Home Features Getting Started Mailing List / Help Contribute Protocols VPN Server

OpenConnect VPN client

About Supported Platforms Download Packages Changelog Licence

Changelog

For full changelog entries including the latest development, see gitweb.

• OpenConnect HEAD
  • No changelog entries yet
  
  
• OpenConnect v9.12 (PGP signature) — 2023-05-20
  • Fix FreeBSD build and tests.
  • Add libopenconnect5.symbols file for Debian-style packaging (discussion).
  • Explicitly reject overly long tun device names.
  • Work around ambiguity between <json.h> from json-parser vs json-c (!476).
  • Fix symbol versioning for openconnect_set_sni().
  • Increase maximum input size from stdin (#579).
  • Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
  • Fix Mac OS build of os-tcp-mtu tool (#612).
  
  
• OpenConnect v9.11 (PGP signature) — 2023-05-17
  • Rebuild test suite certificate chains (which had expired: #609)
  • Fix stray (null) in URL path after Pulse authentication (4023bd95).
  • Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
  • Fix case sensitivity in GPST header matching (!474).
  • Add external browser support for Windows ((#553).
  
  
• OpenConnect v9.10 (PGP signature) — 2023-05-04
  • Fix external browser authentication with KDE plasma-nm < 5.26.
  • Always redirect stdout to stderr when spawning external browser.
  • Increase default queue length to 32 packets (#582).
  • Make the Wintun Layer 3 TUN driver the default on Windows (!427).
  • Add support for and bundle Wintun 0.14.1 (!294).
  • Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array (#435).
  • Fix ESP failures under Windows (#427).
  • Add list-system-keys tool to assist Windows/MacOS users in setup.
  • Handle idiosyncratic variation in search domain separators for all protocols (#433, #443, !388).
  • Support region selection field for Pulse authentication (!399).
  • Support modified configuration packet from Pulse 9.1R16 servers (#472, !401)
  • Allow hidden form fields to be populated or converted to text fields on the command line (#493, #489, !409)
  • Support yet another strange way of encoding challenge-based 2FA for GlobalProtect (#495, !411)
  • Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments (!297, !451).
  • Parrot a GlobalProtect server's software version, if present, as the client version (!333)
  • Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
  • Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
  • Support F5 VPNs which encode authentication forms only in JSON, not in HTML (#512, !431).
  • Persist Windows installers for tagged builds (#463, !391).
  • Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet (#568, !456).
  • Support "FTM-push" token mode for Fortinet VPNs (#555, !450).
  • Send IPv6-compatible version string in Pulse IF/T session establishment, and avoid its ESP/IP version layering idiocy on newer servers (#506, !414)
  • Add --no-external-auth option to not advertise external-browser authentication, as a workaround for servers which behave differently when it is advertised (#470, !398)
  • Emulate MacOS-specific contents in the HIP report for GlobalProtect (!471).
  • Many small improvements in server response parsing, and better logging messages and documentation.
  
  
• OpenConnect v9.01 (PGP signature) — 2022-04-29
  • Fix library minor version (missing bump to 5.8).
  
  
• OpenConnect v9.00 (PGP signature) — 2022-04-29
  • Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP) (#410).
  • Add support for AnyConnect "external browser" SSO mode (!354).
  • On Windows, fix crash on tunnel setup. (#370, 6a2ffbb)
  • Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20. (#388, !344)
  • Support Cisco's multiple-certificate authentication (!194).
  • Append internal=no to GlobalProtect authentication/configuration forms, for compatibility with servers which apparently require this to function properly. (#246, !337)
  • Revert GlobalProtect default route handling change from v8.20. (!367)
  • Support split-exclude routes for Fortinet. (#394, !345)
  • Add openconnect_set_useragent() function.
  • Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect. (!126).
  
