Commit message | Author | Age | Files | Lines

This is to make sure that with 2022Q3 branching off of this
version, the package will look newer and flush out the old
package, with MBEDTLS and TUNNELBLICK options now removed.
FreeBSD-related changes from Changes.rst:
- Limited OpenSSL 3.0 support
OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies
on the compatibility layer and full OpenSSL 3.0 support is coming with
OpenVPN 2.6. Only features that impact usage directly have been
backported:
``--tls-cert-profile insecure`` has been added to allow selecting the
lowest OpenSSL security level (not recommended, use only if you must).
OpenSSL 3.0 no longer supports the Blowfish (and other deprecated)
algorithm by default and the new option ``--providers`` allows loading
the legacy provider to re-enable these algorithms. Most notably,
reading of many PKCS#12 files encrypted with the RC2 algorithm fails
unless ``--providers legacy default`` is configured.
The OpenSSL engine feature ``--engine`` is not enabled by default
anymore if OpenSSL 3.0 is detected.
- print OpenSSL error stack if decoding PKCS12 file fails
- fix PATH_MAX build failure in auth-pam.c
- fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
detailed changes: https://github.com/OpenVPN/openvpn/releases/tag/v2.5.7
There has been a report of sporadic man-page rebuilds on OpenZFS.
While the patch order is correct, we do not intend to rebuild the
manpage (after a nobody -> openvpn change, for instance), and
we also patch the output files. So just remove the source patch.
This should go without any functional changes, so ships without
bumping PORTREVISION.
There is an upstream ticket reporting a missing source file
in the tarball. https://community.openvpn.net/openvpn/ticket/1461
Reported by: Jan Martin Mikkelsen
PR: 263116
...forgotten in previous commit.
Changelog:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256
Somewhat related to and obsoletes:
PR: 262626
Security: 45a72180-a640-11ec-a08b-85298243e224
Security: CVE-2022-0547
Security: https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
MFH: 2022Q1
Also bump dependent ports for library version change.
PR: 255084
Bugfixes (FreeBSD-specific):
* improve "make check" to notice if "openvpn --show-cipher" crashes
* improve argv unit tests
* ensure unit tests work with mbedTLS builds without BF-CBC ciphers
* include "--push-remove" in the output of "openvpn --help"
* fix "resolvconf -p" invocation in example "up" script
* fix "common_name" environment for script calls when
"--username-as-common-name" is in effect (Trac #1434)
Documentation:
* move "push-peer-info" documentation from "server options" to "client"
(where it belongs)
* correct "foreign_option_{n}" typo in manpage
* update IRC information in CONTRIBUTING.rst (libera.chat)
* README.down-root: fix plugin module name
Bump PORTREVISION.
PR: 260352
Reported by: Marcin Wojtas
While here, shorten LZO_DESC to fit 80x24 dialogs.
...now that mbedTLS metadata was fixed to show the actual situation
for mbedTLS 2.x.y, that it's either Apache License 2.0, or
GNU General Public License 2.0 or any later version.
While here, also mark the main port with mbedTLS option enabled to
record it's going to lose the mbedTLS option end of March 2022.
After reviewing licenses again,
- mark mbedTLS broken for now, since it uses the Apache License 2.0,
which is incompatible with the GPLv2 (OpenVPN does not employ the
"or any later version" escape hatch). This will be handed to the
OpenVPN-devel mailing list for review.
- block out the combination of LZO with LibreSSL, since OpenVPN
only has a linking exception for OpenSSL itself. Remedy is
to either forgo LibreSSL, or to disable the LZO option, which
requires proper configuration on either end. The maintainer's
recommendation is to compile with OpenSSL instead.
Bump PORTREVISION in spite of unchanged contents to flush out old
packages.
MFH: 2021Q4
mbedTLS is obsolete through its lack of TLS v1.3 support
OpenVPN-mbedtls does not work on 14-CURRENT.
=> remove this port and the MBEDTLS option end 2022Q1.
The conflict checks compare the patterns first against the package
names without version (as reported by 'pkg query "%n"'), then - if
there was no match - against the full package names including the
version (as reported by 'pkg query "%n-%v"').
Approved by: portmgr (blanket)
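To make the two-pass matching concrete, here is an added example (not the ports framework's own code) that models the CONFLICTS check as the commit describes it: every pattern is a shell glob tried first against bare package names (`%n`), and only when that pass matches nothing is it tried against `%n-%v`. The installed-package list is constructed sample data; a real check would read it from `pkg query`.

```python
"""Model of the FreeBSD ports CONFLICTS check described in the commit above.

Added example, not the ports framework's own code.  Pass 1 compares each
CONFLICTS glob against installed package names without version
("pkg query %n"); pass 2 runs only if pass 1 matched nothing and compares
against the full "%n-%v" names.  INSTALLED is constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed sample of installed packages as (name, version) tuples,
# i.e. what `pkg query "%n %v"` might print.  Not a real system's output.
INSTALLED = [
    ("openvpn", "2.5.7"),
    ("openvpn-mbedtls", "2.5.6"),
    ("mbedtls", "2.28.1"),
    ("openssl", "1.1.1q,1"),
]


def find_conflicts(patterns, installed=INSTALLED):
    """Return the installed (name, version) pairs matched by any pattern.

    Pass 1: patterns against bare names (%n).
    Pass 2: only if pass 1 matched nothing, patterns against "%n-%v".
    """
    by_name = {n: (n, v) for n, v in installed}
    by_full = {f"{n}-{v}": (n, v) for n, v in installed}

    matched = {pkg for pat in patterns
               for name, pkg in by_name.items() if fnmatchcase(name, pat)}
    if matched:
        return sorted(matched)

    matched = {pkg for pat in patterns
               for name, pkg in by_full.items() if fnmatchcase(name, pat)}
    return sorted(matched)


if __name__ == "__main__":
    # "openvpn-*" already matches the bare name openvpn-mbedtls in pass 1,
    # so pass 2 (where it would also match openvpn-2.5.7) never runs.
    print(find_conflicts(["openvpn-*"]))
    # A versioned pattern matches nothing in pass 1 and falls through to pass 2.
    print(find_conflicts(["openvpn-2.5*"]))
```

The second pass only being reached when the first finds nothing is the detail worth noticing: a pattern like `openvpn-*` is satisfied by the bare name of a sibling port and never gets compared against versioned names at all.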
for security/openvpn-devel:
Approved by: Gert Doering (maintainer)
to portclippy-reported standard ordering
PR: 259384
adds openvpn-examples(5) manual page
Changelog:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-254
While here, add a warning banner about libressl support status,
and clean up a leftover INSTALL_DATA workaround no longer needed.
Patch suggested and
Reported by: Franco Fichtner <franco@opnsense.org>
PR: 256744
Changelog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
FreeBSD relevant changes:
Bugfixes
* disable connect-retry backoff for p2p (--secret) instances (Trac #1010, #1384)
* fix build with mbedtls w/o SSL renegotiation support
* fix small memory leak in free_key_ctx for auth_token
* Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409) -
-> in FreeBSD ports, already fixed in 2.5.2_2 (PORTREVISION 2).
User-visible Changes
* update copyright messages in files and --version output
New features
* add --auth-token-user option (for --auth-token deployments without --auth-user-pass in client config)
PR: 256331
Reported by: peo@nethead.se
Bump PORTREVISION as we change the pkg-plist.
(Includes -mbedtls port variant.)
PR: 255946
Based on a patch by and
Reported by: Mikael Urankar (mikael@)
Changelog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-252
Security: CVE-2020-15078
Security: efb965be-a2c0-11eb-8956-1951a8617e30
MFH: 2021Q2
The build runs a sanity check to verify that libssl and libcrypto are linked
only once, to catch mismatches in SSL providers between libpkcs11-helper
and openvpn itself. In order to assist the operator in finding out
which libraries pull in differing versions of libcrypto or libssl,
run ldd -a in the error path. (Not run normally, no PORTREVISION bump.)
PR: 254323 (related)
Notes:
svn path=/head/; revision=568617
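The following is an added example, not the port's own Makefile logic, of what an operator does with that `ldd -a` output: parse it, collect every libssl/libcrypto the tree resolves to, grouped by the object that pulled each one in, and flag any family that resolves to more than one distinct path. The `ldd -a` text is constructed sample output modelling the pkcs11-helper mismatch the commit mentions, not a capture from a real system.

```python
"""Detect libssl/libcrypto linked more than once across a dependency tree.

Added example, not the openvpn port's own check.  Parses `ldd -a` style
output (one "object:" header per shared object, followed by the libraries
that object needs) and reports every libssl or libcrypto family that
resolves to more than one distinct path, together with the objects that
pull each path in.  SAMPLE_LDD_A is constructed text.
"""
import re
from collections import defaultdict

# Constructed `ldd -a` output: openvpn links the ports OpenSSL, while the
# libpkcs11-helper it uses was built against the base-system libcrypto.
SAMPLE_LDD_A = """\
/usr/local/sbin/openvpn:
\tlibssl.so.11 => /usr/local/lib/libssl.so.11 (0x800a00000)
\tlibcrypto.so.11 => /usr/local/lib/libcrypto.so.11 (0x800c00000)
\tlibpkcs11-helper.so.1 => /usr/local/lib/libpkcs11-helper.so.1 (0x801000000)
\tlibc.so.7 => /lib/libc.so.7 (0x801200000)
/usr/local/lib/libpkcs11-helper.so.1:
\tlibcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x801400000)
\tlibc.so.7 => /lib/libc.so.7 (0x801200000)
"""

HEADER = re.compile(r"^(\S.*):$")                       # "/path/to/object:"
DEP = re.compile(r"^\s+(lib(?:ssl|crypto)\.so\S*)\s+=>\s+(\S+)")  # "\tlibX.so.N => /path"


def parse_ldd_a(text):
    """Map each object in the tree to the (soname, path) libssl/libcrypto it needs."""
    deps = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEP.match(line)
        if m and current is not None:
            deps[current].append((m.group(1), m.group(2)))
    return dict(deps)


def find_duplicate_ssl_libs(text):
    """Return {family: {path: [objects needing it]}} for each of libssl /
    libcrypto that resolves to more than one distinct path."""
    by_family = defaultdict(lambda: defaultdict(list))
    for obj, libs in parse_ldd_a(text).items():
        for soname, path in libs:
            family = "libssl" if soname.startswith("libssl") else "libcrypto"
            by_family[family][path].append(obj)
    return {fam: dict(paths) for fam, paths in by_family.items() if len(paths) > 1}


def linked_once(text):
    """True when every libssl/libcrypto family resolves to a single path."""
    return not find_duplicate_ssl_libs(text)


if __name__ == "__main__":
    for family, paths in find_duplicate_ssl_libs(SAMPLE_LDD_A).items():
        print(f"{family} linked from {len(paths)} different paths:")
        for path, objs in paths.items():
            print(f"  {path}  <- {', '.join(objs)}")
```

Two copies of libcrypto in one process are not just a packaging nit: the two libraries keep separate error stacks, default providers and global state, which is exactly the kind of mismatch the build check exists to catch before it surfaces as a crash in PKCS#11 code paths.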
Changelog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-251
MFH: 2021Q1 (point-level bugfix update)
Notes:
svn path=/head/; revision=566502
...see ports/UPDATING or the
ChangeLog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25
Avoid LibreSSL (IGNORE_SSL).
INSTALL_DATA -> INSTALL_MAN for documentation.
Rearrange Makefile according to portclippy.
Notes:
svn path=/head/; revision=553713
Some systems apparently format output of ifconfig lo0 similar to
"inet6 ::1/128" instead of 12.1's "inet6 ::1 prefixlen 128". This
confuses the test script, so strip the slash and trailing prefixlen
off.
Since that bug affects the build-time test suite and its occurrence
breaks the build, no PORTREVISION bump needed.
Reported by: des@
Notes:
svn path=/head/; revision=551609
Notes:
svn path=/head/; revision=542434
...configured the official way, not hacky (which failed in openvpn-devel
because it broke some configure tests).
Notes:
svn path=/head/; revision=542426
* 098edbb1 2020-05-20 | Switch assertion failure to returning false [Jeremy Evans]
* fc029714 2020-05-30 | pool: prevent IPv6 pools to be larger than 2^16 addresses [Antonio Quartulli]
* 38b46e6b 2020-02-20 | Persist management-query-remote and proxy prompts [Selva Nair]
MFH: 2020Q2 (blanket approval for stability fixes)
Notes:
svn path=/head/; revision=537129
Arne Schwabe's OpenSSL fix for Debian Bug#958296
"Fix tls_ctx_client/server_new leaving error on OpenSSL error stack"
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958296> [1]
Selva Nair's auth-pam fixes
"Parse static challenge response in auth-pam plugin"
"Accept empty password and/or response in auth-pam plugin"
Re-diff (with make makepatch) older patches.
Reported by: Jonas Andradas via Debian BTS
Obtained from: Arne Schwabe, Selva Nair <https://github.com/OpenVPN/openvpn/tree/release/2.4>
MFH: 2020Q2 (blanket for backporting reliability fixes)
Notes:
svn path=/head/; revision=534272
At the same time, remove ASYNC_PUSH_LIBS workaround from [1].
Changelog (high-level):
https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-249
Git changelog, marking the three fixes that were already in 2.4.8_3
as cherry-picks with a 1, 2, or 3 instead of "*" to correspond
with the PORTREVISION, and those with "-" that are specific to other systems,
say, Windows.
* 9b0dafca 2020-04-16 | Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst) (tag: v2.4.9) [Gert Doering]
3 f7b318f8 2020-04-15 | Fix illegal client float (CVE-2020-11810) [Lev Stipakov]
* 9bb285e3 2020-03-13 | Fix broken async push with NCP is used [Lev Stipakov]
- 5f8a9df1 2020-02-12 | Allow unicode search string in --cryptoapicert option [Selva Nair]
- 4658b3b6 2020-02-12 | Skip expired certificates in Windows certificate store [Selva Nair]
* df5ea7f1 2020-02-19 | Fix possible access of uninitialized pipe handles [Selva Nair]
* 1d9e0be2 2020-02-19 | Fix possibly uninitialized return value in GetOpenvpnSettings() [Selva Nair]
* 5ee76a8f 2020-03-28 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection [Arne Schwabe]
* ed925c0a 2020-04-07 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file [Maxim Plotnikov]
* 2fe84732 2020-03-30 | When auth-user-pass file has no password query the management interface (if available). [Selva Nair]
* 908eae5c 2020-04-03 | Move querying username/password from management interface to a function [Selva Nair]
* 15bc476f 2020-04-02 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs [Arne Schwabe]
* 22df79bb 2020-04-01 | Fetch OpenSSL versions via source/old links [Arne Schwabe]
* 0efbd8e9 2020-03-31 | mbedTLS: Make sure TLS session survives move [Tom van Leeuwen]
* 33395693 2020-03-25 | docs: Add reference to X509_LOOKUP_hash_dir(3) [WGH]
* 7d19b2bb 2019-10-21 | Fix OpenSSL private key passphrase notices [Santtu Lakkala]
2 8484f37a 2020-03-14 | Fix building with --enable-async-push in FreeBSD [Lev Stipakov]
* 69bbfbdf 2020-02-18 | Swap the order of checks for validating interactive service user [Selva Nair]
* 0ba4f916 2019-11-09 | socks: use the right function when printing struct openvpn_sockaddr [Antonio Quartulli]
1 3bd91cd0 2019-10-30 | Fix broken fragmentation logic when using NCP [Lev Stipakov]
PR: 244286 [1]
MFH: 2020Q2 (patchlevel bugfix release)
Notes:
svn path=/head/; revision=531957
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from another
address and with same peer-id, this would cause client to float to that new
address.
The net effect of this behaviour is that the VPN session for the "victim
client" is broken. Since the "attacker client" does not have suitable keys,
it can not inject or steal VPN traffic from the other session. The time
window is small and it can not be used to attack a specific client's session,
unless some other way is found to make it disconnect and reconnect first.
This fix is inherited by the openvpn-mbedtls slave port.
Obtained from: Lev Stipakov (OpenVPN)
MFH: 2020Q2 (blanket security patch)
Security: CVE-2020-11810
Security: 8604121c-7fc2-11ea-bcac-7781e90b0c8f
Notes:
svn path=/head/; revision=531837
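The window the commit describes is easier to see in a model. The following is an added example, not OpenVPN's own code, and a deliberate simplification: a server keeps, per peer-id, the client's current source address and whether the data-channel key has been initialized yet. The vulnerable handler floats (updates the recorded address) as soon as a data-channel packet carries a known peer-id; the fixed handler floats only after the packet authenticates under that peer's data-channel key, which cannot happen while no key exists. The packet layout, the key handling and the HMAC "authenticate" step are assumptions of this model, as are the addresses (RFC 5737 documentation ranges).

```python
"""Toy model of the peer-id float window behind CVE-2020-11810.

Added example, not OpenVPN's code.  Assumptions: a peer-id indexes a Peer
record; data-channel packets carry (peer_id, payload, tag); "authenticate"
is an HMAC-SHA256 check standing in for the real data-channel auth.
"""
import hashlib
import hmac


class Peer:
    def __init__(self, addr):
        self.addr = addr   # current (ip, port) the server sends to
        self.key = None    # data-channel key; None during the handshake window


def authenticate(key, payload, tag):
    """Simplified data-channel authentication (assumed HMAC-SHA256)."""
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)


def handle_data_packet_vulnerable(peers, peer_id, src, payload, tag):
    """Float on any packet with a known peer-id, key or no key (the bug)."""
    peer = peers.get(peer_id)
    if peer is None:
        return "drop"
    if src != peer.addr:
        peer.addr = src        # floats even though nothing authenticated the packet
        return "float"
    return "ok"


def handle_data_packet_fixed(peers, peer_id, src, payload, tag):
    """Float only once the packet authenticates under the peer's data-channel key."""
    peer = peers.get(peer_id)
    if peer is None:
        return "drop"
    if peer.key is None:
        return "drop"          # inside the window: no key, so nothing to verify against
    if not authenticate(peer.key, payload, tag):
        return "drop"
    if src != peer.addr:
        peer.addr = src        # authenticated packet from a new address: legitimate float
        return "float"
    return "ok"


def run_scenario(handler):
    """Victim (peer-id 7) is mid-handshake with no key; a rogue packet carrying
    its peer-id arrives from ATTACKER.  Returns (verdict, address now on record)."""
    victim = ("192.0.2.10", 1194)        # constructed
    attacker = ("198.51.100.7", 40000)   # constructed
    peers = {7: Peer(victim)}
    verdict = handler(peers, 7, attacker, b"garbage", b"\x00" * 32)
    return verdict, peers[7].addr


def run_after_key_init():
    """After the key exists, a packet that authenticates from a new address floats."""
    key = b"\x11" * 32                   # constructed key
    peers = {7: Peer(("192.0.2.10", 1194))}
    peers[7].key = key
    tag = hmac.new(key, b"data", hashlib.sha256).digest()
    verdict = handle_data_packet_fixed(peers, 7, ("203.0.113.5", 5000), b"data", tag)
    return verdict, peers[7].addr


if __name__ == "__main__":
    print("vulnerable:", run_scenario(handle_data_packet_vulnerable))
    print("fixed:     ", run_scenario(handle_data_packet_fixed))
    print("post-key:  ", run_after_key_init())
```

The model also shows why the impact stays at denial of service, as the commit says: the rogue sender never holds the key, so even after a successful float it cannot produce a packet that authenticates, and the fixed handler never lets an unauthenticated packet move the address in the first place.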
upstreamed for 2.4.9. [info: Lev Stipakov]
PR: 244286
Notes:
svn path=/head/; revision=528550
When enabled, pulls in devel/libinotify, and
adds --enable-async-push to configure.
In contrast to garga@'s proposal, uses
ASYNC_PUSH_LIBS instead of a patch file.
PR: 244286
Submitted by: garga@
Notes:
svn path=/head/; revision=526692
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18975.html
Notes:
svn path=/head/; revision=524180
In that situation, add ./configure --enable-compression-stub.
While here, rearrange Makefile and use _ENABLE rather than _OFF
tags for the options.
Submitted by: Daniel Engberg
Differential Revision: https://reviews.freebsd.org/D23190
Notes:
svn path=/head/; revision=524178
This upstream release integrated two FreeBSD patches by Kyle Evans and me,
which are herewith dropped from the port.
Upstream release banner
"This is primarily a maintenance release with minor bugfixes and improvements."
High-level changes:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248>
Manually filtered FreeBSD-related excerpt from Git log: v2.4.7..v2.4.8:
- mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() [Antonio Quartulli]
- openssl: Fix compilation without deprecated OpenSSL 1.1 APIs [Rosen Penev]
- Force combination of --socks-proxy and --proto UDP to use IPv4. [Gert Doering]
- Ignore --pull-filter for --mode server [Richard Bonhomme]
- Fix typo in NTLM proxy debug message [Mykola Baibuz]
- tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. [Kyle Evans]
- Handle PSS padding in cryptoapicert [Selva Nair]
- Fix regression, reinstate LibreSSL support. [Matthias Andree]
- Increase listen() backlog queue to 32 [Gert Doering]
- Wrong FILETYPE in .rc files [Gisle Vanem]
- Do not set pkcs11-helper 'safe fork mode' [Hilko Bengen]
- man: correct the description of --capath and --crl-verify regarding CRLs [Michal Soltys]
- Fix various compiler warnings [Lev Stipakov]
- build: Package missing mock_msg.h [David Sommerseth]
- cmocka: use relative paths [Steffan Karger]
- docs: Update INSTALL [David Sommerseth]
- Better error message when script fails due to script-security setting [Selva Nair]
- Fix documentation of tls-verify script argument [Thomas Quinot]
Detailed changes:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8>
Build tests in poudriere and in a live system succeeded on:
11.2-RELEASE 1102000 arm64.aarch64
11.2-RELEASE 1102000 mips.mips64
11.2-RELEASE-p14 i386
11.3-RELEASE-p3 amd64
12.0-RELEASE-p10 i386
12.0-RELEASE-p6 amd64
12.0-RELEASE-p10 amd64 (live)
MFH: 2019Q4
Notes:
svn path=/head/; revision=516218
(I use a different patch than what was submitted by pizzamig@,
and have sent our patch upstream.)
Remove IGNORE_SSL.
While here, remove USE_LDCONFIG to fix a portlint complaint,
and fix a typo in a Makefile comment.
PR: 238382
Reported by: pizzamig@
Notes:
svn path=/head/; revision=511397
Thanks!
Also sent upstream for inclusion today,
https://sourceforge.net/p/openvpn/mailman/message/36757480/ and
https://sourceforge.net/p/openvpn/mailman/message/36757481/
PR: 240306
Submitted by: kevans@
Notes:
svn path=/head/; revision=511348
Notes:
svn path=/head/; revision=508909
based on discussion at ports@ [1]. As VPN software is put in different
physical categories (net and security), this is a little bit confusing. Let's
give them a new virtual category, net-vpn.
[1] https://lists.freebsd.org/pipermail/freebsd-ports/2019-April/115915.html
PR: 239395
Submitted by: myself
Approved by: portmgr (mat)
Differential Revision: https://reviews.freebsd.org/D21174
Notes:
svn path=/head/; revision=508887
Upstream maintainers are massively pushing back against the patches
offered so far, with valid and concrete technical reasons, and the unsuitability
of the LibreSSL version API will create a maintenance nightmare.
(And LibreSSL is abusing the OpenSSL API.)
PR: 238382
Submitted by: pizzamig
Notes:
svn path=/head/; revision=506516
Upstream release announcement:
"This is primarily a maintenance release with bugfixes and improvements.
One of the big things is enhanced TLS 1.3 support
Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that."
Move USES up to please portlint.
Change summary:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-247>
Detailed change list:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.7>
Notes:
svn path=/head/; revision=493524
- Update WWW
Approved by: portmgr blanket
Notes:
svn path=/head/; revision=484182
Notes:
svn path=/head/; revision=479770
MFH: 2018Q3
Security: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
Notes:
svn path=/head/; revision=476834