Changelog For full changelog entries including the latest development, see gitweb. OpenConnect HEAD Fix ASN.1 encoding of TPMv2 ECDSA signatures with GnuTLS < 3.6.0 Handle Pulse configuration packets that cannot fit in a single TLS frame (#617, !480). Send operating system information to Pulse servers (!481). Change default user-agent string to be compatible with newer Cisco servers ( #544, #593, #602, #618, #635, #657, #662, #665, !497). Fix bug which has caused GlobalProtect split-include IPv6 routes to be broken since v9.00 (64f0c03d). Sort GlobalProtect gateways according to portal's regionalized priority list (#663, !495). openconnect_disable_dtls() allows to disable DTLS unless it is already connected (#697) Enable DTLSv1.0 to continue working with OpenSSL v3.1.0 and newer (!504, !536). Fix bug that caused OpenConnect to incorrectly log the remaining time until a re-key or periodic Trojan incorrect (#677, !539) OpenConnect v9.12 (PGP signature) — 2023-05-20 Fix FreeBSD build and tests. Add libopenconnect5.symbols file for Debian-style packaging (discussion). Explicitly reject overly long tun device names. Work around ambiguity between <json.h> from json-parser vs json-c (!476). Fix symbol versioning for openconnect_set_sni(). Increase maximum input size from stdin (#579). Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58). Fix Mac OS build of os-tcp-mtu tool (#612). OpenConnect v9.11 (PGP signature) — 2023-05-17 Rebuild test suite certificate chains (which had expired: #609) Fix stray (null) in URL path after Pulse authentication (4023bd95). Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475). Fix case sensitivity in GPST header matching (!474). Add external browser support for Windows ((#553). OpenConnect v9.10 (PGP signature) — 2023-05-04 Fix external browser authentication with KDE plasma-nm < 5.26. Always redirect stdout to stderr when spawning external browser. Increase default queue length to 32 packets (#582). Make the Wintun Layer 3 TUN driver the default on Windows (!427). Add support for and bundle Wintun 0.14.1 (!294). Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array (#435). Fix ESP failures under Windows (#427). Add list-system-keys tool to assist Windows/MacOS users in setup. Handle idiosyncratic variation in search domain separators for all protocols (#433, #443, !388). Support region selection field for Pulse authentication (!399). Support modified configuration packet from Pulse 9.1R16 servers (#472, !401) Allow hidden form fields to be populated or converted to text fields on the command line (#493, #489, !409) Support yet another strange way of encoding challenge-based 2FA for GlobalProtect (#495, !411) Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments (!297, !451). Parrot a GlobalProtect server's software version, if present, as the client version (!333) Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389). Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418). Support F5 VPNs which encode authentication forms only in JSON, not in HTML (#512, !431). Persist Windows installers for tagged builds (#463, !391). Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet (#568, !456). Support "FTM-push" token mode for Fortinet VPNs (#555, !450). Send IPv6-compatible version string in Pulse IF/T session establishment, and avoid its ESP/IP version layering idiocy on newer servers (#506, !414) Add --no-external-auth option to not advertise external-browser authentication, as a workaround for servers which behave differently when it is advertised (#470, !398) Emulate MacOS-specific contents in the HIP report for GlobalProtect (!471). Many small improvements in server response parsing, and better logging messages and documentation. OpenConnect v9.01 (PGP signature) — 2022-04-29 Fix library minor version (missing bump to 5.8). OpenConnect v9.00 (PGP signature) — 2022-04-29 Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP) (#410). Add support for AnyConnect "external browser" SSO mode (!354). On Windows, fix crash on tunnel setup. (#370, 6a2ffbb) Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20. (#388, !344) Support Cisco's multiple-certificate authentication (!194). Append internal=no to GlobalProtect authentication/configuration forms, for compatibility with servers which apparently require this to function properly. (#246, !337) Revert GlobalProtect default route handling change from v8.20. (!367) Support split-exclude routes for Fortinet. (#394, !345) Add openconnect_set_useragent() function. Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect. (!126). OpenConnect v8.20 (PGP signature) — 2022-02-20 When the queue length (-Q option) is 16 or more, try using vhost-net to accelerate tun device access. Use epoll() where available. Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. (#249) Make tncc-emulate.py work with Python 3.7+. (#152, !120) Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 (#176, !131) Support Juniper login forms containing both password and 2FA token (!121) Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto (!114) Add obsolete-server-crypto test (!114) Allow protocols to delay tunnel setup and shutdown (!117) Support for GlobalProtect IPv6 (!155 and !188; previous work in d6db0ec) SIGUSR1 causes OpenConnect to log detailed connection information and statistics (!154) Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint (!162, #25) Add insecure debugging build mode for developers (!112) Demangle default routes sent as split routes by GlobalProtect (!118) Improve GlobalProtect login argument decoding (!143) Add detection of authentication expiration date, intended to allow front-ends to cache and reuse authentication cookies/sessions (!156) Small bug fixes and clarification of many logging messages. Support more Juniper login forms, including some SSO forms (!171) Automatically build Windows installers for OpenConnect command-line interface (!176) Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header (#101, !175) Add support for PPP-based protocols, currently over TLS only (!165). Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet (!169). Add experimental support for Wintun Layer 3 TUN driver under Windows (#231, !178). Clean up and improve Windows routing/DNS configuration script (vpnc-scripts!26, vpnc-scripts!41, vpnc-scripts!44). On Windows, reclaim needed IP addresses from down network interfaces so that configuration script can succeed (!178). Fix output redirection under Windows (#229) More gracefully handle idle timeouts and other fatal errors for Juniper and Pulse (!187) Ignore failures to fetch the Juniper/oNCP landing page if the authentication was successful (3e779436). Add support for Array Networks SSL VPN (#102) Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. (ed80bfac...ee1cd782) Add openconnect_get_connect_url() to simplify passing correct server information to the connecting openconnect process. (NetworkManager-openconnect #46, #53) Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. (RH#1960763). Pass "portal cookie" fields from GlobalProtect portal to gateway to avoid repetition of password- or SAML-based login (!199) With --user, enter username supplied via command-line into all authentication forms, not just the first. (#267, !220). Fix a subtle bug which has prevented ESP rekey and ESP-to-TLS fallback from working reliably with the Juniper/oNCP protocol since v8.04. (#322, !293). Fix a bug in csd-wrapper.sh which has prevented it from correctly downloading compressed Trojan binaries since at least v8.00. (!305) Make Windows socketpair emulation more robust in the face of Windows's ability to break its localhost routes. (#228, #361, !320) Perform proper disconnect and routes cleanup on Windows when receiving Ctrl+C or Ctrl+Break. (#362, !323) Improve logging in routing/DNS configuration scripts. (!328, vpnc-scripts!45) Support modified configuration packet from Pulse 9.1R14 servers (#379, !331) OpenConnect v8.10 (PGP signature) — 2020-05-14 Install bash completion script to ${datadir}/bash-completion/completions/openconnect. Improve compatibility of csd-post.sh trojan. Update Android build dependencies and bump API level to support Android 10. Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823). OpenConnect v8.09 (PGP signature) — 2020-04-29 Add bash completion support. Give more helpful error in case of Pulse servers asking for TNCC. Sanitize non-canonical Legacy IP network addresses (!97) Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105). Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91) Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP. (!89 GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms (!95, !93, !90) Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED (#123). OpenConnect v8.08 (PGP signature) — 2020-04-06 Fix check of pin-sha256: public key hashes to be case sensitive (#116). Don't give non-functioning stderr to CSD trojan scripts. Fix crash with uninitialised OIDC token. OpenConnect v8.07 (PGP signature) — 2020-04-04 Don't abort Pulse connection when server-provided certificate MD5 doesn't match. Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks. Don't abort connection if CSD wrapper script returns non-zero (for now). Make --passtos work for protocols that use ESP, in addition to DTLS. Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. OpenConnect v8.06 (PGP signature) — 2020-03-31 Implement EAP-TTLS fragmentation. Fix Windows build with MSYS2 (#74). Allow custom stoken rcfile to be specified (#71). Periodic HIP checking for GlobalProtect, and cross-protocol API (!56). Ciphersuite priority override options (!71). Clearer GlobalProtect debugging/SAML output (!66, !69). Explain experimental Pulse support for servers where Juniper oNCP is disabled (!48). Ignore missing Cisco CSD stub and simply CSD subprocess invocation (!77, !74). Pass IDLE_TIMEOUT to vpnc-script (!67). Windows line-ending flexibility for standard input (!78). Disable DTLS for GnuTLS versions between 3.6.3 and 3.6.13 inclusive due to GnuTLS #960. Add RFC6750 Bearer token support (!70). OpenConnect v8.05 (PGP signature) — 2019-09-12 Fix GlobalProtect ESP stall (!55). Fix HTTP chunked encoding buffer overflow (CVE-2019-16239). OpenConnect v8.04 (PGP signature) — 2019-08-09 Rework DTLS MTU detection. (#10) Add Pulse Connect Secure support. OpenSSL build fixes (!51). Add HMAC-SHA256-128 (RFC4868) support for ESP. Support IPv6 in ESP. Translate user-visible strings from openconnect_get_supported_protocols(). Fix proxy username/password handling to allow special characters and escaping. OpenConnect v8.03 (PGP signature) — 2019-05-18 Fix detection of utun support on OS X (#18). Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384. Fix Solaris 11.4 build by properly detecting memset_s(). Fix recognition of OTP password fields (#24). OpenConnect v8.02 (PGP signature) — 2019-01-16 Fix GNU/Hurd build. Discover vpnc-script in default packaged location on FreeBSD/OpenBSD. Support split-exclude routes for GlobalProtect. Fix GnuTLS builds without libtasn1. Fix DTLS support with OpenSSL 1.1.1+. Add Cisco-compatible DTLSv1.2 support. Invoke script with reason=attempt-reconnect before doing so. OpenConnect v8.01 (PGP signature) — 2019-01-05 Fix memset_s() arguments. Fix OpenBSD build. OpenConnect v8.00 (PGP signature) — 2019-01-05 Clear form submissions (which may include passwords) before freeing (CVE-2018-20319). Allow form responses to be provided on command line. Add support for SSL keys stored in TPM2. Fix ESP rekey when replay protection is disabled. Drop support for GnuTLS older than 3.2.10. Fix --passwd-on-stdin for Windows to not forcibly open console. Fix portability of shell scripts in test suite. Add Google Authenticator TOTP support for Juniper. Add RFC7469 key PIN support for cert hashes. Add protocol method to securely log out the Juniper session. Relax requirements for Juniper hostname packet response to support old gateways. Add API functions to query the supported protocols. Verify ESP sequence numbers and warn even if replay protection is disabled. Add support for Palo Alto Networks (PAN) GlobalProtect VPN protocol (--protocol=gp). Reorganize listing of command-line options, and include information on supported protocols. SIGTERM cleans up the session similarly to SIGINT. OpenConnect v7.08 (PGP signature) — 2016-12-13 Add SHA256 support for server cert hashes. Enable DHE ciphers for Cisco DTLS. Increase initial oNCP configuration buffer size. Reopen CONIN$ when stdin is redirected