will build the app as if it were running on the simulator, i.e. with
a null tun device, but will build for an actual iOS device.
OPENVPN_SSL_DEBUG defined in ovpncli.cpp is now a debug level and
can be set to an integer value (or 0 to disable).
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0", "1.1", or "1.2". If 'or-highest' is specified
and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.3 or-highest -- require that the peer
connect at TLS 1.3 or higher, however if the local SSL
implementation doesn't support TLS 1.3 (as it wouldn't in 2013
since TLS 1.3 doesn't exist yet), reduce the minimum required
version to the highest version supported by the local SSL
implementation (such as TLS 1.2). This is intended to allow
client configurations to target higher TLS versions that are
supported on the server, even if some older clients don't
support these versions yet.
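
The resolution rule described in the tls-version-min entry above, as an added C++ example that is not part of the OpenVPN source. The names TlsVer, resolve_tls_version_min and peer_accepted are hypothetical, and rejecting an unrecognized version when 'or-highest' is absent is an assumption.

```cpp
// Added example (not OpenVPN source): resolving tls-version-min with 'or-highest'.
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

enum class TlsVer { V1_0, V1_1, V1_2 };  // the versions the entry names

// True if 'v' names a version the local SSL implementation supports.
static bool recognize(const std::string& v, TlsVer local_max, TlsVer& out)
{
    if (v == "1.0") out = TlsVer::V1_0;
    else if (v == "1.1") out = TlsVer::V1_1;
    else if (v == "1.2") out = TlsVer::V1_2;
    else return false;                    // e.g. "1.3": unknown to this build
    return out <= local_max;              // known name, but maybe too new locally
}

// Returns the effective minimum for "tls-version-min <version> ['or-highest']".
TlsVer resolve_tls_version_min(const std::string& directive, TlsVer local_max)
{
    std::istringstream in(directive);
    std::string name, ver, flag, extra;
    in >> name >> ver >> flag >> extra;
    if (name != "tls-version-min" || ver.empty() || !extra.empty())
        throw std::invalid_argument("malformed tls-version-min directive");
    if (!flag.empty() && flag != "or-highest")
        throw std::invalid_argument("unknown flag: " + flag);
    TlsVer v = TlsVer::V1_0;
    if (recognize(ver, local_max, v))
        return v;
    if (flag == "or-highest")
        return local_max;                 // fall back to the local highest
    // Assumption: without 'or-highest' an unrecognized version is a config error.
    throw std::invalid_argument("unrecognized TLS version: " + ver);
}

// The handshake check: fail unless the peer negotiated at least the minimum.
bool peer_accepted(TlsVer negotiated, TlsVer effective_min)
{
    return negotiated >= effective_min;
}

int main()
{
    TlsVer m = resolve_tls_version_min("tls-version-min 1.3 or-highest", TlsVer::V1_2);
    std::cout << "TLS 1.1 peer accepted: " << peer_accepted(TlsVer::V1_1, m) << "\n";
    return 0;
}
```

With 'or-highest', a client whose library tops out at TLS 1.2 ends up requiring exactly TLS 1.2, so the fallback never lowers the floor below what that client can do best.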
where if more than one instance of an option exists, and
a single instance of the option is required, use the last
instance. Previously we would raise an exception in this case.
like the rest of the core.
Added verbose() method to class SessionStats so that clients can
know whether to pass extra text data to error() virtual method.
with repeating replay errors if server sends data channel packets
immediately after KeyContext goes ACTIVE but before tun object in
ClientProto is initialized.
the cert chain from Keychain Identities.
Note that this solution is still not ideal because the iOS keychain
appears unable to import a PKCS#12 file as a bundle. It only
imports the leaf cert/key and ignores the rest.
So for this fix to be effective, each of the root and intermediate
certs in the PKCS#12 file must be manually extracted and separately
imported as .crt files.
MERGE from -r8632 https://svn.openvpn.net/projects/openvpn/cs/openvpn/ovpn3.ios101
modifications due to server push will not persist across client
instantiations.
Added RCCopyable object, a variation on RC that allows copying and
assignment.
OpenVPN 1.1.11 build 43 (Android)
Fixed issue with NTLM proxy authentication where connections
through Squid proxies would produce the error "NTLM phase-2
Content-Length is not zero".
OpenVPN 1.1.10 build 42 (Android)
Change to memcmp_secure: declare memory regions as volatile
to avoid potential compiler optimizations from leaking
timing info.
multiple addresses will be treated as if each address was an
individual remote directive.
Fixed issue where UDP transport driver was calling socket
connect method synchronously. This can cause exceptions
to be thrown in corner cases, such as "No route to host"
on OSX/iOS for connections to IPv6 addresses when no default
IPv6 route exists on system. Refactoring UDP connect
operation to be asynchronous fixes the issue.
Implemented remote-random.
Core: Log but don't raise a fatal error on connections where
server pushes an invalid route or dhcp-option. In this case,
the offending pushed directive will be ignored.
tun semantics, however this code has not been enabled yet on iOS
because it breaks in several ways:
1. network available/unavailable detection appears to break when
tun interface is kept alive across transport connection sessions.
2. plugin session persistence appears to fail when these lines are not
executed immediately after transport pause/resume:
VPNTunnelSetStatus(tunnelRef, kVPNTunnelStatusReasserting, 0);
VPNTunnelClearConfiguration(tunnelRef);
iOS Core change: change pause/reconnect delay to 3 seconds (from 2)
to reduce flapping.
1. route all DNS requests through pushed DNS server if no added
search domains.
2. route selected DNS requests through pushed DNS server if at
least one added search domain.
On Android, apparently there is no selective DNS routing, so all
DNS requests will be routed through pushed DNS server, if at least
one exists.
With redirect-gateway on both platforms, all DNS requests are always
routed through the VPN.