Log message:
*: recursive bump for icu 74.1

Log message:
*: bump for openssl 3

Log message:
net/openvpn: Update to 2.6.6

upstream change summary:

New features
------------
- set WINS server via interactive service - this adds support for
  "dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no
  DHCP server is used (Github #373).

Log message:
net/openvpn: Update to 2.6.5

Upstream changes are bugfixes and minor improvements

Log message:
openvpn: updated to 2.6.4

Overview of changes in 2.6.4

User visible changes

License amendment: all NEW commits fall under a modified license that explicitly \ 
permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for \ 
details. Existing code will fall under the new license as soon as all \ 
contributors have agreed to the change - work ongoing.

New features

DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). \ 
This is the userland side, accepting a message from kernel, and initiating a TLS \ 
renegotiation. As of release, only implemented in FreeBSD kernel.

Bug fixes

fix pkcs#11 usage with OpenSSL 3.x and PSS signing
fix compile error on TARGET_ANDROID
fix typo in help text
manpage updates (--topology)
encoding of non-ASCII windows error messages in log + management fixed (use UTF8 \ 
"as for everything else", not ANSI codepages)

Log message:
openvpn: updated to 2.6.3

Version 2.6.3

GHA: remove Ubuntu 18.04 builds
vcpkg: request "tools" feature of openssl for MSVC build
doc: run rst2* with --strict to catch warnings
Support of DNS domain for DHCP-less drivers
Bug-fix: segfault in dco_get_peer_stats()

Log message:
revbump after textproc/icu update

Log message:
openvpn: updated to 2.6.2

Overview of changes in 2.6.2

New features

implement byte counter statistics for DCO Linux (p2mp server and client)
implement byte counter statistics for DCO Windows (client only)
'--dns server <n> address ...' now permits up to 8 v4 or v6 addresses
fix a few cases of possibly undefined behaviour detected by ASAN
add more unit tests for Windows cryptoapi interface

Bug fixes

sending of AUTH_PENDING and INFO_PRE messages fixed
Windows: do not treat "setting IPv6 interface metric failed" as fatal \ 
error on "block-dns" install - this can happen if IPv6 is disabled on \ 
the interface and is not harmful in itself
fix '--inactive' if DCO is in use NOTE: on FreeBSD, this is not working yet \ 
(missing per-peer stats)
DCO-Linux: do not print errno on netlink errors (errno is not set by NL)
SOCKS client: improve error reporting on server disconnects
DCO-Linux: fix lockups due to netlink buffer overflows on high client \ 
connect/disconnect activity. See "User visible changes" for more \ 
details of this.
fix some uses of the OpenSSL3 API for non-default providers (enable use of \ 
quantum-crypto OpenSSL provider)
fix memory leak of approx. 1600 bytes per incoming initial TLS packet
fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper (data \ 
format conversion was not done properly)
fix 'make distcheck' - unexpected side effect of 'subdir-objects'
fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2

User visible changes

print (kernel) DCO version on startup - helpful for getting a more complete \ 
picture of the environment in use.
New control packets flow for data channel offloading on Linux. 2.6.2+ changes \ 
the way OpenVPN control packets are handled on Linux when DCO is active, fixing \ 
the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect \ 
activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module \ 
older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must \ 
be upgraded. The kernel module was renamed to "ovpn-dco-v2.ko" in \ 
order to highlight this change and ensure that users and userspace software \ 
could easily understand which version is loaded. Attempting to use the old \ 
ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime.
The client-pending-auth management command now requires also the key id. The \ 
management version has been changed to 5 to indicate this change.
A client will now refuse a connection if pushed compression settings will \ 
contradict the setting of allow-compression as this almost always results in a \ 
non-working connection.

Log message:
openvpn: --disable-dco. Needs kernel support.

Log message:
openvpn: updated to 2.6.1

Overview of changes in 2.6.1

New features

Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically \ 
create a tls-crypt key that is used for renegotiation. This ensure that only the \ 
previously authenticated peer can do trigger renegotiation and complete \ 
renegotiations.
CryptoAPI (Windows): support issuer name as a selector. Certificate selection \ 
string can now specify a partial issuer name string as "--cryptoapicert \ 
ISSUER:<string>" where <string> is matched as a substring of \ 
the issuer (CA) name in the certificate.

User visible changes

on crypto initialization, move old "quite verbose" messages to --verb \ 
4 and only print a more compact summary about crypto and timing parameters by \ 
default
configure now enables DCO build by default on FreeBSD and Linux, which brings in \ 
a default dependency for libnl-genl (for Linux distributions that are too old to \ 
have this library, use "configure --disable-dco")
make "configure --help" output more consistent
CryptoAPI (Windows): remove support code for OpenSSL before 3.0.1 (this will not \ 
affect official OpenVPN for Windows installers, as they will always be built \ 
with OpenSSL 3.0.x)
CryptoAPI (Windows): log the selected certificate's name
"configure" now uses "subdir-objects", for automake >= \ 
1.16 (less warnings for recent-enough automake versions, will change the way .o \ 
files are created)

Bugfixes / minor improvements

fixed old IPv6 ifconfig race condition for FreeBSD 12.4
fix compile-time breakage related to DCO defines on FreeBSD 14
enforce minimum packet size for "--fragment" (avoid division by zero)
some alignment fixes to avoid unaligned memory accesses, which will bring \ 
problems on some architectures (Sparc64, some ARM versions) - found by USAN \ 
clang checker
windows source code fixes to reduce number of compile time warnings (eventual \ 
goal is to be able to compile with -Werror on MinGW), mostly related to \ 
signed/unsigned char * conversions, printf() format specifiers and unused \ 
variables.
avoid endless loop on logging with --management + --verb 6+
build (but not run) unit tests on MinGW cross compiles, and run them when \ 
building with GitHub Actions.
add unit test for parts of cryptoapi.c
add debug logging to help with diagnosing windows driver selection
disable DCO if proxy config is set via management interface
do not crash on Android if run without --management
improve documentation about cipher negotiation and OpenVPN3
for x86 windows builds, use proper calling conventions for dco-win (__stdcall)
differentiate "dhcp-option ..." options into "needs an interface \ 
with true DHCP service" (tap-windows) and "can also be installed by \ 
IPAPI or service, and can be used on non-DHCP interfaces" (wintun, dco-win)
windows interactive service: fix possible double-free if "--block-dns" \ 
installation fails due to "security products" interfering
"make dist": package ovpn_dco_freebsd.h to permit building from \ 
tarballs on FreeBSD 14