openvpn Secure IP/Ethernet tunnel daemon
2.4.7 security =123

Maintainer: mandree@FreeBSD.org
Port Added: 2002-06-24 16:19:12
Last Update: 2019-02-21 19:30:52
SVN Revision: 493524
Also Listed In: net
License: GPLv2

OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private networks
using an encrypted tunnel over the internet. It can operate over UDP or TCP,
can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
server can handle many clients.

WWW: https://openvpn.net/index.php/open-source.html

SVNWeb : Homepage : PortsMon

Pseudo-pkg-plist information, but much better, from make generate-plist
Expand this list (14 items)

1. /usr/local/share/licenses/openvpn-2.4.7/catalog.mk
2. /usr/local/share/licenses/openvpn-2.4.7/LICENSE
3. /usr/local/share/licenses/openvpn-2.4.7/GPLv2
4. include/openvpn-plugin.h
5. include/openvpn-msg.h
6. lib/openvpn/plugins/openvpn-plugin-auth-pam.so
7. lib/openvpn/plugins/openvpn-plugin-down-root.so
8. man/man8/openvpn.8.gz
9. sbin/openvpn
10. sbin/openvpn-client
11. libexec/openvpn-client.up
12. libexec/openvpn-client.down
13. @postexec /usr/sbin/service ldconfig restart > /dev/null
14. @postunexec /usr/sbin/service ldconfig restart > /dev/null
Collapse this list.

Dependency line: openvpn>0:security/openvpn

Conflicts:

• CONFLICTS_INSTALL:
  • openvpn-2.[!4].*
  • openvpn-[!2].*
  • openvpn-beta-[0-9]*
  • openvpn-devel-[0-9]*
  • openvpn-mbedtls-[0-9]*

Conflicts Matches:

There are no Conflicts Matches for this port. This is usually an error.

---

To install the port: cd /usr/ports/security/openvpn/ && make install clean
To add the package: pkg install openvpn

PKGNAME: openvpn

There is no flavor information for this port.

distinfo:

TIMESTAMP = 1550775398
SHA256 (openvpn-2.4.7.tar.xz) = a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648
SIZE (openvpn-2.4.7.tar.xz) = 953116

---

Slave ports

1. security/openvpn-mbedtls

---

NOTE: FreshPorts displays only information on required and default dependencies. Optional dependencies are not covered.

Build dependencies:

1. pkgconf>=1.3.0_1 : devel/pkgconf

Runtime dependencies:

1. easy-rsa>=0 : security/easy-rsa

Library dependencies:

1. liblzo2.so : archivers/lzo2
2. liblz4.so : archivers/liblz4

This port is required by:

for Build

1. security/openvpn-auth-ldap
2. security/openvpn-auth-script

for Run

1. security/kovpn^*
2. security/openvpn-admin
3. security/openvpn-auth-radius

* - deleted ports are only shown under the This port is required by section. It was harder to do for the Required section. Perhaps later...

---

Configuration Options

===> The following configuration options are available for openvpn-2.4.7:
     DOCS=on: Build and/or install documentation
     EASYRSA=on: Install security/easy-rsa RSA helper package
     EXAMPLES=on: Build and/or install examples
     LZ4=on: LZ4 compression support
     PKCS11=off: Use security/pkcs11-helper
     SMALL=off: Build a smaller executable with fewer features
     TEST=on: Build and/or run tests
     TUNNELBLICK=off: Tunnelblick XOR scramble patch (READ HELP!)
     X509ALTUSERNAME=off: Enable --x509-username-field (OpenSSL only)
====> SSL protocol support: you have to select exactly one of them
     OPENSSL=on: SSL/TLS support via OpenSSL
     MBEDTLS=off: SSL/TLS via mbedTLS
===> Use 'make config' to modify these settings

---

USES:

cpe libtool pkgconfig shebangfix tar:xz ssl

---

Master Sites:

1. https://build.openvpn.net/downloads/releases/
2. https://swupdate.openvpn.org/community/releases/

• 2016-12-27

  Affects: users of security/openvpn, security/openvpn-polarssl

  Author: Matthias Andree <mandree@FreeBSD.org>

  Reason: 
    The OpenVPN ports have been updated to the new upstream release v2.4,
    and their predecessors preserved as openvpn23 and openvpn23-polarssl,
    respectively.  Note that for the new v2.4 release, the
    openvpn-polarssl port has been renamed to openvpn-mbedtls to match the
    upstream library's new name.
  
