Home Features Getting Started Mailing List / Help Contribute Technical stuff

OpenConnect VPN client

About Supported Platforms Download Packages Changelog

Changelog

For full changelog entries including the latest development, see gitweb.

• OpenConnect HEAD
  • No changelog entries yet
  
  
• OpenConnect v4.08 (PGP signature) — 2013-02-13
  • Fix overflow on HTTP request buffers (CVE-2012-6128)
  • Fix connection to servers with round-robin DNS with two-stage auth/connect.
  • Impose minimum MTU of 1280 bytes.
  • Fix some harmless issues reported by Coverity.
  • Improve "Attempting to connect..." message to be explicit when it's connecting to a proxy.
  
  
• OpenConnect v4.07 (PGP signature) — 2012-08-31
  • Fix segmentation fault when invoked with -p argument.
  • Fix handling of write stalls on CSTP (TCP) socket.
  
  
• OpenConnect v4.06 (PGP signature) — 2012-07-23
  • Fix default CA location for non-Fedora systems with old GnuTLS.
  • Improve error handing when vpnc-script exits with error.
  • Handle PKCS#11 tokens which won't list keys without login.
  
  
• OpenConnect v4.05 (PGP signature) — 2012-07-12
  • Use correct CSD script for Mac OS X.
  • Fix endless loop in PIN cache handling with multiple PKCS#11 tokens.
  • Fix PKCS#11 URI handling to preserve all attributes.
  • Don't forget key password on GUI reconnect.
  • Fix GnuTLS v3 build on OpenBSD.
  
  
• OpenConnect v4.04 (PGP signature) — 2012-07-05
  • Fix GnuTLS password handling for PKCS#8 files.
  
  
• OpenConnect v4.03 (PGP signature) — 2012-07-02
  • Fix --no-proxy option.
  • Fix handling of requested vs. received MTU settings.
  • Fix DTLS MTU for GnuTLS 3.0.21 and newer.
  • Support more ciphers for OpenSSL encrypted PEM keys, with GnuTLS.
  • Fix GnuTLS compatibilty issue with servers that insist on TLSv1.0 or non-AES ciphers (RH#836558).
  
  
• OpenConnect v4.02 (PGP signature) — 2012-06-28
  • Fix build failure due to unconditional inclusion of <gnutls/dtls.h>.
  
  
• OpenConnect v4.01 (PGP signature) — 2012-06-28
  • Fix DTLS MTU issue with GnuTLS.
  • Fix reconnect crash when compression is disabled.
  • Fix build on systems like FreeBSD 8 without O_CLOEXEC.
  • Add --dtls-local-port option.
  • Print correct error when /dev/net/tun cannot be opened.
  • Fix openconnect.pc pkg-config file not to require zlib.pc on systems which lack it (like RHEL5).
  
  
• OpenConnect v4.00 (PGP signature) — 2012-06-20
  • Add support for OpenSSL's odd encrypted PKCS#1 files, for GnuTLS.
  • Fix repeated passphrase retry for OpenSSL.
  • Add keystore support for Android.
  • Support TPM, and also additional checks on PKCS#11 certs, even with GnuTLS 2.12.
  • Fix library references to OpenSSL's ERR_print_errors_cb() when built against GnuTLS v2.12.
  
  
• OpenConnect v3.99 (PGP signature) — 2012-06-13
  • Enable native TPM support when built with GnuTLS.
  • Enable PKCS#11 token support when built with GnuTLS.
  • Eliminate all SSL library exposure through libopenconnect.
  • Parse split DNS information, provide $CISCO_SPLIT_DNS environment variable to vpnc-script.
  • Attempt to provide new-style MTU information to server (on Linux only, unless specified on command line).
  • Allow building against GnuTLS, including DTLS support.
  • Add --with-pkgconfigdir= option to configure for FreeBSD's benefit (fd#48743).
  
  
• OpenConnect v3.20 (PGP signature) — 2012-05-18
  • Cope with non-keepalive HTTP response on authentication success.
  • Fix progress callback with incorrect cbdata which caused KDE crash.
  
  
• OpenConnect v3.19 (PGP signature) — 2012-05-17
  • Add --config option for reading options from file.
  • Improve OpenSSL DTLS compatibility to work on Ubuntu 10.04.
  • Flush progress logging output promptly after each message.
  • Add symbol versioning for shared library (on sane platforms).
  • Add openconnect_set_cancel_fd() function to allow clean cancellation.
  • Fix corruption of URL in openconnect_parse_url() if it specifies a port number.
  • Fix inappropriate exit() calls from library code.
  • Library namespace cleanup — all symbols now have the prefix openconnect_ on platforms where symbol versioning works.
  • Fix --non-inter option so it still uses login information from command line.
  
  
• OpenConnect v3.18 (PGP signature) — 2012-04-25
  • Fix autohate breakage with --disable-nls... hopefully.
  • Fix buffer overflow in banner handling.
  
