---
- branch: MAIN
  date: Sun Oct 11 17:32:00 UTC 2009
  files:
  - new: '1.31'
    old: '1.30'
    path: pkgsrc/net/openvpn/Makefile
    pathrev: pkgsrc/net/openvpn/Makefile@1.31
    type: modified
  - new: '1.17'
    old: '1.16'
    path: pkgsrc/net/openvpn/distinfo
    pathrev: pkgsrc/net/openvpn/distinfo@1.17
    type: modified
  id: 20091011T173200Z.d72eb182e393f15627e9433454ca56c65d52e128
  log: |
    Update to 2.1_rc20 from 2.1_rc13:

    2009.10.01 -- Version 2.1_rc20

    * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
      redirect-gateway option by itself, without any extra parameters,
      would cause the option to be ignored.

    * Fixed build problem when ./configure --disable-server is used.

    * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).

    * Added --remote-random-hostname option.

    * Added "load-stats" management interface command to get global server
      load statistics.

    * Added new ./configure flags:

      --disable-def-auth      Disable deferred authentication
      --disable-pf            Disable internal packet filter

    * Added "setcon" directive for interoperability with SELinux (Sebastien
      Raveau).

    * Optimized PUSH_REQUEST handshake sequence to shave several seconds
      off of a typical client connection initiation.

    * The maximum number of "route" directives (specified in the config
      file or pulled from a server) can now be configured via the new
      "max-routes" directive.

    * Eliminated the limitation on the number of options that can be pushed
      to clients, including routes.  Previously, all pushed options needed
      to fit within a 1024 byte options string.

    * Added --server-poll-timeout option : when polling possible remote
      servers to connect to in a round-robin fashion, spend no more than
      n seconds waiting for a response before trying the next server.

    * Added the ability for the server to provide a custom reason string
      when an AUTH_FAILED message is returned to the client.  This
      string can be set by the server-side managment interface and read
      by the client-side management interface.

    * client-kill management interface command, when issued on server, will
      now send a RESTART message to client.
      This feature is intended to make UDP clients respond the same as TCP
      clients in the case where the server issues a RESTART message in
      order to force the client to reconnect and pull a new options/route
      list.

    2009.07.16 -- Version 2.1_rc19

    * In Windows TAP driver, refactor DHCP/ARP packet injection code to
      use a DPC (deferred procedure call) to defer packet injection until
      IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
      in the context of AdapterTransmit.  This is an attempt to reduce kernel
      stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
      observed on Vista.  Updated TAP driver version number to 9.6.

    * In configure.ac, use datadir instead of datarootdir for compatibility
      with <autoconf-2.60.

    2009.06.07 -- Version 2.1_rc18

    * Fixed compile error on ./configure --enable-small

    * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
      does not build on Windows on non-MINGW32.

    2009.05.30 -- Version 2.1_rc17

    * Reduce the debug level (--verb) at which received management interface
      commands are echoed from 7 to 3.  Passwords will be filtered.

    * Fixed race condition in management interface recv code on
      Windows, where sending a set of several commands to the
      management interface in quick succession might cause the
      latter commands in the set to be ignored.

    * Increased management interface input command buffer size
      from 256 to 1024 bytes.

    * Minor tweaks to Windows build system.

    * Added "redirect-private" option which allows private subnets
      to be pushed to the client in such a way that they don't accidently
      obscure critical local addresses such as the DHCP server address and
      DNS server addresses.

    * Added new 'autolocal' redirect-gateway flag.  When enabled, the OpenVPN
      client will examine the routing table and determine whether (a) the
      OpenVPN server is reachable via a locally connected interface, or (b)
      traffic to the server must be forwarded through the default router.
      Only add a special bypass route for the OpenVPN server if (b) is true.
      If (a) is true, behave as if the 'local' flag is specified, and do not
      add a bypass route.

      The new 'autolocal' flag depends on the non-portable test_local_addr()
      function in route.c, which is currently only implemented for Windows.
      The 'autolocal' flag will act as a no-op on platforms that have not
      yet defined a test_local_addr() function.

    * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
      more option content to be pushed from server to client).

    * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
      levels <=3) a common and usually innocuous warning.

    * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
      functionality (Alon Bar-Lev).

    * Fixed bug where the remote_X environmental variables were not being
      set correctly when the 'local' option is specifed.

    2009.05.17 -- Version 2.1_rc16

    * Windows installer changes:

      1. ifdefed out the check Windows version code which is causing
      problems on Windows 7

      2. don't define SF_SELECTED if it is already defined

      3. Use LZMA instead of BZIP2 compression for better compression

      4. Upgraded OpenSSL to 0.9.8k

    * Added the ability to read the configuration file
      from stdin, when "stdin" is given as the config
      file name.