  

• 2013-01-13

  Affects: users of security/openvpn*

  Author: mandree@FreeBSD.org

  Reason: 
    security/openvpn has been upgraded to the IPv6-capable v2.3.0.
    This upgrade moves easy-rsa into a separate package in
    security/easy-rsa that is pre-selected as default run-time dependency,
    and changes installed file layout a bit.
  
    security/openvpn22 retains the prior OpenVPN 2.2.2 version.
    If you want to continue using this version, use one of these commands:
  
    # portmaster -o security/openvpn22 security/openvpn
      or
    # portupgrade -o security/openvpn22 security/openvpn
      or
    # pkg set -o security/openvpn:security/openvpn22
  
    security/openvpn20 has been marked deprecated and to be removed
    in half a year's time.  Please migrate to a newer version soonish.
  
  

• 2010-01-07

  Affects: users of security/openvpn*

  Author: mandree@FreeBSD.org

  Reason: 
    security/openvpn has been moved to security/openvpn20 and upgraded to 2.0.9.
    security/openvpn has been upgraded to 2.1.1, and security/openvpn-devel has
    been removed.
  
    Regular upgrades of the security/openvpn port should succeed without
    manual intervention, but if you want to stick to openvpn 2.0 or if you
    had been using openvpn-devel, manual intervention is needed, as
    follows:
  
    If you'd been using the security/openvpn-devel port, please use one of
    these commands for upgrading:
  
      portmaster -m-DDISABLE_CONFLICTS -o security/openvpn security/openvpn-devel
  
      portupgrade -m-DDISABLE_CONFLICTS -o security/openvpn security/openvpn-devel
  
    If you want to stick to openvpn 2.0, please use one of these two
    upgrade commands:
  
      portmaster -m-DDISABLE_CONFLICTS -o security/openvpn20 security/openvpn
  
      portupgrade -m-DDISABLE_CONFLICTS -o security/openvpn20 security/openvpn
  
  

• port moved here from security/openvpn23 on 2017-04-10
  REASON: Has expired: Replaced by new upstream release 2.4.x
  
  
• port moved here from security/openvpn20 on 2013-07-11
  REASON: Has expired: Superseded by security/openvpn
  

security/openvpn[-mbedtls] update to OpenVPN 2.4.7

Upstream release announcement:
"This is primarily a maintenance release with bugfixes and improvements.
One of the big things is enhanced TLS 1.3 support

Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that."

Move USES up to please portlint.

Change summary:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-247>

Detailed change list:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.7>

- Add LICENSE_FILE
- Update WWW

Approved by:	portmgr blanket

Update security/mbedtls to 2.13.0 and bump dependent ports.

Update security/mbedtls to 2.12.0 and bump dependent ports.

MFH:		2018Q3
Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02

Update security/mbedtls to 2.9.0 and bump dependent ports.

Only sleep in ports if BATCH/PACKAGE_BUILDING are not defined.

Sponsored by:	Absolight

Update to new upstream bugfix release 2.4.6.

While here, warn and sleep for 10 s when building against LibreSSL.

Remove some cruft.

Change summary:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-246>

Changelog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.6>

Reported by:	portscout

Update security/mbedtls to 2.8.0 and bump dependent ports.

MFH:		2018Q2
Security:	https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released

Fix build with LibreSSL 2.4.6

PR:		226568
Reported by:	Ralf van der Enden
Obtained from:	faminebadger <https://community.openvpn.net/openvpn/ticket/1038>

Update to new upstream bugfix release 2.4.5.

Change summary:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-245>

Changelog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.5>

While here, add a sanity check that traps inconsistent linkage,
if, for instance, the PKCS#11 helper has been built with a different
OPENSSL library version than OpenVPN.