  
• OpenConnect v3.17 (PGP signature) — 2012-04-20
  • Work around time() brokenness on Solaris.
  • Fix interface plumbing on Solaris 10.
  • Provide asprintf() function for (unpatched) Solaris 10.
  • Make vpnc-script mandatory, like it is for vpnc
  • Don't set Legacy IP address on tun device; let vpnc-script do it.
  • Detect OpenSSL even without pkg-config.
  • Stop building static library by default.
  • Invoke vpnc-script with "pre-init" reason to load tun module if necessary.
  
  
• OpenConnect v3.16 (PGP signature) — 2012-04-08
  • Fix build failure on Debian/kFreeBSD and Hurd.
  • Fix memory leak of deflated packets.
  • Fix memory leak of zlib state on CSTP reconnect.
  • Eliminate memcpy() calls on packets from DTLS and tunnel device.
  • Use I_LINK instead of I_PLINK on Solaris to plumb interface for Legacy IP.
  • Plumb interface for IPv6 on Solaris, instead of expecting vpnc-script to do it.
  • Refer to vpnc-script and help web pages in openconnect output.
  • Fix potential crash when processing libproxy results.
  • Be more conservative in detecting libproxy without pkg-config.
  
  
• OpenConnect v3.15 (PGP signature) — 2011-11-25
  • Fix for reading multiple packets from Solaris tun device.
  • Call bindtextdomain() to ensure that translations are found in install path.
  
  
• OpenConnect v3.14 (PGP signature) — 2011-11-08
  • Move executable to $prefix/sbin.
  • Fix build issues on OSX, OpenIndiana, DragonFlyBSD, OpenBSD, FreeBSD & NetBSD.
  • Fix non-portable (void *) arithmetic.
  • Make more messages translatable.
  • Attempt to make NLS support more portable (with fewer dependencies).
  
  
• OpenConnect v3.13 (PGP signature) — 2011-09-30
  • Add --cert-expire-warning option.
  • Give visible warning when server dislikes client SSL certificate.
  • Add localisation support.
  • Fix build on Debian systems where dtls1_stop_timer() is not available.
  • Fix libproxy detection.
  • Enable a useful set of compiler warnings by default.
  • Fix various minor compiler warnings.
  
  
• OpenConnect v3.12 — 2011-09-12
  • Fix DTLS compatibility with ASA firmware 8.4.1(11) and above.
  • Fix build failures on GNU Hurd, on systems with ancient OpenSSL, and on Debian.
  • Add --pid-file option.
  • Print SHA1 fingerprint with server certificate details.
  
  
• OpenConnect v3.11 — 2011-07-20
  • Add Android.mk file for Android build support
  • Add logging support for Android, in place of standard syslog().
  • Switch back to using TLSv1, but without extensions.
  • Make TPM support optional, dependent on OpenSSL ENGINE support.
  
  
• OpenConnect v3.10 — 2011-06-30
  • Switch to using GNU autoconf/automake/libtool.
  • Produce shared library for authentication.
  • Improve library API to make life easier for C++ users.
  • Be more explicit about requiring pkg-config.
  • Invoke script with reason=reconnect on CSTP reconnect.
  • Add --non-inter option to avoid all user input.
  
  
• OpenConnect v3.02 — 2011-04-19
  • Install man page in make install target.
  • Add openconnect_vpninfo_free() to libopenconnect.
  • Clear cached peer_addr to avoid reconnecting to wrong host.
  
  
• OpenConnect v3.01 — 2011-03-09
  • Add libxml2 to pkg-config requirements.
  
  
• OpenConnect v3.00 — 2011-03-09
  • Create libopenconnect.a for GUI authentication dialog to use.
  • Remove auth-dialog, which now lives in the network-manager-openconnect package.
  • Cope with more entries in authentication forms.
  • Add --csd-wrapper option to wrap CSD trojan.
  • Report error and abort if CA file cannot be opened.
  
  
• OpenConnect v2.26 — 2010-09-22
  • Fix potential crash on relative HTTP redirect.
  • Use correct TUN/TAP device node on Android.
  • Check client certificate expiry date.
  • Implement CSTP and DTLS rekeying (both by reconnecting CSTP).
  • Add --force-dpd option to set minimum DPD interval.
  • Don't print webvpn cookie in debug output.
  • Fix host selection in NetworkManager auth dialog.
  • Use SSLv3 instead of TLSv1; some servers (or their firewalls) don't accept any ClientHello options.
  • Never include address family prefix on script-tun connections.
  
  
• OpenConnect v2.25 — 2010-05-15
  • Always validate server certificate, even when no extra --cafile is provided.
  • Add --no-cert-check option to avoid certificate validation.
  • Check server hostname against its certificate.
  • Provide text-mode function for reviewing and accepting "invalid" certificates.
  • Fix libproxy detection on NetBSD.
  
  
• OpenConnect v2.24 — 2010-05-07
  • Forget preconfigured password after a single attempt; don't retry infinitely if it's failing.
  • Set $CISCO_BANNER environment variable when running script.
  • Better handling of passphrase failure on certificate files.
  • Fix NetBSD build (thanks to Pouya D. Tafti).
  • Fix DragonFly BSD build.
  
