OpenVPN Change Log
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>

2022.10.27 -- Version 2.5.8

Antonio Quartulli (1):
      tls-crypt-v2: bail out if the client key is too small

Arne Schwabe (4):
      Remove useless empty line from CR_RESPONSE message
      Allow running a default configuration with TLS libraries without BF-CBC
      Change command help to match man page and implementation
      Fix OpenVPN querying user/password if auth-token with user expires

Frank Lichtenheld (2):
      t_client: Allow to force FAIL on prerequisite fails
      t_client.sh: do not require fping6

Gert Doering (1):
      Preparing release 2.5.8

Lev Stipakov (1):
      msvc: add branch name and commit hash to version output

Martin Janů (1):
      Update the replay-window backtrack log message

Selva Nair (5):
      Do not skip ERROR:/SUCCESS: response from management interface
      Fix auth-token usage with management-def-auth
      Allow a few levels of recursion in virtual_output_callback()
      Ensure --auth-nocache is handled during renegotiation
      Purge auth-token as well while purging passwords
      Do not copy auth_token username to itself


2022.05.24 -- Version 2.5.7

Antonio Quartulli (4):
      networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
      networking_iproute2: don't pass M_WARN to openvpn_execve_check()
      t_net.sh: delete dummy iface using iproute command
      auth-pam.c: add missing include limits.h

Arne Schwabe (11):
      Add insecure tls-cert-profile options
      Refactor early initialisation and uninitialisation into methods
      Allow loading of non default providers
      Add ubuntu 22.04 to Github Actions
      Add macos OpenSSL 3.0 and ASAN builds
      Add --with-openssl-engine autoconf option (auto|yes|no)
      Fix allowing/showing unsupported ciphers and digests
      Remove dependency on BF-CBC existence from test_ncp
      Add message when decoding PKCS12 file fails.
      Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
      Fix client-pending-auth error message to say ERROR instead of SUCCESS

Gert Doering (1):
      Preparing release 2.5.7

Jan Mikkelsen (1):
      cipher-negotiation.rst missing from doc/Makefile.am

Lev Stipakov (5):
      vcpkg-ports\pkcs11-helper: shorten patch filename
      msvc: adjust build options to harden binaries
      vcpkg-ports: remove openssl port
      vcpkg: switch to manifest
      Fix M_ERRNO behavior on Windows

Marc Becker (1):
      vcpkg-ports/pkcs11-helper: bump to release 1.29

Simon Rozman (1):
      tapctl: Resolve MSVC C4996 warnings


2022.03.16 -- Version 2.5.6

Antonio Quartulli (4):
      GitHub Actions: update script to same version as master
      update copyright year to 2022
      keyingmaterialexporter.c: include strings.h
      remove unused sitnl.h file

David Sommerseth (2):
      sample-plugin: New plugin for testing multiple auth plugins
      plug-ins: Disallow multiple deferred authentication plug-ins

Frank Lichtenheld (2):
      doc/Makefile: rebuild rst docs if input files change
      doc/options: clean up documentation for --proto and related options

Gert Doering (4):
      fix Changes.rst errors in 2.5.3 and 2.5.5 announcement
      Repair --inactive with 'bytes' argument larger 2Gbytes.
      Fix --mtu-disc maybe|yes on Linux.
      Preparing release 2.5.6

Ilya Shipitsin (1):
      CI: github actions: keep "pdb" in artifacts

Lev Stipakov (7):
      auth_token.c: add NULL initialization
      vcpkg-ports/pkcs11-helper: bump to release 1.28
      vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
      msvc: cleanup
      vcpkg: link lzo statically
      vcpkg-ports/pkcs11-helper: adapt to new upstream URL
      vcpkg-ports: add openssl 1.1.1n


2021.12.14 -- Version 2.5.5

Adrian (1):
      Fix error in example firewall.sh script

Antonio Quartulli (1):
      configure: remove useless -Wno-* from default CFLAGS

Arne Schwabe (2):
      Add argv_insert_head__empty_argv__head_only to argv tests
      Move deprecation of SWEET32/64bit block size ciphers to 2.7

Gert Doering (3):
      Include --push-remove in the output of --help.
      Move '--push-peer-info' documentation from 'server' to 'client options'
      add test case(s) to notice 'openvpn --show-cipher' crashing

Ilya Shipitsin (1):
      BUILD: enable CFG and Spectre mitigation for MSVC

Lev Stipakov (12):
      Fix loading PKCS12 files on Windows
      msvc: fix product version display
      msvc: add missing header to project file
      config-msvc.h: fix OpenSSL-related defines
      contrib/vcpkg-ports: remove openssl port
      GitHub Actions: use latest working lukka/run-vcpkg
      Use network address for emulated DHCP server as a default
      Load OpenSSL config on Windows from trusted location
      ring_buffer.h: fix GCC warning about unused function
      ssh_openssl.h: remove unused declaration
      vcpkg/pkcs11-helper: compatibility with latest vcpkg
      config-msvc.h: indicate key material export support

