OpenVPN ChangeLog
Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>

2026.04.27 -- Version 2.7.3

Selva Nair (1):
      Fixup: prompting password from management


2026.04.22 -- Version 2.7.2

Arne Schwabe (9):
      Use ASN1_BIT_STRING_get_bit to check for netscape certificate usage
      Rename key* to privkey* in cert_data.h
      Add unit test for printing various details of certificates
      OpenSSL 4.0: Make X509 objects const
      Do not access internals of ASN1_INTEGER to print hex of serial
      Try to emphasise the transition from old ovpn-dco to new ovpn module
      OpenSSL 4.0: Use X509_check_certificate_times instead of X509_cmp_time
      GHA: Add OpenSSL 4.0 build
      Ensure that buffer of freed session are not used

David Benjamin (1):
      ssl_openssl: Fix some CRL mixups

Frank Lichtenheld (3):
      doc: Remove some explanations for pre-2.3 configurations
      openvpnmsica: Fix setting of iTicks in schedule_adapter_delete
      win: Fix nrpt_dnssec flag handling

Greg Cox (1):
      Update --learn-address man page with ipv6 information

Luca Boccassi (1):
      management: add base64 multi-line input for passwords

Luis Cruz (1):
      build: Use info fetched from version.m4

Selva Nair (4):
      Log when writing username/password to TLS buffer fails
      Add unit tests for 'auth-user-pass username-only'
      verify_x509_name: Improve the error message on failure
      Inlined credentials: read missing password from management interface

Steffan Karger (1):
      tls-crypt-v2: Avoid interpreting opcode as part of WKc


2026.03.31 -- Version 2.7.1

Antonio Quartulli (1):
      options: drop useless init_gc param for init_options()

Arne Schwabe (12):
      Change stream_buf_read_setup_dowork parameter to struct steam_buf
      DCO Linux: Fix setting DCO ifmode failing on big endian archs
      Merge stream_buf_get_next and stream_buf_set_next
      AWS-LC: Add missing return and cast in ssl_tls1_PRF
      GHA: Install aws-lc under /opt/aws-lc
      Show version and double check we use the right TLS library in Github Actions
      Remove unnecessary OpenSSL init and cleanup commands in unit tests
      GHA: Cache built crypto libraries
      Use openssl_err_t typedef to deal with difference between TLS libraries
      Do not support tls_ctx_set_cert_profile on AWS-LC
      Use const specifices in extract_x509_field_ssl
      Increase default size of internal hash maps to 4 * --max-clients

Frank Lichtenheld (7):
      clang-format: Add missing InsertBraces: true
      auth-pam: fix discards 'const' qualifier from pointer target type
      GHA: Maintenance update February 2026
      buffer: Add checked_snprintf function and use it in the code
      vcpkg-ports: Review pkcs11-helper port
      systemd: Change LimitNPROC to TasksMax and increase limit
      ssl_verify_openssl: Clean up extract_x509_extension

Gert Doering (4):
      port-share: log incoming connections at verb 3 only
      rework all occurrences of 'M_ERR | M_ERRNO'
      configure.ac: adjust to native inotify support for FreeBSD 15+
      dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver

Gianmarco De Gregori (1):
      socket: restore per-connection lport override over global default

Haixiao Yan (1):
      tests: skip test execution when cross-compiling

Heiko Hund (2):
      doc: improve Windows-specific options section
      doc: fix typo with --ingore-unknown-option

Max Fillinger (1):
      Avoid unbounded allocations in pkcs11_mbedtls.c

Ralf Lici (1):
      doc: fix client-nat syntax and examples

Rudi Heitbaum (3):
      dns: fix discards 'const' qualifier from pointer target type
      ntlm: fix discards 'const' qualifier from pointer target type
      ssl_verify_openssl: use official ASN1_STRING_ API

Selva Nair (4):
      Fixup version command on management interface
      Document management client versions
      Use USER_PASS_LEN for private key password buffer size
      Add an optional username-only flag for auth-user-pass


2026.02.11 -- Version 2.7.0

Frank Lichtenheld (3):
      crypto: Do not claim we will remove support for BF-CBC in 2.7
      Update the clang-format reference version to 21.1.8
      Review Changes.rst for 2.7.0 release

Max Fillinger (1):
      Mbed TLS 4: Add more algorithms


2026.01.28 -- Version 2.7_rc6

Arne Schwabe (1):
      Silence compiler truncation warning by checking snprintf return value

Frank Lichtenheld (16):
      crypto_openssl: Fix various conversion warnings
      cryptoapi: Avoid conversion warnings
      ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku
      socket: Avoid conversion warning in get_addr_generic
      ssl_ncp: Avoid conversion warning in replace_default_in_ncp_ciphers_option
      port-share: Check return value of fork()
      openvpnserv: Fix conversion warnings in interactive.c
      openvpnserv: Factor out the string conversion from GetItfDnsDomains
      openvpnserv: Add a first unit test
      GHA: Update mbedtls to v4
      route: Fix conversion warnings on BSDs
      socket: Remove ifdef for SO_{RCV, SND}BUF
      test_openvpnserv: Make sure to include config.h
      GHA: Run openvpnserv UT for MinGW builds
      status: Avoid conversion warnings in status_read/status_printf
      manage: Do not trigger actions on management disconnect if not authenticated

