Ported iOS client and OpenVPN 3 core to ARM-64.
Now building a "fat binary" with Xcode 5.0.1 that
targets armv7, armv7s, and arm64.
Outstanding issues:
* IPv6 doesn't route through tunnel on iOS7
* Client doesn't install on iOS 5.1.1.
passwords (i.e. POLARSSL_ERR_X509_PASSWORD_REQUIRED
and POLARSSL_ERR_X509_PASSWORD_MISMATCH).
Our private PolarSSL patch set has been reduced down to
only polarssl-minicrypto.patch.
Extended vars-android to fully set up NDK environment.
Added new test profile autopkp8v2.ovpn using PKCS#5 v2.0
private key.
tls-version-min directive:
setenv opt tls-version-min 1.2 or-highest
In 3.0 core, properly set OPENVPN_VERSION to 3.0.
Updated make-community to automatically push at
end of build.
unrecognized, ignored, or unused.
This behavior is somewhat different (by design) from the 2.x branch, which
raises a fatal exception if an unrecognized option is
encountered.
if input and output were pointing to the same memory, as is often
the case with PolarSSL calls.
Removed minicrypto files (such as Blowfish) that are no longer used.
parameters in include/polarssl/openvpn-polarssl.h which is then
included by config.h.
Previously we passed configuration parameters via
polarssl/CMakeLists.txt, but this creates a problem in that
the calling app can include headers from include/polarssl and
not get the right configuration parameters.
will build the app as if it was running on the simulator, i.e. with
null tun device, but will build for an actual iOS device.
OPENVPN_SSL_DEBUG defined in ovpncli.cpp is now a debug level and
can be set to an integer value (or 0 to disable).
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0", "1.1", or "1.2". If 'or-highest' is specified
and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.3 or-highest -- require that the peer
connect at TLS 1.3 or higher, however if the local SSL
implementation doesn't support TLS 1.3 (as it wouldn't in 2013
since TLS 1.3 doesn't exist yet), reduce the minimum required
version to the highest version supported by the local SSL
implementation (such as TLS 1.2). This is intended to allow
client configurations to target higher TLS versions that are
supported on the server, even if some older clients don't
support these versions yet.
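To make the 'or-highest' fallback concrete, here is an added example (not OpenVPN project code) that resolves a tls-version-min line against the highest TLS version the local SSL implementation supports and then applies the resolved minimum to a peer's offered version. TlsVersion, parse_tls_version, resolve_tls_version_min and peer_version_acceptable are names assumed for this illustration, and the local maximum is passed in as a parameter rather than queried from the SSL library.

```cpp
#include <sstream>
#include <string>

// Added example, not OpenVPN code: models the tls-version-min resolution
// described above.  All names here are assumed for the illustration.
enum class TlsVersion { UNDEF = 0, V1_0 = 10, V1_1 = 11, V1_2 = 12, V1_3 = 13 };

// Map the version token to an enum; UNDEF when the token is not recognized.
TlsVersion parse_tls_version(const std::string& tok)
{
  if (tok == "1.0") return TlsVersion::V1_0;
  if (tok == "1.1") return TlsVersion::V1_1;
  if (tok == "1.2") return TlsVersion::V1_2;
  if (tok == "1.3") return TlsVersion::V1_3;
  return TlsVersion::UNDEF;
}

// Resolve one "tls-version-min <version> ['or-highest']" line against the
// highest TLS version the local SSL implementation supports (local_highest
// stands in for what the library would report).  Returns the effective
// minimum, or UNDEF when the directive cannot be honored: an unrecognized
// version, or a version above local support, without 'or-highest'.
TlsVersion resolve_tls_version_min(const std::string& line, TlsVersion local_highest)
{
  std::istringstream in(line);
  std::string directive, version, flag;
  in >> directive >> version >> flag;
  if (directive != "tls-version-min" || version.empty())
    return TlsVersion::UNDEF;
  const bool or_highest = (flag == "or-highest");
  const TlsVersion want = parse_tls_version(version);
  if (want == TlsVersion::UNDEF || want > local_highest)
    return or_highest ? local_highest : TlsVersion::UNDEF;  // fall back or fail
  return want;
}

// Handshake-time check: a peer offering `peer` is accepted only at or above
// the resolved minimum; an unresolved minimum (UNDEF) rejects every peer.
bool peer_version_acceptable(TlsVersion min_required, TlsVersion peer)
{
  return min_required != TlsVersion::UNDEF && peer >= min_required;
}
```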
where if more than one instance of an option exists, and
a single instance of the option is required, use the last
instance. Previously we would raise an exception in this case.
like the rest of the core.
Added verbose() method to class SessionStats so that clients can
know whether to pass extra text data to error() virtual method.
with repeating replay errors if server sends data channel packets
immediately after KeyContext goes ACTIVE but before tun object in
ClientProto is initialized.
the cert chain from Keychain Identities.
Note that this solution is still not ideal because the iOS keychain
appears unable to import a PKCS#12 file as a bundle. It only
imports the leaf cert/key and ignores the rest.
So for this fix to be effective, each of the root and intermediate
certs in the PKCS#12 file must be manually extracted and separately
imported as .crt files.
MERGE from -r8632 https://svn.openvpn.net/projects/openvpn/cs/openvpn/ovpn3.ios101
modifications due to server push will not persist across client
instantiations.
Added RCCopyable object, a variation on RC that allows copying and
assignment.
OpenVPN 1.1.11 build 43 (Android)
Fixed issue with NTLM proxy authentication where connections
through Squid proxies would produce the error "NTLM phase-2
Content-Length is not zero".
OpenVPN 1.1.10 build 42 (Android)
Change to memcmp_secure: declare memory regions as volatile
to prevent compiler optimizations that could leak
timing info.
multiple addresses will be treated as if each address was an
individual remote directive.
Fixed issue where UDP transport driver was calling socket
connect method synchronously. This can cause exceptions
to be thrown in corner cases, such as "No route to host"
on OSX/iOS for connections to IPv6 addresses when no default
IPv6 route exists on the system. Refactoring the UDP connect
operation to be asynchronous fixes the issue.
Implemented remote-random.
Core: Log but don't raise a fatal error on connections where
server pushes an invalid route or dhcp-option. In this case,
the offending pushed directive will be ignored.