Max Fillinger (2):
      Don't use BF-CBC in unit tests if we don't have it
      Define have_blowfish variable in ncp unit tests

Richard T Bonhomme (1):
      doc link-options.rst: Use free open-source dynamic-DNS provider URL

Selva Nair (3):
      Fix some more wrong defines in config-msvc.h
      Ensure the current common_name is in the environment for scripts
      Require EC key support in Windows builds

Sergio E. Nemirowski (1):
      resolvconf fails with -p

Todd Zullinger (2):
      Update IRC information in CONTRIBUTING.rst
      doc/man (vpn-network-options): fix foreign_option_{n} typo

Ville Skyttä (1):
      README.down-root: Fix plugin module name


2021.10.04 -- Version 2.5.4

Antonio Quartulli (3):
      route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
      configure: search also for rst2{man, html}.py
      networking: add networking API net_addr_ll_set() and use it on Linux

Arne Schwabe (1):
      Move examples into openvpn-examples(5) man page

David Korczynski (1):
      Fix argv leaks in add_route() and add_route_ipv6()

David Sommerseth (2):
      doc: Use generic rules for man/html generation
      man: Clarify IV_HWADDR

Gert Doering (1):
      Add error reporting to get_console_input_win32().

Lev Stipakov (3):
      Fix console prompts with redirected log
      Add building man page on Windows
      GitHub Actions: remove Ubuntu 16.04 environment

Max Fillinger (1):
      Update Fox e-mail address in copyright notices

Selva Nair (1):
      Minor doc correction: tls-crypt-v2 key generation


2021.06.17 -- Version 2.5.3

Arne Schwabe (3):
      Add missing free_key_ctx for auth_token
      Add github actions
      Implement auth-token-user

David Sommerseth (1):
      Update copyrights

Lev Stipakov (8):
      openvpnmsica: properly schedule reboot in the end of installation
      msvc: add ARM64 configuration
      msvc: standalone building
      contrib/vcpkg-ports: add pkcs11-helper port
      vcpkg-ports: restore trailing whitespaces in .patch files
      GitHub actions: add MSVC build
      crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
      contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)

Matthias Andree (1):
      Fix SIGSEGV (NULL deref) receiving push "echo"

Max Fillinger (1):
      Fix build with mbedtls w/o SSL renegotiation support

Selva Nair (2):
      Improve documentation of AUTH_PENDING related directives
      Apply the connect-retry backoff to only one side of a connection


2021.04.20 -- Version 2.5.2

Arne Schwabe (10):
      Avoid generating unnecessary mbed debug messages
      Restore also ping related options on a reconnect
      Cleanup print_details and add signature/ED certificate print
      Always disable TLS renegotiations
      Also restore/save route-gateway options on SIGUSR1 reconnects
      Move context_auth from context_2 to tls_multi and name it multi_state
      Fix condition to generate session keys
      Move auth_token_state from multi to key_state
      Ensure auth-token is only sent on a fully authenticated session
      Ensure key state is authenticated before sending push reply

Gert Doering (2):
      Fix potential NULL ptr crash if compiled with DMALLOC

Max Fillinger (2):
      In init_ssl, open the correct CRL path pre-chroot
      Abort if CRL file can't be stat-ed in ssl_init

Richard Bonhomme (1):
      Do not print Diffie Hellman parameters file to log file

Simon Rozman (1):
      openvpnserv: Cache last error before it is overridden

Vladislav Grishenko (1):
      Fix IPv4 default gateway with multiple route tables


2021.02.24 -- Version 2.5.1

Arne Schwabe (5):
      Fix auth-token not being updated if auth-nocache is set
      Remove auth_user_pass.wait_for_push variable
      Fix port-share option with TLS-Crypt v2
      Zero initialise msghdr prior to calling sendmesg
      Fix tls-auth mismatch OCC message when tls-cryptv2 is used.

David Sommerseth (1):
      build: Fix missing install of man page in certain environments

Domagoj Pensa (3):
      Fix too early argv freeing when registering DNS
      Remove 1 second delay before running netsh
      Skip DHCP renew with Wintun adapter

Gert Doering (6):
      Change travis build scripts to use https when fetching prerequisites.
      Fix line number reporting on config file errors after <inline> segments
      Clarify --block-ipv6 intent and direction.
      Document common uses of 'echo' directive, re-enable logging for 'echo'.
      Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
      clean up / rewrite sample-plugins/defer/simple.c

Greg Cox (5):
      Fix naming error in sample-plugins/defer/simple.c
      Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
      Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
      More explicit versioning compatibility in sample-plugins/defer/simple.c
      Explain structver usage in sample defer plugin.