Gert Doering (1):
      tunnel_server(): close correct inotify fd

Heiko Hund (1):
      Prevent NULL pointer dereference with --dns-updown

Max Fillinger (1):
      Add support for Mbed TLS 4


2026.01.15 -- Version 2.7_rc5

Arne Schwabe (5):
      Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers
      Allow test-crypto to work without the --secret argument
      Fix warnings on Android about unused variables/methods
      Require script-security 2 when using unix: tun
      Correctly handle sender jumping exactly epoch_data_keys_future_count

Frank Lichtenheld (12):
      tests/unit_tests: Port to cmocka 2.0.0 API
      GHA: Maintenance update January 2026
      Update Copyright statements to 2026
      Fix building test_tls_crypt with cmocka 2.0
      configure.ac: Clean up systemd support
      socks: Replace magic "10" for socks header with macro
      socks: Fix wrong success check in socks_username_password_auth
      socket: Remove old 'dynamic remote' feature
      socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply
      ssl_verify: Fix parsing of timeout from auth pending file
      error: Remove our implementation of static_assert
      forward: Avoid conversion warning in ipv6_send_icmp_unreachable

Gert Doering (3):
      remove ENABLE_X509ALTUSERNAME conditional
      Repair interaction between DCO and persist-tun after reconnection
      OpenVPN Release 2.7_rc5


2025.12.17 -- Version 2.7_rc4

Arne Schwabe (4):
      Clarify some code in epoch with better comments
      Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
      Fix dco with null cipher being enabled without auth none
      Change ssl_ctx in struct tls_options to be a pointer

Frank Lichtenheld (19):
      Documentation: Various syntax fixes and text improvements
      CMake: For VS build, switch from /W2 to /W3
      socket: Initialize struct in_addr_t in getaddr()
      GHA: Add minGW Release build
      tun: Refactor BSD write_tun/read_tun
      tun: Change return type of write_tun/read_tun to ssize_t
      Remove some obsolete references to --windows-driver
      options: Remove some verbose error messages for options deprecated in 2.4
      Correct documentation for --ns-cert-type
      buffer: Change limits for array_mult_safe
      mbuf: Add unit tests
      options: Avoid some conversion warnings
      schedule: Rework documentation for schedule_add_entry
      multi: Fix wrong sigma value in multi_push_restart_schedule_exit
      multi: Fix type handling for hashes, mostly inotify_watchers
      multi: Fix various conversion warnings
      manage: Avoid several conversion warnings by using the correct types
      buffer: Change buf_prepend and buf_advance to accept ssize_t for length
      multi: Warn about failing read in multi_process_file_closed()

Gianmarco De Gregori (2):
      mudp: fix unaligned 32-bit read when parsing peer ID
      Deprecate --fast-io option

Heiko Hund (1):
      iservice: set adapter DNS only with search domains

Klemens Nanni (1):
      Prevent crash on invalid server-ipv6 argument

Lev Stipakov (1):
      tun.c: set IPv4 address temporary on Windows

Max Fillinger (1):
      Drop Mbed TLS 2.X compatibility

Moritz Fain (1):
      PUSH_UPDATE: fix option reset logic in continuation messages

Selva Nair (2):
      Set UTF-8 as the codepage using manifest declaration
      pull-filter: improve documentation

Simon Matter (1):
      Add CAP_SYS_NICE to the positive list in systemd service files

Steffan Karger (1):
      mbedtls: gracefully exit if certificate file is NULL


2025.11.28 -- Version 2.7_rc3

Frank Lichtenheld (9):
      doc: Document potential filesystem pitfalls of client-config-dir
      GHA: Maintenance update November 2025
      GHA: Add macos-26 and remove OpenSSL 1.1 builds on macOS
      tls_crypt: Fix Coverity complaint in tls_crypt_v2_check_client_key_age
      Changes.rst: Fix various syntax errors and typos
      error: Allow status argument to check_status to be ssize_t
      Linux: Assume we have a kernel that was release in the last 15 years
      configure/CMake: Remove unused checks
      configure/CMake: Unify Windows handling

Gert Doering (4):
      Change '--multihome' behaviour regarding egress interface selection.
      extract_x509_field_ssl(): verify that X509_NAME is not NULL.
      Remove remainders of --no-name-remapping option
      OpenVPN Release 2.7_rc3

Gianmarco De Gregori (2):
      multi-socket: remove duplicated/dead code
      multi-socket: do not return tuntap flags on server-side

Heiko Hund (9):
      iservice: fix buffer size in call to FormatMessage
      iservice: make sure buffer size is not zero
      iservice: make sure registry string is terminated
      iservice: check for NULL pointer
      iservice: fix calculation of converted domains size
      iservice: return correct size when domains are truncated
      iservice: handle ignoring itf domains correctly
      iservice: fix off by one error
      iservice: rename one_glyph to glyph_size

Lev Stipakov (1):
      interactive.c: harden pipe handling against misbehaving clients

Marco Baffo (1):
      route: handle default gateway (net_gateway) and nexthop towards VPN server separately

Max Fillinger (1):
      Add option to check tls-crypt-v2 key timestamps

Ralf Lici (1):
      dco: process messages immediately after read

Selva Nair (3):
      vcpkg-ports/pkcs11-helper: bump version to 1.31
      Harden interactive service pipe
      Restrict access to the service pipe to SYSTEM and owner


2025.11.17 -- Version 2.7_rc2

Antonio Quartulli (4):
      test_networking: use appropriate assert helpers
      unit_tests: prefer proper cmocka assert helpers
      init: make some functions static
      options: remove --opt-verify functionality

Arne Schwabe (3):
      Do not underestimate number of encrypted/decrypted AEAD blocks
      Fix construction of invalid pointer in tls_pre_decrypt
      Fix memcmp check for the hmac verification in the 3way handshake being inverted

Frank Lichtenheld (17):
      manage: Correctly handle port 65535 in man_kill
      pkcs11_openssl: Silence a conversion warning
      Enable -Wtype-limits by default (via -Wextra)
      ssl: Change tls_send_payload size argument to size_t
      openssl_compat: Avoid conversion warning for SSL_get_negotiated_group
      pkcs11: Avoid some conversion warnings
      ssl: change return type of calc_control_channel_frame_overhead to size_t
      otime: Fix various conversion warnings
      interval: Fix conversion warning
      forward: Change context_reschedule_sec sec argument to time_t
      tls_crypt: Avoid some conversion warnings
      ssl: Fix conversion warning in tls_prepend_opcode_v1
      ssl: Change update argument of compute_earliest_wakeup to time_t
      ssl: Clean up type handling in write_string()
      ssl: Clean up type handling in export_user_keying_material()
      ssl: Clean up type handling in parse_early_negotiation_tlvs()
      ssl_pkt: Avoid conversion warnings

Gert Doering (5):
      FreeBSD DCO: repair incoming 'delete peer' notifications in p2p client mode
      dco_freebsd.c: add D_DCO_DEBUG messages for counters and notifications
      dco_freebsd: implement dco_get_peer_stats()
      FreeBSD DCO: repair --inactive
      dco_freebsd.c: fix integer warnings

Heiko Hund (7):
      iservice: fix DNS address list generation
      msvc: fix struct initialization for v19 compilers
      iservice: validate config path better
      win: remove checks for PATHCCH_ENSURE_TRAILING_SLASH
      iservice: validate config path case-insensitive
      iservice: make sure directories have trailing backslash
      iservice: use saved iface index to restore metric

Lev Stipakov (5):
      tapctl: use better wording for adapters
      tapctl: factor out command handlers
      recursive routing: fixes and clean-ups
      tapctl: make output of 'list' and 'create' commands more verbose
      tapctl: refactor 'create' command

Marco Baffo (1):
      PUSH_UPDATE server: update reporting_addr after ifconfig update

Mikhail Khachaiants (1):
      socket: reject mismatched address family in get_addr_generic

Selva Nair (2):
      openvpnserv: Disallow stdin as config unless user is authorized
      Use correct undo_list when clearing DNS addresses


2025.10.29 -- Version 2.7_rc1

Antonio Quartulli (1):
      sitnl: set FD_CLOEXEC on socket to prevent abuse

Arne Schwabe (12):
      Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
      Avoid possible race condition that kill OpenVPN itself
      Add ASSERT to afunix code that dev_node is always set up the way we expect
      Warn if push is used without --mode server/--server/--server-bridge
      Fix logic when pushed cipher triggers tun reopen and ignore more options
      Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled
      Remove --memstats feature
      clean up environment variable handling in verify_user_pass_script
      fix key_state_gen_auth_control_files probably checking file creation
      Fix warnings about conversion from int to unsigned char/uint8_t
      Ensure return value of snprintf is correctly checked
      Ensure that get_sigtype always return non-NULL

Christian Kujau (2):
      doc: Fix hyperlinks in openvpn(8)
      doc: HTTPS upgrades and URL fixes throughout the tree

