Access Server 2.9 versions
Notice
Release date: Nov 16, 2021
Fixed a TLS session token validity period security issue (CVE-2020-15074).
Notice
Release date: Sep 23, 2021
Fixed cross-site scripting security issue CVE-2021-3824 on the web interface. Thanks to Daniel Matsumoto.
Fixed a bug where VPN connection amount might be miscounted, particularly when RADIUS with external 2FA is used.
Fixed a bug when a specific web service debug flag was set in as.conf.
Fixed a bug with certificate check failing when using External PKI.
Fixed a regression with offline activation on command line.
Fixed a regression with downloading connection profiles and bundled installers when using host-checking.
Updated library jQuery to v3.6.0.
Released bundled clients package v19 with Connect v3.3.1.4000 for macOS.
Released bundled clients package v20 with Connect v3.3.2.2475 for Windows.
Notice
Release date: Aug 19, 2021
Added ability in admin web interface to configure OpenVPN data channel encryption algorithm.
Added compatibility option for legacy OpenVPN clients that do not indicate their cipher capability.
Added ability to specify custom HTTP headers using the command line.
Improved profile generation (removed blank line) to avoid issue with a specific vendor device.
Improved speed of sacli command line tool.
Fixed a bug with unexpected or missing content in web-ssl directory.
Fixed a bug where auto-login profile generation privilege was not inherited from the default group.
Fixed a bug with MFA enrollment on the admin web interface in a cluster.
Fixed a bug with setting the subscription enforcement order configuration key.
Fixed a bug with setting the subscription connection limit configuration key.
Fixed a bug with GROUP_SELECT=True in post_auth scripts.
Fixed a bug with handling certificates that have no common name at all.
Fixed a bug where heap comparison warning would get logged on too many parallel connections.
Removed mention of Linux client-side scripting from admin web interface.
Released bundled clients package v18 with Connect v3.3.0.3924 for macOS.
Notice
Release date: Aug 3, 2021
Changed default TLS rekey value to 1 hour for increased security.
Improved web interface handling of long names for CA and user management.
Improved command line tool error handling of incorrect passed flags.
Fixed a TLS session token validity period security issue.
Fixed a regression where auto-login users wouldn't get auto-login bundled installers.
Fixed a regression in XML-RPC API calls used for remote control of the Access Server.
Fixed an issue where local_cc_limit setting wouldn't work upon a failover event.
Fixed a regression where the user permissions page would not paginate correctly.
Notice
Release date: Jul 8, 2021
Improved TLS control channel security setting upgrade logic when old configuration is loaded.
Improved handling of 1024-bit CA. A warning will show how to upgrade to a more secure CA.
Improved web certificate handling and corrected an issue with (re)loading self-signed certs correctly.
Improved ovpn-init handling of command line parameters regarding bit-size specification.
Added ability to require MFA for auto-login profiles - requires Connect v3.3 or recent OpenVPN 2 client.
Fixed a bug where sacli commands for generating profiles would erroneously generate compat type profiles.
Fixed a bug with local MySQL database server default socket setting on CentOS/Red Hat OS.
Fixed a bug with generating correct TLS Cryptv2 profiles for legacy (compat) clients.
Fixed a bug with MFA when using dynamic challenge and Connect v3.3.
Fixed a regression when XML-RPC would not work with admin and client web services on separate ports.
Fixed a regression with MFA enrollment for new users.
Fixed a regression where auto-login profile generation privilege was not inherited from a group.
Fixed a regression where certain cleanup tasks after stopping Access Server were not executed.
Notice
Release date: Jun 22, 2021
Fixed a regression with bypass_route setting in user/group properties.
Fixed a regression where the virtual shared IP would not be correctly cleaned up after a failover event.
Fixed a bug where the cluster API web service would not adhere to custom cipher suite strings.
Added a separate setting for the cluster API web service's TLS settings and cipher suite string.
Improved the default cipher suite string for the web services to be more secure.
Improved the detection and messaging for missing AES instruction sets.
Released bundled clients package v17 with Connect v3.3.1.2222 for Windows.
Notice
Release date: Jun 15, 2021
New features:
Converted Access Server from Python2 to Python3.
Added compatibility to run in an operating system with FIPS restricted mode.
Added ability to generate and download profiles for users from the Admin UI directly.
Added ability to add comments/device info to profiles that are generated.
Added capability for Elliptic Curve type VPN and web certificates.
Added EKU type certificate verification with remote-tls to replace deprecated ns-cert-type.
Added automatic server CA certificate renewal.
Added functionality to migrate gracefully to a new PKI structure.
Added per-device VPN certificate functionality.
Added support for control channel security TLS-crypt (v1 and v2) which can be used by recent clients.
Added server-locked v2 profiles, compatible with open source OpenVPN.
Added functionality that adds all users that log in successfully to User Permissions.
Added performance warning to status overview when AES hardware acceleration is not present.
Added separate software repository for Amazon Linux 2 operating system.
Bug fixes and improvements:
Improved VPN certificate management.
Improved MySQL connectivity with SSL encryption security and certificates.
Improved self-signed certificate generation to meet stricter requirements (particularly on macOS).
Improved database session handling to be more resilient to transient issues.
Fixed a bug whereby unenrolled Google Authenticator 2FA users could still import profile via REST API.
Fixed an issue where VPN client had to do 2FA twice in a row with server-locked profiles in a cluster.
Fixed a bug where blocking a user connected through server-locked profile didn’t stop active connections.
Fixed an issue where SHA256 fingerprint was not shown correctly on web server certificate overview.
Fixed a bug where clients with server-locked profiles could not connect if web services were set to TLS 1.3.
Removed ‘comp-lzo’ setting in profiles with graceful backwards compatibility.
Removed ‘forward_compatible’ option in profiles in favor of more sensible options to retain compatibility.
Removed TLS renegotiation capability on all platforms with OpenSSL 1.1.0 or above.
Updated post_auth scripts to be Python2/Python3 compatible (including Duo Security script).
Updated LDAP group mapping script to solve issue when LDAP server reports no group name.
Updated LDAP3 library to version 2.81.
Updated ovpn-init with more selection options for type of VPN and web certificates.
Updated OpenVPN2 core to version 2.5.2 plus latest patches.
Updated End-User License Agreement (EULA).
Important notes:
Dropped support for operating system Ubuntu 16 due to it being end-of-life.
Dropped support for operating system Debian 9 due to it being end-of-life.
For Amazon Linux 2 we now use a separate software repository. Use the new repository for installations and upgrades for Amazon Linux 2.
MySQL caching_sha2_password or sha256_password functions are not supported on Ubuntu 20 and Debian 10 due to missing support in the distribution provided libraries for MariaDB caused by possible licensing issues in regards to OpenSSL. Normal authentication methods other than those mentioned work as expected. See also this commit.
Updated End-User License Agreement (EULA). You will be asked to accept again on the Admin UI.
Post_auth scripts may need to be updated for Python3 compatibility. Scripts on our site are updated.
This release will update your VPN certificate structure. The upgrade process will take care of this automatically.
Due to changes to the databases, rolling back from this version to an older version now requires restoring a database backup.