OpenVPN Release 2.7.1

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <gert@greenie.muc.de>

ChangeLog

@@ -1,6 +1,68 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
 
+2026.03.31 -- Version 2.7.1
+
+Antonio Quartulli (1):
+      options: drop useless init_gc param for init_options()
+
+Arne Schwabe (12):
+      Change stream_buf_read_setup_dowork parameter to struct steam_buf
+      DCO Linux: Fix setting DCO ifmode failing on big endian archs
+      Merge stream_buf_get_next and stream_buf_set_next
+      AWS-LC: Add missing return and cast in ssl_tls1_PRF
+      GHA: Install aws-lc under /opt/aws-lc
+      Show version and double check we use the right TLS library in Github Actions
+      Remove unnecessary OpenSSL init and cleanup commands in unit tests
+      GHA: Cache built crypto libraries
+      Use openssl_err_t typedef to deal with difference between TLS libraries
+      Do not support tls_ctx_set_cert_profile on AWS-LC
+      Use const specifices in extract_x509_field_ssl
+      Increase default size of internal hash maps to 4 * --max-clients
+
+Frank Lichtenheld (7):
+      clang-format: Add missing InsertBraces: true
+      auth-pam: fix discards 'const' qualifier from pointer target type
+      GHA: Maintenance update February 2026
+      buffer: Add checked_snprintf function and use it in the code
+      vcpkg-ports: Review pkcs11-helper port
+      systemd: Change LimitNPROC to TasksMax and increase limit
+      ssl_verify_openssl: Clean up extract_x509_extension
+
+Gert Doering (4):
+      port-share: log incoming connections at verb 3 only
+      rework all occurrences of 'M_ERR | M_ERRNO'
+      configure.ac: adjust to native inotify support for FreeBSD 15+
+      dco_freebsd: use AF_LOCAL sockets for ioctl() communication with DCO driver
+
+Gianmarco De Gregori (1):
+      socket: restore per-connection lport override over global default
+
+Haixiao Yan (1):
+      tests: skip test execution when cross-compiling
+
+Heiko Hund (2):
+      doc: improve Windows-specific options section
+      doc: fix typo with --ingore-unknown-option
+
+Max Fillinger (1):
+      Avoid unbounded allocations in pkcs11_mbedtls.c
+
+Ralf Lici (1):
+      doc: fix client-nat syntax and examples
+
+Rudi Heitbaum (3):
+      dns: fix discards 'const' qualifier from pointer target type
+      ntlm: fix discards 'const' qualifier from pointer target type
+      ssl_verify_openssl: use official ASN1_STRING_ API
+
+Selva Nair (4):
+      Fixup version command on management interface
+      Document management client versions
+      Use USER_PASS_LEN for private key password buffer size
+      Add an optional username-only flag for auth-user-pass
+
+
 2026.02.11 -- Version 2.7.0
 
 Frank Lichtenheld (3):

Changes.rst

@@ -1,3 +1,72 @@
+Overview of changes in 2.7.1
+============================
+Bugfixes
+--------
+- Fix usage of ``--lport`` inside a ``<connection>`` block - this got
+  broken with the multi-socket patchset (GH OpenVPN/openvpn#995)
+
+- Do not try to run auto-pam unit test when cross-compiling.
+
+- Do not break private-key passphrases of length >= 64
+  (GH OpenVPN/openvpn#993)
+
+- Fix obscure ASSERT() crash on TCP connects with TAP and no ip config.
+
+- Make DCO work on FreeBSD systems that have no IPv4 support in kernel
+  (FreeBSD PR 286263)
+
+- Make DCO work on Linux on big endian systems (namely, MIPS and PowerPC)
+  (GH OpenVPN/ovpn-dco#96)
+
+New features
+------------
+- Add a new ``username-only`` flag argument to ``--auth-user-pass`` which
+  will now make OpenVPN only query for username and send a dummy password
+  to the server.  This is only useful if auth schemes are used on the
+  server side that will do some sort of external challenge base on username,
+  and not password authentication.  See discussion in GH OpenVPN/openvpn#501
+  (starting Jan 30, 2024).
+
+- Increase default sizing of internal hash maps to ``4 * --max-clients``.
+  The default used to be ``256`` with a ``--max-clients`` default of
+  1024 - this is bad for performance, while the memory savings are
+  minimal.  On a very memory constrained system, reduce ``--max-clients``.
+
+Long-term code maintenance
+--------------------------
+- Work on OpenSSL 4.0 API support, reducing use of ASN1_STRING members.
+
+- Remove obsolete OpenSSL 1.0.x support code from unit tests.
+
+- Improve documentation of management client versioning, replace magic
+  numbers in the code with an enum type.
+
+- Fixup responses to management interface ``version`` command (for >= 4).
+
+- Make ``--enable-async-push`` work on FreeBSD 15 (which has native
+  inotify support, and consequently no libinotify.pc anymore)
+
+- Adjust some code parts to new "const" handling on string function
+  returns (ISO C23, as implemented by glibc 2.43 and newer).
+
+- Remove erroneous usage of ``M_ERR | M_ERRNO`` throughout the code.
+
+
+User-visible Changes
+--------------------
+- When compiled with the AWS-LC SSL library, using ``--tls-cert-profile``
+  will now print a run-time warning - the library does not support it,
+  so it would silently do nothing.
+
+- Systemd unit files: change LimitNPROC to TasksMax and increase limit
+  (GH: OpenVPN/openvpn#929)
+
+- Documentation improvements.
+
+- port-share: log incoming connections at ``verb 3``, not on ``error``
+  level anymore (GH: OpenVPN/openvpn#976).
+
+
 Overview of changes in 2.7
 ==========================
 New features

version.m4

@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [.0])
+define([PRODUCT_VERSION_PATCH], [.1])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,7,0,0])
+define([PRODUCT_VERSION_RESOURCE], [2,7,1,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])