* Performance degradation from recent commit was occurring
in PRNG.
* Allow RNG to be used in place of PRNG. For PolarSSL
at least, this change completely reverses the
polymorphic ProtoContext performance degradation
and turns it into a net performance gain.
* Added bool prng to RNG constructors to allow
the implementation to optimize for PRNG
(only PolarSSL currently supports this).
Documented different use-cases for RNG vs. PRNG
in ProtoContext:
RNG -- Random number generator.
Use-cases demand highest cryptographic strength
such as key generation.
PRNG -- Pseudo-random number generator.
Use-cases demand cryptographic strength
combined with high performance. Used for
IV and ProtoSessionID generation.
(MacLifeCycle).
Monitor connection lifecycle notifications, such as sleep, wakeup,
network-unavailable, and network-available.
Note that not all platforms define a lifecycle object. Some
platforms such as Android and iOS manage lifecycle notifications at
the service level, and they call pause(), resume(), reconnect(),
etc. as needed using the main ovpncli API.
Also, added a reason string to Pause event.
Implemented full TunClient class for Windows with TAP driver
support. For now, we use netsh (rather than TAP driver DHCP)
to set all tunnel adapter properties, as this appears to work
great on Windows 7.
IPv6 is fully supported.
Known issues:
* netsh doesn't have a command for adding DNS search domains, so
we don't support them yet.
* While we always try to remove routes and added properties from
TAP adapter instance when we close out the session, for robustness,
when we bring up TAP adapter, we should try to delete any stale
routes on interface left over from previous session.
* Right now we call netsh with system(). For security and
compatibility with Windows apps (not only console apps),
we should use CreateProcess instead.
Core: Added forceAesCbcCiphersuites config flag. When enabled,
the TLS implementation will not set a minimum TLS version for
peer negotiation (even if tls-version-min is specified), but
will instead force one of these two ciphersuites:
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
When forceAesCbcCiphersuites is disabled, no explicit set of
ciphersuites will be forced, but the TLS minimum version will
be set to 1.0 (or higher if tls-version-min is specified).
Also added iOS preference and cli.cpp option to control the
forceAesCbcCiphersuites flag.
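The policy described above, written out as an added standalone example (not code from the OpenVPN 3 core); the struct, function names and the string form of the tls-version-min value are assumptions. The point it makes visible is that enabling the flag drops the version floor entirely, even when tls-version-min is set.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// TLS negotiation policy derived from forceAesCbcCiphersuites and tls-version-min.
struct TlsPolicy {
    std::vector<std::string> forcedCiphersuites; // empty = no suites forced
    std::string minVersion;                      // empty = no version floor set
};

// tlsVersionMin is the raw tls-version-min value ("1.0", "1.1", "1.2"), or "" if absent.
// Hypothetical helper; the core's real configuration classes are not reproduced here.
TlsPolicy buildTlsPolicy(bool forceAesCbcCiphersuites, const std::string& tlsVersionMin)
{
    TlsPolicy p;
    if (forceAesCbcCiphersuites) {
        // Flag on: force exactly these two suites and set NO minimum version,
        // even if tls-version-min was specified.
        p.forcedCiphersuites = {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"};
    } else {
        // Flag off: no forced suites; floor is 1.0 unless tls-version-min raises it.
        p.minVersion = tlsVersionMin.empty() ? "1.0" : tlsVersionMin;
    }
    return p;
}

// Check a practitioner would want: does the resulting policy still honour the
// configured floor? False whenever the flag is on, regardless of tls-version-min.
bool enforcesVersionFloor(const TlsPolicy& p, const std::string& tlsVersionMin)
{
    const std::string floor = tlsVersionMin.empty() ? "1.0" : tlsVersionMin;
    return !p.minVersion.empty() && p.minVersion >= floor;
}

int main()
{
    for (bool flag : {true, false}) {
        TlsPolicy p = buildTlsPolicy(flag, "1.2");
        std::cout << "forceAesCbcCiphersuites=" << flag
                  << " forced=" << p.forcedCiphersuites.size()
                  << " min='" << p.minVersion << "'"
                  << " floorEnforced=" << enforcesVersionFloor(p, "1.2") << "\n";
    }
    return 0;
}
```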
Ported iOS client and OpenVPN 3 core to ARM-64.
Now building a "fat binary" with Xcode 5.0.1 that
targets arm7, arm7s, and arm64.
Outstanding issues:
* IPv6 doesn't route through tunnel on iOS7
* Client doesn't install on iOS 5.1.1.
unrecognized, ignored, or unused.
This behavior is, by design, somewhat different from the 2.x branch,
which will raise a fatal exception if an unrecognized option is
encountered.
will build the app as if it was running on the simulator, i.e. with
null tun device, but will build for an actual iOS device.
OPENVPN_SSL_DEBUG defined in ovpncli.cpp is now a debug level and
can be set to an integer value (or 0 to disable).
like the rest of the core.
Added verbose() method to class SessionStats so that clients can
know whether to pass extra text data to error() virtual method.
multiple addresses will be treated as if each address was an
individual remote directive.
Fixed issue where UDP transport driver was calling socket
connect method synchronously. This can cause exceptions
to be thrown in corner cases, such as "No route to host"
on OSX/iOS for connections to IPv6 addresses when no default
IPv6 route exists on the system. Refactoring the UDP connect
operation to be asynchronous fixes the issue.
Implemented remote-random.
Separated the functionality of replacePasswordWithSessionID
and cachePassword, and allow them to be used together,
in which case the session ID will be used as the password
until it expires or is invalidated, then the cached
password will be used to reauth.
Android: 1.1.9 build 31
* Reverted key-direction back to a default of 1.
* Raise fatal error if "fragment" option is used.
* Made TunBuilderCapture more useful as a base class for
tun construction on various platforms.
* Added disableClientCert flag at ovpncli.hpp API.
* Updated help FAQ with more details on how to
properly set key-direction, and notes about
possible network disconnect during voice calls.