openvpn package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch

@@ -0,0 +1,201 @@
+From 273d10b74973d672317c0c0bd5e58897e49a94f0 Mon Sep 17 00:00:00 2001
+From: David Sommerseth <davids@openvpn.net>
+Date: Thu, 23 Mar 2017 22:50:41 +0100
+Subject: [PATCH] Re-introduce --tls-remote for Fedora EPEL-6 and EPEL-7 only
+
+This reverts commit 10ce637066f44e8ad9f4af000b8d0c2a4012236d.
+
+To avoid breaking any existing OpenVPN installations using the
+Fedora EPEL repository, this patch re-introduces this DEPRECATED
+--tls-remote option for Fedora EPEL-6 and EPEL-7 ONLY.  This is
+only considered to be an exceptional patch and will not be part
+of any upstream OpenVPN releases.
+
+Signed-off-by: David Sommerseth <davids@openvpn.net>
+---
+ Changes.rst              |  6 ++++++
+ doc/openvpn.8            | 45 +++++++++++++++++++++++++++++++++++++++
+ src/openvpn/options.c    | 55 +++++++++++++++++++++++++++++++++++++++++++-----
+ src/openvpn/ssl_verify.h |  2 ++
+ 4 files changed, 103 insertions(+), 5 deletions(-)
+
+diff --git a/Changes.rst b/Changes.rst
+index d5e12eb..a536f5b 100644
+--- a/Changes.rst
++++ b/Changes.rst
+@@ -179,6 +179,12 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+   non-standard X.509 subject formatting must be updated to the standardized
+   formatting.  See the man page for more information.
+
++  NOTE: For Fedora EPEL-6 and EPEL-7 this feature have been re-introduced
++  to maintain a possible upgrade path from v2.3 to v2.4.  All users are STRONGLY
++  encouraged to update their configurations to use ``--verify-x509-name`` ASAP.
++  The ``--tls-remote`` option WILL NOT be preserved in newer major Fedora EPEL
++  releases.
++
+ - ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
+
+ - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
+diff --git a/doc/openvpn.8 b/doc/openvpn.8
+index 0b3e1ad..44f528c 100644
+--- a/doc/openvpn.8
++++ b/doc/openvpn.8
+@@ -5349,6 +5349,51 @@ prefix will be left as\-is.  This automatic upcasing feature
+ is deprecated and will be removed in a future release.
+ .\"*********************************************************
+ .TP
++.B \-\-tls\-remote name (DEPRECATED)
++Accept connections only from a host with X509 name
++or common name equal to
++.B name.
++The remote host must also pass all other tests
++of verification.
++
++.B NOTE:
++Because tls\-remote may test against a common name prefix,
++only use this option when you are using OpenVPN with a custom CA
++certificate that is under your control.
++Never use this option when your client certificates are signed by
++a third party, such as a commercial web CA.
++
++Name can also be a common name prefix, for example if you
++want a client to only accept connections to "Server-1",
++"Server-2", etc., you can simply use
++.B \-\-tls\-remote Server
++
++Using a common name prefix is a useful alternative to managing
++a CRL (Certificate Revocation List) on the client, since it allows the client
++to refuse all certificates except for those associated
++with designated servers.
++
++.B \-\-tls\-remote
++is a useful replacement for the
++.B \-\-tls\-verify
++option to verify the remote host, because
++.B \-\-tls\-remote
++works in a
++.B \-\-chroot
++environment too.
++
++.B Please also note:
++This option is DEPRECATED.  It has been removed in upstream OpenVPN v2.4.0
++and have only been re-introduced into Fedora EPEL-6 and EPEL-7 for backwards
++compatibility purposes.  It will NOT be provided in any newer major EPEL
++releases.  So please make sure you support the new X.509 name formatting
++described with the
++.B \-\-compat\-names
++option as soon as possible by updating your configurations to use
++.B \-\-verify\-x509\-name
++instead.
++.\"*********************************************************
++.TP
+ .B \-\-verify\-x509\-name name type
+ Accept connections only if a host's X.509 name is equal to
+ .B name.
+diff --git a/src/openvpn/options.c b/src/openvpn/options.c
+index 8dee5d1..2f97442 100644
+--- a/src/openvpn/options.c
++++ b/src/openvpn/options.c
+@@ -66,7 +66,7 @@ const char title_string[] =
+ #ifdef CONFIGURE_GIT_REVISION
+     " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