Update security/mbedtls to 2.7.1.

PR:		226550
MFH:		2018Q1

- Update security/polarssl13 to 1.3.22.
- Update security/mbedtls to 2.7.0 and bump dependent ports.

MFH:		2018Q1
Security:	https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

Do not abuse INSTALL_MAN when installing documentation, examples, and
other miscellaneous files that are not actually manual pages (part 2).

Add missing conflicts

OpenVPN[-mbedtls] security update to 2.4.4

Upstream maintainers write: "This release includes a large number of small
fixes and enhancements. There is also an important security fix for legacy
setups that may still be using key-method 1. As that option was deprecated
12 years ago we estimate that not many production setups are affected in
practice."

Security information:
<https://community.openvpn.net/openvpn/wiki/CVE-2017-12166>

Change Summary:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-244>

Changes as Git shortlog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.4>

Given the low impact, let's forget about MFHing this three days before
2017Q3 becomes EOL and relieved by 2017Q4.

Reported by:	portscout
Security:	CVE-2017-12166
Security:	3dd6ccf4-a3c6-11e7-a52e-0800279f2ff8

OpenVPN security update to 2.4.3

OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances.

Compared to OpenVPN 2.4.2 there are several bugfixes and one major
feature: support for building with OpenSSL 1.1.

MFH:		2017Q3 (preapproved by Xin Li)
Security:	9f65d382-56a4-11e7-83e3-080027ef73ec
Security:	CVE-2017-7508
Security:	CVE-2017-7512
Security:	CVE-2017-7520
Security:	CVE-2017-7521
Security:	CVE-2017-7522

Switch MASTER_SITES from http to https URI scheme.

OpenVPN update to 2.4.2 (security fixes)

ChangeLog:
<https://github.com/OpenVPN/openvpn/blob/v2.4.2/Changes.rst#version-242>

Details:
<https://github.com/OpenVPN/openvpn/releases/tag/v2.4.2>

Security Announcement:
<https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits>

Reported by:	Samuli Seppanen
Security:	04cc7bd2-3686-11e7-aa64-080027ef73ec
Security:	CVE-2017-7478
Security:	CVE-2017-7479
MFH:		2017Q2

Update to openvpn release 2.4.1

This contains predominently bugfixes and compatibility with
newer OpenSSL/LibreSSL.

Remove one patch that had been cherry-picked from upstream, no longer
needed.

Summary:
https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-241
Changes: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Fix build with LibreSSL 2.5.1.

PR:		217140
Submitted by:	brnrd@
Obtained from:	Olivier Wahrenberger, via upstream maintainers review

Flag conflict between PKCS11 and MBEDTLS in OPTIONS.

OpenVPN update to v2.4.0, old version in openvpn23*.

OpenVPN has been updated to v2.4.0.
Changes: <https://github.com/OpenVPN/openvpn/blob/v2.4.0/Changes.rst>

openvpn-polarssl has been renamed to openvpn-mbedtls to match the TLS
library's change of name.

The prior versions of the openvpn ports have been preserved in openvpn23
and openvpn23-polarssl, respectively, and are set to expire 2017-03-31.

Upgrade to new upstream bugfix release 2.3.14.

Drop files/extra-patch-fix-subnet and corresponding OPTION, since this
is now part of the upstream release.

Changelog:	<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.14>

Experimental patch for topology subnet.

Added as an extra patch behind an option that defaults to ON so people
can still opt out, this is slated for an upcoming 2.3.14 release that
is, however, not yet scheduled.

PR:		207831 (related)
Obtained from:	Gert Doering, via upstream Git repository 446ef5bda4cdc75d

Upgrade to upstream bugfix release 2.3.13.

ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13>

Fix self-tests in poudriere, make them more robust [1].

The self-tests used to fail in poudriere with dependency cycles in
Makefile that weren't visible earlier. Conditionally change ALL_TARGET
to check (do not use all check, that would require gmake) if the TEST
option is set (default), or set TEST_TARGET if the TEST option is unset.