Richard Bonhomme (1):
      Man page sections corrections

Selva Nair (1):
      Quote the domain name argument passed to the wmic command

Steffan Karger (2):
      tls-crypt-v2: fix server memory leak
      tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)


2020.10.27 -- Version 2.5.0
      (no changes relative to v2.5_rc3)

2020.10.15 -- Version 2.5_rc3

Arne Schwabe (2):
      Allow 'none' cipher being specified in --data-ciphers
      Add function for common env setting of verify user/pass calls

David Sommerseth (1):
      compat/lz4: Update to v1.9.2

Gert Doering (2):
      Fix redirecting of IPv4 default gateway if connecting over IPv6.
      Avoid passing NULL to argv_printf_cat() in temp_file error case.

Jan Seeger (1):
      Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.

Richard Bonhomme (1):
      Improve error msg when all TAP adapters are in use 'or disabled'

Steffan Karger (1):
      networking_iproute2: fix memory leak in net_iface_mtu_set()

Vladislav Grishenko (2):
      Selectively reformat too long lines
      Speedup TCP remote hosts connections


2020.09.30 -- Version 2.5_rc2

Lev Stipakov (1):
      Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN

Selva Nair (2):
      Set DNS Domain using iservice
      Improve documentation of --username-as-common-name

Simon Rozman (4):
      netsh: Specify interfaces by index rather than name
      netsh: Clear existing IPv6 DNS servers before configuring new ones
      netsh: Delete WINS servers on TUN close
      openvpnmsica: Simplify find_adapters() to void return

Vladislav Grishenko (1):
      Fix update_time() and openvpn_gettimeofday() coexistence


2020.09.21 -- Version 2.5_rc1

David Sommerseth (4):
      man: Add missing --server-ipv6
      man: Improve --remote entry
      sample-plugins: Partially autotoolize the sample-plugins build
      build: Fix make distclean/distcheck

Gert Doering (10):
      Fix handling of 'route remote_host' for IPv6 transport case.
      Replace 'echo -n' with 'printf' in tests/t_lpback.sh
      Fix description of --client-disconnect calling convention in manpage.
      Handle NULL returns from calloc() in sample plugins.
      Fix --show-gateway for IPv6 on NetBSD/i386.
      socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
      Fix netbits setting (in TAP mode) for IPv6 on Windows.
      If IPv6 pool specification sets pool start to ::0 address, increment.
      Add demo plugin that exercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
      Fix combination of --dev tap and --topology subnet across multiple platforms.

Lev Stipakov (1):
      msvc: better support for 32bit architecture

Selva Nair (2):
      Add a remark on dropping privileges when --mlock is used
      Allow --dhcp-option in config file when windows-driver is wintun

Vladislav Grishenko (1):
      Fix fatal error at switching remotes (#629)


2020.09.10 -- Version 2.5_beta4

Gert Doering (3):
      Document that --push-remove is generally more suitable than --push-reset
      Fix error detection / abort in --inetd corner case.
      Fix TUNSETGROUP compatibility with very old Linux systems.

Lev Stipakov (1):
      openvpnmsica: make adapter renaming non-fatal

Selva Nair (1):
      In tap.c use DiInstallDevice to install the driver on a new adapter

Vladislav Grishenko (1):
      Fix best gateway selection over netlink


2020.08.31 -- Version 2.5_beta3

Arne Schwabe (1):
      Fix client NCP OCC fallback when server and client cipher are identical

2020.08.26 -- Version 2.5_beta2

Arne Schwabe (1):
      Fix client's poor man NCP fallback

Eric Thorpe (1):
      Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof

Gert Doering (2):
      Fix stack overflow in OpenSolaris NEXTADDR()
      Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.

Lev Stipakov (1):
      tun.c: enable using wintun driver under SYSTEM

Magnus Kroken (2):
      doc: fix typos in cipher-negotiation.rst
      Changes.rst: fix mistyped option names

Selva Nair (1):
      Improve the documentation for --dhcp-option


2020.08.12 -- Version 2.5_beta1

Adam Ciarciński (1):
      Fix subnet topology on NetBSD.