on Windows. Improve support for point-to-point routing on Windows. Check for non-resumed DTLS sessions which may indicate a MiTM attack. Add TUNIDX environment variable on Windows. Fix compatibility with Pulse Secure 8.2R5. Fix IPv6 support in Solaris. Support DTLS automatic negotiation. Support --key-password for GnuTLS PKCS#11 PIN. Support automatic DTLS MTU detection with OpenSSL. Drop support for combined GnuTLS/OpenSSL build. Update OpenSSL to allow TLSv1.2, improve compatibility options. Remove --no-cert-check option. It was being (mis)used. Fix OpenSSL support for PKCS#11 EC keys without public key. Support for final OpenSSL 1.1 release. Fix polling/retry on "tun" socket when buffers full. Fix AnyConnect server-side MTU setting. Fix ESP replay detection. Allow build with LibreSSL (for fetishists only; do not use this as DTLS is broken). Add certificate torture test suite. Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL. Fix integer overflow issues with ESP packet replay detection. Add --pass-tos option as in OpenVPN. Support rôle selection form in Juniper VPN. Support DER-format certificates, add certificate format torture tests. For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option. Support Juniper "Pre Sign-in Message". OpenConnect v7.07 (PGP signature) — 2016-07-11 More fixes for OpenSSL 1.1 build. Support Juniper "Post Sign-in Message". Add --protocol option. Fix ChaCha20-Poly1305 cipher suite to reflect final standard. Add ability to disable IPv6 support via library API. Set groups appropriately when using setuid(). Automatic DTLS MTU detection. Support SSL client certificate authentication with Juniper servers. Revamp SSL certificate validation for OpenSSL and stop supporting OpenSSL older than 0.9.8. Fix handling of multiple DNS search domains with Network Connect. Fix handling of large configuration packets for Network Connect. Enable SNI when built with OpenSSL (1.0.1g or later). Add --resolve and --local-hostname options to command line. OpenConnect v7.06 (PGP signature) — 2015-03-17 Fix openconnect.pc breakage after liboath removal. Refactor Juniper Network Connect receive loop. Fix some memory leaks. Add Bosnian translation. OpenConnect v7.05 (PGP signature) — 2015-03-10 Fix alignment issue which broke LZS compression on ARM etc. Support HTTP authentication to servers, not just proxies. Work around Yubikey issue with non-ASCII passphrase set on pre-KitKat Android. Add SHA256/SHA512 support for OATH. Remove liboath dependency. Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2. Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711). Fix build with OpenSSL HEAD (OpenSSL 1.1.x). Preliminary support for Juniper SSL VPN. OpenConnect v7.04 (PGP signature) — 2015-01-25 Change default behaviour to enable only stateless compression. Add --compression argument and openconnect_set_compression_mode(). Add support for LZS compression (compatible with latest Cisco ASA and ocserv). Add support for LZ4 compression (compatible with ocserv). OpenConnect v7.03 (PGP signature) — 2015-01-09 Android build infrastructure updates, including 64-bit support. Clean up handling of incoming packets. Fix issue with two-stage (i.e. NetworkManager) connection to servers with trick DNS (RH#1179681). Stop using static variables for received packets. OpenConnect v7.02 (PGP signature) — 2014-12-19 Add PKCS#11 support for OpenSSL. Fix handling of select options in openconnect_set_option_value(). OpenConnect v7.01 (PGP signature) — 2014-12-07 Try harder to find a PKCS#11 key to match a given certificate. Handle 'Connection: close' from proxies correctly. Warn when MTU is set too low (<1280) to permit IPv6 connectivity. Add support for X-CSTP-DynDNS, to trigger DNS lookup on each reconnect. OpenConnect v7.00 (PGP signature) — 2014-11-27 Add support for GnuTLS 3.4 system: keys including Windows certificate store. Add support for HOTP/TOTP keys from Yubikey NEO devices. Add ---no-system-trust option to disable default certificate authorities. Improve libiconv and libintl detection. Stop calling setenv() from library functions. Support utun driver on OS X. Change library API so string ownership is never