While I am unable to reproduce 212146 claiming the self-tests fail on an
IPv6-disabled host, and I believe it's a red herring masking a local
configuration issue, doubt sed(1) and add blanks, and be sure to add the
"proto" earlier. The reporter didn't mention his OS version.

No PORTREVISION bump since the default build is unaffected.

PR:		212146 [1]

Make self-test the TEST option, support make test. Enabled by default.

NB: This is a critical port with many users, and the test is low on
resources, it takes two minutes idling, waiting for timers to expire.

Replace former ".if ... post-build:" by "post-build-TEST-on: test".
Replace former post-build by "TEST_TARGET=check".

Add a temporary (9 months or so-ish) compatibility wrapper to move
people from the prior port-specific WITHOUT_CHECK to WITHOUT=TEST or
OPTIONS_UNSET=TEST. Uses WARNING+= to make user aware of the change.

While here, shorten the POLARSSL_DESC help message.

Requested by:	brnrd@
Differential Revision:	D7507 (sort-of)

Update Tunnelblick XOR patch.

PR:		212136
Submitted by:	Franco Fichtner

Fix build with tunnelblick patch.

Sponsored by:	Absolight

Update to new upstream bugfix release 2.3.12, add "stats" to rc script.

* Upstream changes:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12>
* The cmocka-based unit tests are currently disabled, too much hassle
  and deps to get them running.
* Add patch-configure to drop the unit-test related warnings.
* Extend run control script to understand the "stats" argument, to send
  SIGUSR2 to the process, contributed by Anton Yuzhaninov (with one
  additional line fold).
* Drop patch-629baad8, no longer needed.
* Refresh other patches with make clean extract do-patch makepatch

Fix PolarSSL-based builds.

The upstream backported a change from the master branch that fixes the
PolarSSL-based builds to go with the PolarSSL 1.3.X built-in defaults.

Add a patch picked from the upstream's release/2.3 branch.
Remove the BROKEN= line and conditional.

No PORTREVISION bump because the patch only affects an option that was
formerly marked BROKEN.

(TRYBROKEN users need to force a rebuild and reinstallation manually.)

Security upgrade to OpenVPN 2.3.11, breaking POLARSSL option.

Quoting upstream maintainers' release notes:
"This release fixes two vulnerabilities: a port-share bug with DoS
potential and a buffer overflow by user supplied data when using pam
authentication. In addition a number of small fixes and improvements are
included."

WARNING: this upgrade breaks the PolarSSL-based build due to an
oversight in the cipher suite selection hardening, crashing
PolarSSL-based builds with a 0-pointer deferences.
Marking port BROKEN if POLARSSL is set.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

One more fix for /usr/sbin/service -R.

Work around 10.3-RELEASE's service(8) shortcomings

PR:		208534
Reported by:	allan@saddi.com

Remove ${PORTSDIR}/ from dependencies, categories r, s, t, and u.

With hat:	portmgr
Sponsored by:	Absolight

Add an 'up' script for resolvconf integration, ...

contributed by Bapt@, but not yet touched up.
Needs proper license notice and documentation.
Therefore not yet linked to the build/install.

Upgrade to new upstream release 2.3.10.

Now requires PolarSSL/mbedTLS 1.3.X with X >= 8, PolarSSL 1.2 is EOL.
Match help text to the change.

Make sure the build uses the local unpacked includes before the system
includes, such that portmaster/portupgrade upgrades for PolarSSL work if
2.3.9 or older is pre-installed on the build system.

Update to new upstream release 2.3.9.

Removes the PW_SAVE option, the upstream code always permits saving
passwords to files now (so the feature is always enabled).

ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.9>

Add optional extra patch for Tunnelblick obfuscation.

Adds a --scramble method to the executable but not documentation.
Requires careful review of implications before enabling, and has not
been accepted upstream.  https://tunnelblick.net/cOpenvpn_xorpatch.html

PR:		200215
Submitted by:	Franco Fichtner

Handle OpenSSL/PolarSSL options in the right way,

such that it is maintainable if we add more SSL libs in the future.

To fix fall-out from r399858 and r399982.

Fix build without POLARSSL.

Pointy hat to:	mat
Sponsored by:	Absolight

Use options helpers.

Sponsored by:	Absolight

Bugfix upgrade to new upstream release 2.3.8.

ChangeLog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.8

By default libtool replaces -export-symbols <file> with -retain-symbols-file
<file> on ELF systems, but this doesn't really do what -export-symbols is
meant to do.  On GNU ELF systems it converts <file> to a simple version
script first and then uses -version-script instead of -retain-symbols-file.
Let USES=libtool patch libtool scripts to do this on all systems with GNU
ld(1).

Bump PORTREVISION on all ports where the build log contains -export-symbols.

audio/calf: This port builds a module that now exports only one function,
but it also builds a number of executables that link to this module and
expect to see other functions.  Because it's already a bit dodgy to link to
a module (libtool warns about this) let the module continue to export only
one function and instead build an ordinary library from the same source that
the executables can link to.  Fix a number of other issues in the same

Add an openvpn-polarssl that selects PolarSSL for its default TLS provider.

Update to new upstream release 2.3.7.

Fixes
PR:		194745

Add experimental patch by Gert Doring to fix PR #194745.
Must be enabled through the options framework ("make config").

PR:		194745

+ Update patch set for crypto engine fix [1].
  Change option name so it is presented anew, default disabled.

+ Add openvpn-client wrapper script and up/down scripts to trigger
  resolvconf, with minor edits. [2]

+ Set proper PLUGIN_LIBDIR so that plugins in the default directory can
  be found with relative paths.

+ Compile shipped plugins with -fPIC.

PR:		195004 [1]
PR:		199529 [2]
Submitted by:	yuri@rawbw.com [2]
Obtained from:	https://community.openvpn.net/openvpn/ticket/480#comment:21

Specify library version when depending on libpolarssl and switch ports to
PolarSSL 1.3 when they fail to build with 1.2.

Add an experimental patch for bug #195004.
Needs to be enabled through a port option.

PR: 195004

Add a X509ALTUSERNAME port option to enable the --x509-username-field
run-time option.

Bump PORTREVISION.

PR:		198896
Submitted by:	bastian+freebsd.org@waldi.eu.org

Add CPE data.

Requested by:	des

Security Update to 2.3.6.

Approved by:	so
MFH:		2014Q4
Security:	23ab5c3e-79c3-11e4-8b1e-d050992ecde8

Add three patches from Git to unwedge the build after certs expired,
and two other fixes (bumping PORTREVISION):

44294568 Fix assertion error when using --cipher none
e9b07dc9 Fix to --shaper documentation on the man-page
b77c27a1 Modernize sample keys and sample configs

Upgrade to new upstream release 2.3.5.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

While here, drop @dirrm from pkg-plist.

Add DOCS to OPTIONS_DEFINE to ports that check for PORT_OPTIONS:MDOCS.

Update to new upstream release 2.3.4.
Changes:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.4>

Add USES=libtool and drop .la files.

Upgrade to new upstream 2.3.3 release. Misc bugfixes.

Changes:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.3>

Note that PKCS#11 helper support requires a pkcs11-helper upgrade from
<http://www.freebsd.org/cgi/query-pr.cgi?pr=188442> to be committed.

Fix several compilation issues where the upstream's configure script
required pkg-config, for instance, the PKCS11 option.

Submitted by:	mat@

- Repair PKCS11 option [1].
- Use the opportunity to simplify Makefile: leverage some of the
  OptionsNG and Staging features, removing our homebrew predecessors.
- QA: Strip .so libraries, fix shebang paths in samples.

Obtained from:	<https://forums.freebsd.org/viewtopic.php?f=7&t=44866> [1]

Fix self-tests and their non-fatal auto-skip on RedPorts.

Add patch-tests__t_cltsrv.sh to properly skip self-tests when no
inet/inet6 addresses are available, and to properly use udp6 when only
inet6 is available (for instance, on RedPorts).

