It's been a while (over a year) since the 7.06 release, and it's about time I finally pushed the button and made a new one.

The main change here is that we attempt to detect the DTLS MTU dynamically, which led to a change in how the connection is set up. I think we've finally sorted out the implications that had for Android and the way we interact with vpnc-script, which is one of the reasons I let it sit for a while before releasing it.

We also have ChromeOS support now, thanks to Kevin Cernekee.

ftp://ftp.infradead.org/pub/openconnect/openconnect-7.07.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.07.tar.gz.asc

Cameron Eagans (1):
      Fixing user cancel string capitalization

David Dindorp (2):
      Enable SNI extension with OpenSSL when version is 1.0.1g or above.
      Add a --resolve option to the CLI

David Woodhouse (76):
      Fix build without ESP
      Clean up minor cosmetic issues in configure script
      Make Juniper work on Windows
      Report errors coherently when connection fails
      Make it possible to override getaddrinfo()
      Fix socket connection error handling for Windows
      Don't always send Proxy-Authenticate: for SSPI auth
      Update translations from GNOME
      Dump unknown oNCP conf packet
      Handle fragmented KMP 301 packet in setup
      PKCS#11 URI is now published as RFC7512
      Update translations from GNOME
      Remove stray digit in API comments
      Fix typos pointed out by Anders Jonsson
      Update translations from GNOME
      Resync translations with sources
      Update translations from GNOME
      Use canonical representation of 's?' in Spanish translation
      Update translations from GNOME
      Fix build with OpenSSL 1.1 (HEAD)
      Let OpenSSL 1.0.2 or later do the certificate vs. hostname/IP checks for us
      Fix premature termination check for GnuTLS 2.x
      Strip commas from DNS search paths
      Let TLS library build DTLS cipher list dynamically
      Allow compile-time optimisation of some GnuTLS version checks
      Clean up GnuTLS default prio string handling a little
      Fix GnuTLS priority strings
      Refer to PGP key by fingerprint, use HTTPS URI for keyserver
      Import translations from GNOME
      Kill auth_is_proxy() abomination in ntlm.c
      Fix DTLS/OpenSSL build break
      Import translations from GNOME
      Eliminate create_openssl_ui() in !HAVE_ENGINE build
      Fix build failure with DEFAULT_PRIO set
      Print GnuTLS priority string when setting it fails
      Update translations for changed string
      Resync translations with sources
      Import translations from GNOME
      Fix IPv6-only connectivity
      Allow TLS rehandshake with GnuTLS
      Fix dtls.c build for OpenSSL HEAD
      Use X509_up_ref() for OpenSSL 1.1.0+
      For OpenSSL, also require that server cert on rehandshake be identical
      Revamp OpenSSL certificate validation
      Add release version+date to API changelog
      Update API release info on tag
      Merge branch 'mtu' of https://github.com/nmav/openconnect-mine
      Add note-to-self comment about adding DTLS cipher suites
      Update changelog
      Update translations from GNOME
      Do not shutdown tun if it isn't running
      Remove oncp_https_submit() function
      Update comment about own HTTP implementation
      Fix broken !HAVE_DTLS build
      Move Juniper check_cookie_success() before HTML parsing
      Import translations from GNOME
      Resync translations with sources
      Add en_US translation for another occurrence of 'cancelled'
      Update translations from GNOME
      Resync translations with sources
      Add --protocol option
      Use constant struct for protocol definitions
      Add --protocol to changelog
      Import translations from GNOME
      Fix typo in Juniper Post Sign-in Message handling
      Fix OpenSSL+libp11 crash on PKCS11_CTX_load() failure
      Be explicit which PKCS#11 provider failed to load
      Fix build against OpenSSL 1.1 HEAD
      Allow override of ${OPENSSL_CFLAGS} with manual/static build
      More OpenSSL 1.1 fixes
      Import translations from GNOME
      Import translations from GNOME
      Resync translations with sources
      Fix typo in Indonesian translation
      Note OpenSSL fixes in changelog
      Tag version 7.07

Jon DeVree (1):
      Fix use of X509_check_host

Katelyn Schiesser (1):
      Add support for Juniper's Post Sign-in Message

Kevin Cernekee (21):
      Document the remaining DTLS states
      mainloop: Fix pause/resume on gateways without DTLS
      Convert tun_is_up into an inline function
      library: Fix misspelling of "node" in openconnect_override_getaddrinfo()
      Make the library callable from C++
      NaCl: Detect systems that don't support statfs()
      NaCl: Enable libc feature test macros
      NaCl: Bypass ioctls during tunnel setup
      NaCl: Don't try to use CSD, vsyslog, or setgroups
      library: Add gateway_addr field to ip_info
      library: Add setup_tun() callback
      Fix missing -llz4 in static builds
      dtls: Fix memcmp() arguments in MTU detection code
      NaCl: Add autoconf check for IPV6_PATHMTU getsockopt() call
      Allow OC_CMD_PAUSE to abort connection attempts
      library: Add reconnected() callback
      library: Add openconnect_get_dnsname()
      library: Add openconnect_get_peer_cert_chain()
      library: Alphabetize OPENCONNECT_5_2 and OPENCONNECT_5_3 symbols
      gnutls: Load application-defined key types by URL
      dtls: Fix WIN32 build

Nikos Mavrogiannopoulos (21):
      static checks for gnutls version were made dynamic
      Allow overriding the default GnuTLS priority string
      Only enable the DTLS ciphersuites that match the ones enabled in TLS
      Added chacha20-poly1305 as a DTLS ciphersuite for gnutls
      Added openconnect_get_dtls_compression and openconnect_get_cstp_compression
      Print the compression algorithm name after DTLS is connected
      Allow processing multiple inputs from stdin in non-interactive mode
      openconnect.h: be more clear in running ant
      Delay tun device creation until DTLS has been negotiated
      Added MTU detection after DTLS channel establishment
      When using setuid() also use setgid() and setgroups()
      Added API to disable IPv6
      Use the PSK variant of CHACHA20-POLY1305
      Added .gitlab-ci.yml to allow CI builds in gitlab
      .gitlab-ci.yml: updated to compile with openssl and mingw32
      Only define detect_mtu() in gnutls code path
      Fixed compilation issues in windows
      Added openconnect_set_localname()
      openconnect: introduced the --local-hostname option
      Fixed regression with CSTP MTU handling
      Add a basic test suite

Stefan Becker (1):
      Daemonize CSD wrapper script process

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation