OpenVPN Release 2.7_rc4

version.m4, ChangeLog, Changes.rst

Changes.rst has not received an "2.7_rc4" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.

Notable changes rc3 -> rc4 are:
    - Windows interactive service: do not configure adapter DNS if
      there are no search-domains but there are resolve-domains (which
      get resolved via NRPT rules) - GH: OpenVPN/openvpn#473
    - improve documentation and error messages for a number of deprecated
      options
    - improve documentation for not-really-deprecated-yet ``--ns-cert-type``
    - Windows IPv4 configuration with netsh.exe: ensure addresses are added
      with "store=active" (ensure proper cleanup) - GH: OpenVPN/openvpn#915
    - Windows: set UTF8 code page in openvpn.exe manifest, to make cert/key
      loading work again for files with non-ASCII characters in their file
      name (GH: OpenVPN/openvpn#920)
    - tun.c: unify read_tun()/write_tun() functions for all BSD platforms
    - more type conversion related cleanups
    - add NULL check before freeaddrinfo() call, which might lead to a
      crash on OpenBSD (GH: OpenVPN/openvpn#930)
    - add NULL check to mbedtls handling of external and inline certificates
    - add check for auth none / cipher none on FreeBSD DCO
    - add CAP_SYS_NICE to positive list in Linux systemd unit files
      (GH: OpenVPN/openvpn#834)
    - drop mbedtls 2.x support  (which is end of life, and work on mbedtls 4
      is much simplified by not having to take care of 2.x compat as well)
    - PUSH_UPDATE: bugfix for the client side where split/continued messages
      (due to large number of "route" statements) would not correctly handle
      the full set of routes.  Add unit test.  (GH: OpenVPN/openvpn#925)
    - new unit test module for mbuf handling
    - deprecate --fast-io option (it got partially broken by the multisocket
      implementation, and the benefits of the existing implementation did
      not outweigh the extra code complexity to make it work again)
    - change the ssl_ctx in struct tls_options to be a pointer - this is
      a shared data structure between various contexts, but previously it
      was shallow-copied, leading to needless CRL reloading - and when
      working on implementing the new OpenSSL CRL API, to segfaults
      (the existing code works, as these new APIs are not used yet).

Signed-off-by: Gert Doering <gert@greenie.muc.de>

ChangeLog

@@ -1,6 +1,65 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 
+2025.12.17 -- Version 2.7_rc4
+
+Arne Schwabe (4):
+      Clarify some code in epoch with better comments
+      Add a section about wolfSSL GPLv3 and point out missing TLS PRF support
+      Fix dco with null cipher being enabled without auth none
+      Change ssl_ctx in struct tls_options to be a pointer
+
+Frank Lichtenheld (19):
+      Documentation: Various syntax fixes and text improvements
+      CMake: For VS build, switch from /W2 to /W3
+      socket: Initialize struct in_addr_t in getaddr()
+      GHA: Add minGW Release build
+      tun: Refactor BSD write_tun/read_tun
+      tun: Change return type of write_tun/read_tun to ssize_t
+      Remove some obsolete references to --windows-driver
+      options: Remove some verbose error messages for options deprecated in 2.4
+      Correct documentation for --ns-cert-type
+      buffer: Change limits for array_mult_safe
+      mbuf: Add unit tests
+      options: Avoid some conversion warnings
+      schedule: Rework documentation for schedule_add_entry
+      multi: Fix wrong sigma value in multi_push_restart_schedule_exit
+      multi: Fix type handling for hashes, mostly inotify_watchers
+      multi: Fix various conversion warnings
+      manage: Avoid several conversion warnings by using the correct types
+      buffer: Change buf_prepend and buf_advance to accept ssize_t for length
+      multi: Warn about failing read in multi_process_file_closed()
+
+Gianmarco De Gregori (2):
+      mudp: fix unaligned 32-bit read when parsing peer ID
+      Deprecate --fast-io option
+
+Heiko Hund (1):
+      iservice: set adapter DNS only with search domains
+
+Klemens Nanni (1):
+      Prevent crash on invalid server-ipv6 argument
+
+Lev Stipakov (1):
+      tun.c: set IPv4 address temporary on Windows
+
+Max Fillinger (1):
+      Drop Mbed TLS 2.X compatibility
+
+Moritz Fain (1):
+      PUSH_UPDATE: fix option reset logic in continuation messages
+
+Selva Nair (2):
+      Set UTF-8 as the codepage using manifest declaration
+      pull-filter: improve documentation
+
+Simon Matter (1):
+      Add CAP_SYS_NICE to the positive list in systemd service files
+
+Steffan Karger (1):
+      mbedtls: gracefully exit if certificate file is NULL
+
+
 2025.11.28 -- Version 2.7_rc3
 
 Frank Lichtenheld (9):

Changes.rst

@@ -338,6 +338,11 @@ User-visible Changes
   (force egress = ingress interface) can be achieved with the new
   ``--multihome same-interface`` sub-option.
 
+- Windows ``openvpn.exe`` binary manifest now sets code page UTF8 - which
+  has no direct effect on OpenVPN itself, but this repairs OpenSSL file
+  loading for key/cert files with non-ASCII characters in their file names
+  (GH: OpenVPN/openvpn#920).
+
 Deprecated features
 -------------------
 ``--opt-verify`` feature removed

version.m4

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_rc3])
+define([PRODUCT_VERSION_PATCH], [_rc4])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])