summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Added 'dir' flag to "crl-verify" (see man page for info).James Yonan2011-04-267-61/+96
| | | | | | | | | | | | | | Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list if not running in server mode (these functions are only useful for TLS/SSL servers). Modified openvpn_snprintf to return false on overflow, and true otherwise. When AUTH_FAILED,... is received, log the full string. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7213 e7ae566f-a301-0410-adde-c780ea21d3b5
* Revert r7092 and r7151, i.e. remove --enable-osxipconfigJames Yonan2011-04-263-35/+1
| | | | | | | | | | configure option. ipconfig on Mac has certain behavior that makes it unsuitable for use by OpenVPN to configure tun/tap interface. Version 2.1.3u git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7191 e7ae566f-a301-0410-adde-c780ea21d3b5
* Version 2.1.3tJames Yonan2011-04-261-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7152 e7ae566f-a301-0410-adde-c780ea21d3b5
* For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfigJames Yonan2011-04-261-1/+11
| | | | | | | | | | command on failure once every second for up to 15 seconds. This is necessary to work around an issue observed on OSX 10.5 where the ipconfig command sometimes fails if executed immediately after the tun device open. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7151 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed bug in port-share that could cause port share process toJames Yonan2011-04-262-1/+4
| | | | | | | | | | | | | | | | | | | | | | crash with output like this: TCP connection established with 85.190.0.3:41781 85.190.0.3:41781 SIGTERM[soft,port-share-redirect] received, client-instance exiting MANAGEMENT: TCP recv error: Socket operation on non-socket MANAGEMENT: Client disconnected MANAGEMENT: Triggering management exit Exiting due to fatal error EVENT: epoll_ctl EPOLL_CTL_MOD failed, sd=6: Bad file descriptor (errno=9) Then an error like this for every incoming connection that should be proxied: 76.120.71.74:55302 PORT SHARE: sendmsg failed -- unable to communicate with background process (6,8,-1,-1): Connection refused (errno=111) Version 2.1.3s git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7127 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed bug that incorrectly placed stricter TCP packet replay rules onJames Yonan2011-04-266-14/+15
| | | | | | | | | | | | | | UDP sessions when the client daemon was running in UDP/TCP adaptive mode, and transitioned from TCP to UDP. The bug would cause a single dropped packet in UDP mode to trigger a barrage of packet replay errors followed by a disconnect and reconnect. Version 2.1.3r git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added more packet ID debug info at debug level 3 for debuggingJames Yonan2011-04-266-28/+142
| | | | | | | | | false positive packet replays. Version 2.1.3q. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7109 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added ./configure --enable-osxipconfig option for Mac OS X which willJames Yonan2011-04-263-2/+26
| | | | | | | | | | enable the use of ipconfig (instead of ifconfig) for configuring the IP address and netmask of the tun/tap adapter. Version 2.1.3p git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7092 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added "auth-token" client directive, which is intended to beJames Yonan2011-04-2611-13/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | pushed by server, and that is used to offer a temporary session token to clients that can be used in place of a password on subsequent credential challenges. This accomplishes the security benefit of preventing caching of the real password while offering most of the advantages of password caching, i.e. not forcing the user to re-enter credentials for every TLS renegotiation or network hiccup. auth-token does two things: 1. if password caching is enabled, the token replaces the previous password, and 2. if the management interface is active, the token is output to it: >PASSWORD:Auth-Token:<token> Also made a minor change to HALT/RESTART processing when password caching is enabled. When client receives a HALT or RESTART message, and if the message text contains a flags block (i.e. [FFF]:message), if flag 'P' (preserve auth) is present in flags, don't purge the Auth password. Otherwise do purge the Auth password. Version 2.1.3o git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5
* win/sign.py now accepts an optional tap-dir argument.James Yonan2011-04-261-4/+8
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7086 e7ae566f-a301-0410-adde-c780ea21d3b5
* Version 2.1.3nJames Yonan2011-04-261-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7069 e7ae566f-a301-0410-adde-c780ea21d3b5
* Client will now try to reconnect if no push reply receivedJames Yonan2011-04-264-3/+20
| | | | | | | within handshake-window seconds. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7066 e7ae566f-a301-0410-adde-c780ea21d3b5
* Extended "client-kill" management interface command (server-side)James Yonan2011-04-267-19/+53