  
• OpenConnect v8.20 (PGP signature) — 2022-02-20
  • When the queue length (-Q option) is 16 or more, try using vhost-net to accelerate tun device access.
  • Use epoll() where available.
  • Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. (#249)
  • Make tncc-emulate.py work with Python 3.7+. (#152, !120)
  • Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 (#176, !131)
  • Support Juniper login forms containing both password and 2FA token (!121)
  • Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto (!114)
  • Add obsolete-server-crypto test (!114)
  • Allow protocols to delay tunnel setup and shutdown (!117)
  • Support for GlobalProtect IPv6 (!155 and !188; previous work in d6db0ec)
  • SIGUSR1 causes OpenConnect to log detailed connection information and statistics (!154)
  • Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint (!162, #25)
  • Add insecure debugging build mode for developers (!112)
  • Demangle default routes sent as split routes by GlobalProtect (!118)
  • Improve GlobalProtect login argument decoding (!143)
  • Add detection of authentication expiration date, intended to allow front-ends to cache and reuse authentication cookies/sessions (!156)
  • Small bug fixes and clarification of many logging messages.
  • Support more Juniper login forms, including some SSO forms (!171)
  • Automatically build Windows installers for OpenConnect command-line interface (!176)
  • Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header (#101, !175)
  • Add support for PPP-based protocols, currently over TLS only (!165).
  • Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet (!169).
  • Add experimental support for Wintun Layer 3 TUN driver under Windows (#231, !178).
  • Clean up and improve Windows routing/DNS configuration script (vpnc-scripts!26, vpnc-scripts!41, vpnc-scripts!44).
  • On Windows, reclaim needed IP addresses from down network interfaces so that configuration script can succeed (!178).
  • Fix output redirection under Windows (#229)
  • More gracefully handle idle timeouts and other fatal errors for Juniper and Pulse (!187)
  • Ignore failures to fetch the Juniper/oNCP landing page if the authentication was successful (3e779436).
  • Add support for Array Networks SSL VPN (#102)
  • Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. (ed80bfac...ee1cd782)
  • Add openconnect_get_connect_url() to simplify passing correct server information to the connecting openconnect process. (NetworkManager-openconnect #46, #53)
  • Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. (RH#1960763).
  • Pass "portal cookie" fields from GlobalProtect portal to gateway to avoid repetition of password- or SAML-based login (!199)
  • With --user, enter username supplied via command-line into all authentication forms, not just the first. (#267, !220).
  • Fix a subtle bug which has prevented ESP rekey and ESP-to-TLS fallback from working reliably with the Juniper/oNCP protocol since v8.04. (#322, !293).
  • Fix a bug in csd-wrapper.sh which has prevented it from correctly downloading compressed Trojan binaries since at least v8.00. (!305)
  • Make Windows socketpair emulation more robust in the face of Windows's ability to break its localhost routes. (#228, #361, !320)
  • Perform proper disconnect and routes cleanup on Windows when receiving Ctrl+C or Ctrl+Break. (#362, !323)
  • Improve logging in routing/DNS configuration scripts. (!328, vpnc-scripts!45)
  • Support modified configuration packet from Pulse 9.1R14 servers (#379, !331)
  
  
• OpenConnect v8.10 (PGP signature) — 2020-05-14
  • Install bash completion script to ${datadir}/bash-completion/completions/openconnect.
  • Improve compatibility of csd-post.sh trojan.
  • Update Android build dependencies and bump API level to support Android 10.
  • Fix potential buffer overflow with GnuTLS describing local certs (CVE-2020-12823).
  
  
• OpenConnect v8.09 (PGP signature) — 2020-04-29
  • Add bash completion support.
  • Give more helpful error in case of Pulse servers asking for TNCC.
  • Sanitize non-canonical Legacy IP network addresses (!97)
  • Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105).
  • Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well. (!91)
  • Disable Nagle's algorithm for TLS sockets, to improve interactivity when tunnel runs over TCP rather than UDP. (!89
  • GlobalProtect: more resilient handling of periodic HIP check and login arguments, and predictable naming of challenge forms (!95, !93, !90)
  • Work around PKCS#11 tokens which forget to set CKF_LOGIN_REQUIRED (#123).
  
  
• OpenConnect v8.08 (PGP signature) — 2020-04-06
  • Fix check of pin-sha256: public key hashes to be case sensitive (#116).
  • Don't give non-functioning stderr to CSD trojan scripts.
  • Fix crash with uninitialised OIDC token.
  
  
• OpenConnect v8.07 (PGP signature) — 2020-04-04
  • Don't abort Pulse connection when server-provided certificate MD5 doesn't match.
  • Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks.
  • Don't abort connection if CSD wrapper script returns non-zero (for now).
  • Make --passtos work for protocols that use ESP, in addition to DTLS.
  • Convert tncc-wrapper.py to Python 3, and include modernized tncc-emulate.py as well.
  
  
• OpenConnect v8.06 (PGP signature) — 2020-03-31
  • Implement EAP-TTLS fragmentation.
  • Fix Windows build with MSYS2 (#74).
  • Allow custom stoken rcfile to be specified (#71).
  • Periodic HIP checking for GlobalProtect, and cross-protocol API (!56).
  • Ciphersuite priority override options (!71).
  • Clearer GlobalProtect debugging/SAML output (!66, !69).
  • Explain experimental Pulse support for servers where Juniper oNCP is disabled (!48).
  • Ignore missing Cisco CSD stub and simply CSD subprocess invocation (!77, !74).
  • Pass IDLE_TIMEOUT to vpnc-script (!67).
  • Windows line-ending flexibility for standard input (!78).
  • Disable DTLS for GnuTLS versions between 3.6.3 and 3.6.13 inclusive due to GnuTLS #960.
  • Add RFC6750 Bearer token support (!70).
  
