OpenConnect 9.20 release
David Woodhouse
dwmw2 at infradead.org
Sat Jun 13 12:38:29 PDT 2026
In the words of the inimitable Granny Weatherwax, "I aten't dead!".

It's been... too long since the last release, and there have been a
bunch of fixes and improvements which people have been waiting for, and
which have been cherry-picked into distro packages.

Thanks especially to Dimitri Papadopoulos for a sustained cleanup
effort.

There are more issues and merge requests to be handled, but it seemed
sensible to get a release out the door first.

Highlights:

 • Fix Cisco AnyConnect STRAP channel bindings with TLSv1.3 (#659).
 • Change default user-agent string to be compatible with newer Cisco
   servers (#544, #593, #602, #618, #635, #657, #662, #665).
 • Support JavaScript redirects from Fortinet 7.4.x.
 • Fix GlobalProtect config-parsing bug that misidentified IPv6
   split-include routes as split-exclude.
 • Handle Pulse configuration packets up to 1 MiB (#617), and fix
   short reads during packet reassembly (#456).
 • Support otpauth:// URI format for HOTP/TOTP token secrets, and
   honour non-default TOTP periods from PSKC or otpauth:// (#843).
 • Fix Cisco DTLS MTU detection.
 • Handle additional oNCP framing variations.
 • Numerous Windows/Wintun improvements including better adapter name
   handling, memory leak fixes, and NSIS installer generation from
   MSYS2/MinGW builds.
 • Support --external-browser flag on Windows.

https://www.infradead.org/openconnect/download/openconnect-9.20.tar.gz
https://www.infradead.org/openconnect/download/openconnect-9.20.tar.gz.asc

Antonio Borneo (2):
      auth.c: minor fix in comment
      csd-wrapper: remove trailing part from URL

Art Pinch (1):
      Correctly report Android and iOS for globalprotect

Arthur Khachaturov (3):
      android: bump dependencies
      android: update download mirrors
      android: update ci

Audric Schiltknecht (1):
      Fix invalid reset of URL variable in csd-wrapper

Ben Walsh (4):
      tests: Fix socat hang in ppp-over-tls
      pulse: Allow short reads from ssl_nonblock_read
      pulse: Make some constants unsigned
      pulse: Add integration test

Benjamin Loison (1):
      Correct a typo in `trojans/hipreport.sh`

Brahmajit Das (1):
      Fix implicit declaration of function 'malloc'

Charles Lane (1):
      Fix CI pipeline failures

Claudio Ferreira Filho (1):
      gnutls: Initialize PKCS#11 modules explicitly

Daniel Lenski (26):
      Stricter chunked-encoding error detection
      CI: Allow Android jobs to fail (error → warning)
      Log attributes for proxy auto-config (PAC) in Pulse configuration
      Handle Pulse main config packets up to 1 MiB
      Update changelog
      OpenConnect should report the client operating system to Pulse servers
      Update changelog
      More comments on contents of hard-coded oNCP packets
      Replace broken link with Wayback Machine link
      Fix juniper-auth test
      Request help with the interpretation of F5 URIs in the docs
      Shim for renaming of GNUTLS_NO_EXTENSIONS in GnuTLS v3.8.1
      Update docs on implementing new protocols
      GlobalProtect SAML completion pages sometimes have the SAML fields only in comments
      Bugfix GP XML config: always include portal
      Change default user-agent string to be compatible with newer Cisco servers
      Real GlobalProtect SAML authentication forms won't work without JavaScript
      Send 'cas-support=yes' in GlobalProtect prelogin request
      Update changelog
      Modify `fake-gp-server.py` to add regionalized priority-rules to the gateway list
      Update changelog
      Update changelog
      Update changelog
      GP server may send only a Legacy IP client address, but both Legacy and IPv6 magic addresses for ESP
      Add a fake IPSEC/ESP configuration to fake-gp-server.py
      Update changelog

