version 1.0pre3 Oct 31 2000
- * New protocol
- * Use public/private key cryptography (fixes security hole)
- * Spanish translation of the program and the manual
- * Use OpenSSL crypto library for all cryptography
- * Support for multiple subnets per tinc daemon
- * Support for universal tun/tap device
- * No longer depends on GMP
+
+* The protocol has been redesigned, and although some details are
+ still under discussion, this is secure. Care has been taken to
+ resist most, if not all, attacks.
+
+* Unfortunately this protocol is not compatible with earlier versions,
+ nor are earlier versions compatible with this version. Because the
+ older protocol has huge security flaws, we feel that not
+ implementing backwards compatibility is justified.
+
+* Some data about the protocol:
+
+ * It uses public/private RSA keys for authentication (this is the
+ actual fix for the security hole).
+
+ * All cryptographic functions have been taken out of tinc, instead
+ it uses the OpenSSL library functions.
+
+ * Offers support for multiple subnets per tinc daemon.
+
+* New is also the support for the universal tun/tap device. This
+ means better portability to FreeBSD and Solaris.
+
+* tinc is tested to compile on Solaris, Linux x86, Linux alpha.
+
+* tinc now uses the OpenSSL library for cryptographic operations.
+ More information on getting and installing OpenSSL is in the manual.
+ This also means that the GMP library is no longer required.
+
+* Further, thanks to Enrique Zanardi, we have Spanish messages; Matias
+ Carrasco provided us with a Spanish translation of the manual.
+
+
+What still needs to be done before 1.0:
+
+* Documentation. Especially since the protocol has changed, and a lot
+ of configuration directives have been added.
+
+
+
version 1.0pre2 May 31 2000
- * Internationalized, Dutch translation available
- * Many sanity checks on the meta protocol added
+
+* This version has been internationalized; and a Dutch translation has
+ been included.
+
+* Two configuration variables have been added:
+ * VpnMask - the IP network mask for the entire VPN, not just our
+ subnet (as given by MyVirtualIP). The Redhat and Debian packages
+ use this variable in their system startup scripts, but it is
+ ignored by tinc.
+ * Hostnames - if set to `yes', look up the names of IP addresses
+ trying to connect to us. Default set to `no', to prevent lockups
+ during lookups.
+
+* The system startup scripts for Debian and Redhat use
+ /etc/tinc/nets.boot to find out which networks need to be started
+ during system boot.
+
+* Fixes to prevent denial of service attacks by sending random data
+ after connecting (and even when the connection has been established),
+ either random garbage or just nonsensical protocol fields.
+
+* tinc will retry to connect upon startup, does not quit if it doesn't
+ work the first time.
+
+* Hosts that are disconnected implicitly if we lose a connection get
+ deleted from the internal list, to prevent hogging eachother with
+ add and delete requests when the connection is restored.
+
+
+What still needs to be done before 1.0:
+
+* Documentation.
+* Failover ConnectTo lines, try another one if the first doesn't work.
+
+
+
version 1.0pre1 May 12 2000
* New meta-protocol
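Review bot: In the 1.0pre3 entry, the first added bullet states "although some details are still under discussion, this is secure" and claims resistance to "most, if not all, attacks", which is an unqualified security claim about a pre-release protocol that the same sentence describes as unsettled. Suggest wording it in terms of what actually changed (RSA public/private key authentication, cryptography moved to OpenSSL) and saying that the design is still under review. The compatibility bullet should also name which earlier versions carry the "huge security flaws", so that users know both ends of a connection must be upgraded. The OpenSSL switch is stated twice, once under "Some data about the protocol" and again in its own bullet; one of the two can be dropped. In the 1.0pre2 entry, "eachother" should be "each other".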