  
• OpenConnect v8.05 (PGP signature) — 2019-09-12
  • Fix GlobalProtect ESP stall (!55).
  • Fix HTTP chunked encoding buffer overflow (CVE-2019-16239).
  
  
• OpenConnect v8.04 (PGP signature) — 2019-08-09
  • Rework DTLS MTU detection. (#10)
  • Add Pulse Connect Secure support.
  • OpenSSL build fixes (!51).
  • Add HMAC-SHA256-128 (RFC4868) support for ESP.
  • Support IPv6 in ESP.
  • Translate user-visible strings from openconnect_get_supported_protocols().
  • Fix proxy username/password handling to allow special characters and escaping.
  
  
• OpenConnect v8.03 (PGP signature) — 2019-05-18
  • Fix detection of utun support on OS X (#18).
  • Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
  • Fix Solaris 11.4 build by properly detecting memset_s().
  • Fix recognition of OTP password fields (#24).
  
  
• OpenConnect v8.02 (PGP signature) — 2019-01-16
  • Fix GNU/Hurd build.
  • Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
  • Support split-exclude routes for GlobalProtect.
  • Fix GnuTLS builds without libtasn1.
  • Fix DTLS support with OpenSSL 1.1.1+.
  • Add Cisco-compatible DTLSv1.2 support.
  • Invoke script with reason=attempt-reconnect before doing so.
  
  
• OpenConnect v8.01 (PGP signature) — 2019-01-05
  • Fix memset_s() arguments.
  • Fix OpenBSD build.
  
  
• OpenConnect v8.00 (PGP signature) — 2019-01-05
  • Clear form submissions (which may include passwords) before freeing (CVE-2018-20319).
  • Allow form responses to be provided on command line.
  • Add support for SSL keys stored in TPM2.
  • Fix ESP rekey when replay protection is disabled.
  • Drop support for GnuTLS older than 3.2.10.
  • Fix --passwd-on-stdin for Windows to not forcibly open console.
  • Fix portability of shell scripts in test suite.
  • Add Google Authenticator TOTP support for Juniper.
  • Add RFC7469 key PIN support for cert hashes.
  • Add protocol method to securely log out the Juniper session.
  • Relax requirements for Juniper hostname packet response to support old gateways.
  • Add API functions to query the supported protocols.
  • Verify ESP sequence numbers and warn even if replay protection is disabled.
  • Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
  • Reorganize listing of command-line options, and include information on supported protocols.
  • SIGTERM cleans up the session similarly to SIGINT.
  
  
• OpenConnect v7.08 (PGP signature) — 2016-12-13
  • Add SHA256 support for server cert hashes.
  • Enable DHE ciphers for Cisco DTLS.
  • Increase initial oNCP configuration buffer size.
  • Reopen CONIN$ when stdin is redirected on Windows.
  • Improve support for point-to-point routing on Windows.
  • Check for non-resumed DTLS sessions which may indicate a MiTM attack.
  • Add TUNIDX environment variable on Windows.
  • Fix compatibility with Pulse Secure 8.2R5.
  • Fix IPv6 support in Solaris.
  • Support DTLS automatic negotiation.
  • Support --key-password for GnuTLS PKCS#11 PIN.
  • Support automatic DTLS MTU detection with OpenSSL.
  • Drop support for combined GnuTLS/OpenSSL build.
  • Update OpenSSL to allow TLSv1.2, improve compatibility options.
  • Remove --no-cert-check option. It was being (mis)used.
  • Fix OpenSSL support for PKCS#11 EC keys without public key.
  • Support for final OpenSSL 1.1 release.
  • Fix polling/retry on "tun" socket when buffers full.
  • Fix AnyConnect server-side MTU setting.
  • Fix ESP replay detection.
  • Allow build with LibreSSL (for fetishists only; do not use this as DTLS is broken).
  • Add certificate torture test suite.
  • Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL.
  • Fix integer overflow issues with ESP packet replay detection.
  • Add --pass-tos option as in OpenVPN.
  • Support rôle selection form in Juniper VPN.
  • Support DER-format certificates, add certificate format torture tests.
  • For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option.
  • Support Juniper "Pre Sign-in Message".
  