Antonio Quartulli (113):
      attempt to add IPv6 route even when no IPv6 address was configured
      fix redirect-gateway behaviour when an IPv4 default route does not exist
      CRL: use time_t instead of struct timespec to store last mtime
      ignore remote-random-hostname if a numeric host is provided
      Ignore auth-nocache for auth-user-pass if auth-token is pushed
      crypto: correct typ0 in error message
      use M_ERRNO instead of explicitly printing errno
      don't print errno twice
      ntlm: avoid useless cast
      ntlm: unwrap multiple function calls
      route: improve error message
      management: preserve wait_for_push field when asking for user/pass
      tls-crypt: avoid warnings when --disable-crypto is used
      ntlm: convert binary buffers to uint8_t *
      ntlm: restyle compressed multiple function calls
      ntlm: improve code style and readability
      OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
      make function declarations C99 compliant
      remove unused functions
      use NULL instead of 0 when assigning pointers
      add missing static attribute to functions
      ntlm: avoid breaking anti-aliasing rules
      remove the --disable-multi config switch
      rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
      route: avoid definition of unused variables in certain configurations
      fix a couple of typ0s in comments and strings
      fragment.c: simplify boolean expression
      tcp-server: ensure AF family is propagated to child context
      Remove ENABLE_CRYPTO
      Remove option to disable crypto engine
      Remove ENABLE_PUSH_PEER_INFO
      Remove SSL_LIB_VER_STR
      Remove MD5SUM
      reload HTTP proxy credentials when moving to the next connection profile
      Allow learning iroutes with network made up of all 0s (only if netbits < 8)
      mbedtls: fix typ0 in comment
      manpage: fix simple typ0
      pool: restyle ipv4/ipv6 members to improve readability
      pool: convert pool 'type' to enum
      tun: ensure gc and argv are properly handled
      tun: always pass a valid tt pointer
      tun: get rid of tt->did_ifconfig member
      tun: ensure interface can be configured with IPv6 only
      add support for %lu in argv_printf and prevent ASSERT
      windows: properly configure TAP driver when no IPv4 is configured
      socket: make stream_buf_* functions static
      crypto: always reload tls-auth/crypt key contexts
      make tls-auth and tls-crypt per-connection-block options
      pf: restyle pf_c2c/addr_test() to make them 'struct context' agnostic
      merge *-inline.h files with their main header
      ensure function declarations are compiled with their definitions
      buffer_list: add functions documentation
      ifconfig-ipv6(-push): allow using hostnames
      tls-crypt: properly cast time_t to uint64_t
      implement platform generic networking API
      implement networking API for iproute2
      introduce sitnl: Simplified Interface To NetLink
      tun.c: use new networking API to handle tun interface on Linux
      travis.yml: add test for iproute2 net implementation
      route.c: use new networking API to handle routing table on Linux
      unit tests: implement test for sitnl
      t_net.sh: make bash dep explicit and run only if SITNL is compiled
      t_net.sh: properly perform sudo check and print test steps
      route.c: fix windows build by removing mismatching function parameter
      t_net.sh: fixes for the networking test script
      route.c: use sitnl to implement get_default_gateway_ipv6()
      networking/best_gw: remove useless prefixlen parameter
      sitnl: harden strncpy() by forcing arguments to have the same length
      mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()
      networking: extend API for better memory management
      tun.c: undo_ifconfig_ipv4/6 remove useless gc argument
      networking_sitnl.c: uncrustify file
      route.c: simplify ifdef logic
      t_net.sh: wait for NO-CARRIER bit to settle before starting test
      t_net.sh: execute sleep after checking exit code of previous command
      maddr: create helper function to populate maddr object from eth_addr
      VLAN: add basic VLAN tagging support
      maddr: export VLAN ID from client context to maddr object
      VLAN: filter multicast and client-to-client unicast traffic
      is_ipv_X: add support for parsing IP header inside a 802.1q frame
      VLAN: implement support for forwarding only pre-tagged VLAN packets
      VLAN: allow forwarding tagged and untagged packets on the server TAP device
      VLAN: add documentation to manpage
      socks: use the right function when printing struct openvpn_sockaddr
      add -Wno-stringop-truncation to CFLAGS on linux
      get rid of 'broadcast' argument when configuring the tun device
      auth_token_kt: ensure key_type object is initialized
      auth.c: make cast explicit in the crypto API
      travis: compile with -Werror on Linux
      travis: fix CFLAGS assignment error and add -Werror only when compiling on Linux for Linux
      sitnl: fix failure reporting by keeping error negative
      sitnl: fix TUN/TAP confusion in error messages
      sitnl: fix ignoring EEXIST when sending a netlink command
      t_net.sh: use dummy interface instead of tun
      remove bogus file check on --genkey argument
      t_net.sh: assign MAC address directly during interface creation
      convert *_inline attributes to bool
      options: fix inlining auth-gen-token-secret file
      tls-crypt-v2: fix testing of inline key
      get rid of INLINE_FILE_TAG constant
      pool: prevent IPv6 pools to be larger than 2^16 addresses
      pool: allow to configure an IPv6-only ifconfig-pool
      allow usage of --server-ipv6 even when no --server is specified
      pool: add support for ifconfig-pool-persist with IPv6 only
      route: warn on IPv4 routes installation when no IPv4 is configured
      options: enable IPv4 redirection logic only if really required
      ipv6-pool: get rid of size constraint
      pool: remove useless 'options.h' include
      multi: skip IPv4 logic in multi_select_virtual_addr() if no pool is configured
      multi.c: use mi->cc_config instead of config variable
      options: don't leak inline'd key material in logfile
      t_net.sh: drop hard dependency on t_client.rc
      travis: don't run t_net.sh test