transferred. Support new NDIS6 TAP-Windows driver shipped with OpenVPN 2.3.4. Support using PSKC (RFC6030) token files for HOTP/TOTP tokens. Support for updating HOTP token storage when token is used. Support for reading OTP token data from a file. Add full character set handling for legacy non-UTF8 systems (including Windows). Fix legacy (i.e. not XML POST) submission of non-ASCII form entries (even in UTF-8 locales). Add support for 32-bit Windows XP. Avoid retrying without XML POST, when we failed to even reach the server. Fix off-by-one in parameter substitution in error messages. Improve reporting when GSSAPI auth requested but not compiled in. Fix parsing of split include routes on Windows. Fix crash on invocation with --token-mode but no --token-secret. OpenConnect v6.00 (PGP signature) — 2014-07-08 Support SOCKS proxy authentication (password, GSSAPI). Support HTTP proxy authentication (Basic, Digest, NTLM and GSSAPI). Download XML profile in XML POST mode. Fix a couple of bugs involving DTLS rekeying. Fix problems seen when building or connecting without DTLS enabled. Fix tun error handling on Windows hosts. Skip password prompts when using PKCS#8 and PKCS#12 certificates with empty passwords. Fix several minor memory leaks and error paths. Update several Android dependencies, and make the download process more robust. OpenConnect v5.99 (PGP signature) — 2014-03-05 Add RFC4226 HOTP token support. Tolerate servers closing connection uncleanly after HTTP/1.0 response (Ubuntu #1225276). Add support for IPv6 split tunnel configuration. Add Windows support with MinGW (tested with both IPv6 and Legacy IP with latest vpnc-script-win.js) Change library API to support updating the auth form when the authgroup is changed (Ubuntu #1229195). Change --os mac to --os mac-intel, to match the identifier used by Cisco clients. Add new API functions to support invoking the VPN mainloop directly from an application. Add JNI interface and sample Java application. Fix junk in --cookieonly output when CSD is enabled. Enable TOTP, stoken, and JNI support in the Android builds. Add --pfs option to enforce perfect forward secrecy. Enable elliptic curves with GnuTLS 3.2.9+, where there is a workaround for certain firewalls that fail with client hellos between 256 and 512 bytes. Add padding when sending password, to avoid leakage of password and username length. Add support for DTLS 1.2 and AES-GCM when connecting to ocserv. Add support for server name indication when compiled with GnuTLS 3.2.9+. OpenConnect v5.03 (PGP signature) — 2014-02-03 Fix crash on --authenticate due to freeing --cafile option in argv. OpenConnect v5.02 (PGP signature) — 2014-01-01 Fix XML POST issues with authgroups by falling back to old style login. Fix --cookie-on-stdin with cookies from ocserv. Fix reconnection to wrong host after redirect. Reduce limit of queued packets on DTLS socket, to fix VoIP latency. Fix Solaris build breakage due to missing <string.h> includes. Include path in <group-access> node. Include supporting CA certificates from PKCS#11 tokens (with GnuTLS 3.2.7+). Fix possible heap overflow if MTU is increased on reconnection (CVE-2013-7098). OpenConnect v5.01 (PGP signature) — 2013-06-01 Attempt to handle <client-cert-request> in aggregate auth mode. Don't include X-Aggregate-Auth: header in fallback mode. Enable AES256 mode for DTLS with GnuTLS (RH#955710). Add --dump-http-traffic option for debugging. Be more permissive in parsing XML forms. Use original URL when falling back to non-XML POST mode. Add --no-xmlpost option to revert to older, compatible behaviour. Close connection before falling back to non-xmlpost mode (RH#964650). Improve error handling when server closes connection (Debian #708928). OpenConnect v5.00 (PGP signature) — 2013-05-15 Use GnuTLS by default instead of OpenSSL. Avoid using deprecated gnutls_pubkey_verify_data() function. Fix compatibility issues with XML POST authentication. Fix memory leaks on realloc() failure. Fix certificate validation problem caused by hostname canonicalisation. Add RFC6238 TOTP token support using liboath. Replace --stoken option with more generic --token-mode and --token-secret