OpenConnect 7.07 release

David Woodhouse dwmw2 at
Mon Jul 11 08:41:40 PDT 2016

It's been a while (over a year) since the 7.06 release, and it's about
time I finally pushed the button and made a new one.

The main change here is that we attempt to detect the DTLS MTU
dynamically, which led to a change in how the connection is set up. I
think we've finally sorted out the implications that had for Android
and the way we interact with vpnc-script, which is one of the reasons I
let it sit for a while before releasing it.

We also have ChromeOS support now, thanks to Kevin Cernekee.

Cameron Eagans (1):
      Fixing user cancel string capitalization

David Dindorp (2):
      Enable SNI extension with OpenSSL when version is 1.0.1g or above.
      Add a --resolve option to the CLI

David Woodhouse (76):
      Fix build without ESP
      Clean up minor cosmetic issues in configure script
      Make Juniper work on Windows
      Report errors coherently when connection fails
      Make it possible to override getaddrinfo()
      Fix socket connection error handling for Windows
      Don't always send Proxy-Authenticate: for SSPI auth
      Update translations from GNOME
      Dump unknown oNCP conf packet
      Handle fragmented KMP 301 packet in setup
      PKCS#11 URI is now published as RFC7512
      Update translations from GNOME
      Remove stray digit in API comments
      Fix typos pointed out by Anders Jonsson
      Update translations from GNOME
      Resync translations with sources
      Update translations from GNOME
      Use canonical representation of 'sí' in Spanish translation
      Update translations from GNOME
      Fix build with OpenSSL 1.1 (HEAD)
      Let OpenSSL 1.0.2 or later do the certificate vs. hostname/IP checks for us
      Fix premature termination check for GnuTLS 2.x
      Strip commas from DNS search paths
      Let TLS library build DTLS cipher list dynamically
      Allow compile-time optimisation of some GnuTLS version checks
      Clean up GnuTLS default prio string handling a little
      Fix GnuTLS priority strings
      Refer to PGP key by fingerprint, use HTTPS URI for keyserver
      Import translations from GNOME
      Kill auth_is_proxy() abomination in ntlm.c
      Fix DTLS/OpenSSL build break
      Import translations from GNOME
      Eliminate create_openssl_ui() in !HAVE_ENGINE build
      Fix build failure with DEFAULT_PRIO set
      Print GnuTLS priority string when setting it fails
      Update translations for changed string
      Resync translations with sources
      Import translations from GNOME
      Fix IPv6-only connectivity
      Allow TLS rehandshake with GnuTLS
      Fix dtls.c build for OpenSSL HEAD
      Use X509_up_ref() for OpenSSL 1.1.0+
      For OpenSSL, also require that server cert on rehandshake be identical
      Revamp OpenSSL certificate validation
      Add release version+date to API changelog
      Update API release info on tag
      Merge branch 'mtu' of
      Add note-to-self comment about adding DTLS cipher suites
      Update changelog
      Update translations from GNOME
      Do not shutdown tun if it isn't running
      Remove oncp_https_submit() function
      Update comment about own HTTP implementation
      Fix broken !HAVE_DTLS build
      Move Juniper check_cookie_success() before HTML parsing
      Import translations from GNOME
      Resync translations with sources
      Add en_US translation for another occurrence of 'cancelled'
      Update translations from GNOME
      Resync translations with sources
      Add --protocol option
      Use constant struct for protocol definitions
      Add --protocol to changelog
      Import translations from GNOME
      Fix typo in Juniper Post Sign-in Message handling
      Fix OpenSSL+libp11 crash on PKCS11_CTX_load() failure
      Be explicit which PKCS#11 provider failed to load
      Fix build against OpenSSL 1.1 HEAD
      Allow override of ${OPENSSL_CFLAGS} with manual/static build
      More OpenSSL 1.1 fixes
      Import translations from GNOME
      Import translations from GNOME
      Resync translations with sources
      Fix typo in Indonesian translation
      Note OpenSSL fixes in changelog
      Tag version 7.07

Jon DeVree (1):
      Fix use of X509_check_host

Katelyn Schiesser (1):
      Add support for Juniper's Post Sign-in Message

Kevin Cernekee (21):
      Document the remaining DTLS states
      mainloop: Fix pause/resume on gateways without DTLS
      Convert tun_is_up into an inline function
      library: Fix misspelling of "node" in openconnect_override_getaddrinfo()
      Make the library callable from C++
      NaCl: Detect systems that don't support statfs()
      NaCl: Enable libc feature test macros
      NaCl: Bypass ioctls during tunnel setup
      NaCl: Don't try to use CSD, vsyslog, or setgroups
      library: Add gateway_addr field to ip_info
      library: Add setup_tun() callback
      Fix missing -llz4 in static builds
      dtls: Fix memcmp() arguments in MTU detection code
      NaCl: Add autoconf check for IPV6_PATHMTU getsockopt() call
      Allow OC_CMD_PAUSE to abort connection attempts
      library: Add reconnected() callback
      library: Add openconnect_get_dnsname()
      library: Add openconnect_get_peer_cert_chain()
      library: Alphabetize OPENCONNECT_5_2 and OPENCONNECT_5_3 symbols
      gnutls: Load application-defined key types by URL
      dtls: Fix WIN32 build

Nikos Mavrogiannopoulos (21):
      static checks for gnutls version were made dynamic
      Allow overriding the default GnuTLS priority string
      Only enable the DTLS ciphersuites that match the ones enabled in TLS
      Added chacha20-poly1305 as a DTLS ciphersuite for gnutls
      Added openconnect_get_dtls_compression and openconnect_get_cstp_compression
      Print the compression algorithm name after DTLS is connected
      Allow processing multiple inputs from stdin in non-interactive mode
      openconnect.h: be more clear in running ant
      Delay tun device creation until DTLS has been negotiated
      Added MTU detection after DTLS channel establishment
      When using setuid() also use setgid() and setgroups()
      Added API to disable IPv6
      Use the PSK variant of CHACHA20-POLY1305
      Added .gitlab-ci.yml to allow CI builds in gitlab
      .gitlab-ci.yml: updated to compile with openssl and mingw32
      Only define detect_mtu() in gnutls code path
      Fixed compilation issues in windows
      Added openconnect_set_localname()
      openconnect: introduced the --local-hostname option
      Fixed regression with CSTP MTU handling
      Add a basic test suite

Stefan Becker (1):
      Daemonize CSD wrapper script process

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation