Releases: OpenVPN/openvpn
v2.6.9
Security fixes:
- Windows Installer: fix CVE-2023-7235 where installing to a non-default
directory could lead to a local privilege escalation. Reported by Will Dormann.
New features:
- Add support for building with mbedTLS 3.x.x
- New option --force-tls-key-material-export to only accept clients that can do TLS keying material export to generate session keys (mostly an internal option to better deal with TLS 1.0 PRF failures).
- Windows: bump vcpkg-ports/pkcs11-helper to 1.30
- Log incoming SSL alerts in an easier-to-understand form and move the logging from --verb 8 to --verb 3.
- protocol_dump(): add support for printing --tls-crypt packets
User visible changes:
- License change is now complete, and all code has been re-licensed under the new license (still GPLv2, but with a new linking exception for Apache2 licensed code). See COPYING for details. Code that could not be re-licensed has been removed or rewritten.
- The original code for the --tls-export-cert feature has been removed (due to the re-licensing effort) and rewritten without looking at the original code. Feature compatibility has been tested by other developers, looking at both old and new code and documentation, so there should not be a user-visible change here.
- IPv6 route addition/deletion is now logged on the same level (3) as for IPv4. Previously IPv6 was always logged at --verb 1.
- Better handling of TLS 1.0 PRF failures in the underlying SSL library (e.g. on some FIPS builds): this is now reported on startup, and clients before 2.6.0 that cannot use TLS EKM to generate key material are rejected by the server. Also, error messages are improved to show what exactly failed.
Notable bug fixes:
- FreeBSD: for servers with multiple clients, reporting of peer traffic
statistics would fail due to insufficient buffer space (#487)
Windows Client: Community MSI installer for Windows client can be found at Community Downloads.
Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.
Full Changelog: v2.6.8...v2.6.9
v2.6.8
User visible changes
- Windows: print warning if pushed options require DHCP (e.g. DOMAIN-SEARCH) and driver in use does not use DHCP (wintun, dco).
Bug fixes
- SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF state (Github #449) - the new sanity check function introduced in 2.6.7 sometimes tried to use a NULL pointer after an unsuccessful TLS handshake
- Windows: the --dns option did not work when the tap-windows6 driver was used, because the internal flag for "apply DNS option to DHCP server" wasn't set (Github #447)
- Windows: fix status/log file permissions, caused by a regression after changing to the CMake build system (Github: #454, Trac: #1430)
- Windows: fix --chdir failures, also caused by an error in the CMake build system (Github #448)
Full Changelog: v2.6.7...v2.6.8
v2.6.7
Security Fixes
- CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (i.e. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417)
- CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore the --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417)
User visible changes
- DCO: warn if DATA_V1 packets are sent by the other side. This is a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
- Remove the OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway, as it only worked with OpenSSL 1.x, which is end-of-support.
- Add a warning if a p2p NCP client connects to a p2mp server. This is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
- Add a warning to --show-groups that not all supported groups are listed (this is due to the internal enumeration in OpenSSL being a bit weird, omitting the X448 and X25519 curves).
- --dns: remove support for the exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all, so the option is removed again).
- Warn the user if an INFO control message is too long, and do not forward it to the management client (safeguard against protocol-violating server implementations).
New features
- DCO-WIN: get and log driver version (for easier debugging).
- Print "peer temporary key details" in TLS handshake.
- Log OpenSSL errors on failure to set certificate, for example if the algorithms used are not acceptable to OpenSSL (previously a misleading message would be printed in cryptoapi / pkcs11 scenarios).
- Add CMake build system for MinGW and MSVC builds.
- Remove old MSVC build system.
- Improve cmocka unit test building for Windows.
Full Changelog: v2.6.6...v2.6.7
v2.6.6
User visible changes
- OCC exit messages are now logged more visibly (Github #391)
- OpenSSL error messages are now logged with more details (for example, when loading a provider fails, which .so was tried, and why it failed) (Github #361)
- Print a more user-friendly message when tls-crypt-v2 client auth fails
- Packaging now includes all documentation in the tarball
New features
- set WINS server via interactive service - this adds support for
"dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no
DHCP server is used (Github #373).
Bug fixes / Code cleanup
- route.c was sometimes ignoring return values of add_route3() (found by coverity)
- ntlm: clarify use of buffer in case of truncated NTLM challenge, no actual code change (reported by Trail of Bits, TOB-OVPN-14)
- pkcs11_openssl.c: disable unused code (found by coverity)
- options.c: do not hide variable from parent scope (found by coverity)
- configure: fix typo in LIBCAPNG_CFALGS (Github #371)
- Ignore IPv6 route deletion request on Android, reduce IPv4 route-related message verbosity on Android
- manage.c: document missing KID parameter of "client-pending-auth" (new addition in da083c3 (2.6.2)) in management interface help text
- vpn-network-options.rst: fix typo of "dhcp-option" (Github #313)
- tun.c/windows: quote WMIC call to set DHCP/DNS domain with hyphen (Github #363)
- Fix CR_RESPONSE management message using wrong key_id
- Work around false positive compiler warnings with MinGW 12
- Work around false positive compiler warnings with GCC 12.2.0
- Fix more compiler warnings on FreeBSD
- test_tls_crypt: improve cmocka testing portability
- dco-linux: fix counter print format (signed/unsigned)
- Packaging: include everything that is needed for an MSVC build in tarballs (Github #344)
Full Changelog: v2.6.5...v2.6.6