  
• OpenConnect v7.07 (PGP signature) — 2016-07-11
  • More fixes for OpenSSL 1.1 build.
  • Support Juniper "Post Sign-in Message".
  • Add --protocol option.
  • Fix ChaCha20-Poly1305 cipher suite to reflect final standard.
  • Add ability to disable IPv6 support via library API.
  • Set groups appropriately when using setuid().
  • Automatic DTLS MTU detection.
  • Support SSL client certificate authentication with Juniper servers.
  • Revamp SSL certificate validation for OpenSSL and stop supporting OpenSSL older than 0.9.8.
  • Fix handling of multiple DNS search domains with Network Connect.
  • Fix handling of large configuration packets for Network Connect.
  • Enable SNI when built with OpenSSL (1.0.1g or later).
  • Add --resolve and --local-hostname options to command line.
  
  
• OpenConnect v7.06 (PGP signature) — 2015-03-17
  • Fix openconnect.pc breakage after liboath removal.
  • Refactor Juniper Network Connect receive loop.
  • Fix some memory leaks.
  • Add Bosnian translation.
  
  
• OpenConnect v7.05 (PGP signature) — 2015-03-10
  • Fix alignment issue which broke LZS compression on ARM etc.
  • Support HTTP authentication to servers, not just proxies.
  • Work around Yubikey issue with non-ASCII passphrase set on pre-KitKat Android.
  • Add SHA256/SHA512 support for OATH.
  • Remove liboath dependency.
  • Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2.
  • Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711).
  • Fix build with OpenSSL HEAD (OpenSSL 1.1.x).
  • Preliminary support for Juniper SSL VPN.
  
  
• OpenConnect v7.04 (PGP signature) — 2015-01-25
  • Change default behaviour to enable only stateless compression.
  • Add --compression argument and openconnect_set_compression_mode().
  • Add support for LZS compression (compatible with latest Cisco ASA and ocserv).
  • Add support for LZ4 compression (compatible with ocserv).
  
  
• OpenConnect v7.03 (PGP signature) — 2015-01-09
  • Android build infrastructure updates, including 64-bit support.
  • Clean up handling of incoming packets.
  • Fix issue with two-stage (i.e. NetworkManager) connection to servers with trick DNS (RH#1179681).
  • Stop using static variables for received packets.
  
  
• OpenConnect v7.02 (PGP signature) — 2014-12-19
  • Add PKCS#11 support for OpenSSL.
  • Fix handling of select options in openconnect_set_option_value().
  
  
• OpenConnect v7.01 (PGP signature) — 2014-12-07
  • Try harder to find a PKCS#11 key to match a given certificate.
  • Handle 'Connection: close' from proxies correctly.
  • Warn when MTU is set too low (<1280) to permit IPv6 connectivity.
  • Add support for X-CSTP-DynDNS, to trigger DNS lookup on each reconnect.
  
  
• OpenConnect v7.00 (PGP signature) — 2014-11-27
  • Add support for GnuTLS 3.4 system: keys including Windows certificate store.
  • Add support for HOTP/TOTP keys from Yubikey NEO devices.
  • Add ---no-system-trust option to disable default certificate authorities.
  • Improve libiconv and libintl detection.
  • Stop calling setenv() from library functions.
  • Support utun driver on OS X.
  • Change library API so string ownership is never transferred.
  • Support new NDIS6 TAP-Windows driver shipped with OpenVPN 2.3.4.
  • Support using PSKC (RFC6030) token files for HOTP/TOTP tokens.
  • Support for updating HOTP token storage when token is used.
  • Support for reading OTP token data from a file.
  • Add full character set handling for legacy non-UTF8 systems (including Windows).
  • Fix legacy (i.e. not XML POST) submission of non-ASCII form entries (even in UTF-8 locales).
  • Add support for 32-bit Windows XP.
  • Avoid retrying without XML POST, when we failed to even reach the server.
  • Fix off-by-one in parameter substitution in error messages.
  • Improve reporting when GSSAPI auth requested but not compiled in.
  • Fix parsing of split include routes on Windows.
  • Fix crash on invocation with --token-mode but no --token-secret.
  
  
• OpenConnect v6.00 (PGP signature) — 2014-07-08
  • Support SOCKS proxy authentication (password, GSSAPI).
  • Support HTTP proxy authentication (Basic, Digest, NTLM and GSSAPI).
  • Download XML profile in XML POST mode.
  • Fix a couple of bugs involving DTLS rekeying.
  • Fix problems seen when building or connecting without DTLS enabled.
  • Fix tun error handling on Windows hosts.
  • Skip password prompts when using PKCS#8 and PKCS#12 certificates with empty passwords.
  • Fix several minor memory leaks and error paths.
  • Update several Android dependencies, and make the download process more robust.
  