| | | | | | | | | | | | | | | | | | | | to accept an optional message string. The message string format is: RESTART|HALT,<human-readable-message> RESTART will tell the client to restart (i.e. SIGUSR1). HALT will tell the client to exit (i.e. SIGTERM). On the client, human-readable-message will be communicated via management interface: >NOTIFY,<severity>,<type>,<human-readable-message>" Version 2.1.3m git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7063 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed bug introduced in r7031 that might cause this error message:James Yonan2011-04-261-6/+16
| | | | | | | PORT SHARE: sendmsg failed (unable to communicate with background process) git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7062 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed issue where a client might receive multiple push replies fromJames Yonan2011-04-263-2/+14
| | | | | | | | | | | a server if it sent multiple push requests due to the server being slow to respond. This could cause the client to process pushed options twice, leading to duplicate pushed routes, among other issues. The fix, implemented server-side, is to reply only once to a push request even if multiple requests are received. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7060 e7ae566f-a301-0410-adde-c780ea21d3b5
* env_filter_match now includes the serial number of all certsJames Yonan2011-04-261-1/+1
| | | | | | | in chain (as tls_serial_n vars), rather than only tls_serial_0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7055 e7ae566f-a301-0410-adde-c780ea21d3b5
* Reduce log verbosity at level 3, with a focus on removing excessive log ↵James Yonan2011-04-256-27/+33
| | | | | | | | verbosity generated by port-share activity. Version 2.1.3k git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7033 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added optional journal directory argument to "port-share" directive, for ↵James Yonan2011-04-258-33/+131
| | | | | | reporting client IP origins of proxied connections. git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7031 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added --enable-lzo-stub configure option to build an OpenVPN client without ↵James Yonan2011-04-257-14/+85
| | | | | | | | | | | | | | | | LZO, but that has limited interoperability with LZO-enabled servers. Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when client was built with --enable-lzo-stub configure option. This tells the server that the client lacks LZO capabilities, so the server should turn off LZO compression for this client via "lzo no". Added "setenv PUSH_PEER_INFO" option having the same effect as "push-peer-info". Version 2.1.3j git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7023 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added "client-nat" option for stateless, one-to-oneJames Yonan2011-02-1815-17/+490
| | | | | | | | | NAT on the client side. Version 2.1.3i. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6944 e7ae566f-a301-0410-adde-c780ea21d3b5
* Properly handle certificate serial numbers > 32 bits.James Yonan2011-02-142-4/+12
| | | | | | | Version 2.1.3h git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6931 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixes to r6925.James Yonan2011-02-141-3/+3
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6927 e7ae566f-a301-0410-adde-c780ea21d3b5
* Implemented get_default_gateway_mac_addr for Mac OS X (previously,James Yonan2011-02-143-59/+125
| | | | | | | | | | | | | | was only defined for Windows and Linux). This enables OS X to report the MAC address of the default gateway to the server for ID purposes when client-side --push-peer-info option is specified. Also, minor fix to OS X get_default_gateway function: * include net/route.h directly rather than selectively paste stuff from it into route.c git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6925 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed minor compile issue triggered on builds whereJames Yonan2011-01-181-1/+1
| | | | | | | MANAGEMENT_DEF_AUTH is not enabled. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6830 e7ae566f-a301-0410-adde-c780ea21d3b5
* * added --management-up-down option to allow management interfaceJames Yonan2011-01-106-21/+55
| | | | | | | | | | | | to be notified of tunnel up/down events. * pulled --ip-win32 options will be suppressed on the client if --route-nopull option is specified. Version 2.1.3f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added --x509-track option.James Yonan2011-01-0510-4/+186
| | | | | | | Version 2.1.3e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6780 e7ae566f-a301-0410-adde-c780ea21d3b5
* Misc fixes to r6708.James Yonan2010-12-138-51/+72
| | | | | | | | Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
* Minor addition of logging info before and afterJames Yonan2010-12-102-1/+3
| | | | | | | | | execution of Windows net commands. Version 2.1.3d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6712 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added "management-external-key" option. This option can be usedJames Yonan2010-12-0910-59/+433
| | | | | | | | | | | | | | | | | | | | | | | | | | | instead of "key" in client mode, and allows the client to run without the need to load the actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: >RSA_SIGN:[BASE64_DATA] The management interface client should then sign BASE64_DATA using the private key and return the signature as follows: rsa-sig [BASE64_SIG_LINE] . . . END This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixes to prevent compile breakage when --disable-crypto is used.James Yonan2010-11-162-5/+2
