resumption, as it handles renegotiation on its own.
    
    For this reason, OpenVPN always disables the SSL session cache:
    
    SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
    
    However, even with the above code, stateless session resumption
    is still possible unless explicitly disabled with the
    SSL_OP_NO_TICKET flag.  This patch does this.
    
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8346
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 25f4d4b49bff342fd9dd54cd22f14c9de49e9f8b)
  2. @schwabe @cron2

    Introduce safety check for http proxy options

    schwabe committed with cron2 Mar 17, 2014
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1395061013-1802-1-git-send-email-arne@rfc2549.org>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8353
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 087b510365d9aad8f656a8fb0cc07d51511be9d0)
Commits on Jan 23, 2014
  1. @cron2

    Fix "." in description of utun.

    Thomas Veerman committed with cron2 Jan 23, 2014
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 66ff10ef5197b6c70429a15e572aeb2d4073b470)
Commits on Jan 16, 2014
  1. @cron2

    Replace copied structure elements with including <net/route.h>

    cron2 committed Jan 13, 2014
    The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies
    of structures from <net/route.h> (struct rt_msghdr in particular).
    
    OpenBSD changed some structure elements, making OpenVPN incompatible,
    depending on the specific OpenBSD version.  Clean up: remove copied
    definitions, replace by including <net/route.h> directly - this could
    not be done originally due to a conflict with "struct route" in OpenVPN
    and <net/route.h>, cleaned up by the previous commit.
    
    Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles
    with no warnings, and "openvpn --show-gateway" works, which is the only
    part of the code that uses the structures in question).
    
    Fix trac #340
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
    (cherry picked from commit 615fb9ef36310f85fd6171301128a12740444455)
  2. @cron2

    Rename 'struct route' to 'struct route_ipv4'

    cron2 committed Jan 13, 2014
    To fix trac #340, we need to rename our "struct route" to avoid a
    collision with "struct route" from <net/route.h> on *BSD.
    
    No functional changes.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1389650074-18455-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8231
    (cherry picked from commit b57e005b8f232760081875937a53e8e7d235faa6)
Commits on Jan 12, 2014
  1. @cron2

    Document issue with --chroot, /dev/urandom and PolarSSL.

    cron2 committed Jan 11, 2014
    See trac#218
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
    Message-Id: <1389441036-12538-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8213
    (cherry picked from commit b238a1f2d4b2cdcfc844689b33fd3ac43ed31c1c)
Commits on Jan 9, 2014
  1. @cron2

    Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=

    cron2 committed Jan 9, 2014
    Use shorter variable name to signal the same thing (see f3a2cd255a3bc73)
    to save space in the buffer used by the collective IV_ info sent to server.
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1389296891-1487-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8183
    (cherry picked from commit 7efaca734b8d633441ec3d7def2a2768864dedcf)
  2. @cron2

    Make code and documentation for --remote-random-hostname consistent.

    cron2 committed Nov 17, 2013
    Documentation examples, description and code were disagreeing on what
    this option actually does.  Now they will all agree that it will
    *prepend* a random-byte string to the hostname before resolving
    to work around DNS caching (needs a "*" wildcard record in the zone).
    
    Fix trac #143
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
    (cherry picked from commit 7de8f3f322c1a1c13022a0243267624930dac5c9)