Frank Lichtenheld (18):
      test_dhcp: Start a dhcp helper functions UT
      CONTRIBUTING: Update outdated/obsolete information
      schedule: Fix conversion warning
      win32: Change some APIs to use DWORD instead of size_t
      dhcp: Clean up type handling of write_dhcp_*
      init: Fix datav2_enabled check in options import
      socket: Wrap winsock functions to avoid common conversion warnings
      proxy: factor out recv_char code common with socks proxy
      proxy: factor out send code common with socks proxy
      push_util: Make send_push_update static
      ssl_util: Fix conversion warning in get_num_elements
      push_util: Fix conversion warnings
      multi: Fix wrong usage of mroute_extract_openvpn_sockaddr
      mroute: Remove unused mask argument of mroute_get_in*
      gremlin: Avoid some conversion warnings
      crypto_backend: Change len argument of md_ctx_update to size_t
      mudp/mtcp: Remove -Wconversion pragmas
      manage: Change kill_by_addr to use better types for port/proto

Gert Doering (3):
      remove redundant PULL_DEFINED() macro definition
      zeroize struct image in packet_id_persist_save() before writing to disk
      OpenVPN Release 2.7_rc1

Heiko Hund (2):
      iservice: use interface index with netsh
      iservice: check return value of MultiByteToWideChar

Joshua Rogers (1):
      tcp: apply CLOEXEC to accepted socket, not listener

Lev Stipakov (1):
      interactive.c: add the upper bound for startupdata size

Marco Baffo (2):
      PUSH_UPDATE server: remove old IP(s) from vhash after sending a message containing ifconfig(-ipv6)
      PUSH_UPDATE server: invalid read bug-fix and unit-tests improvements

Max Fillinger (1):
      Zeroize tls-crypt-v2 client keys

Ralf Lici (5):
      options: warn and ignore --reneg-bytes/pkts when DCO is enabled
      dco-freebsd: store peer stats directly in c2
      dco: remove dco_read/write_bytes from dco_context_t
      dco-freebsd: fix peer stats storage on client instances
      management: ensure consistent BYTECOUNT timing on server

Selva Nair (3):
      pkcs11_management_id_get: Free certificate object after use
      Canonicalize config_dir before comparing with the config file location
      Add -lpathcch for mingw32 builds using autotools

Steffan Karger (1):
      Remove perf.c/perf.h


2025.10.13 -- Version 2.7_beta3

Arne Schwabe (2):
      Allowing installing FreeBSD routes with interface instead of next-hop
      Allow route_ipv6_match_host to be used outside of route.c

Frank Lichtenheld (33):
      GHA: Dependency updates September 2025
      comp-lz4: Fix types in call to LZ4_decompress_safe
      dco_win: In dco_new_key, document size assumptions for the integer casts
      dco_linux: Fix -Wconversion warnings
      ssl_openssl: Use uint16_t internally for TLS versions
      dco: Change sd argument to dco_new_peer from int to socket_descriptor_t
      crypto_epoch: Clean up type handling in ovpn_expand_label()
      route: Fix a unused-but-set-variable warning on OpenBSD
      platform: Do not assume uid_t/gid_t are signed
      mtu: Trivial -Wconversion fix
      Review CMocka assertion usage
      dhcp: Fix conversion warnings
      COPYING: Remove licenses for software bundled in the Windows client
      sitnl: Clean up type handling
      options: Factor out parsing code to separate options_parse.c
      unit_tests: Remove useless wrapping for argv/buffer tests
      crypto: Make some casts to int explicit
      test_options_parse: Start new UT for options_parse.c
      buffer: Fix buf_parse eating input
      test_options_parse: Add test for read_config_string
      vlan: Remove -Wconversion override
      GHA: Run options_parse test for MinGW
      test_options_parse: Do not use uintmax_t instead of LargestIntegralType
      proto: Clean up conversion warnings related to checksum macros
      test_options_parse: Remove --wrap
      lzo: Fix conversion warning
      options_util: Fix conversion warning in atoi_constrained
      options: Review use of positive_atoi vs atoi_constrained
      console: Simplify query_user_add interface
      socks: Fix conversion warnings with MinGW
      Move build_dhcp_options_string from tun to dhcp
      dhcp: Replace DHCP Option types with defines
      test_user_pass: Check fatal errors for empty username/password

Lev Stipakov (4):
      dco-win: fix broken ASSERT in dco_new_key
      dco-win: support for epoch data channel
      Preserve ifconfig(_ipv6)_local across reconnect
      Make recursive routing check more fine-grained

Marco Baffo (4):
      PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled
      PUSH_UPDATE server: bug-fix, reset buffer after processing
      PUSH_UPDATE server: check IV_PROTO before sending the message to the client
      redirect-gateway: only redirect traffic through TUN if address families match

Selva Nair (1):
      Fix PIN cache time in test_pkcs11.c

Steffan Karger (1):
      Document that tls-crypt-v2 can be used in connection profile


2025.09.25 -- Version 2.7_beta2

Antonio Quartulli (1):
      dco: add standard mi prefix handling to multi_process_incoming_dco()

