summaryrefslogtreecommitdiff
path: root/debian/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'debian/NEWS')
-rw-r--r--debian/NEWS67
1 files changed, 67 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..bbf0054
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,67 @@
+openvpn (2.1~rc15-1) unstable; urgency=low
+
+ * The openvpn utility changed its handling of pkcs11 certificates when it
+ switched from built-in code to the pkcs11-helper library (package
+ libpkcs11-helper1 on Debian). This means that you will have to update your
+ openvpn configuration files if you are using such certificates. For
+ example, a stanza in a configuration file might previously have referred to
+ a given pkcs11 certificate like this:
+
+ pkcs11-providers /usr/lib/opensc-pkcs11.so
+ pkcs11-slot-type id
+ pkcs11-slot 0
+ pkcs11-id-type label
+ pkcs11-id "YOUR_LABEL"
+
+ This stanza has to be rewritten now in the following way:
+
+ pkcs11-providers /usr/lib/opensc-pkcs11.so
+ pkcs11-id 'YOUR_PKCS11_SERIALIZED_ID'
+
+ The pkcs11-slot, pkcs11-slot-type, pkcs11-id-type options are obsolete;
+ a long ID string that is unique for each certificate is now used as the
+ only identifier. Note that YOUR_PKCS11_SERIALIZED_ID will almost
+ certainly be different from YOUR_LABEL that you used previously with the
+ pkcs11-id option. To find out the correct serialized ID(s) for your
+ certificate(s), you have to query the pkcs11-provider library:
+
+ $ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
+
+ The following objects are available for use.
+ Each object shown below may be used as parameter to --pkcs11-id option
+ please remember to use single quote mark.
+
+ Certificate
+ DN: /CN=YOUR_USER
+ Serial: SERIAL_NUMBER
+ Serialized id: YOUR_PKCS11_SERIALIZED_ID
+
+ You have to paste YOUR_PKCS11_SERIALIZED_ID as seen in this output into
+ your openvpn configuration file and make sure that the string is enclosed
+ in single quotation marks.
+
+ The example above assumes that your cryptographic token can be accessed
+ via the opensc-pkcs11.so library from libopensc2. If you have to use
+ another library, for example a proprietary driver from the vendor of your
+ token, then you have to adapt both the stanza in the configuration file
+ and the path given on the command line accordingly.
+
+ Florian Kulzer
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
+
+openvpn (2.1~rc9-3) unstable; urgency=low
+
+ * Calling of external commands/scripts
+
+ Starting with version 2.1~rc9, openvpn has a new option to control the
+ ability to execute external commands (--script-security).
+
+ By default (script-security 1) it will only allow the execution of
+ built-in commands (ip, ifconfig, route,...). If you require the execution
+ of external commands, such as /etc/openvpn/update-resolv-conf, you'll have
+ to include the following option in your configuration file:
+ script-security 2
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 16 Aug 2008 13:34:24 +0200
+