Drop patch-src__openvpn__syshead.h, had already been integrated upstream.

PR:		ports/185439 (related)

Convert from port-specific to official STAGEDIR support.

Add NO_STAGE all over the place in preparation for the staging support (cat:
security)

Update to new upstream release

2013.05.31 -- Version 2.3.2
Arne Schwabe (3):
      Only print script warnings when a script is used. Remove stray mention of
script-security system.
      Move settings of user script into set_user_script function
      Move checking of script file access into set_user_script

Davide Brini (1):
      Provide more accurate warning message

Gert Doering (2):
      Fix NULL-pointer crash in route_list_add_vpn_gateway().
      Fix problem with UDP tunneling due to mishandled pktinfo structures.

security upgrade to OpenVPN 2.3.1; upstream release notes are

  "This release adds supports for PolarSSL 1.2. It also adds a fix to
  prevent potential side-channel attacks by switching to a constant-time
  memcmp when comparing HMACs in the openvpn_decrypt function. In
  addition, it contains several bugfixes and documentation updates, as
  well as some minor enhancements."

Full ChangeLog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

The port upgrade also offers an option to use the GPLv2+-licensed
PolarSSL instead of OpenSSL (which brings in a license mix).

PR:		ports/177517
Reviewed by:	miwi
Approved by:	portmgr (miwi)
Security:	92f30415-9935-11e2-ad4c-080027ef73ec

- When installing from port, do not tamper with permissions of other files
  in ${PREFIX}/sbin and ${PREFIX}/lib. [1]

- Do not install plugin .la/.so files with the executable bit set, they
  are not executable.

PR:		ports/175434 [1]
Submitted by:	Benjamin Lorenz [1]

- Fix NOPORTDOCS regression [1], by installing to DESTDIR= and then installing
from
  there, rather than tweaking the Makefiles.
- Move examples to EXAMPLESDIR, and heed NOPORTEXAMPLES
- Remove a leftover SUB_LIST addition.
- Switch comment to my FreeBSD e-mail address.
- Use PORTDOCS=* and PORTEXAMPLES=* to remove pkg-plist cruft
- Sort PORT_OPTIONS .ifs and stuff.

PR:		ports/175283 [1]
Submitted by:	Alexey Markov [1]

Add a new security/easy-rsa package that contains the bits that got
split out of OpenVPN prior to the current 2.3.0 release, and make that
security/openvpn RUN_DEPENDS on it. Also update UPDATING record.

OpenVPN changes, upgrades and fixes:

- Upgrade security/openvpn to v2.3.0 (changes installed layout a bit),
  splitting and re-diffing patches.
- Retain v2.2.2 as security/openvpn22
- Mark security/openvpn20 as deprecated and to expire 6 months from now
- Fix TCP_NODELAY option (openvpn 2.3, 2.2), see
  <http://community.openvpn.net/openvpn/ticket/158>
- Fix PassTOS option (openvpn 2.2, 2.0), see
  http://community.openvpn.net/openvpn/ticket/135

- Convert to OptionsNG
- Strip Makefile header
- Drop LIB_DEPENDS ABI versions

Move the rc.d scripts of the form *.sh.in to *.in

Where necessary add $FreeBSD$ to the file

No PORTREVISION bump necessary because this is a no-op

In the rc.d scripts, change assignments to rcvar to use the
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().

In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.

Update to new upstream release v2.2.2.

Changelog:
http://openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html

Remove more tags from pkg-descr files fo the form:

- Name
em@i.l

or variations thereof. While I'm here also fix some whitespace and other
formatting errors, including moving WWW: to the last line in the file.

Update and demote CONFLICTS to CONFLICTS_INSTALL.

Use required_modules rather than _precmd.

To fix failures with 'restart'.

Reported by: Miroslav Lachman

Fix skipping t_cltsrv when IP missing. Really this time.

Cause was a   trap "... ; exit 1" 0   shell construct that needs to be
cancelled for the exit 77 to take effect. trap 0 inserted to that end.

