This release contains bugfixes in the MTU handling for peer-id (TLS floating), so if you connect to a server that supports it you should install this upgrade.

In addition TLS version negotiation is re-enabled by default, so that users benefit from the stronger and better crypto of TLSv1.1 and TLSv1.2, without having to add 'tls-version-min' to their config files. If you encounter any connection issues please see the documentation for --tls-version-min and --tls-version-max options.

There are also a number of small bug fixes and enhancements. A full list of changes is available here

The I602 and I002 Windows installers bundle OpenSSL 1.0.1o which fixes some security vulnerabilities. While the vulnerabilities don't seem to affect OpenVPN or can be mitigated, it is still recommended to upgrade Windows clients.

If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.freenode.net). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.freenode.net).

OpenVPN 2.3.7 Change Log

Alexander Pyhalov (1):
      Default gateway can't be determined on illumos/Solaris platforms

Arne Schwabe (1):
      Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4

David Sommerseth (6):
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up

David Woodhouse (2):
      pkcs11: Load p11-kit-proxy.so module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present

Felix Janda (1):
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary

Gert Doering (18):
      New approach to handle peer-id related changes to link-mtu (2.3 version)
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be85d37
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use configure.ac hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.
      Preparing for release v2.3.7 (ChangeLog, version.m4)

Guy Yur (1):
      Fix --redirect-private in --dev tap mode.

Jan Just Keijser (1):
      include ifconfig_ environment variables in --up-restart env set

Jonathan K. Bullard (1):
      Fix null pointer dereference in options.c

Lev Stipakov (1):
      Fix mssfix default value in connection_list context

Matthias Andree (1):
      Manual page update for Re-enabled TLS version negotiation.

Mike Gilbert (1):
      Include systemd units in the source tarball (make dist)

Robert Fischer (1):
      Updated manpage for --rport and --lport

Samuli Seppänen (2):
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page

Steffan Karger (14):
      Really fix '--cipher none' regression
      Update doxygen (a bit)
      Set tls-version-max to 1.1 if cryptoapicert is used
      Account for peer-id in frame size calculation
      Disable SSL compression
      Fix frame size calculation for non-CBC modes.
      Allow for CN/username of 64 characters (fixes off-by-one)
      Remove unneeded parameter 'first_time' from possibly_become_daemon()
      Re-enable TLS version negotiation by default
      Remove size limit for files inlined in config
      Improve --tls-cipher and --show-tls man page description
      Re-read auth-user-pass file on (re)connect if required
      Clarify --capath option in manpage
      Call daemon() before initializing crypto library