options. OpenConnect v4.99 (PGP signature) — 2013-02-07 Add --os switch to report a different OS type to the gateway. Support new XML POST format. Add SecurID token support using libstoken. OpenConnect v4.08 (PGP signature) — 2013-02-13 Fix overflow on HTTP request buffers (CVE-2012-6128) Fix connection to servers with round-robin DNS with two-stage auth/connect. Impose minimum MTU of 1280 bytes. Fix some harmless issues reported by Coverity. Improve "Attempting to connect..." message to be explicit when it's connecting to a proxy. OpenConnect v4.07 (PGP signature) — 2012-08-31 Fix segmentation fault when invoked with -p argument. Fix handling of write stalls on CSTP (TCP) socket. OpenConnect v4.06 (PGP signature) — 2012-07-23 Fix default CA location for non-Fedora systems with old GnuTLS. Improve error handing when vpnc-script exits with error. Handle PKCS#11 tokens which won't list keys without login. OpenConnect v4.05 (PGP signature) — 2012-07-12 Use correct CSD script for Mac OS X. Fix endless loop in PIN cache handling with multiple PKCS#11 tokens. Fix PKCS#11 URI handling to preserve all attributes. Don't forget key password on GUI reconnect. Fix GnuTLS v3 build on OpenBSD. OpenConnect v4.04 (PGP signature) — 2012-07-05 Fix GnuTLS password handling for PKCS#8 files. OpenConnect v4.03 (PGP signature) — 2012-07-02 Fix --no-proxy option. Fix handling of requested vs. received MTU settings. Fix DTLS MTU for GnuTLS 3.0.21 and newer. Support more ciphers for OpenSSL encrypted PEM keys, with GnuTLS. Fix GnuTLS compatibility issue with servers that insist on TLSv1.0 or non-AES ciphers (RH#836558). OpenConnect v4.02 (PGP signature) — 2012-06-28 Fix build failure due to unconditional inclusion of <gnutls/dtls.h>. OpenConnect v4.01 (PGP signature) — 2012-06-28 Fix DTLS MTU issue with GnuTLS. Fix reconnect crash when compression is disabled. Fix build on systems like FreeBSD 8 without O_CLOEXEC. Add --dtls-local-port option. Print correct error when /dev/net/tun cannot be opened. Fix openconnect.pc pkg-config file not to require zlib.pc on systems which lack it (like RHEL5). OpenConnect v4.00 (PGP signature) — 2012-06-20 Add support for OpenSSL's odd encrypted PKCS#1 files, for GnuTLS. Fix repeated passphrase retry for OpenSSL. Add keystore support for Android. Support TPM, and also additional checks on PKCS#11 certs, even with GnuTLS 2.12. Fix library references to OpenSSL's ERR_print_errors_cb() when built against GnuTLS v2.12. OpenConnect v3.99 (PGP signature) — 2012-06-13 Enable native TPM support when built with GnuTLS. Enable PKCS#11 token support when built with GnuTLS. Eliminate all SSL library exposure through libopenconnect. Parse split DNS information, provide $CISCO_SPLIT_DNS environment variable to vpnc-script. Attempt to provide new-style MTU information to server (on Linux only, unless specified on command line). Allow building against GnuTLS, including DTLS support. Add --with-pkgconfigdir= option to configure for FreeBSD's benefit (fd#48743). OpenConnect v3.20 (PGP signature) — 2012-05-18 Cope with non-keepalive HTTP response on authentication success. Fix progress callback with incorrect cbdata which caused KDE crash. OpenConnect v3.19 (PGP signature) — 2012-05-17 Add --config option for reading options from file. Improve OpenSSL DTLS compatibility to work on Ubuntu 10.04. Flush progress logging output promptly after each message. Add symbol versioning for shared library (on sane platforms). Add openconnect_set_cancel_fd() function to allow clean cancellation. Fix corruption of URL in openconnect_parse_url() if it specifies a port number. Fix inappropriate exit() calls from library code. Library namespace cleanup — all symbols now have the prefix openconnect_ on platforms where symbol versioning works. Fix --non-inter option so it still uses login information from command line. OpenConnect v3.18 (PGP signature) — 2012-04-25 Fix autohate breakage with --disable-nls... hopefully. Fix buffer overflow in banner handling. OpenConnect v3.17 (PGP signature) — 2012-04-20 Work around time() brokenness on Solaris. Fix interface plumbing on Solaris 10. Provide asprintf() function for (unpatched) Solaris 10. Make