-rw-r--r-- | ChangeLog | 37 | ||||
-rw-r--r-- | Changes.rst | 23 | ||||
-rw-r--r-- | version.m4 | 4 |
3 files changed, 62 insertions, 2 deletions
@@ -1,6 +1,43 @@ OpenVPN Change Log Copyright (C) 2002-2015 OpenVPN Technologies, Inc. <sales@openvpn.net> +2016.11.02 -- Version 2.3.13 +Arne Schwabe (2): + Use AES ciphers in our sample configuration files and add a few modern 2.4 examples + Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer + +David Sommerseth (4): + t_client.sh: Make OpenVPN write PID file to avoid various sudo issues + t_client.sh: Add support for Kerberos/ksu + t_client.sh: Improve detection if the OpenVPN process did start during tests + t_client.sh: Add prepare/cleanup possibilties for each test case + +Gert Doering (5): + Do not abort t_client run if OpenVPN instance does not start. + Fix t_client runs on OpenSolaris + make t_client robust against sudoers misconfiguration + add POSTINIT_CMD_suf to t_client.sh and sample config + Fix --multihome for IPv6 on 64bit BSD systems. + +Ilya Shipitsin (1): + skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto + +Lev Stipakov (2): + Exclude peer-id from pulled options digest + Fix compilation in pedantic mode + +Samuli Seppänen (1): + Automatically cache expected IPs for t_client.sh on the first run + +Steffan Karger (6): + Fix unittests for out-of-source builds + Make gnu89 support explicit + cleanup: remove code duplication in msg_test() + Update cipher-related man page text + Limit --reneg-bytes to 64MB when using small block ciphers + Add a revoked cert to the sample keys + + 2016.08.23 -- Version 2.3.12 Arne Schwabe (2): Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. diff --git a/Changes.rst b/Changes.rst index b121f01..92ade04 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -57,6 +57,11 @@ Improved UTF-8 support Behavioral changes ------------------ +- OpenVPN will complain loudly about ciphers with 128-bits block sizes or less + +- OpenVPN will by default re-negotiate the tunnel after 64MB when used with + ciphers using cipher blocks of 128-bits or less + - Remove --enable-password-save option to configure, this is now always enabled - Disallow usage of --server-poll-timeout in --secret key mode @@ -100,6 +105,24 @@ Behavioral changes - Do not randomize resolving of IP addresses in getaddr() +Version 2.3.13 +============== + +- Enforcing a new default value for --reneg-bytes for known weaker ciphers + + Ciphers with cipher blocks less than 128 bits will now do a renegotiation + of the tunnel by default for every 64MB of data. This behaviour can be + overridden by explictly setting --reneg-bytes 0 in the configuration file, + however this is HIGHLY discouraged. + + This is to reduce the risk for SWEET32 attacks. The general recommendation + is to change the cipher to a stronger cipher. For more information see: + https://community.openvpn.net/openvpn/wiki/SWEET32 + + OpenVPN will also complain a little bit more in the logs + when such weaker ciphers is detected. + + Version 2.3.12 ============== @@ -1,9 +1,9 @@ dnl define the OpenVPN version define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) -define([PRODUCT_VERSION], [2.3.12]) +define([PRODUCT_VERSION], [2.3.13]) define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) -define([PRODUCT_VERSION_RESOURCE], [2,3,12,0]) +define([PRODUCT_VERSION_RESOURCE], [2,3,13,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |