@@ -1,6 +1,22 @@

 OpenVPN Change Log

 Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

+2009.11.12 -- Version 2.1_rc21

+

+* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address

+  CVE-2009-3555.  Note that OpenVPN has never relied on the session

+  renegotiation capabilities that are built into the SSL/TLS protocol,

+  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation

+  completely) will not adversely affect OpenVPN mid-session SSL/TLS

+  renegotation or any other OpenVPN capabilities.

+

+* Added additional session renegotiation hardening.  OpenVPN has always

+  required that mid-session renegotiations build up a new SSL/TLS

+  session from scratch.  While the client certificate common name is

+  already locked against changes in mid-session TLS renegotiations, we

+  now extend this locking to the auth-user-pass username as well as all

+  certificate content in the full client certificate chain.

+

 2009.10.01 -- Version 2.1_rc20

 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the

@@ -22,7 +22,7 @@

 ;!define OPENVPN_XGUI_DIR "../ovpnxml"

 # Prebuilt libraries.  DMALLOC is optional.

-!define OPENSSL_DIR	  "../openssl-0.9.8k"

+!define OPENSSL_DIR	  "../openssl-0.9.8l"

 !define LZO_DIR		  "../lzo-2.02"

 !define PKCS11_HELPER_DIR "../pkcs11-helper"

 ;!define DMALLOC_DIR	  "../dmalloc-5.4.2"

@@ -1,5 +1,5 @@

 dnl define the OpenVPN version

-define(PRODUCT_VERSION,[2.1_rc20a])

+define(PRODUCT_VERSION,[2.1_rc21])

 dnl define the TAP version

 define(PRODUCT_TAP_ID,[tap0901])

 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])