Arne Schwabe (1):
      Switch test_ssl certificate from RSA 2048 to secp384r1

Frank Lichtenheld (22):
      openvpn_PRF: Change API to use size_t for lengths
      ssl_common: Make sure ssl flags are treated as unsigned
      options: Factor out usages of strtoll and atoll
      ps: Clean up conversion warnings in journal_add function
      events: Make sure rwflags are treated as unsigned
      manage: Change command_line_* API to use size_t for lengths
      Introduce msglvl_t to unify msglevel type handling
      socket: Change resolve flags to unsigned int
      list: Make types of hash elements consistent
      ssl: Fix -Wconversion warnings in pem_password_callback
      ssl_verify: Change backend_x509_* functions to size_t for lengths
      Handle return type of EVP_MD_size
      Clean up conversion warnings related to base64_{en, de}code
      configure.ac: Make ACL_CHECK_ADD_COMPILE_FLAGS append instead of prepend
      Enable a subset of -Wextra
      socks: factor out socks_proxy_recv_char()
      multi_io_init: simplify
      dns: Fix bug in error handling when talking to script
      Enable -Wconversion -Wno-sign-conversion by default
      Make unit tests -Wconversion clean
      ps: Fix conversion warnings related to send/recv return values
      event: Silence conversion warning in tv_to_ms_timeout

Gert Doering (5):
      replace assert() calls with ASSERT()
      remove newline characters at the end of msg() calls
      dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message
      fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
      Fix t_net.sh / networking_testdriver after 'broadcast' change

Gianmarco De Gregori (2):
      Multi-socket win: avoid repeated socket_set()
      Fix multi-socket and dco-win interaction

Lev Stipakov (5):
      Preserve --dhcp-option values from local config
      win: replace wmic invocation with powershell
      openvpnserv: Fix writing messages to the event log
      GHA: collect more artifacts for mingw builds
      Validate DNS parameters

Marco Baffo (1):
      push-update-server: comment about buf_string_compare_advance() usage in send_single_push_update()

Max Fillinger (1):
      Rename Fox Crypto to Sentyron in copyright notices

Sebastian Marsching (1):
      Bugfix: Set broadcast address on interface.


2025.09.04 -- Version 2.7_beta1

Arne Schwabe (1):
      Check message id/acked ids too when doing sessionid cookie checks

Frank Lichtenheld (27):
      Update text of GPL to latest version from FSF
      Update GPL header in all source files to current recommended version
      Define a .clang-format file for the project
      Disable clang-format for some code parts
      Update git-pre-commit-uncrustify.sh to handle clang-format
      GHA: enable -Werror for mbedTLS v3 and AWS LC builds
      Reformat the whole project with clang-format
      Fix build error with clang-cl on latest Windows SDK
      clang-format: Switch to ColumnLimit 0
      Add clang-format reformat commit to .git-blame-ignore-revs
      Remove uncrustify config and reformat-all.sh
      buffer: remove unused function buf_write_alloc_prepend
      t_client.sh: Do not wait 3 seconds for OpenVPN to come up
      Collect trivial conversion fixes
      options: Fix --hash-size virtual argument
      Clean up documentation for --tun-mtu-max
      comp: Make sure comp flags are treated as unsigned
      crypto: Make sure crypto flags are treated as unsigned
      options: Make sure option types are treated as unsigned
      route: Make sure various route flags are treated as unsigned
      socket: Create socket_util with non-socket functions
      Add new unit test module test_socket
      socket_util: Clean up conversion warnings in add_in6_addr
      manage: Make sure various management flags are treated as unsigned
      forward: Make sure pip flags are treated as unsigned
      options: Introduce atoi_constrained and review usages of atoi_warn
      ssl_openssl: Fix type of sslopts argument to SSL_CTX_set_options

Gert Doering (3):
      Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
      Introduce env variables to communicate desired gateway redirection to NM.
      OpenVPN Release 2.7_beta1

Gianmarco De Gregori (1):
      dco: avoid printing mi prefix on debug messages

Heiko Hund (1):
      dns: fix systemd dns-updown script

Ilia Shipitsin (1):
      GHA: limit 'Deploy Doxygen documentation' to main repo only

Lev Stipakov (3):
      Log setting DNS via NRPT
      dco-win: add support for multipeer stats
      Refactor management bytecount tracking

Marco Baffo (1):
      PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages

Ralf Lici (3):
      management: resync timer on bytecount interval change
      dco_linux: validate tun interface before fetching stats
      management: stop bytecount on client disconnection

Samuli Seppänen (2):
      Add sample FFDH parameters file and use that in t_server_null tests


2025.07.31 -- Version 2.7_alpha3

Antonio Quartulli (10):
      README.dco: update Linux instructions
      dco_linux: fix case statement by using proper error value
      dco_linux: use M_FATAL instead of M_ERR in netlink error code paths
      dco_linux: rearrange functions
      multi: store multi_context address inside top instance
      dco: only pass struct context to init function
      dco_linux: factor out netlink notification code
      dco_linux: fix async message reception
      multi: make some multi_*() functions static
      dco_linux: clean up PEER_GET trigger and parser