Fix NOPORTDOCS support, though differently than suggested

Reported by: pgollucci
PR:          ports/159610

Skip self-test more readily without addresses.

- Turn off self-tests on pointyhat, they fail

Reported by:    pointyhat

Avoid jamming the build if the jail is without address, skip self-test.

Update to upstream release 2.2.1.

NOTE: the easy-rsa/2.0 openssl.cnf file has been removed and replaced by
an openssl-0.9.8.cnf and an openssl-1.0.0.cnf file.

Changelog URL:
http://openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html

Patch hardwired gcc to ${CC}, fixing clang-ports builds [1].
Use full ${MAKE} environment from do-build, for consistency.

Found by: -exp run [1].

Remove painful examples of foo="", with particular prejudice against
constructions that parse out to [ -z "$foo" ] && foo=""

These are bad examples that get copied and pasted into new code, so the
hope is that with less bad examples there will be less need for me to
bring this up in review.

In a few of these files all that were changed were comments so that next
time I search for these patterns I won't trip on the file for no reason.

In a few places, add $FreeBSD$

No functional changes, so no PORTREVISION bumps

Remove support for lzo-1.

Update to 2.2.0. Add LICENSE (GPLv2). Add a local mirror of the distfile (file
has been uploaded and will propagate soonish).

Changelog:
http://openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html

Streamline a bit:
- remove subshell to use basename, and use ## substitution [1]
- remove FreeBSD 5.X compatibility comment [1]
- remove FreeBSD 5.X compatibility code

The parts marked with [1] above were
Submitted by: dougb (Doug Barton)

Switch to XZ distribution format.

Update to new upstream release 2.1.4.
Update MASTER_SITES.

Submitted by: Eric F. Crist <ecrist@secure-computing.net>
PR: ports/151962

Update to 2.1.3

No functional changes, but avoids 'have you seen new release'
type mail flood. :)

Update to new upstream version 2.1.2.

Contains various bugfixes and improvements.

Add openvpn-beta-[0-9]* to CONFLICTS variable.

Submitted by: Eric F. Crist
PR: ports/149617

Support /etc/rc.d/openvpn softrestart
to send SIGUSR1 (rather than SIGHUP) to OpenVPN processes.

Suggested by: Nick Hibma (in private email)

Fix bashisms (source FILE -> . FILE)
replace shebang-lines /bin/bash -> /bin/sh
bump portrevision (changed files)

based on:
PR: ports/147472
Submitted by: Olli Hauer <ohauer@gmx.de>

Approved by: miwi (mentor)

RC_SUBR_SUFFIX has not been needed for a long time now, all supported
versions of FreeBSD now use /etc/rc.subr and rc.d scripts without .sh
appended to the script name.

Begin the process of deprecating sysutils/rc_subr by
s#. %%RC_SUBR%%#. /etc/rc.subr#

Move security/openvpn to security/openvpn20 (after previous repocopy).
Update security/openvpn20 to 2.0.9, revising pkg-message.

Move security/openvpn-devel to security/openvpn and
update security/openvpn to 2.1.1.

Remove security/openvpn-devel, adding a MOVED entry.

Update security/Makefile to remove openvpn-devel and add openvpn20 to
SUBDIRS.

Add a UPDATING entry for this shuffle.  Currently without upgrade
instructions since neither portupgrade nor portmaster are up to the
task (because of the CONFLICTS).

Approved by:  garga@ (mentor)

Fix a few "bad example" problems in the rc.d scripts that have been
propogated by copy and paste.

1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).

No PORTREVISION bumps because all of these changes are noops.

- Add logging knob

PR:             ports/130893
Submitted by:   Michael Scheidell <scheidell@secnap.net>
Approved by:    Matthias Andree <matthias.andree@gmx.de> (maintainer)

Update CONFIGURE_ARGS for how we pass CONFIGURE_TARGET to configure script.
Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.

To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.

To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.

Changes to Mk/*:
 - Add runtime detection magic in bsd.port.mk

11 vulnerabilities affecting 150 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities

Last updated:
2019-03-22 04:09:33