Arne Schwabe (124):
      Set tls-cipher restriction before loading certificates
      Print ec bit details, refuse management-external-key if key is not RSA
      Replace buffer backed strings for management_android_control with simple stack variables
      Treat dhcp-option DNS6 and DNS identical
      show the right string for key-direction
      Add MTU to Android IFCONFIG6 control command
      Properly free tuntap struct on android when emulating persist-tun
      Add OpenSSL compat definition for RSA_meth_set_sign
      Skip error about ioctl(SIOCGIFCONF) failed on Android
      Factor out convert_tls_list_to_openssl method
      Remove AUTO_USERID feature
      Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR
      Add support for tls-ciphersuites for TLS 1.3
      Add better support for showing TLS 1.3 ciphersuites in --show-tls
      Use right function to set TLS1.3 restrictions in show-tls
      Refuse mbed TLS external key with non RSA certificates
      Add message explaining early TLS client hello failure
      Add tls-crypt-v2 to the list of supported inline options
      Implement block-ipv6
      Fallback to password authentication when auth-token fails
      Fix loading inline tls-crypt-v2 keys with mbed TLS
      Refactor tls_crypt_v2_write_server_key_file into crypto.c
      Add send_control_channel_string_dowork variant
      Rename tls_crypt_v2_read_keyfile into generic pem_read_key_file
      Fix poll.h logic in syshead.h
      Write key to stdout if filename is not given
      Implement --genkey type keyfile syntax and migrate tls-crypt-v2
      Add generate_ephemeral_key that allows a random ephemeral key
      Remove -no-cpp-precomp flag from Darwin builds
      Fix check if iface name is set
      Adjust Android code after sitnl patch merge
      Rewrite auth-token-gen to be based on HMAC based tokens
      Implement a permanent session id in auth-token
      Sent indication that a session is expired to clients
      Implement unit tests for auth-gen-token
      Make tls_version_max return the actual maximum version
      Add support for OpenSSL TLS 1.3 when using management-external-key
      Document tls-ciphersuites also in --help output
      Only announce IV_NCP=2 when we are willing to support these ciphers
      Add strsep compat function
      Implement dynamic NCP negotiation
      Warn about insecure ciphers also in init_key_type
      Move NCP related function into a separate file and add unit tests
      Normalise ncp-ciphers option and restrict it to 127 bytes
      Fetch OpenSSL versions via source/old links
      Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
      Fix off-by-one in tls-crypt-v2 client wrapping with custom metadata
      Fix OpenSSL 1.1.1 not using auto elliptic curve selection
      Refactor counting number of element in a : delimited list into function
      Minor style change to improve code style
      Another round of uncrustify code cleanup.
      Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
      Add tls-crypt-v2 test writing metadata
      Use crypto library functions for const time memcmp when possible
      Fix session id in env missing first byte
      Document renewal mechanic of auth-token in manual
      Fix session id and initial timestamp not being preserved
      Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2
      Refuse server mode on Android
      Add .git-blame-ignore-revs with reformat commits
      Make cipher_kt_name always return normalised cipher name
      Make cipher_kt_get also accept OpenVPN config cipher name
      Implement parsing and sending INFO and INFO_PRE control messages
      Implement support for signalling IV_SSO to server
      Implement sending response to challenge via CR_RESPONSE
      Implement sending AUTH_PENDING challenges to clients
      Implement forwarding client CR_RESPONSE messages to management
      Add unit test for cipher name translations
      Make compression asymmetric by default and add warnings
      Reformat files using uncrustify
      Remove parameter config from multi_client_connect_mda
      Remove push_reply_deferred variable
      Remove did_open_context, defined and connection_established_flag
      merge key_state->authenticated and key_state->auth_deferred
      Simplify multi_connection_established.
      Deprecate ncp-disable and add improved ncp to Changes.rst
      Make key_state->authenticated more state machine like
      Extract process_incoming_push_reply from process_incoming_push_msg
      Removed unused definition
      Code cleanup: remove superfluous variable
      Move protocol option negotiation from push_prepare to new function
      Generate data channel keys after connect options have been parsed
      Cleanup: Remove special case code for old poor man's NCP.
      Allow changing fallback cipher from ccd files/client-connect
      client-connect: Change cas_context from int to enum
      client-connect: Move adding inotify watch into its own function
      reformat multi_client_generate_tls_keys according to uncrustify
      client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
      Remove CAS_PARTIAL state
      client-connect: Use inotify for the deferred client-connect status file
      client-connect: Implement deferred connect support for plugin API v2
      Drop support for OpenSSL 1.0.1
      Require AEAD support in the crypto library
      Remove key-method 1
      Remove ENABLE_OCC #define
      Implement tls-groups option to specify elliptic curves/groups
      Avoid sending --cipher to clients not supporting NCP
      Indicate that a client is in pull mode in IV_PROTO
      Deprecate --inetd
      Include utun device number in utun error messages
      Simplify calling logic of check_connection_established_dowork
      Avoid sending push request after receiving push reply
      Rename ncp-ciphers to data-ciphers
      Add a note that ncp-ciphers is replaced by data-ciphers
      client-connect: Add documentation for the deferred client connect feature
      Rework NCP compatibility logic and drop BF-CBC support by default
      Document different behaviour of dynamic cipher negotiation
      Minor cleanup in push.c
      Clean up a number of leftover C89 initialisations in ssl.c
      Remove buf argument from link_socket_set_outgoing_addr
      Remove a number of check/do_work wrapper calls from coarse_timers
      Split pf_check_reload check and check timer in process_coarse_timers
      Rename check_ping_restart_dowork to trigger_ping_timeout_signal
      Eliminate check_fragment function
      Eliminate check_incoming_control_channel wrapper function
      Eliminate check_tls wrapper function
      Merge check_coarse_timers and check_coarse_timers_dowork
      Skip existing interfaces on opening the first available utun on macOS
      Move parsing IV_PROTO to separate function
      Remove S_OP_NORMAL key state.
      Document comp-lzo no and compress being incompatible
      Refactor/Reformat tls_pre_decrypt
      Cleanup tls_pre_decrypt_lite and tls_pre_encrypt
      Improve sections about older OpenVPN clients in cipher-negotiation.rst