Arne Schwabe (1):
      Cleanup/simplify mbed TLS related define from autoconf

Christian Schürmann (1):
      Replace deprecated OpenSSL.crypto.load_crl

Frank Lichtenheld (8):
      packet_id: Fix build with --disable-debug
      Fix new doxygen warnings about using @return in void functions
      Fix compiler warning in reliable.c with --disable-debug
      reliable: Review and fix gc_arena usage
      configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
      GHA: Dependency updates July 2025
      plugins: Clean up -Wconversion warnings
      options: Simplify function setenv_foreign_option

Gert Doering (3):
      mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs
      unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
      OpenVPN Release 2.7_alpha3

Gianmarco De Gregori (2):
      Route: add support for user defined routing table
      Multi-socket: Fix assert triggered by stale peer-id reuse

Heiko Hund (9):
      dns: add updown script for macOS
      fix macOS dns-updown handling of parallel full redirects
      run forced --dns-updown without --script-security
      dns: create NRPT registry key if it doesn't exist
      dns: do not run updown scripts with lwipovpn
      prevent search domain races with macOS dns-updown
      move macOS dns-updown common code into functions
      mac dns: compare servers before restoring backup
      mac dns: do not run dns-updown in parallel

Kristof Provost (3):
      dco: support float notifications on FreeBSD
      dco-freebsd: always enable float notification support
      dco-freebsd: pass address scope to the kernel

Lev Stipakov (4):
      Fix broken DHCP options
      Fix --dns options for TAP adapter
      Fix DNS options duplication on PUSH_UPDATE
      Fix wrong byte order of --dns server

Marco Baffo (3):
      PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime.
      PUSH_UPDATE: Added remove_option() and do_update().
      PUSH_UPDATE: Added update_option() function.

Ralf Lici (5):
      dco linux: avoid redefining ovpn enums
      dco linux: avoid sending local port to ovpn
      dco: Add support for float notifications
      improve float collision logging
      add flag to print addresses in a consistent format during float

Samuli Seppänen (2):
      t_server_null: add multi-socket testing
      t_server_null: match test numbers with server numbers

Terrance (1):
      Update systemd service name param to match command

rein.vanbaaren (1):
      Added PQE to WolfSSL


2025.06.18 -- Version 2.7_alpha2

Antonio Quartulli (1):
      dco_linux: enable extended netlink error reporting

Arne Schwabe (1):
      Add missing header in unit tests Makefile.am

Frank Lichtenheld (6):
      Remove contrib/pull-resolv-conf
      Update copyright statements to 2025
      Do not segfault on missing --dh in server config
      Delete old sample-windows file and obsolete Windows sample handling
      t_server_null: Test different permutations of --dh
      Fix various badly placed comments in preparation for reformat

Gert Doering (1):
      OpenVPN Release 2.7_alpha2

Gianmarco De Gregori (1):
      Multi-socket: local_list clean-up

Heiko Hund (2):
      fix typo in haikuos dns-updown script
      dns: deal with --dhcp-options when --dns is active

Max Fillinger (2):
      Use mbedtls_ssl_export_keying_material()
      mbedtls: Allow TLS 1.3 if available

Ralf Lici (1):
      Preserve socket protocol during float processing

Samuli Seppänen (1):
      t_server_null: print error when server startup fails


2025.05.28 -- Version 2.7_alpha1

5andr0 (1):
      Implement server_poll_timeout for socks

Alexander von Gluck (4):
      Haiku: Introduce basic platform / tun support
      Haiku: Add calls to manage routing table
      Haiku: change del to delete in route command. del is undocumented
      Haiku: Fix short interface path length

Antonio Quartulli (32):
      disable DCO if --secret is specified
      dco: properly re-initialize dco_del_peer_reason
      dco: bail out when no peer-specific message is delivered
      dco: improve comment about hidden debug message
      dco: print proper message in case of transport disconnection
      dco_linux: update license for ovpn_dco_linux.h
      Update issue templates
      Avoid warning about missing braces when initialising key struct
      dco: don't use NetLink to exchange control packets
      dco: print version to log if available
      dco-linux: remove M_ERRNO flag when printing netlink error message
      multi: don't call DCO APIs if DCO is disabled
      dco-freebsd: use m->instances[] instead of m->hash
      dco-linux: implement dco_get_peer_stats{, multi} API
      configure.ac: fix typ0 in LIBCAPNG_CFALGS
      dco: fix crash when --multihome is used with --proto tcp
      dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
      event/multi: add event_arg object to make event handling more generic
      pass link_socket object to i/o functions
      io_work: convert shift argument to uintptr_t
      io_work: pass event_arg object to event handler in case of socket event
      sitnl: replace NLMSG_TAIL macro with noinline function
      override ai_family if 'local' numeric address was specified
      Adapt socket handling to support listening on multiple sockets
      allow user to specify 'local' multiple times in config files
      dco_linux: extend netlink error cb with extra info
      man: extend --persist-tun section
      dco: pass remoteaddr only for UDP peers
      socket: use remote proto when creating client sockets
      dco_linux: fix peer stats parsing with new ovpn kernel module
      socket: don't transfer bind family to socket in case of ANY address
      dco_linux: avoid bogus text when netlink message is not parsed