Daniel Loxtermann (1):
      Fix GlobalProtect config-parsing bug that misidentified IPv6 split-include routes as split-exclude

David Woodhouse (35):
      Update translations from GNOME
      Don't use bash for symbols test
      Fix TPMv2 ECDSA signature ASN.1
      Fix changelog entry for Pulse OS reporting
      Import translations from GNOME
      Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP with TLSv1.3
      Accept multiple --resolve arguments
      Use libsocket_wrapper for juniper-sso-auth test
      Allow tests to run over IPv6 as well as Legacy IP
      tests: Don't recreate sockdir after cleanup()
      tests: set SOCKET_WRAPPER_DIR_ALLOW_ORIG
      Resync translations with sources
      Update translations from GNOME
      Update en_GB and en_US translations
      Add corrected string for Slovenian
      Fix missing newline in Slovenian translation
      Fix typo in sockwrap workaround
      Fix OpenSSL build without engine.h
      Handle yet more oNCP framing idiocy
      Update translations from GNOME
      Fix Cisco DTLS MTU detection
      Import translations from GNOME
      Reinstate field_name translations
      Reinstate re-use translations
      Import translations from GNOME
      Import translations from GNOME
      pulse: Clean up short read handling and add changelog
      oath: Support non-default TOTP period from PSKC token data
      oath: Support otpauth:// URI format for HOTP/TOTP token secrets
      script: Fix const-discard warning in prepare_script_env()
      tests: Fix cookify() for newer werkzeug in F5 and Fortinet fake servers
      tests: Add oath-token test for HOTP/TOTP token formats
      Fix const-discard warnings from strchr/strrchr calls
      tests: Port fake-cisco-server.py from removed pyOpenSSL PKCS7 API
      Tag version 9.20

Dimitri Papadopoulos Orfanos (53):
      Remove duplicate paragraph from docs
      Update supported protocols
      Use suggested package summary everywhere
      Fix broken link to Juniper PDF
      Bump fallback GlobalProtect version number
      Remove spurious "cscript "
      Get rid of the trailing new line added by ctime()
      Get rid of non-reentrant functions
      Fix resource leak identified by Coverity Scan
      Fix dead code identified by Coverity Scan
      Fix resource leak identified by Coverity Scan
      script_setenv: fix append with val == NULL
      Get rid of repeated "reading" in comment
      Update .mailmap
      Remove extraneous period from the documentation
      Include <libxml/tree.h> from a single place
      Avoid warnings while building the NSIS installer
      Be lenient when parsing HTTP chunk-size
      main() signature compliant with C standard
      Update URL of OpenConnect-gui home page
      Fix compiler warnings when buliding on AppVeyor
      Move <stdlib.h> around, match existing ordering
      Force the Windows script host to use the JScript engine
      Search wintun.dll in the application directory only
      Verbose socat logs for debugging, Add '-4' to listen on Legacy IP (for sockwrap)
      Add automake/autoconf to requirements
      style: switch and while are not functions
      Address compiler warnings (ics-openconnect build)
      Fix CI deprecation warning
      Pass extra warning flags to the compiler
      Remove duplicate strdup() calls
      Create new process group for script
      Consistency between tun.c and script.c
      Fix links to Open Build Service
      Fix typos found by codespell
      Fix indentation
      Remove spurious colon in error message
      android: bump dependencies
      android: use tar consistently
      Fix resource leaks identified by Coverity Scan
      Fix typo
      Use openconnect_vpninfo_free() to release resources
      pulse: improve readability of debug output
      openconnect-cli-ubuntu → openconnect-cli-ubuntu18
      Fix shell issues found by Qlty CLI
      Address static analysis warning
      Address static analysis warning
      Address static analysis warning
      Address static analysis warning
      Address static analysis warning
      Address static analysis warning
      Manual fixes based on clang static analysis
      CI: Add CentOS 10 and Ubuntu 26.04

Imple Lee (1):
      fix URL to Open Build Service

James Anderson (1):
      Cisco AnyConnect: add copyright string header

Jan-Michael Brummer (3):
      GlobalProtect: Add priority-rule set support
      Support js redirects from Fortinet 7.4.x
      Move localname setter to openconnect_vpninfo_new

Jeremy Erazo (1):
      Avoid unsafe snprintf cursor arithmetic.