Bertrand Bonnefoy-Claudet (1):
      Fix typo in error message: "optione" -> "option"

Christian Ehrhardt (1):
      systemd: extend CapabilityBoundingSet for auth_pam

Christian Hesse (7):
      man: fix formatting for alternative option
      systemd: Use automake tools to install unit files
      systemd: Do not race on RuntimeDirectory
      systemd: Add more security feature for systemd units
      Clean up plugin path handling
      plugin: Remove GNUism in openvpn-plugin.h generation
      fix typo in notification message

Christopher Schenk (3):
      Set the correct mtu on windows based systems
      Log a note if someone wants to set a MTU below 1280 on IPv6
      Unified success messages for setting mtu

Conrad Hoffmann (2):
      Use provided env vars in up/down script.
      Document down-root plugin usage in client.down

David Sommerseth (64):
      docs: Further enhance the documentation related to SWEET32
      man: Remove references to no longer present IV_RGI6 peer-info
      build: Ensure Changes.rst is shipped and installed as a doc file
      management: >REMOTE operation would overwrite ce change indicator
      management: Remove a redundant #ifdef block
      git: Merge .gitignore files into a single file
      systemd: Move the READY=1 signalling to an earlier point
      dev-tools: Simple tool which automates rebasing LZ4 compat library
      dev-tools: lz4-rebaser tool carried a typo
      plugin: Improve the handling of default plug-in directory
      cleanup: Remove faulty env processing functions
      auth-token: Ensure tokens are always wiped on de-auth
      docs: Fixed man-page warnings discovered by rpmlint
      Make --cipher/--auth none more explicit on the risks
      Require minimum OpenSSL 1.0.1
      Fix broken ./configure on systems without openssl.pc
      plugin: Fix documentation typo for type_mask
      plugin: Export secure_memzero() to plug-ins
      crypto: Enable SHA256 fingerprint checking in --verify-hash
      copyright: Update GPLv2 license texts
      dev-tools: Script generating the source releases in an automated fashion
      auth-token with auth-nocache fix broke --disable-crypto builds
      doc: The CRL processing is not a deprecated feature
      cleanup: Move write_pid() to where it is being used
      contrib: Remove keychain-mcd code
      cleanup: Move init_random_seed() to where it is being used
      Highlight deprecated features
      Use consistent version references
      docs: Replace all PolarSSL references to mbed TLS
      systemd: Ensure systemd shuts down OpenVPN in a proper way
      systemd: Enable systemd's auto-restart feature for server profiles
      lz4: Move towards a newer LZ4 API
      lz4: Fix confused version check
      lz4: Fix broken builds when pkg-config is not present but system library is
      Remove references to keychain-mcd in Changes.rst
      lz4: Rebase compat-lz4 against upstream v1.7.5
      systemd: Add and ship README.systemd
      Update copyright to include 2018 plus company name change
      man: Add .TQ groff support macro
      man: Reword --management to prefer unix sockets over TCP
      management: Warn if TCP port is used without password
      plugin: Export base64 encode and decode functions
      build: Fix build warnings related to get_random()
      build: Fix another compile warning in console_systemd.c
      cleanup: Remove RPM openvpn.spec build approach
      docs: Update INSTALL
      build: Package missing mock_msg.h
      auth-token: Fix building with --disable-server
      auth-token: Fix compiler complaints with --disable-management
      Improve the comments related to auth-token-hmac patches
      Documented all the argv related code with minor refactoring
      build: Remove --disable-server from ./configure
      options: Fix failing inline tls-auth/crypt with persist-key
      options: Restore --tls-crypt-v2 inline file capability
      doc/man: convert openvpn.8 to split-up .rst files
      doc/man: Mark compression options as deprecated
      doc/man: Adopt compression documentation
      doc/man: Documentation for --bind-dev / VRFs on Linux
      doc/man: Add missing renegotiation.rst to Makefile.am
      Remove --no-iv
      doc/man: Do not install man *.rst files
      travis: Fix make distcheck failure
      Remove --ifconfig-pool-linear
      Remove --client-cert-not-required

Domagoj Pensa (2):
      Fix linking issues on MinGW
      Skip DNS address validation