Aquila Macedo (1):
      doc: Correct typos in multiple documentation files

Arne Schwabe (190):
      Fix connection cookie not including address and fix endianness in test
      Fix unit test of test_pkt on little endian Linux
      Disable DCO when TLS mode is not used
      Ignore connection attempts while server is shutting down
      Improve debug logging of DCO swap key message and Linux dco_new_peer
      Trigger a USR1 if dco_update_keys fails
      Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
      Ensure that argument to parse_line has always space for final sentinel
      Improve documentation on user/password requirement and unicodize function
      Eliminate or comment empty blocks and switch fallthrough
      Remove unused gc_arena
      Fix corner case that might lead to leaked file descriptor
      Deprecate NTLMv1 proxy auth method.
      Use include "buffer.h" instead of include <buffer.h>
      Ensure that dco keepalive and mssfix options are also set in pure p2p mode
      Make management password check constant time
      Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
      Move dco_installed back to link_socket from link_socket.info.actual
      Do not set nl socket buffer size
      Also drop incoming dco packet content when dropping the packet
      Improve logging when seeing a message for an unkown peer
      Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
      Replace custom min macro and use more C99 style in man_remote_entry_get
      Replace realloc with new gc_realloc function
      Add connect-freq-initial option to limit initial connection responses
      Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
      Deprecate OCC checking
      Workaround: make ovpn-dco more reliable
      Fix unaligned access in auth-token
      Update LibreSSL to 3.7.0 in Github actions
      Add printing USAN stack trace on github actions
      Fix LibreSSL not building in Github Actions
      Add missing stdint.h includes in unit tests files
      Combine extra_tun/frame parameter of frame_calculate_payload_overhead
      Update the last sections in the man page to a be a bit less outdated
      Add building unit tests with mingw to github actions
      Revise the cipher negotiation info about OpenVPN3 in the man page
      Exit if a proper message instead of segfault on Android without management
      Use proper print format/casting when converting msg_channel handle
      Reduce initialisation spam from verb <= 3 and print summary instead
      Dynamic tls-crypt for secure soft_reset/session renegotiation
      Set netlink socket to be non-blocking
      Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
      Fix memory leaks in open_tun_dco()
      Fix memory leaks in HMAC initial packet generation
      Use key_state instead of multi for tls_send_payload parameter
      Make sending plain text control message session aware
      Only update frame calculation if we have a valid link sockets
      Improve description of compat-mode
      Simplify --compress parsing in options.c
      Refuse connection if server pushes an option contradicting allow-compress
      Add 'allow-compression stub-only' internally for DCO
      Parse compression options and bail out when compression is disabled
      Remove unused variable line
      Add Apache2 linking with for new commits
      Fix compile error on TARGET_ANDROID
      Fix use-after-free with EVP_CIPHER_free
      Remove key_type argument from generate_key_random
      add basic CMake based build
      Avoid unused function warning/error on FreeBSD (and potientially others)
      Do not blindly assume python3 is also the interpreter that runs rst2html
      Only add -Wno-stringop-truncation on supported compilers
      fix warning with gcc 12.2.0 (compiler bug?)
      Fix CR_RESPONSE mangaement message using wrong key_id
      Print a more user-friendly error when tls-crypt-v2 client auth fails
      Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
      Mock openvpn_exece on win32 also for test_tls_crypt
      Check if the -wrap argument is actually supported by the platform's ld
      Revert commit 423ced962d
      Implement using --peer-fingerprint without CA certificates
      show extra info for OpenSSL errors
      Remove ability to use configurations without TLS by default
      Add warning for the --show-groups command that some groups are missing
      Print peer temporary key details
      Add warning if a p2p NCP client connects to a p2mp server
      Remove openssl engine method for loading the key
      Add undefined and abort on error to clang sanitize builds
      Add --enable-werror to all platforms in Github Actions
      Remove saving initial frame code
      Double check that we do not use a freed buffer when freeing a session
      Fix using to_link buffer after freed
      Remove CMake custom compiler flags for RELEASE and DEBUG build
      Do not check key_state buffers that are in S_UNDEF state
      Remove unused function prototype crypto_adjust_frame_parameters
      Introduce report_command_status helper function
      Log SSL alerts more prominently
      Remove unused/unneeded/add missing defines from configure/cmake
      Document tls-exit option mainly as test option
      Remove dead remains of extract_x509_field_test
      Replace character_class_debug with proper unit test
      Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
      Fix check_session_buf_not_used using wrong index
      Add missing check for nl_socket_alloc failure
      Add check for nice in cmake config
      Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror
      Remove compat versionhelpers.h and remove cmake/configure check for it
      Rename state_change to continue_tls_process
      Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c