vpnc-script mandatory, like it is for vpnc Don't set Legacy IP address on tun device; let vpnc-script do it. Detect OpenSSL even without pkg-config. Stop building static library by default. Invoke vpnc-script with "pre-init" reason to load tun module if necessary. OpenConnect v3.16 (PGP signature) — 2012-04-08 Fix build failure on Debian/kFreeBSD and Hurd. Fix memory leak of deflated packets. Fix memory leak of zlib state on CSTP reconnect. Eliminate memcpy() calls on packets from DTLS and tunnel device. Use I_LINK instead of I_PLINK on Solaris to plumb interface for Legacy IP. Plumb interface for IPv6 on Solaris, instead of expecting vpnc-script to do it. Refer to vpnc-script and help web pages in openconnect output. Fix potential crash when processing libproxy results. Be more conservative in detecting libproxy without pkg-config. OpenConnect v3.15 (PGP signature) — 2011-11-25 Fix for reading multiple packets from Solaris tun device. Call bindtextdomain() to ensure that translations are found in install path. OpenConnect v3.14 (PGP signature) — 2011-11-08 Move executable to $prefix/sbin. Fix build issues on OSX, OpenIndiana, DragonFlyBSD, OpenBSD, FreeBSD & NetBSD. Fix non-portable (void *) arithmetic. Make more messages translatable. Attempt to make NLS support more portable (with fewer dependencies). OpenConnect v3.13 (PGP signature) — 2011-09-30 Add --cert-expire-warning option. Give visible warning when server dislikes client SSL certificate. Add localisation support. Fix build on Debian systems where dtls1_stop_timer() is not available. Fix libproxy detection. Enable a useful set of compiler warnings by default. Fix various minor compiler warnings. OpenConnect v3.12 — 2011-09-12 Fix DTLS compatibility with ASA firmware 8.4.1(11) and above. Fix build failures on GNU Hurd, on systems with ancient OpenSSL, and on Debian. Add --pid-file option. Print SHA1 fingerprint with server certificate details. OpenConnect v3.11 — 2011-07-20 Add Android.mk file for Android build support Add logging support for Android, in place of standard syslog(). Switch back to using TLSv1, but without extensions. Make TPM support optional, dependent on OpenSSL ENGINE support. OpenConnect v3.10 — 2011-06-30 Switch to using GNU autoconf/automake/libtool. Produce shared library for authentication. Improve library API to make life easier for C++ users. Be more explicit about requiring pkg-config. Invoke script with reason=reconnect on CSTP reconnect. Add --non-inter option to avoid all user input. OpenConnect v3.02 — 2011-04-19 Install man page in make install target. Add openconnect_vpninfo_free() to libopenconnect. Clear cached peer_addr to avoid reconnecting to wrong host. OpenConnect v3.01 — 2011-03-09 Add libxml2 to pkg-config requirements. OpenConnect v3.00 — 2011-03-09 Create libopenconnect.a for GUI authentication dialog to use. Remove auth-dialog, which now lives in the network-manager-openconnect package. Cope with more entries in authentication forms. Add --csd-wrapper option to wrap CSD trojan. Report error and abort if CA file cannot be opened. OpenConnect v2.26 — 2010-09-22 Fix potential crash on relative HTTP redirect. Use correct TUN/TAP device node on Android. Check client certificate expiry date. Implement CSTP and DTLS rekeying (both by reconnecting CSTP). Add --force-dpd option to set minimum DPD interval. Don't print webvpn cookie in debug output. Fix host selection in NetworkManager auth dialog. Use SSLv3 instead of TLSv1; some servers (or their firewalls) don't accept any ClientHello options. Never include address family prefix on script-tun connections. OpenConnect v2.25 — 2010-05-15 Always validate server certificate, even when no extra --cafile is provided. Add --no-cert-check option to avoid certificate validation. Check server hostname against its certificate. Provide text-mode function for reviewing and accepting "invalid" certificates. Fix libproxy detection on NetBSD. OpenConnect v2.24 — 2010-05-07 Forget preconfigured password after a single attempt; don't retry infinitely if it's failing. Set $CISCO_BANNER environment variable when running script. Better handling of passphrase failure on certificate