| 1 | +openvpn (2.6.0~git20221201-1) unstable; urgency=medium |
| 2 | + |
| 3 | + OpenVPN 2.6 has changed several defaults that might lead to connection |
| 4 | + problems, especially when the remote side runs an old OpenVPN version |
| 5 | + or cipher negotiations (NCP) are not in effect. This especially affects |
| 6 | + connecting to OpenVPN 2.3.x or earlier, and several limitations around |
| 7 | + old cryptographic algorithms and keys, mostly caused by the switch to |
| 8 | + OpenSSL 3.0 |
| 9 | + |
| 10 | + These include but are not limited to |
| 11 | + |
| 12 | + - weak SHA1 or MD5 signature on certificates |
| 13 | + - 1024 bit RSA certificates, 1024 bit DH parameters, other weak keys |
| 14 | + - Use of a legacy or deprecated cipher (e.g. 64bit block ciphers) |
| 15 | + - remote OpenVPN version not supporting TLS 1.2 or later |
| 16 | + |
| 17 | + Please read the release notes installed as |
| 18 | + /usr/share/doc/openvpn/changelog.gz. |
| 19 | + |
| 20 | + With an optional kernel module (available as package openvpn-dco-dkms) |
| 21 | + the data plane encryption/decryption is performed in kernel space, |
| 22 | + reducing page copy overhead and increasing the throughput significantly. |
| 23 | + DCO (Data Channel Offload) should work with most configurations. In |
| 24 | + case of issues, please try running OpenVPN with --disable-dco first. |
| 25 | + |
| 26 | + -- Bernhard Schmidt < [email protected]> Mon, 23 May 2022 11:04:30 +0200 |
| 27 | + |
| 28 | +openvpn (2.4.9-3) unstable; urgency=medium |
| 29 | + |
| 30 | + To ensure the functionality of OpenVPN connections during an update, |
| 31 | + OpenVPN is not restarted after the update since this version. |
| 32 | + |
| 33 | + Please restart OpenVPN or reboot the computer manually after the update. |
| 34 | + |
| 35 | + -- Jörg Frings-Fürst < [email protected]> Sat, 02 May 2020 18:14:36 +0200 |
| 36 | + |
| 37 | +openvpn (2.4.0-4) unstable; urgency=medium |
| 38 | + |
| 39 | + If you're upgrading a previous OpenVPN installation, you should check your |
| 40 | + current CRL file expiraton date. "crl-verify" option now also checks that. |
| 41 | + Regenerate your CRL file if the expiration date is in the past or your |
| 42 | + clients won't be able to connect. |
| 43 | + |
| 44 | + OpenVPN 2.4 will try to connect using IPv6 first if you're using a hostname |
| 45 | + with both A and AAAA entries, if your VPN server is still running a |
| 46 | + previous (<2.4) version a long wait may occur until your 2.4 client tries |
| 47 | + with the IPv4 address. |
| 48 | + |
| 49 | + -- Alberto Gonzalez Iniesta < [email protected]> Thu, 02 Feb 2017 14:15:42 +0100 |
| 50 | + |
| 51 | +openvpn (2.4.0-1) unstable; urgency=medium |
| 52 | + |
| 53 | + OpenVPN 2.4 removed tls-remote option. Current setups using that option |
| 54 | + will fail to work. Update your configuration to use verify-x509-name |
| 55 | + instead. |
| 56 | + |
| 57 | + -- Alberto Gonzalez Iniesta < [email protected]> Tue, 27 Dec 2016 22:50:20 +0100 |
| 58 | + |
| 59 | +openvpn (2.3~rc1-1) experimental; urgency=low |
| 60 | + |
| 61 | + auth-pam and down-root plugins renamed to: |
| 62 | + openvpn-plugin-auth-pam.so |
| 63 | + openvpn-plugin-down-root.so |
| 64 | + |
| 65 | + -- Alberto Gonzalez Iniesta < [email protected]> Tue, 06 Nov 2012 13:22:13 +0100 |
| 66 | + |
| 67 | +openvpn (2.1~rc15-1) unstable; urgency=low |
| 68 | + |
| 69 | + The openvpn utility changed its handling of pkcs11 certificates when it |
| 70 | + switched from built-in code to the pkcs11-helper library (package |
| 71 | + libpkcs11-helper1 on Debian). This means that you will have to update your |
| 72 | + openvpn configuration files if you are using such certificates. For |
| 73 | + example, a stanza in a configuration file might previously have referred to |
| 74 | + a given pkcs11 certificate like this: |
| 75 | + |
| 76 | + pkcs11-providers /usr/lib/opensc-pkcs11.so |
| 77 | + pkcs11-slot-type id |
| 78 | + pkcs11-slot 0 |
| 79 | + pkcs11-id-type label |
| 80 | + pkcs11-id "YOUR_LABEL" |
| 81 | + |
| 82 | + This stanza has to be rewritten now in the following way: |
| 83 | + |
| 84 | + pkcs11-providers /usr/lib/opensc-pkcs11.so |
| 85 | + pkcs11-id 'YOUR_PKCS11_SERIALIZED_ID' |
| 86 | + |
| 87 | + The pkcs11-slot, pkcs11-slot-type, pkcs11-id-type options are obsolete; |
| 88 | + a long ID string that is unique for each certificate is now used as the |
| 89 | + only identifier. Note that YOUR_PKCS11_SERIALIZED_ID will almost |
| 90 | + certainly be different from YOUR_LABEL that you used previously with the |
| 91 | + pkcs11-id option. To find out the correct serialized ID(s) for your |
| 92 | + certificate(s), you have to query the pkcs11-provider library: |
| 93 | + |
| 94 | + $ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so |
| 95 | + |
| 96 | + The following objects are available for use. |
| 97 | + Each object shown below may be used as parameter to --pkcs11-id option |
| 98 | + please remember to use single quote mark. |
| 99 | + |
| 100 | + Certificate |
| 101 | + DN: /CN=YOUR_USER |
| 102 | + Serial: SERIAL_NUMBER |
| 103 | + Serialized id: YOUR_PKCS11_SERIALIZED_ID |
| 104 | + |
| 105 | + You have to paste YOUR_PKCS11_SERIALIZED_ID as seen in this output into |
| 106 | + your openvpn configuration file and make sure that the string is enclosed |
| 107 | + in single quotation marks. |
| 108 | + |
| 109 | + The example above assumes that your cryptographic token can be accessed |
| 110 | + via the opensc-pkcs11.so library from libopensc2. If you have to use |
| 111 | + another library, for example a proprietary driver from the vendor of your |
| 112 | + token, then you have to adapt both the stanza in the configuration file |
| 113 | + and the path given on the command line accordingly. |
| 114 | + |
| 115 | + Florian Kulzer |
| 116 | + |
| 117 | + -- Alberto Gonzalez Iniesta < [email protected]> Thu, 30 Apr 2009 12:35:05 +0200 |
| 118 | + |
| 119 | +openvpn (2.1~rc9-3) unstable; urgency=low |
| 120 | + |
| 121 | + Calling of external commands/scripts |
| 122 | + |
| 123 | + Starting with version 2.1~rc9, openvpn has a new option to control the |
| 124 | + ability to execute external commands (--script-security). |
| 125 | + |
| 126 | + By default (script-security 1) it will only allow the execution of |
| 127 | + built-in commands (ip, ifconfig, route,...). If you require the execution |
| 128 | + of external commands, such as /etc/openvpn/update-resolv-conf, you'll have |
| 129 | + to include the following option in your configuration file: |
| 130 | + script-security 2 |
| 131 | + |
| 132 | + -- Alberto Gonzalez Iniesta < [email protected]> Sat, 16 Aug 2008 13:34:24 +0200 |
| 133 | + |
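Review bot: The trailer of the 2.6.0~git20221201-1 entry is dated "Mon, 23 May 2022", which is about six months before the 20221201 git snapshot named in the version string; regenerate the trailer (e.g. with `dch`) so the date is not earlier than the snapshot it describes. Two smaller points in the same hunk: the 2.4.0-4 entry has the typo "expiraton" (should be "expiration"), and the first 2.6.0 paragraph ends at "OpenSSL 3.0" without a full stop. Since the 2.6.0 entry is the one that warns admins which weak certificates and keys will now be rejected, it would also help to tell them how to check an existing certificate before the upgrade, e.g. `openssl x509 -in cert.pem -noout -text`, which shows the signature algorithm and key size the entry lists as problematic.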