2023-03-19 20:11:21 by Tobias Nygren | Files touched by this commit (1) |
Log message:
openvpn: --disable-dco. Needs kernel support.
|
2023-03-14 07:31:39 by Adam Ciarcinski | Files touched by this commit (6) |  |
Log message:
openvpn: updated to 2.6.1
Overview of changes in 2.6.1
New features
Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensures that only the previously authenticated peer can trigger renegotiation and complete renegotiations.
CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate.
User visible changes
on crypto initialization, move old "quite verbose" messages to --verb 4 and only print a more compact summary about crypto and timing parameters by default
configure now enables DCO build by default on FreeBSD and Linux, which brings in a default dependency for libnl-genl (for Linux distributions that are too old to have this library, use "configure --disable-dco")
make "configure --help" output more consistent
CryptoAPI (Windows): remove support code for OpenSSL before 3.0.1 (this will not affect official OpenVPN for Windows installers, as they will always be built with OpenSSL 3.0.x)
CryptoAPI (Windows): log the selected certificate's name
"configure" now uses "subdir-objects", for automake >= 1.16 (less warnings for recent-enough automake versions, will change the way .o files are created)
Bugfixes / minor improvements
fixed old IPv6 ifconfig race condition for FreeBSD 12.4
fix compile-time breakage related to DCO defines on FreeBSD 14
enforce minimum packet size for "--fragment" (avoid division by zero)
some alignment fixes to avoid unaligned memory accesses, which will bring problems on some architectures (Sparc64, some ARM versions) - found by USAN clang checker
windows source code fixes to reduce number of compile time warnings (eventual goal is to be able to compile with -Werror on MinGW), mostly related to signed/unsigned char * conversions, printf() format specifiers and unused variables.
avoid endless loop on logging with --management + --verb 6+
build (but not run) unit tests on MinGW cross compiles, and run them when building with GitHub Actions.
add unit test for parts of cryptoapi.c
add debug logging to help with diagnosing windows driver selection
disable DCO if proxy config is set via management interface
do not crash on Android if run without --management
improve documentation about cipher negotiation and OpenVPN3
for x86 windows builds, use proper calling conventions for dco-win (__stdcall)
differentiate "dhcp-option ..." options into "needs an interface with true DHCP service" (tap-windows) and "can also be installed by IPAPI or service, and can be used on non-DHCP interfaces" (wintun, dco-win)
windows interactive service: fix possible double-free if "--block-dns" installation fails due to "security products" interfering
"make dist": package ovpn_dco_freebsd.h to permit building from tarballs on FreeBSD 14
|
2022-11-23 09:02:58 by Adam Ciarcinski | Files touched by this commit (6) |  |
Log message:
openvpn: updated to 2.5.8
Overview of changes in 2.5.8
New features
allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries)
User-visible Changes
add git branch name + commit ID to OpenVPN version string on MSVC builds (windows)
Testing Enhancements
t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests
t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer "silently skip" t_client runs if fping (etc) can not be found, but will error out
Bugfixes
``--auth-nocache'' was not always correctly clearing username+password after a renegotiation
ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect'')
in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.
management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback()
fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
make man page agree with actual code on replay-window backtrack log message
remove useless empty line from CR_RESPONSE message
|
2022-10-26 12:32:08 by Thomas Klausner | Files touched by this commit (687) |
Log message:
*: bump PKGREVISION for libunistring shlib major bump
|
2022-08-11 08:41:58 by Thomas Klausner | Files touched by this commit (13) |
Log message:
*: recursive PKGREVISION bump for mbedtls shlib major increases
|
2022-05-31 20:03:41 by Greg Troxel | Files touched by this commit (4) |
Log message:
openvpn*: Update to 2.5.7
Upstream changes: bugfixes
|
2022-03-17 08:50:18 by Adam Ciarcinski | Files touched by this commit (6) |  |
Log message:
openvpn: updated to 2.5.6
OpenVPN 2.5.6.
This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).
|
2021-12-15 21:11:51 by Adam Ciarcinski | Files touched by this commit (5) |  |
Log message:
openvpn: updated to 2.5.5
Overview of changes in 2.5.5
============================
User-visible Changes
--------------------
- SWEET32/64bit cipher deprecation change was postponed to 2.7
- Windows: use network address for emulated DHCP server as default
  this enables use of a /30 subnet, which is needed when connecting
  to OpenVPN Cloud.
- require EC support in windows builds
  (this means it's no longer possible to build a Windows OpenVPN binary
  with an OpenSSL lib without EC support)
New features
------------
- Windows build: use CFG and Spectre mitigations on MSVC builds
- bring back OpenSSL config loading to Windows builds.
  OpenSSL config is loaded from %installdir%\SSL\openssl.cfg
  (typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists.
  This is important for some hardware tokens which need special
  OpenSSL config for correct operation.
Bugfixes
--------
- Windows build: enable EKM
- Windows build: improve various vcpkg related build issues
- Windows build: fix regression related to non-writeable status files
- Windows build: fix regression that broke OpenSSL EC support
- Windows build: fix "product version" display (2.5..4 -> 2.5.4)
- Windows build: fix regression preventing use of PKCS12 files
- improve "make check" to notice if "openvpn --show-cipher" crashes
- improve argv unit tests
- ensure unit tests work with mbedTLS builds without BF-CBC ciphers
- include "--push-remove" in the output of "openvpn --help"
- fix error in iptables syntax in example firewall.sh script
- fix "resolvconf -p" invocation in example "up" script
- fix "common_name" environment for script calls when
  "--username-as-common-name" is in effect
Documentation
-------------
- move "push-peer-info" documentation from "server options" to "client"
  (where it belongs)
- correct "foreign_option_{n}" typo in manpage
- update IRC information in CONTRIBUTING.rst (libera.chat)
- README.down-root: fix plugin module name
|
2021-12-08 17:07:18 by Adam Ciarcinski | Files touched by this commit (3063) |
Log message:
revbump for icu and libffi
|
2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958) |
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
|