    * Allow "management-client" directive to be used
      with unix domain sockets.

    * Added errors-to-stderr option.  When enabled, fatal errors
      that result in the termination of the daemon will be written
      to stderr.

    * Added optional "nogw" (no gateway) flag to --server-bridge
      to inhibit the pushing of the route-gateway parameter to
      clients.

    * Added new management interface command "pid" to show the
      process ID of the current OpenVPN process (Angelo Laub).

    * Fixed issue where SIGUSR1 restarts would fail if private
      key was specified as an inline file.

    * Added daemon_start_time and daemon_pid environmental variables.

    * In management interface, added new ">CLIENT:ESTABLISHED" notification.

    * Build fixes:

      1. Fixed some issues with C++ style comments that leaked into the code.

      2. Updated configure.ac to work on MinGW64.

      3. Updated common.h types for _WIN64.

      4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
         compilers.

      5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
         OpenVPNCryptAcquireCertificatePrivateKey to work around
         a symbol conflict in MinGW-5.1.4.

    2008.11.19 -- Version 2.1_rc15

    * Fixed issue introduced in 2.1_rc14 that may cause a
      segfault when a --plugin module is used.

    * Added server-side --opt-verify option: clients that connect
      with options that are incompatible with those of the server
      will be disconnected (without this option, incompatible
      clients would trigger a warning message in the server log
      but would not be disconnected).

    * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
      flag on the server as well as pushes it to connecting clients.

    * Minor options check fix: --no-name-remapping is a
      server-only option and should therefore generate an
      error when used on the client.

    * Added --prng option to control PRNG (pseudo-random
      number generator) parameters.  In previous OpenVPN
      versions, the PRNG was hardcoded to use the SHA1
      hash.  Now any OpenSSL hash may be used.  This is
      part of an effort to remove hardcoded references to
      a specific cipher or cryptographic hash algorithm.

    * Cleaned up man page synopsis.

    2008.11.16 -- Version 2.1_rc14

    * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
      with the goal of fixing a build issue on Fedora 9 that was
      introduced in 2.1_rc13.

    * Added additional method parameter to --script-security to preserve
      backward compatibility with system() call semantics used in OpenVPN
      2.1_rc8 and earlier.  To preserve backward compatibility use:

        script-security 3 system

    * Added additional warning messages about --script-security 2
      or higher being required to execute user-defined scripts or
      executables.

    * Windows build system changes:

      Modified Windows domake-win build system to write all openvpn.nsi
      input files to gen, so that gen can be disconnected from
      the rest of the source tree and makensis openvpn.nsi will
      still function correctly.

      Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
      (commented out by default).

      Added optional files SAMPCONF_CONF2 (second sample configuration
      file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
      build system, and may be defined in settings.in.

    * Extended Management Interface "bytecount" command
      to work when OpenVPN is running as a server.
      Documented Management Interface "bytecount" command in
      management/management-notes.txt.

    * Fixed informational message in ssl.c to properly indicate
      deferred authentication.

    * Added server-side --auth-user-pass-optional directive, to allow
      connections by clients that do not specify a username/password, when a
      user-defined authentication script/module is in place (via
      --auth-user-pass-verify, --management-client-auth, or a plugin module).

    * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:

      Calling scripts can set the KEY_NAME environmental variable to set
      the "name" X509 subject field in generated certificates.

      Modified pkitool to allow flexibility in separating the Common Name
      convention from the cert/key filename convention.

      For example:

      KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james

      will create a client certificate/key pair of james.crt/james.key
      having a Common Name of "James's Laptop" and a Name of "james".

    * Added --no-name-remapping option to allow Common Name, X509 Subject,
      and username strings to include any printable character including
      space, but excluding control characters such as tab, newline, and
      carriage-return (this is important for compatibility with external
      authentication systems).

      As a related change, added --status-version 3 format (and "status 3"
      in the management interface) which uses the version 2 format except
      that tabs are used as delimiters instead of commas so that there
      is no ambiguity when parsing a Common Name that contains a comma.

      Also, save X509 Subject fields to environment, using the naming
      convention:

      X509_{cert_depth}_{name}={value}

      This is to avoid ambiguities when parsing out the X509 subject string
      since "/" characters could potentially be used in the common name.

    * Fixed some ifconfig-pool issues that precluded it from being combined
      with --server directive.

      Now, for example, we can configure thusly:

        server 10.8.0.0 255.255.255.0 nopool
        ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0

      to have ifconfig-pool manage only a subset
      of the VPN subnet.

    * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
      config file syntax checking to allow directives for future OpenVPN
      versions to be ignored.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/net/openvpn'
  unixtime: '1255282320'
  user: jmmv