Emmanuel Deloget (20):
      OpenSSL: check for the SSL reason, not the full error
      OpenSSL: don't use direct access to the internal of X509_STORE_CTX
      OpenSSL: don't use direct access to the internal of SSL_CTX
      OpenSSL: don't use direct access to the internal of X509_STORE
      OpenSSL: don't use direct access to the internal of X509_OBJECT
      OpenSSL: don't use direct access to the internal of RSA_METHOD
      OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
      OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
      OpenSSL: don't use direct access to the internal of X509
      OpenSSL: don't use direct access to the internal of EVP_PKEY
      OpenSSL: don't use direct access to the internal of RSA
      OpenSSL: don't use direct access to the internal of DSA
      OpenSSL: force meth->name as non-const when we free() it
      OpenSSL: don't use direct access to the internal of EVP_MD_CTX
      OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
      OpenSSL: don't use direct access to the internal of HMAC_CTX
      OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
      OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
      OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
      OpenSSL: check EVP_PKEY key types before returning the pkey

Eric Thorpe (1):
      Fix Building Using MSVC

Fabian Knittel (7):
      client-connect: Split multi_connection_established into separate functions
      client-connect: Refactor multi_client_connect_source_ccd
      client-connect: Move multi_client_connect_setenv into early_setup
      client-connect: Refactor to use return values instead of modifying a passed-in flag
      client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop
      client-connect: Add deferred support to the client-connect script handler
      client-connect: Add deferred support to the client-connect v1 plugin handler

Gert Doering (50):
      Remove IV_RGI6=1 peer-info signalling.
      Add openssl_compat.h to openvpn_SOURCES
      Fix '--dev null'
      Fix installation of IPv6 host route to VPN server when using iservice.
      Make ENABLE_OCC no longer depend on !ENABLE_SMALL
      Fix NCP behaviour on TLS reconnect.
      Remove erroneous limitation on max number of args for --plugin
      proxy.c refactoring: remove always-NULL gc parameter
      Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
      Fix potential 1-byte overread in TCP option parsing.
      Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
      Update Changes.rst with relevant info for 2.4.3 release.
      Remove warning on pushed tun-ipv6 option.
      Fix removal of on-link prefix on windows with netsh
      Fix potential double-free() in Interactive Service (CVE-2018-9336)
      Add %d, %u and %lu tests to test_argv unit tests.
      Extend push-remove to also handle 'ifconfig'.
      Print lzo_init() return code in case of errors
      Uncrustify sample-plugin sources according to code style
      uncrustify openvpnserv/ sources
      uncrustify openvpn/ sources
      Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
      Stop complaining about IPv6 routes without gateway address.
      Copy one byte less in strncpynt()
      Remove cmocka submodule, rely on system-wide installation instead.
      Increase listen() backlog queue to 32
      repair tap mode on OpenSolaris/OpenIndiana
      Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
      OpenSolaris/OpenIllumos: use /bin/bash if available for test scripts.
      Force combination of --socks-proxy and --proto UDP to use IPv4.
      Uncrustify the tests/unit_tests/ part of our tree.
      Change client side of t_lpback.sh configs to use inline material.
      Simplify pool size handling, fix possible array overrun on pool reading.
      Change timestamps in file-based logging to ISO 8601 time format.
      Deprecation warning for --topology net30 on servers with IPv4 pools.
      Convert plugin/auth-pam.c from stderr logging to plugin_log().
      Add c1ff8f247f91c88a2df5502eeedf42857f9a6831 (engine, pool, SSO) to .git-blame-ignore-revs
      Linux: do not change --txqueuelen OS default if not configured.
      Fix 'engine' unit test on FreeBSD (specifically 'not GNU make')
      t_client.sh: correctly report all failed instances in summary
      Remove --writepid file on program exit.
      Handle connecting clients without NCP or OCC without crashing.
      Add deferred authentication support to plugin-auth-pam
      Separate handling of non-deferred return values for client-connect-scripts.
      Repair --inetd
      Fix sequence of events for async plugin v1 handler.
      Abort client-connect handler loop after first handler sets 'disable'.
      Add deprecation notice for --ncp-disable to protocol-options.rst
      Changes.rst updates in preparation to 2.5_beta1
      Preparing release 2.5_beta1

Gert van Dijk (7):
      Warn that DH config option is only meaningful in a tls-server context
      Add generated openvpn.doxyfile to .gitignore
      manpage: improve description of --status and --status-version
      Add negotiated cipher to status file format 2 and 3
      Minor reliability layer documentation fixes
      Make second parameter to reliable_send_purge() const
      Remove unneeded newline in debug message in reliable.c

Gisle Vanem (2):
      Crash in options.c
      Wrong FILETYPE in .rc files

Guido Vranken (6):
      refactor my_strupr
      Fix 2 memory leaks in proxy authentication routine
      Fix memory leak in add_option() for option 'connection'
      Ensure option array p[] is always NULL-terminated
      Fix a null-pointer dereference in establish_http_proxy_passthru()
      Prevent two kinds of stack buffer OOB reads and a crash for invalid input data