  
• OpenConnect v2.23 — 2010-04-09
  • Support "Cisco Secure Desktop" trojan in NetworkManager auth-dialog.
  • Support proxy in NetworkManager auth-dialog.
  • Add --no-http-keepalive option to work around Cisco's incompetence.
  • Fix build on Debian/kFreeBSD.
  • Fix crash on receiving HTTP 404 error.
  • Improve workaround for server certificates lacking SSL_SERVER purpose, so that it also works with OpenSSL older than 0.9.8k.
  
  
• OpenConnect v2.22 — 2010-03-07
  • Fix bug handling port numbers above 9999.
  • Ignore "Connection: Keep-Alive" in HTTP/1.0 to work around server bug with certificate authentication.
  • Handle non-standard port (and full URLs) when used with NetworkManager.
  • Cope with relative redirect and form URLs.
  • Allocate HTTP receive buffer dynamically, to cope with arbitrary size of content.
  • Fix server cert SHA1 comparison to be case-insensitive.
  • Fix build on Solaris and OSX (strndup(), AI_NUMERICSERV).
  • Fix exit code with --background option.
  
  
• OpenConnect v2.21 — 2010-01-10
  • Fix handling of HTTP 1.0 responses with keepalive (RH#553817).
  • Fix case sensitivity in HTTP headers and hostname comparison on redirect.
  
  
• OpenConnect v2.20 — 2010-01-04
  • Fix use-after-free bug in NetworkManager authentication dialog (RH#551665).
  • Allow server to be specified with https:// URL, including port and pathname (which Cisco calls 'UserGroup')
  • Support connection through HTTP and SOCKS proxies.
  • Handle HTTP redirection with port numbers.
  • Handle HTTP redirection with IPv6 literal addresses.
  
  
• OpenConnect v2.12 — 2009-12-07
  • Fix buffer overflow when generating useragent string.
  • Cope with idiotic schizoDNS configurations by not repeating DNS lookup for VPN server on reconnects.
  • Support DragonFlyBSD. Probably.
  
  
• OpenConnect v2.11 — 2009-11-17
  • Add IPv6 support for FreeBSD.
  • Support "split tunnel" mode for IPv6 routing.
  • Fix bug where client certificate's MD5 was only given to the CSD trojan if a PKCS#12 certificate was used.
  
  
• OpenConnect v2.10 — 2009-11-04
  • OpenSolaris support.
  • Preliminary support for IPv6 connectivity.
  • Fix session shutdown on exit.
  • Fix reconnection when TCP connection is closed.
  • Support for "Cisco Secure Desktop" idiocy.
  • Allow User-Agent: to be specified on command line.
  • Fix session termination on disconnect.
  • Fix recognition of certificates from OpenSSL 1.0.0.
  
  
• OpenConnect v2.01 — 2009-06-24
  • Fix bug causing loss of DTLS (and lots of syslog spam about it) after a CSTP reconnection.
  • Don't apply OpenSSL certificate chain workaround if we already have "extra" certificates loaded (e.g. from a PKCS#12 file).
  • Load "extra" certificates from .pem files too.
  • Fix SEGV caused by freeing certificates after processing cert chain.
  
  
• OpenConnect v2.00 — 2009-06-03
  • Add OpenBSD and FreeBSD support.
  • Build with OpenSSL-0.9.7 (Mac OS X, OpenBSD, etc.)
  • Support PKCS#12 certificates.
  • Automatic detection of certificate type (PKCS#12, PEM, TPM).
  • Work around OpenSSL trust chain issues (RT#1942).
  • Allow PEM passphrase to be specified on command line.
  • Allow PEM passphrase automatically generated from the fsid of the file system on which the certificate is stored.
  • Fix certificate comparisons (in NM auth-dialog and --servercert option) to use SHA1 fingerprint, not signature.
  • Fix segfault in NM auth-dialog when changing hosts.
  
  
• OpenConnect v1.40 — 2009-05-27
  • Fix validation of server's SSL certificate when NetworkManager runs openconnect as an unprivileged user (which can't read the real user's trust chain file).
  • Fix double-free of DTLS Cipher option on reconnect.
  • Reconnect on SSL write errors
  • Fix reporting of SSL errors through syslog/UI.
  
  
• OpenConnect v1.30 — 2009-05-13
  • NetworkManager auth-dialog will now cache authentication form options.
  
  
• OpenConnect v1.20 — 2009-05-08
  • DTLS cipher choice fixes.
  • Improve handling of authentication group selection.
  • Export more information to connection script.
  • Add --background option to dæmonize after connection.
  • Detect TCP connection closure.
  
  
• OpenConnect v1.10 — 2009-04-01
  • NetworkManager UI rewrite with many improvements.
  • Support for "UserGroups" where a single server offers multiple configurations according to the URL used to connect.
  
  
• OpenConnect v1.00 — 2009-03-18
  • First non-beta release.