  
• OpenConnect v5.99 (PGP signature) — 2014-03-05
  • Add RFC4226 HOTP token support.
  • Tolerate servers closing connection uncleanly after HTTP/1.0 response (Ubuntu #1225276).
  • Add support for IPv6 split tunnel configuration.
  • Add Windows support with MinGW (tested with both IPv6 and Legacy IP with latest vpnc-script-win.js)
  • Change library API to support updating the auth form when the authgroup is changed (Ubuntu #1229195).
  • Change --os mac to --os mac-intel, to match the identifier used by Cisco clients.
  • Add new API functions to support invoking the VPN mainloop directly from an application.
  • Add JNI interface and sample Java application.
  • Fix junk in --cookieonly output when CSD is enabled.
  • Enable TOTP, stoken, and JNI support in the Android builds.
  • Add --pfs option to enforce perfect forward secrecy.
  • Enable elliptic curves with GnuTLS 3.2.9+, where there is a workaround for certain firewalls that fail with client hellos between 256 and 512 bytes.
  • Add padding when sending password, to avoid leakage of password and username length.
  • Add support for DTLS 1.2 and AES-GCM when connecting to ocserv.
  • Add support for server name indication when compiled with GnuTLS 3.2.9+.
  
  
• OpenConnect v5.03 (PGP signature) — 2014-02-03
  • Fix crash on --authenticate due to freeing --cafile option in argv.
  
  
• OpenConnect v5.02 (PGP signature) — 2014-01-01
  • Fix XML POST issues with authgroups by falling back to old style login.
  • Fix --cookie-on-stdin with cookies from ocserv.
  • Fix reconnection to wrong host after redirect.
  • Reduce limit of queued packets on DTLS socket, to fix VoIP latency.
  • Fix Solaris build breakage due to missing <string.h> includes.
  • Include path in <group-access> node.
  • Include supporting CA certificates from PKCS#11 tokens (with GnuTLS 3.2.7+).
  • Fix possible heap overflow if MTU is increased on reconnection (CVE-2013-7098).
  
  
• OpenConnect v5.01 (PGP signature) — 2013-06-01
  • Attempt to handle <client-cert-request> in aggregate auth mode.
  • Don't include X-Aggregate-Auth: header in fallback mode.
  • Enable AES256 mode for DTLS with GnuTLS (RH#955710).
  • Add --dump-http-traffic option for debugging.
  • Be more permissive in parsing XML forms.
  • Use original URL when falling back to non-XML POST mode.
  • Add --no-xmlpost option to revert to older, compatible behaviour.
  • Close connection before falling back to non-xmlpost mode (RH#964650).
  • Improve error handling when server closes connection (Debian #708928).
  
  
• OpenConnect v5.00 (PGP signature) — 2013-05-15
  • Use GnuTLS by default instead of OpenSSL.
  • Avoid using deprecated gnutls_pubkey_verify_data() function.
  • Fix compatibility issues with XML POST authentication.
  • Fix memory leaks on realloc() failure.
  • Fix certificate validation problem caused by hostname canonicalisation.
  • Add RFC6238 TOTP token support using liboath.
  • Replace --stoken option with more generic --token-mode and --token-secret options.
  
  
• OpenConnect v4.99 (PGP signature) — 2013-02-07
  • Add --os switch to report a different OS type to the gateway.
  • Support new XML POST format.
  • Add SecurID token support using libstoken.
  
  
• OpenConnect v4.08 (PGP signature) — 2013-02-13
  • Fix overflow on HTTP request buffers (CVE-2012-6128)
  • Fix connection to servers with round-robin DNS with two-stage auth/connect.
  • Impose minimum MTU of 1280 bytes.
  • Fix some harmless issues reported by Coverity.
  • Improve "Attempting to connect..." message to be explicit when it's connecting to a proxy.
  
  
• OpenConnect v4.07 (PGP signature) — 2012-08-31
  • Fix segmentation fault when invoked with -p argument.
  • Fix handling of write stalls on CSTP (TCP) socket.
  
  
• OpenConnect v4.06 (PGP signature) — 2012-07-23
  • Fix default CA location for non-Fedora systems with old GnuTLS.
  • Improve error handing when vpnc-script exits with error.
  • Handle PKCS#11 tokens which won't list keys without login.
  
