ocserv/NEWS

* Version 0.2.3 (unreleased)

- Added X-CSTP-License header to client reply for mobile client
  compatibility. Patch by Kevin Cernekee.
- When a new connection presents a cookie of an existing session
  the previous session is disconnected (and its IP is hijacked).
- If udp-port is unset or set to zero then the server will not listen
  for UDP sessions.
- When using PAM allow it to update the username.


* Version 0.2.2 (released 2013-11-23)

- The system http-parser library is used if present instead of the bundled.
- The system libopts library is used if autogen is present.
- Added --http-debug option to ocserv.
- Added support for AES-GCM under DTLS 1.2 (requires GnuTLS 3.2.7).
- More precise MTU calculation (needed in AES-GCM ciphersuites)
- Do not use an MTU larger than the one initially proposed to openconnect.


* Version 0.2.1 (released 2013-11-06)

- Added configuration directives 'rx-data-per-sec' and 'tx-data-per-sec' to allow
  setting bandwidth limitations globally or per group/user.
- Call setgroups() after setgid() to avoid propagation of supplementary groups
  to the unprivileged worker processes.
- If a system's libopts is available as well as automake then the system's 
  libopts will be used.
- Added --pid-file command line option to ocserv. This overrides any
  configured pid-file.
- The ocserv binary is now installed in sbin instead of bin.


* Version 0.2.0 (released 2013-10-31)

- Added configuration directives 'config-per-user' and 'config-per-group'.
  They allow loading an additional configuration file per user or per
  group from a directory.
- Added the ipv6-prefix configuration option to replace ipv6-netmask. The
  new option accepts IPv6 subnet prefixes.
- Added the 'iroute' configuration directive, applicable only to group or
  user configuration files. It allows setting routes on the server based on
  the connected client.
- Corrected authentication using only certificates.
- The UDP file descriptor from main to workers is forwarded once per minute
  to avoid a duplicate DTLS client hello message tearing the worker's session.
- Corrected client disconnection issues when connect-script was specified.


* Version 0.1.7 (released 2013-10-25)

- Instead of suggesting different DTLS and CSTP MTU values, suggest a single
  value to the peer. That avoids issues with openconnect which reads one of
  the suggested values and ignores the other.
- Added config option "output-buffer" to allow selecting between high throughput 
  or low latency (following similar openconnect change).
- Enabled config option "mtu".
- Configuration file parsing was modified to allow detecting mispellings of
  directives and unknown options.


* Version 0.1.6 (released 2013-09-02)

- Avoid a crash on the configuration file parser when non-ascii
  characters are present. Reported by Artem Ivantsov.


* Version 0.1.5 (released 2013-07-15)

- More robust support of PAM by allowing more than one factor 
  authentication. In practice this allows authentication with more than
  one password (e.g., with a permanent one and an one time password), as
  well as changing the password.
- Cookies are no longer stored in the server side. The server is now
  stateless. A randomly generated key is used to encrypt and authenticate
  the cookies sent to the client.
- Added test suite. It requires "make check" to be run as root (in order
  to be able to run the server).
- Bypass the AnyConnect auto-download mechanism. Patch by Kevin Cernekee.
- Unescape HTML-formatted passwords, or usernames. Reported by P.H. Vos.


* Version 0.1.4 (released 2013-06-15)

- On DTLS ensure that sent packets will not exceed the MTU.


* Version 0.1.3 (released 2013-06-12)

- Updated HTTP header parsing to correct issues seen with openconnect 3.20.
- seccomp will no longer force an exit if system calls cannot be disabled.
  Patch by Faidon Liambiotis.
- Added support for Salsa20 + UMAC ciphers.
- Will now check X-CSTP-Address-Type header and will not send address types
  that were not requested.
- X-CSTP-MTU and DTLS-MTU now contain the expected (but pretty non-sensical)
  values.


* Version 0.1.2 (released 2013-05-07)

- Several updates to allow compilation in FreeBSD.
- Allow prior to leasing an IP to ping it in order to check if it is in use.
- ocpasswd accepts options to lock and unlock users.
- Several updates to allow CISCO's anyconnect clients to connect to this
  server.


* Version 0.1.1 (released 2013-04-03)

- MTU discovery was simplified.
- Removed support for TLS session tickets to strengthen the
  notion of privilege separation.


* Version 0.1.0 (released 2013-03-23)

- Corrected issue with ocsp-response configuration field.
- Added ability to specify multiple certificate and key pairs.
- Added support for TLS session tickets.
- Added the "plain" authentication option, which allows a simple password
  file format. The ocpasswd tool can be used to generate entries for this
  file.
- The private key operations are performed on a special process to
  prevent loss of the private key in case of compromise of a worker
  process.


* Version 0.0.2 (released 2013-03-05)

- Updated HTTP protocol handling (fixes issue with openconnect < 4). 
  Reported by Mike Miller.
- Use TCP wrappers (libwrap) when present.
- Fixed issue with the 'local' keyword in DNS server.
- Added configuration options 'user-profile' and 'always-require-cert' to 
  enable non-openconnect clients to connect. They are enabled with
  the configure option --enable-anyconnect-compat.
- Allow setting a rate limit on the number of connections.
- Allow setting a reconnection delay time after a failed authentication
  attempt (added min-reauth-time option).
- Eliminated memory leaks.
- Auto-detect xml content for username and password (fixes interoperability
  with newer openconnect versions).


* Version 0.0.1 (released 2013-02-20)

- First public release