files. Fix NetBSD build (thanks to Pouya D. Tafti). Fix DragonFly BSD build. OpenConnect v2.23 — 2010-04-09 Support "Cisco Secure Desktop" trojan in NetworkManager auth-dialog. Support proxy in NetworkManager auth-dialog. Add --no-http-keepalive option to work around Cisco's incompetence. Fix build on Debian/kFreeBSD. Fix crash on receiving HTTP 404 error. Improve workaround for server certificates lacking SSL_SERVER purpose, so that it also works with OpenSSL older than 0.9.8k. OpenConnect v2.22 — 2010-03-07 Fix bug handling port numbers above 9999. Ignore "Connection: Keep-Alive" in HTTP/1.0 to work around server bug with certificate authentication. Handle non-standard port (and full URLs) when used with NetworkManager. Cope with relative redirect and form URLs. Allocate HTTP receive buffer dynamically, to cope with arbitrary size of content. Fix server cert SHA1 comparison to be case-insensitive. Fix build on Solaris and OSX (strndup(), AI_NUMERICSERV). Fix exit code with --background option. OpenConnect v2.21 — 2010-01-10 Fix handling of HTTP 1.0 responses with keepalive (RH#553817). Fix case sensitivity in HTTP headers and hostname comparison on redirect. OpenConnect v2.20 — 2010-01-04 Fix use-after-free bug in NetworkManager authentication dialog (RH#551665). Allow server to be specified with https:// URL, including port and pathname (which Cisco calls 'UserGroup') Support connection through HTTP and SOCKS proxies. Handle HTTP redirection with port numbers. Handle HTTP redirection with IPv6 literal addresses. OpenConnect v2.12 — 2009-12-07 Fix buffer overflow when generating useragent string. Cope with idiotic schizoDNS configurations by not repeating DNS lookup for VPN server on reconnects. Support DragonFlyBSD. Probably. OpenConnect v2.11 — 2009-11-17 Add IPv6 support for FreeBSD. Support "split tunnel" mode for IPv6 routing. Fix bug where client certificate's MD5 was only given to the CSD trojan if a PKCS#12 certificate was used. OpenConnect v2.10 — 2009-11-04 OpenSolaris support. Preliminary support for IPv6 connectivity. Fix session shutdown on exit. Fix reconnection when TCP connection is closed. Support for "Cisco Secure Desktop" idiocy. Allow User-Agent: to be specified on command line. Fix session termination on disconnect. Fix recognition of certificates from OpenSSL 1.0.0. OpenConnect v2.01 — 2009-06-24 Fix bug causing loss of DTLS (and lots of syslog spam about it) after a CSTP reconnection. Don't apply OpenSSL certificate chain workaround if we already have "extra" certificates loaded (e.g. from a PKCS#12 file). Load "extra" certificates from .pem files too. Fix SEGV caused by freeing certificates after processing cert chain. OpenConnect v2.00 — 2009-06-03 Add OpenBSD and FreeBSD support. Build with OpenSSL-0.9.7 (Mac OS X, OpenBSD, etc.) Support PKCS#12 certificates. Automatic detection of certificate type (PKCS#12, PEM, TPM). Work around OpenSSL trust chain issues (RT#1942). Allow PEM passphrase to be specified on command line. Allow PEM passphrase automatically generated from the fsid of the file system on which the certificate is stored. Fix certificate comparisons (in NM auth-dialog and --servercert option) to use SHA1 fingerprint, not signature. Fix segfault in NM auth-dialog when changing hosts. OpenConnect v1.40 — 2009-05-27 Fix validation of server's SSL certificate when NetworkManager runs openconnect as an unprivileged user (which can't read the real user's trust chain file). Fix double-free of DTLS Cipher option on reconnect. Reconnect on SSL write errors Fix reporting of SSL errors through syslog/UI. OpenConnect v1.30 — 2009-05-13 NetworkManager auth-dialog will now cache authentication form options. OpenConnect v1.20 — 2009-05-08 DTLS cipher choice fixes. Improve handling of authentication group selection. Export more information to connection script. Add --background option to dæmonize after connection. Detect TCP connection closure. OpenConnect v1.10 — 2009-04-01 NetworkManager UI rewrite with many improvements. Support for "UserGroups" where a single server offers multiple configurations according to the URL used to connect. OpenConnect v1.00 — 2009-03-18 First non-beta release.