  
• OpenConnect v4.05 (PGP signature) — 2012-07-12
  • Use correct CSD script for Mac OS X.
  • Fix endless loop in PIN cache handling with multiple PKCS#11 tokens.
  • Fix PKCS#11 URI handling to preserve all attributes.
  • Don't forget key password on GUI reconnect.
  • Fix GnuTLS v3 build on OpenBSD.
  
  
• OpenConnect v4.04 (PGP signature) — 2012-07-05
  • Fix GnuTLS password handling for PKCS#8 files.
  
  
• OpenConnect v4.03 (PGP signature) — 2012-07-02
  • Fix --no-proxy option.
  • Fix handling of requested vs. received MTU settings.
  • Fix DTLS MTU for GnuTLS 3.0.21 and newer.
  • Support more ciphers for OpenSSL encrypted PEM keys, with GnuTLS.
  • Fix GnuTLS compatibility issue with servers that insist on TLSv1.0 or non-AES ciphers (RH#836558).
  
  
• OpenConnect v4.02 (PGP signature) — 2012-06-28
  • Fix build failure due to unconditional inclusion of <gnutls/dtls.h>.
  
  
• OpenConnect v4.01 (PGP signature) — 2012-06-28
  • Fix DTLS MTU issue with GnuTLS.
  • Fix reconnect crash when compression is disabled.
  • Fix build on systems like FreeBSD 8 without O_CLOEXEC.
  • Add --dtls-local-port option.
  • Print correct error when /dev/net/tun cannot be opened.
  • Fix openconnect.pc pkg-config file not to require zlib.pc on systems which lack it (like RHEL5).
  
  
• OpenConnect v4.00 (PGP signature) — 2012-06-20
  • Add support for OpenSSL's odd encrypted PKCS#1 files, for GnuTLS.
  • Fix repeated passphrase retry for OpenSSL.
  • Add keystore support for Android.
  • Support TPM, and also additional checks on PKCS#11 certs, even with GnuTLS 2.12.
  • Fix library references to OpenSSL's ERR_print_errors_cb() when built against GnuTLS v2.12.
  
  
• OpenConnect v3.99 (PGP signature) — 2012-06-13
  • Enable native TPM support when built with GnuTLS.
  • Enable PKCS#11 token support when built with GnuTLS.
  • Eliminate all SSL library exposure through libopenconnect.
  • Parse split DNS information, provide $CISCO_SPLIT_DNS environment variable to vpnc-script.
  • Attempt to provide new-style MTU information to server (on Linux only, unless specified on command line).
  • Allow building against GnuTLS, including DTLS support.
  • Add --with-pkgconfigdir= option to configure for FreeBSD's benefit (fd#48743).
  
  
• OpenConnect v3.20 (PGP signature) — 2012-05-18
  • Cope with non-keepalive HTTP response on authentication success.
  • Fix progress callback with incorrect cbdata which caused KDE crash.
  
  
• OpenConnect v3.19 (PGP signature) — 2012-05-17
  • Add --config option for reading options from file.
  • Improve OpenSSL DTLS compatibility to work on Ubuntu 10.04.
  • Flush progress logging output promptly after each message.
  • Add symbol versioning for shared library (on sane platforms).
  • Add openconnect_set_cancel_fd() function to allow clean cancellation.
  • Fix corruption of URL in openconnect_parse_url() if it specifies a port number.
  • Fix inappropriate exit() calls from library code.
  • Library namespace cleanup — all symbols now have the prefix openconnect_ on platforms where symbol versioning works.
  • Fix --non-inter option so it still uses login information from command line.
  
  
• OpenConnect v3.18 (PGP signature) — 2012-04-25
  • Fix autohate breakage with --disable-nls... hopefully.
  • Fix buffer overflow in banner handling.
  
  
• OpenConnect v3.17 (PGP signature) — 2012-04-20
  • Work around time() brokenness on Solaris.
  • Fix interface plumbing on Solaris 10.
  • Provide asprintf() function for (unpatched) Solaris 10.
  • Make vpnc-script mandatory, like it is for vpnc
  • Don't set Legacy IP address on tun device; let vpnc-script do it.
  • Detect OpenSSL even without pkg-config.
  • Stop building static library by default.
  • Invoke vpnc-script with "pre-init" reason to load tun module if necessary.
  
  
• OpenConnect v3.16 (PGP signature) — 2012-04-08
  • Fix build failure on Debian/kFreeBSD and Hurd.
  • Fix memory leak of deflated packets.
  • Fix memory leak of zlib state on CSTP reconnect.
  • Eliminate memcpy() calls on packets from DTLS and tunnel device.
  • Use I_LINK instead of I_PLINK on Solaris to plumb interface for Legacy IP.
  • Plumb interface for IPv6 on Solaris, instead of expecting vpnc-script to do it.
  • Refer to vpnc-script and help web pages in openconnect output.
  • Fix potential crash when processing libproxy results.
  • Be more conservative in detecting libproxy without pkg-config.
  