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6656 e7ae566f-a301-0410-adde-c780ea21d3b5
* In verify_callback, the subject var should be freed by OPENSSL_free,James Yonan2010-11-162-3/+3
| | | | | | | not free, since it is allocated by OpenSSL. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6655 e7ae566f-a301-0410-adde-c780ea21d3b5
* Version 2.1.3bJames Yonan2010-10-281-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6585 e7ae566f-a301-0410-adde-c780ea21d3b5
* Make base64.h have the same conditional compilation expression asJames Yonan2010-10-241-1/+1
| | | | | | | base64.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6569 e7ae566f-a301-0410-adde-c780ea21d3b5
* Implement challenge/response authentication support in client mode,James Yonan2010-10-247-24/+229
| | | | | | | | | | | | | | | | | | where credentials are entered from stdin. This capability is compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled by default). Challenge/response support was previously implemented for creds that are queried via the management interface. In this case, the challenge message will be returned as a custom client-reason-text string (see management-notes.txt for more info) on auth failure. Also, see the comments in misc.c above get_auth_challenge() for info on the OpenVPN challenge/response protocol. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed initialization bug in route_list_add_default_gatewayJames Yonan2010-10-231-0/+2
| | | | | | | (Gert Doering). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6566 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added --proto-force directive.James Yonan2010-09-015-2/+35
| | | | | | | Version 2.1.3a git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6424 e7ae566f-a301-0410-adde-c780ea21d3b5
* Don't configure Linux tun/tap txqueuelen setting if OpenVPNJames Yonan2010-08-311-1/+1
| | | | | | | txqueuelen directive is set to 0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6420 e7ae566f-a301-0410-adde-c780ea21d3b5
* Allow PKCS12 file content to be included inline in configuration file,James Yonan2010-08-293-10/+39
| | | | | | | rendered as base64. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
* Attempt to fix issue where domake-win build system was not properlyv2.1.3James Yonan2010-08-2011-203/+191
| | | | | | | | | | | | | signing drivers and .exe files. Added win/tap_span.py for building multiple versions of the TAP driver and tapinstall binaries using different DDK versions to span from Win2K to Win7 and beyond. Version 2.1.3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6404 e7ae566f-a301-0410-adde-c780ea21d3b5
* Windows security issue:v2.1.2James Yonan2010-08-154-3/+116
| | | | | | | | | | | | | | | | | | | Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity Version 2.1.2 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added warning about tls-remote in man page.James Yonan2010-08-101-0/+7
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6384 e7ae566f-a301-0410-adde-c780ea21d3b5
* Distribute win directory (Python/MSVC-based build system)James Yonan2010-08-091-1/+2
| | | | | | | in "make dist" tarball. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6382 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added "net stop dnscache" and "net start dnscache" in frontJames Yonan2010-07-276-8/+34
| | | | | | | of existing --register-dns commands. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6352 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed an issue where application payload transmissions on theJames Yonan2010-07-276-12/+54
| | | | | | | | | | TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped. Version 2.1.1n git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6350 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed typo: missing comment close.James Yonan2010-07-261-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6347 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added win/build_exe.py script, which is similar toJames Yonan2010-07-162-21/+38
| | | | | | | | win/build_all.py except that it doesn't build the TAP drivers or tapinstall. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6306 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added --register-dns option for Windows.James Yonan2010-07-169-11/+79
| | | | | | | | | | Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection. Version 2.1.1m. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6304 e7ae566f-a301-0410-adde-c780ea21d3b5
* Implemented multi-address DNS expansion on the network field of routeJames Yonan2010-07-124-16/+85
| | | | | | | | | | | | commands. When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection. Version 2.1.1l git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6291 e7ae566f-a301-0410-adde-c780ea21d3b5
* Version 2.1.1kJames Yonan2010-07-101-1/+1
| | | | git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6285 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed bug in proxy fallback capability where openvpn.exe couldJames Yonan2010-07-102-18/+22
| | | | | | | | core dump if http-proxy-fallback-disable command was issued in response to ">PROXY:NEED_NOW management" interface notification. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6284 e7ae566f-a301-0410-adde-c780ea21d3b5
generated by cgit (git 2.34.1) at 2025-05-17 11:28:28 +0000