Bug fixes
- Fix issues when a cipher pushed via Negotiable Crypto Parameters (NCP) is rejected by the remote side.
- Ignore --keysize when NCP has resulted in a changed cipher.
- Clients that use --auth-nocache together with an interface that supplies user credentials (such as NetworkManager), when connecting to servers that implement authentication tokens (for example via --auth-gen-token), now behave correctly: on renegotiation of the tunnel they no longer prompt the user for an authentication token the user cannot know.
- Fix bug causing invalid or corrupt SOCKS port number when changing the proxy via the management interface.
- The man page now has proper escaping of hyphen/minus characters and has received some minor corrections.
Deprecated features
- --no-replay is deprecated and will be removed in OpenVPN 2.5.
- --keysize is deprecated in OpenVPN 2.4 and will be removed in v2.6.
Security
- CVE-2017-12166: Fix a missing bounds check for configurations using --key-method 1. Before this fix, an attacker could send a malformed packet that triggers a stack buffer overflow. This is considered a low-risk issue, as --key-method 2 has been the default since OpenVPN 2.0 (released on 2005-04-17). --key-method 1 is already deprecated in v2.4 and will be completely removed in v2.5.
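The shape of the bug the CVE-2017-12166 entry describes, as an added illustration that is not OpenVPN's own code: a length-prefixed field is copied into a fixed-size stack buffer, the "before" reader trusts the length claimed on the wire, and the "after" reader compares it with the destination size first. The field layout, the 64-byte buffer size, the sample packets and all names are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the example: the fixed-size stack buffer the field lands in. */
#define MAX_KEY_BYTES 64

struct wire_buf {
    const uint8_t *data;
    size_t len;
};

/* Both readers parse the same constructed layout: a 16-bit big-endian length
 * followed by that many payload bytes. They return 1 on success and 0 on a
 * malformed packet; on success *out_len holds the payload length. */

/* "Before": verifies that the packet holds n bytes, but never compares n with
 * the destination size. A packet claiming n > MAX_KEY_BYTES overruns the
 * caller's stack buffer. Never call this on untrusted input. */
static int read_field_unchecked(const struct wire_buf *in,
                                uint8_t out[MAX_KEY_BYTES], size_t *out_len)
{
    if (in->len < 2) return 0;
    size_t n = ((size_t)in->data[0] << 8) | in->data[1];
    if (in->len - 2 < n) return 0;     /* only checks the packet, not `out` */
    memcpy(out, in->data + 2, n);      /* stack overflow when n > MAX_KEY_BYTES */
    *out_len = n;
    return 1;
}

/* "After": the same reader with the missing bound on the destination. */
static int read_field_checked(const struct wire_buf *in,
                              uint8_t out[MAX_KEY_BYTES], size_t *out_len)
{
    if (in->len < 2) return 0;
    size_t n = ((size_t)in->data[0] << 8) | in->data[1];
    if (n > MAX_KEY_BYTES) return 0;   /* the added bounds check */
    if (in->len - 2 < n) return 0;
    memcpy(out, in->data + 2, n);
    *out_len = n;
    return 1;
}

/* Constructed sample input: a well-formed 4-byte field. */
static const uint8_t VALID_PKT[] = { 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };

/* Constructed malformed input: claims 256 payload bytes and really carries
 * them, so a check on the packet length alone does not catch it. */
#define MALFORMED_CLAIM 256
static void build_malformed(uint8_t pkt[2 + MALFORMED_CLAIM])
{
    pkt[0] = (uint8_t)(MALFORMED_CLAIM >> 8);
    pkt[1] = (uint8_t)(MALFORMED_CLAIM & 0xff);
    memset(pkt + 2, 0x41, MALFORMED_CLAIM);
}

/* Payload length the checked reader accepts for the valid packet, -1 on reject. */
int example_valid_checked(void)
{
    uint8_t key[MAX_KEY_BYTES]; size_t n = 0;
    struct wire_buf in = { VALID_PKT, sizeof VALID_PKT };
    return read_field_checked(&in, key, &n) ? (int)n : -1;
}

/* Same well-formed packet through the unchecked reader: identical result. */
int example_valid_unchecked(void)
{
    uint8_t key[MAX_KEY_BYTES]; size_t n = 0;
    struct wire_buf in = { VALID_PKT, sizeof VALID_PKT };
    return read_field_unchecked(&in, key, &n) ? (int)n : -1;
}

/* The checked reader's verdict on the malformed packet (0 = rejected). */
int example_malformed_checked(void)
{
    uint8_t pkt[2 + MALFORMED_CLAIM];
    build_malformed(pkt);
    uint8_t key[MAX_KEY_BYTES]; size_t n = 0;
    struct wire_buf in = { pkt, sizeof pkt };
    return read_field_checked(&in, key, &n);
}

/* How many bytes the unchecked reader would memcpy into the 64-byte buffer. */
size_t example_malformed_claimed_len(void)
{
    uint8_t pkt[2 + MALFORMED_CLAIM];
    build_malformed(pkt);
    return ((size_t)pkt[0] << 8) | pkt[1];
}

int main(void)
{
    printf("valid packet, checked reader: %d bytes\n", example_valid_checked());
    printf("valid packet, unchecked reader: %d bytes\n", example_valid_unchecked());
    printf("malformed packet, checked reader accepted: %d\n", example_malformed_checked());
    printf("malformed packet claims %zu bytes for a %d-byte buffer\n",
           example_malformed_claimed_len(), MAX_KEY_BYTES);
    return 0;
}
```

The point to take from the pair is that a check of "does the packet contain as many bytes as it claims" is not a check of "does my buffer have room for them"; the fix needs both, and the order matters only in that the destination bound must be tested before any copy.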
Packaging
- Add checks
Signed-off-by: Pierre-Yves <pyu@riseup.net>