  
• OpenConnect v3.15 (PGP signature) — 2011-11-25
  • Fix for reading multiple packets from Solaris tun device.
  • Call bindtextdomain() to ensure that translations are found in install path.
  
  
• OpenConnect v3.14 (PGP signature) — 2011-11-08
  • Move executable to $prefix/sbin.
  • Fix build issues on OSX, OpenIndiana, DragonFlyBSD, OpenBSD, FreeBSD & NetBSD.
  • Fix non-portable (void *) arithmetic.
  • Make more messages translatable.
  • Attempt to make NLS support more portable (with fewer dependencies).
  
  
• OpenConnect v3.13 (PGP signature) — 2011-09-30
  • Add --cert-expire-warning option.
  • Give visible warning when server dislikes client SSL certificate.
  • Add localisation support.
  • Fix build on Debian systems where dtls1_stop_timer() is not available.
  • Fix libproxy detection.
  • Enable a useful set of compiler warnings by default.
  • Fix various minor compiler warnings.
  
  
• OpenConnect v3.12 — 2011-09-12
  • Fix DTLS compatibility with ASA firmware 8.4.1(11) and above.
  • Fix build failures on GNU Hurd, on systems with ancient OpenSSL, and on Debian.
  • Add --pid-file option.
  • Print SHA1 fingerprint with server certificate details.
  
  
• OpenConnect v3.11 — 2011-07-20
  • Add Android.mk file for Android build support
  • Add logging support for Android, in place of standard syslog().
  • Switch back to using TLSv1, but without extensions.
  • Make TPM support optional, dependent on OpenSSL ENGINE support.
  
  
• OpenConnect v3.10 — 2011-06-30
  • Switch to using GNU autoconf/automake/libtool.
  • Produce shared library for authentication.
  • Improve library API to make life easier for C++ users.
  • Be more explicit about requiring pkg-config.
  • Invoke script with reason=reconnect on CSTP reconnect.
  • Add --non-inter option to avoid all user input.
  
  
• OpenConnect v3.02 — 2011-04-19
  • Install man page in make install target.
  • Add openconnect_vpninfo_free() to libopenconnect.
  • Clear cached peer_addr to avoid reconnecting to wrong host.
  
  
• OpenConnect v3.01 — 2011-03-09
  • Add libxml2 to pkg-config requirements.
  
  
• OpenConnect v3.00 — 2011-03-09
  • Create libopenconnect.a for GUI authentication dialog to use.
  • Remove auth-dialog, which now lives in the network-manager-openconnect package.
  • Cope with more entries in authentication forms.
  • Add --csd-wrapper option to wrap CSD trojan.
  • Report error and abort if CA file cannot be opened.
  
  
• OpenConnect v2.26 — 2010-09-22
  • Fix potential crash on relative HTTP redirect.
  • Use correct TUN/TAP device node on Android.
  • Check client certificate expiry date.
  • Implement CSTP and DTLS rekeying (both by reconnecting CSTP).
  • Add --force-dpd option to set minimum DPD interval.
  • Don't print webvpn cookie in debug output.
  • Fix host selection in NetworkManager auth dialog.
  • Use SSLv3 instead of TLSv1; some servers (or their firewalls) don't accept any ClientHello options.
  • Never include address family prefix on script-tun connections.
  
  
• OpenConnect v2.25 — 2010-05-15
  • Always validate server certificate, even when no extra --cafile is provided.
  • Add --no-cert-check option to avoid certificate validation.
  • Check server hostname against its certificate.
  • Provide text-mode function for reviewing and accepting "invalid" certificates.
  • Fix libproxy detection on NetBSD.
  
  
• OpenConnect v2.24 — 2010-05-07
  • Forget preconfigured password after a single attempt; don't retry infinitely if it's failing.
  • Set $CISCO_BANNER environment variable when running script.
  • Better handling of passphrase failure on certificate files.
  • Fix NetBSD build (thanks to Pouya D. Tafti).
  • Fix DragonFly BSD build.
  
  
• OpenConnect v2.23 — 2010-04-09
  • Support "Cisco Secure Desktop" trojan in NetworkManager auth-dialog.
  • Support proxy in NetworkManager auth-dialog.
  • Add --no-http-keepalive option to work around Cisco's incompetence.
  • Fix build on Debian/kFreeBSD.
  • Fix crash on receiving HTTP 404 error.
  • Improve workaround for server certificates lacking SSL_SERVER purpose, so that it also works with OpenSSL older than 0.9.8k.
  
