author: Bernhard Schmidt <Bernhard.Schmidt@lrz.de> 2018-03-04 22:55:51 +0100
committer: Bernhard Schmidt <Bernhard.Schmidt@lrz.de> 2018-03-04 22:55:51 +0100
commit: 528d142b4be4618a00d506414c95485d679f7297 (patch)
tree: 118c2b9adb156a129bd0a04d980f00ba01fc8264 /Changes.rst
parent: bd24a09dcb08e98bba26e316fd46e1b5d0590afb (diff)
parent: 4afa7ed562410a1170223a7bc06efb3708af6a36 (diff)
Update upstream source from tag 'upstream/2.4.5'
Update to upstream version '2.4.5' with Debian dir bfadc11012753514e3836a4dc88a94fd7d0f8314
Diffstat (limited to 'Changes.rst')
-rw-r--r-- Changes.rst 66
1 files changed, 62 insertions, 4 deletions
diff --git a/Changes.rst b/Changes.rst
index d5e12eb..4168d62 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -133,10 +133,6 @@ keying-material-exporter
Keying Material Exporter [RFC-5705] allow additional keying material to be
derived from existing TLS channel.
-Mac OS X Keychain management client
- Added contrib/keychain-mcd which allows to use Mac OS X keychain
- certificates with OpenVPN.
-
Android platform support
Support for running on Android using Android's VPNService API has been added.
See doc/android.txt for more details. This support is primarily used in
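Review bot: The "Mac OS X Keychain management client" entry is dropped from this feature list with no explanation, and the new 2.4.5 section added further down does not mention it either. A reader comparing release notes cannot tell whether contrib/keychain-mcd was removed from the tree or was simply listed under the wrong release. Since that entry concerns where certificates used by the client are stored, a one-line note in the changelog or commit message saying which of the two it is would help anyone who relies on it.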
@@ -325,6 +321,68 @@ Maintainer-visible changes
i386/i686 builds on RHEL5.
+Version 2.4.5
+=============
+This is primarily a maintenance release, with further improved OpenSSL 1.1
+integration, several minor bug fixes and other minor improvements.
+
+
+New features
+------------
+- The new option ``--tls-cert-profile`` can be used to restrict the set of
+ allowed crypto algorithms in TLS certificates in mbed TLS builds. The
+ default profile is 'legacy' for now, which allows SHA1+, RSA-1024+ and any
+ elliptic curve certificates. The default will be changed to the 'preferred'
+ profile in the future, which requires SHA2+, RSA-2048+ and any curve.
+
+- make CryptoAPI support (Windows) compatible with OpenSSL 1.1 builds
+
+- TLS v1.2 support for cryptoapicert (on Windows) -- RSA only
+
+- openvpnserv: Add support for multi-instances (to support multiple
+ parallel OpenVPN installations, like EduVPN and regular OpenVPN)
+
+- Use P_DATA_V2 for server->client packets too (better packet alignment)
+
+- improve management interface documentation
+
+- rework registry key handling for OpenVPN service, notably making most
+ registry values optional, falling back to reasonable defaults
+
+- accept IPv6 address for pushed "dhcp-option DNS ..."
+ (make OpenVPN 2 option compatible with OpenVPN 3 iOS and Android clients)
+
+
+Bug fixes
+---------
+- Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+
+- Fix lots of compiler warnings (format string, type casts, ...)
+
+- Fix --redirect-gateway route installation on Windows systems that have
+ multiple interfaces into the same network (e.g. Wifi and wired LAN).
+
+- Fix IPv6 interface route cleanup on Windows
+
+- reload HTTP proxy credentials when moving to the next connection profile
+
+- Fix build with LibreSSL (multiple times)
+
+- Remove non-useful warning on pushed tun-ipv6 option.
+
+- fix building with MSVC due to incompatible C constructs
+
+- autoconf: Fix engine checks for openssl 1.1
+
+- lz4: Rebase compat-lz4 against upstream v1.7.5
+
+- lz4: Fix broken builds when pkg-config is not present but system library is
+
+- Fix '--bind ipv6only'
+
+- Allow learning iroutes with network made up of all 0s
+
+
Version 2.4.4
=============
This is primarily a maintenance release, with further improved OpenSSL 1.1
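Review bot: The bug-fix entry "Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+" does not say what was broken, and that is the detail operators need: anyone who sets a minimum TLS version has to know whether it was actually enforced on OpenSSL 1.1 builds before 2.4.5. Please state the previous behaviour in the entry. In the same spirit, the ``--tls-cert-profile`` entry says the default stays 'legacy' (SHA1+, RSA-1024+) but only implies that 'preferred' can be selected today; saying so explicitly would let mbed TLS users opt in before the default changes. On style, options are marked up three ways in this section (double backticks for ``--tls-cert-profile``, bare for --redirect-gateway, single quotes for '--bind ipv6only') and bullets mix "Fix ..." with lower-case "fix building ..." and "make CryptoAPI ..."; pick one form for each.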