Heiko Hund (3):
      re-implement argv_printf_*()
      argv: do fewer memory re-allocations
      Add gc_arena to struct argv to save allocations

Hilko Bengen (1):
      Do not set pkcs11-helper 'safe fork mode'

Hristo Venev (1):
      Fix extract_x509_field_ssl for external objects, v2

Ilya Shipitsin (18):
      Resolve several travis-ci issues
      github: Add PR template with contributor related information
      travis-ci: add 'make distcheck' to test scenario, V2
      travis-ci: remove unused files
      v4, travis-ci: add 2 mingw "build only" configurations
      travis-ci: added gcc and clang openssl-1.1.0 builds
      travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
      travis-ci: update pkcs11-helper to 1.22
      travis-ci: add brew cache, remove ccache
      travis-ci: modify openssl build script to support openssl-1.1.0
      travis-ci: cleanup, refactor, upgrade ssl libraries
      travis-ci: add "linux-ppc64le" to build matrix
      travis-ci: change trusty image to xenial
      travis-ci: update osx to xcode9.4 and modernize brew management
      configure.ac: fix compile-time error in argv_testdriver
      travis-ci: fix osx builds
      travis-ci: update components versions
      travis-ci: add arm64, s390x builds.

James Bekkema (2):
      Resolves small IV_GUI_VER typo in the documentation.
      Adds support for setting the default IPv6 gateway for routes using the route-ipv6-gateway option.

James Bottomley (7):
      autoconf: Fix engine checks for openssl 1.1
      openssl: add engine method for loading the key
      crypto_openssl: add initialization to pick up local configuration
      crypto_openssl: add include for openssl/conf.h
      Add unit tests for engine keys
      Fix make distcheck for new engine key unit test
      engine-key tests: make check_engine_keys.sh work with --enable-small

Jan Just Keijser (1):
      Added support for DHCP option 119 (dns search suffix list) for Windows.

Jeremie Courreges-Anglas (5):
      Cast time_t to long long in order to print it.
      Print time_t as long long and suseconds_t as long
      Cast and print another suseconds_t as long
      Use long long to format time_t-related environment variables
      Fix build with LibreSSL

Jeremy Evans (1):
      Switch assertion failure to returning false

Jonathan K. Bullard (1):
      Clarify and expand management interface documentation

Jonathan Tooker (1):
      Fix various spelling mistakes

Joost Rijneveld (1):
      Make return code external tls key match docs

Jérémie Courrèges-Anglas (2):
      Fix an unaligned access on OpenBSD/sparc64
      Missing include for socket-flags TCP_NODELAY on OpenBSD

Kyle Evans (1):
      tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.

Lev Stipakov (46):
      win: support for Visual Studio 2017
      Refactor NCP-negotiable options handling
      init.c: refine functions names and description
      openvpnserv: clarify return values type
      crypto.h: remove unused function declaration
      interactive.c: fix usage of potentially uninitialized variable
      options.c: fix broken unary minus usage
      Introduce openvpn_swprintf() with nul termination guarantee
      Wrap openvpn_swprintf into Windows define
      test_tls_crypt.c: fix global-buffer-overflow found by AddressSanitizer
      crypto_openssl.c: fix heap-buffer-overflow found by AddressSanitizer
      Fix various compiler warnings
      Fix broken fragment/mssfix with NCP
      crypto.c: fix Visual Studio build
      tun.h: change tun_set() return value type to void
      tun.h: remove TUN_PASS_BUFFER define
      tapctl: add optional 'hardware id' parameter
      vcxproj: add missing source files
      push.c: fix Visual Studio build
      Visual Studio: make it easier to build with VS
      msvc: OpenSSL 1.1.x support
      travis: add Visual Studio build
      Visual Studio: upgrade project files to VS2019
      wintun: add --windows-driver config option
      wintun: implement opening wintun device
      travis: bump MSVC to 2019
      travis: bump clang version
      wintun: ring buffers based I/O
      wintun: interactive service support
      wintun: set adapter properties via interactive service
      wintun: clear adapter settings on tun close
      tun.c: refactor open_tun() implementation
      tun.c: do not add/remove on-link IPv4 route on tun open/close
      options.c: do not force route delay when not using DHCP
      configure.ac: simplify AC_CHECK_FUNCS statements
      cryptoapi.c: fix run-time check failure in msvc debugger
      interactive.c: remove unused function
      tun.c: fix 'use after free' error
      Fix building with --enable-async-push in FreeBSD
      Fix broken async push when NCP is used
      Fix illegal client float (CVE-2020-11810)
      msvc: fix various level2 warnings
      tap.c: fix adapter renaming
      Improve Windows version detection with manifest
      wintun: remove SYSTEM elevation hack
      Fix compilation with --disable-lzo and --disable-lz4

Matthias Andree (3):
      Make openvpn-plugin.h self-contained again.
