Log message:
Update to 9.10. From the changelog:
- Fix external browser authentication with KDE plasma-nm < 5.26.
- Always redirect stdout to stderr when spawning external browser.
- Increase default queue length to 32 packets (#582).
- Make the Wintun Layer 3 TUN driver the default on Windows (!427).
- Add support for and bundle Wintun 0.14.1 (!294).
- Fix receiving multiple packets in one TLS frame, and single packets
split across multiple TLS frames, for Array (#435).
- Fix ESP failures under Windows (#427).
- Add list-system-keys tool to assist Windows/MacOS users in setup.
- Handle idiosyncratic variation in search domain separators for all
protocols (#433, #443, !388).
- Support region selection field for Pulse authentication (!399).
- Support modified configuration packet from Pulse 9.1R16 servers
(#472, !401)
- Allow hidden form fields to be populated or converted to text fields
on the command line (#493, #489, !409)
- Support yet another strange way of encoding challenge-based 2FA for
GlobalProtect (#495, !411)
- Add --sni option (and corresponding C and Java API functions) to allow
domain-fronting connections in censored/filtered network environments
(!297, !451).
- Parrot a GlobalProtect server's software version, if present, as the
client version (!333)
- Fix NULL pointer dereference that has left Android builds broken since
v8.20 (!389).
- Fix Fortinet authentication bug where repeated SVPNCOOKIE causes
segfaults (#514, !418).
- Support F5 VPNs which encode authentication forms only in JSON, not in
HTML (#512, !431).
- Persist Windows installers for tagged builds (#463, !391).
- Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet
(#568, !456).
- Support "FTM-push" token mode for Fortinet VPNs (#555, !450).
- Send IPv6-compatible version string in Pulse IF/T session
establishment, and avoid its ESP/IP version layering idiocy on newer
servers (#506, !414)
- Add --no-external-auth option to not advertise external-browser
authentication, as a workaround for servers which behave differently
when it is advertised (#470, !398)
- Emulate MacOS-specific contents in the HIP report for GlobalProtect (!471).
- Many small improvements in server response parsing, and better logging
messages and documentation.
|
Log message:
Update to 9.01. From the changelog:
9.01:
- Fix library minor version (missing bump to 5.8).
9.00:
- Add support for AnyConnect "Session Token Re-use Anchor Protocol"
(STRAP) (#410).
- Add support for AnyConnect "external browser" SSO mode (!354).
- On Windows, fix crash on tunnel setup. (#370, 6a2ffbb)
- Bugfix RSA SecurID token decryption and PIN entry forms, broken in
v8.20. (#388, !344)
- Support Cisco's multiple-certificate authentication (!194).
- Append internal=no to GlobalProtect authentication/configuration
forms, for compatibility with servers which apparently require this to
function properly. (#246, !337)
- Revert GlobalProtect default route handling change from v8.20. (!367)
- Support split-exclude routes for Fortinet. (#394, !345)
- Add openconnect_set_useragent() function.
- Add webview callback and SAML/SSO support for AnyConnect,
GlobalProtect. (!126).
8.20:
- When the queue length (-Q option) is 16 or more, try using vhost-net
to accelerate tun device access.
- Use epoll() where available.
- Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. (#249)
- Make tncc-emulate.py work with Python 3.7+. (#152, !120)
- Emulated a newer version of GlobalProtect official clients, 5.1.5-8;
was 4.0.2-19 (!131)
- Support Juniper login forms containing both password and 2FA
token (!121)
- Explicitly disable 3DES and RC4, unless enabled with
--allow-insecure-crypto (!114)
- Add obsolete-server-crypto test (!114)
- Allow protocols to delay tunnel setup and shutdown (!117)
- Support for GlobalProtect IPv6 (!155 and !188; previous work in
d6db0ec)
- SIGUSR1 causes OpenConnect to log detailed connection information and
statistics (!154)
- Allow --servercert to be specified multiple times in order to accept
server certificates matching more than one possible fingerprint
(!162, #25)
- Add insecure debugging build mode for developers (!112)
- Demangle default routes sent as split routes by GlobalProtect (!118)
- Improve GlobalProtect login argument decoding (!143)
- Add detection of authentication expiration date, intended to allow
front-ends to cache and reuse authentication cookies/sessions (!156)
- Small bug fixes and clarification of many logging messages.
- Support more Juniper login forms, including some SSO forms (!171)
- Automatically build Windows installers for OpenConnect command-line
interface (!176)
- Restore compatibility with newer Cisco servers, by no longer sending
them the X-AnyConnect-Platform header (#101, !175)
- Add support for PPP-based protocols, currently over TLS only (!165).
- Add support for two PPP-based protocols, F5 with --protocol=f5 and
Fortinet with --protocol=fortinet (!169).
- Add experimental support for Wintun Layer 3 TUN driver under Windows
(#231, !178).
- Clean up and improve Windows routing/DNS configuration script
(vpnc-scripts!26, vpnc-scripts!41, vpnc-scripts!44).
- On Windows, reclaim needed IP addresses from down network interfaces
so that configuration script can succeed (!178).
- Fix output redirection under Windows (#229)
- More gracefully handle idle timeouts and other fatal errors for
Juniper and Pulse (!187)
- Ignore failures to fetch the Juniper/oNCP landing page if the
authentication was successful (3e779436).
- Add support for Array Networks SSL VPN (#102)
- Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm
and hardware TPM. (ed80bfac...ee1cd782)
- Add openconnect_get_connect_url() to simplify passing correct server
information to the connecting openconnect process.
(NetworkManager-openconnect #46, #53)
- Disable brittle "system policy" enforcement where it cannot be
gracefully overridden at user request. (RH#1960763).
- Pass "portal cookie" fields from GlobalProtect portal to gateway to
avoid repetition of password- or SAML-based login (!199)
- With --user, enter username supplied via command-line into all
authentication forms, not just the first. (#267, !220).
- Fix a subtle bug which has prevented ESP rekey and ESP-to-TLS fallback
from working reliably with the Juniper/oNCP protocol since v8.04.
(#322, !293).
- Fix a bug in csd-wrapper.sh which has prevented it from correctly
downloading compressed Trojan binaries since at least v8.00. (!305)
- Make Windows socketpair emulation more robust in the face of Windows's
ability to break its localhost routes. (#228, #361, !320)
- Perform proper disconnect and routes cleanup on Windows when receiving
Ctrl+C or Ctrl+Break. (#362, !323)
- Improve logging in routing/DNS configuration scripts. (!328,
vpnc-scripts!45)
- Support modified configuration packet from Pulse 9.1R14 servers
(#379, !331)
|