  
• OpenConnect v2.22 — 2010-03-07
  • Fix bug handling port numbers above 9999.
  • Ignore "Connection: Keep-Alive" in HTTP/1.0 to work around server bug with certificate authentication.
  • Handle non-standard port (and full URLs) when used with NetworkManager.
  • Cope with relative redirect and form URLs.
  • Allocate HTTP receive buffer dynamically, to cope with arbitrary size of content.
  • Fix server cert SHA1 comparison to be case-insensitive.
  • Fix build on Solaris and OSX (strndup(), AI_NUMERICSERV).
  • Fix exit code with --background option.
  
  
• OpenConnect v2.21 — 2010-01-10
  • Fix handling of HTTP 1.0 responses with keepalive (RH#553817).
  • Fix case sensitivity in HTTP headers and hostname comparison on redirect.
  
  
• OpenConnect v2.20 — 2010-01-04
  • Fix use-after-free bug in NetworkManager authentication dialog (RH#551665).
  • Allow server to be specified with https:// URL, including port and pathname (which Cisco calls 'UserGroup')
  • Support connection through HTTP and SOCKS proxies.
  • Handle HTTP redirection with port numbers.
  • Handle HTTP redirection with IPv6 literal addresses.
  
  
• OpenConnect v2.12 — 2009-12-07
  • Fix buffer overflow when generating useragent string.
  • Cope with idiotic schizoDNS configurations by not repeating DNS lookup for VPN server on reconnects.
  • Support DragonFlyBSD. Probably.
  
  
• OpenConnect v2.11 — 2009-11-17
  • Add IPv6 support for FreeBSD.
  • Support "split tunnel" mode for IPv6 routing.
  • Fix bug where client certificate's MD5 was only given to the CSD trojan if a PKCS#12 certificate was used.
  
  
• OpenConnect v2.10 — 2009-11-04
  • OpenSolaris support.
  • Preliminary support for IPv6 connectivity.
  • Fix session shutdown on exit.
  • Fix reconnection when TCP connection is closed.
  • Support for "Cisco Secure Desktop" idiocy.
  • Allow User-Agent: to be specified on command line.
  • Fix session termination on disconnect.
  • Fix recognition of certificates from OpenSSL 1.0.0.
  
  
• OpenConnect v2.01 — 2009-06-24
  • Fix bug causing loss of DTLS (and lots of syslog spam about it) after a CSTP reconnection.
  • Don't apply OpenSSL certificate chain workaround if we already have "extra" certificates loaded (e.g. from a PKCS#12 file).
  • Load "extra" certificates from .pem files too.
  • Fix SEGV caused by freeing certificates after processing cert chain.
  
  
• OpenConnect v2.00 — 2009-06-03
  • Add OpenBSD and FreeBSD support.
  • Build with OpenSSL-0.9.7 (Mac OS X, OpenBSD, etc.)
  • Support PKCS#12 certificates.
  • Automatic detection of certificate type (PKCS#12, PEM, TPM).
  • Work around OpenSSL trust chain issues (RT#1942).
  • Allow PEM passphrase to be specified on command line.
  • Allow PEM passphrase automatically generated from the fsid of the file system on which the certificate is stored.
  • Fix certificate comparisons (in NM auth-dialog and --servercert option) to use SHA1 fingerprint, not signature.
  • Fix segfault in NM auth-dialog when changing hosts.
  
  
• OpenConnect v1.40 — 2009-05-27
  • Fix validation of server's SSL certificate when NetworkManager runs openconnect as an unprivileged user (which can't read the real user's trust chain file).
  • Fix double-free of DTLS Cipher option on reconnect.
  • Reconnect on SSL write errors
  • Fix reporting of SSL errors through syslog/UI.
  
  
• OpenConnect v1.30 — 2009-05-13
  • NetworkManager auth-dialog will now cache authentication form options.
  
  
• OpenConnect v1.20 — 2009-05-08
  • DTLS cipher choice fixes.
  • Improve handling of authentication group selection.
  • Export more information to connection script.
  • Add --background option to dæmonize after connection.
  • Detect TCP connection closure.
  
  
• OpenConnect v1.10 — 2009-04-01
  • NetworkManager UI rewrite with many improvements.
  • Support for "UserGroups" where a single server offers multiple configurations according to the URL used to connect.
  
  
• OpenConnect v1.00 — 2009-03-18
  • First non-beta release.