Joey Korkames (1):
      fix: (autoconf) ensure if_tun.h is importable on FreeBSD

Jon DeVree (1):
      Force final newline in xmlstarlet

Luca Boccassi (3):
      Update Debian packaging from Salsa repo
      OBS: switch to new top-level namespace network:vpn:openconnect
      OBS: do not include build revision in version.c in deb builds

Magnus Ihse Bursie (3):
      Set SIGPIPE to SIG_IGN.
      Remove sa_ignore
      Update changelog

Marios Paouris (15):
      Added WINEPATH to fix MinGW CI tests
      MinGW build improvements
      Don't package extra installed files for mingw rpms
      Added wintun.h and Makefile.dlldeps on distribution
      Verbose reporting on reading adapter name failure. Added test to exercise wintun max adapter name
      Increase adapter name to the maximum size allowed by Wintun
      Added test with all non-ASCII chars
      Generate the NSIS installer when building on MSYS2/MinGW
      Rework adapter search.
      Fix memory leaks. openconnect__win32_strerror returns a malloc\'ed string
      Use hostname as Wintun ifname (if ifname not specified), v2
      Improved adapter name generation when no adapter name is specified.
      Bugfix for check_address_conflicts call
      Don't use adapters of unknown type when an explicit interface is requested
      Use the initialization value to check if tun_is_up

Mike Gilbert (3):
      bad_dtls_test: set security level to 0
      openssl: load the "legacy" provider when insecure-crypto is allowed
      ci: do not XFAIL auth-certificate for Fedora/OpenSSL

Nikos Mavrogiannopoulos (17):
      .gitlab-ci.yml: update fedora build to 38
      decompress_and_queue_packet: removed dead assignment
      .gitlab-ci.yml: added centos 8 and 9 stream builds
      .gitlab-ci.yml: enabled address sanitizer checks
      wintun: Use it from the CI image when available
      .gitlab-ci.yml: make bad_dtls_test XFAIL in fedora mingw
      www: updated links to ocserv web pages
      .gitlab-ci.yml: specify the toolchain image used
      nsis: create self-contained nsi file
      Use latest fedora (39) for CI
      configure.ac: print external browser and vpnc script
      openconnect_disable_dtls: allow disabling DTLS unless already connected
      openssl-dtls: set security level to zero when negotiating DTLS 1.0 or earlier
      .gitlab-ci.yml: use fedora39 for all builds
      openssl-dtls: use DTLS 1.2 for PSK-NEGOTIATE
      .gitlab-ci.yml: use saas-linux-small-amd64 as tag
      socat: added a timeout to ensure that it exits eventually

Nils Kühme (1):
      Merge branch 'update-globalprotect-version' into 'master'

Paul Schyska (1):
      Initialize 'vpninfo->authgroup' to allow 'xmlpost_initial_req' to set '<group-select>'

Rahul Rameshbabu (3):
      cstp: Check if cookies is NULL in sso_detect_done
      Support --external-browser flag on _WIN32 systems
      cstp: Check if uri is NULL in sso_detect_done

Simon Ser (1):
      http: print proper log message on empty response

Stefan Bühler (1):
      Don't default form action to '/' in AnyConnect/OpenConnect XML form handling (fixes #737)

Timothee 'TTimo' Besset (2):
      include <libxml/parser.h> : fix xmlReadMemory build error
      use the unsigned printf qualifier for size_t : fixes MinGW{32,64} build

Vincent Magnin (1):
      fix for #802

Wade Cline (1):
      Fix logging of rekey / trojan invocation delay

stever kevin (1):
      Update Chinese translation (zh_CN)