      Fix building mbed TLS with CMake and allow specifying custom directories
      Extend the error message when TLS 1.0 PRF fails
      Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
      Check PRF availability on initialisation and add --force-tls-key-material-export
      Make it more explicit and visible when pkg-config is not found
      Clarify that the tls-crypt-v2-verify has a very limited env set
      Move get_tmp_dir to win32-util.c and error out on failure
      Implement the --tls-export-cert feature
      Use mingw compile definition also to unit tests
      Add test_ssl unit test and test export of PEM to file
      Remove conditional text for Apache2 linking exception
      Fix ssl unit tests on OpenSSL 1.0.2
      Ensure that all unit tests use unbuffered stdout and stderr
      Allow unit tests to fall back to hard coded location
      Add unit test for encrypting/decrypting data channel
      Print SSL peer signature information in handshake debug details
      Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
      Turn dead list test code into unit test
      Use snprintf instead of sprintf for get_ssl_library_version
      Fix snprintf/swnprintf related compiler warnings
      Add bracket in fingerprint message and do not warn about missing verification
      Match ifdef for get_sigtype function with if ifdef of caller
      Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex
      Add missing EVP_KDF_CTX_free in ssl_tls1_PRF
      Replace macos11 with macos14 in github runners
      Remove openvpn_snprintf and similar functions
      Repeat the unknown command in errors from management interface
      Only run coverity scan in OpenVPN/OpenVPN repository
      Support OpenBSD with cmake
      Workaround issue in LibreSSL crashing when enumerating digests/ciphers
      Remove OpenSSL 1.0.2 support
      Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL
      Allow the TLS session to send out TLS alerts
      Properly handle null bytes and invalid characters in control messages
      Allow trailing \r and \n in control channel message
      Add Ubuntu 24.04 runner to Github Actions
      Implement support for AEAD tag at the end
      Remove check for anonymous unions from configure and cmake config
      Make read/write_tun_header static
      Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin
      Move to common backend_driver type in struct tuntap
      Introduce DRIVER_AFUNIX backend for use with lwipovpn
      Change dev null to be a driver type instead of a special mode of tun/tap
      Use print_tun_backend_driver instead of custom code to print type
      Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap
      Ensure that the AF_UNIX socket pair has at least 65k of buffer space
      Fix check for CMake not detecting struct cmsg
      Remove null check after checking for checking for did_open_tun
      Remove a large number of unused structs and functions
      Remove unused methods write_key/read_key
      Refuse clients if username or password is longer than USER_PASS_LEN
      Move should_trigger_renegotiation into its own function
      Change --reneg-bytes and --reneg-packets to 64 bit counters
      Use XOR instead of concatenation for calculation of IV from implicit IV
      Trigger renegotiation of data key if getting close to the AEAD usage limit
      Implement HKDF expand function based on RFC 8446
      Split init_key_ctx_bi into send/recv init
      Move initialisation of implicit IVs to init_key_ctx_bi methods
      Change internal id of packet id to uint64
      Add small unit test for buf_chomp
      Add building/testing with msbuild and the clang compiler
      Ensure that Python3 is available
      Change API of init_key_ctx to use struct key_parameters
      Allow DEFAULT in data-ciphers and report both expanded and user set option
      Do not attempt to decrypt packets anymore after 2**36 failed decryptions
      Add methods to read/write packet ids for epoch data
      Implement methods to generate and manage OpenVPN Epoch keys
      Rename aead-tag-at-end to aead-epoch
      Improve peer fingerprint documentation
      Remove comparing username to NULL in tls_lock_username
      Print warnings/errors when numerical parameters cannot be parsed
      Add unit tests for atoi parsing options helper
      Improve error reporting from AF_UNIX tun/tap support
      Fix typo in positive_atoi
      Fix oversight of link socket code change in Android code path
      Implement epoch key data format
      Extend the unit test for data channel packets with aead limit tests
      Add (fake) Android cmake building
      Add android build to Github Actions
      Reconnect when TCP is on use on network-change management command
      Implement override-username
      Fix incorrect condition for checking password related check
      Directly use _countof in array initialisation
      Improve documentation for override-username
      Mention address if not unspecific on DNS failure
      Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
      Allow tls-crypt-v2 to be setup only on initial packet of a session
      Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid
      Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username
      Also print key agreement when printing negotiated details
      Fix mbed TLS key exporter functionality in 3.6.x and cmake
      Make --dh none behaviour default if not specified

Ben Boeckel (1):
      console_systemd: remove the timeout when using 'systemd-ask-password'

Christoph Schug (1):
      Update documentation references in systemd unit files

Corubba Smith (3):
      Support IPv6 towards port-share proxy receiver
      Document x509-username-fields oid usage
      Remove x509-username-fields uppercasing

David Sommerseth (4):