+ #endif
+-    " " TARGET_ALIAS
++    " " TARGET_ALIAS " [Fedora EPEL patched]"
+ #ifdef ENABLE_CRYPTO
+ #if defined(ENABLE_CRYPTO_MBEDTLS)
+     " [SSL (mbed TLS)]"
+@@ -7887,12 +7887,16 @@ add_option(struct options *options,
+ #endif
+     {
+         VERIFY_PERMISSION(OPT_P_GENERAL);
+-        if (options->verify_x509_type != VERIFY_X509_NONE)
++        if (options->verify_x509_type != VERIFY_X509_NONE
++            && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN
++            && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+         {
+             msg(msglevel, "you cannot use --compat-names with --verify-x509-name");
+             goto err;
+         }
+-        msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.");
++        msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your "
++                    "configuration. This option is especially preserved for "
++                    "Fedora EPEL-6 and EPEL-7 ONLY.");
+         compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
+ #if P2MP_SERVER
+         if (p[1] && streq(p[1], "no-remapping"))
+@@ -7903,16 +7907,57 @@ add_option(struct options *options,
+     else if (streq(p[0], "no-name-remapping") && !p[1])
+     {
+         VERIFY_PERMISSION(OPT_P_GENERAL);
+-        if (options->verify_x509_type != VERIFY_X509_NONE)
++        if (options->verify_x509_type != VERIFY_X509_NONE
++            && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN
++            && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+         {
+             msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
+             goto err;
+         }
+-        msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5.");
++        msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your "
++                    "configuration. This option is especially preserved for "
++                    "Fedora EPEL-6 and EPEL-7 ONLY.");
+         compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
+         compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
+ #endif
+     }
++    else if (streq(p[0], "tls-remote") && p[1] && !p[2])
++    {
++        VERIFY_PERMISSION(OPT_P_GENERAL);
++
++        if (options->verify_x509_type != VERIFY_X509_NONE
++            && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN
++            && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
++        {
++            msg(msglevel, "you cannot use --tls-remote with --verify-x509-name");
++            goto err;
++        }
++        msg(M_WARN, "DEPRECATED OPTION: --tls-remote is espectially "
++                    "re-introduced in v2.4 for Fedora EPEL-6 and EPEL-7 only.  "
++                    "Do update your configuration now!");
++
++        if (strlen(p[1]))
++        {
++            int is_username = (!strchr(p[1], '=') || !strstr(p[1], ", "));
++            int type = TLS_REMOTE_SUBJECT_DN;
++            if (p[1][0] != '/' && is_username)
++            {
++                type = TLS_REMOTE_SUBJECT_RDN_PREFIX;
++            }
++
++            /*
++             * Enable legacy openvpn format for DNs that have not been converted
++             * yet and --x509-username-field (not containing an '=' or ', ')
++             */
++            if (p[1][0] == '/' || is_username)
++            {
++                compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
++            }
++
++            options->verify_x509_type = type;
++            options->verify_x509_name = p[1];
++        }
++    }
+     else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
+     {
+         int type = VERIFY_X509_SUBJECT_DN;
+diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
+index f2d0d6c..e244566 100644
+--- a/src/openvpn/ssl_verify.h
++++ b/src/openvpn/ssl_verify.h
+@@ -66,6 +66,8 @@ struct cert_hash_set {
+ #define VERIFY_X509_SUBJECT_DN          1
+ #define VERIFY_X509_SUBJECT_RDN         2
+ #define VERIFY_X509_SUBJECT_RDN_PREFIX  3
++#define TLS_REMOTE_SUBJECT_DN           1 + 0x100
++#define TLS_REMOTE_SUBJECT_RDN_PREFIX   3 + 0x100
+
+ #define TLS_AUTHENTICATION_SUCCEEDED  0
+ #define TLS_AUTHENTICATION_FAILED     1
+--
+2.13.5

SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch

@@ -0,0 +1,9 @@
+diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
+index bb79671e..9258f5c6 100644
+--- a/distro/systemd/tmpfiles-openvpn.conf
++++ b/distro/systemd/tmpfiles-openvpn.conf
+@@ -1,2 +1,2 @@
+-d /run/openvpn-client 0710 root root -
+-d /run/openvpn-server 0710 root root -
++d /run/openvpn-client 0750 root openvpn -
++d /run/openvpn-server 0750 root openvpn -

SOURCES/openvpn@.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
+After=network.target
+
+[Service]
+Type=notify
+PrivateTmp=true
+ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
+
+[Install]
+WantedBy=multi-user.target

SOURCES/roadwarrior-client.conf

@@ -0,0 +1,38 @@
+#########################################
+# Sample client-side OpenVPN config file
+# for connecting to multi-client server.
+#
+# Adapted from http://openvpn.sourceforge.net/20notes.html
+#
+# The server can be pinged at 10.8.0.1.
+#
+# This configuration can be used by multiple
+# clients, however each client should have
+# its own cert and key files.
+#
+# tun-style tunnel
+
+port 1194
+dev tun
+remote [my server hostname or IP address]
+
+# TLS parms
+
+tls-client
+ca sample-keys/tmp-ca.crt
+cert sample-keys/client.crt
+key sample-keys/client.key
+
+# This parm is required for connecting
+# to a multi-client server.  It tells
+# the client to accept options which
+# the server pushes to us.
+pull
+
+# Scripts can be used to do various
+# things (change nameservers, for
+# example.
+#up scripts/ifup-post
+#down scripts/ifdown-post
+
+verb 4

SOURCES/roadwarrior-server.conf

@@ -0,0 +1,67 @@
+########################################
+# Sample OpenVPN config file for
+# 2.0-style multi-client udp server
+#
+# Adapted from http://openvpn.sourceforge.net/20notes.html
+#
+# tun-style tunnel
+
+port 1194
+dev tun
+
+# Use "local" to set the source address on multi-homed hosts
+#local [IP address]
+
+# TLS parms
+tls-server
+ca sample-keys/tmp-ca.crt
+cert sample-keys/server.crt
+key sample-keys/server.key
+dh sample-keys/dh1024.pem
+
+# Tell OpenVPN to be a multi-client udp server
+mode server
+
+# The server's virtual endpoints
+ifconfig 10.8.0.1 10.8.0.2
+
+# Pool of /30 subnets to be allocated to clients.
+# When a client connects, an --ifconfig command
+# will be automatically generated and pushed back to
+# the client.
+ifconfig-pool 10.8.0.4 10.8.0.255
+
+# Push route to client to bind it to our local
+# virtual endpoint.
+push "route 10.8.0.1 255.255.255.255"
+
+# Push any routes the client needs to get in
+# to the local network.
+push "route 192.168.0.0 255.255.255.0"
+
+# Push DHCP options to Windows clients.
+push "dhcp-option DOMAIN example.com"
+push "dhcp-option DNS 192.168.0.1"
+push "dhcp-option WINS 192.168.0.1"
+
+# Client should attempt reconnection on link
+# failure.
+keepalive 10 60
+
+# Delete client instances after some period
+# of inactivity.
+inactive 600
+
+# Route the --ifconfig pool range into the
+# OpenVPN server.
+route 10.8.0.0 255.255.255.0
+
+# The server doesn't need privileges
+user openvpn
+group openvpn
+
+# Keep TUN devices and keys open across restarts.
+persist-tun
+persist-key
+
+verb 4

SPECS/openvpn.spec

@@ -0,0 +1,259 @@
+%define _hardened_build 1
+#define prerelease rc22
+
+# Build conditionals
+# tests_long - Enabled by default, enables long running tests in %%check
+%bcond_without tests_long
+
+Name:              openvpn
+Version:           2.4.6
+Release:           1%{?prerelease:.%{prerelease}}%{?dist}
+Summary:           A full-featured SSL VPN solution
+URL:               https://community.openvpn.net/
+Source0:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
+Source1:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
+Source2:           roadwarrior-server.conf
+Source3:           roadwarrior-client.conf
+# Deprecated systemd unit file.  Will be removed in Fedora 27
+Source5:           openvpn@.service
+# Upstream signing key
+Source6:           gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
+Patch0:            0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch
+Patch50:           openvpn-2.4-change-tmpfiles-permissions.patch
+License:           GPLv2
+BuildRequires:     gnupg2
+BuildRequires:     gcc
+BuildRequires:     systemd-devel
+BuildRequires:     lzo-devel
+BuildRequires:     lz4-devel
+BuildRequires:     openssl-devel
+BuildRequires:     pkcs11-helper-devel >= 1.11
+BuildRequires:     pam-devel
+BuildRequires:     libselinux-devel
+# For the perl_default_filter macro
+BuildRequires:     perl-macros
+%{?systemd_requires}
+# For /sbin/ip.
+BuildRequires:     iproute
+Requires:          iproute
+Requires(pre):     /usr/sbin/useradd
+Requires(post):    systemd-sysv
+Requires(post):    systemd-units
+Requires(preun):   systemd-units
+Requires(postun):  systemd-units
+
+# Filter out the perl(Authen::PAM) dependency.
+# No perl dependency is really needed at all.
+%{?perl_default_filter}
+
+%description
+OpenVPN is a robust and highly flexible tunneling application that uses all
+of the encryption, authentication, and certification features of the
+OpenSSL library to securely tunnel IP networks over a single UDP or TCP
+port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
+for compression.
+
+%package devel
+Group:             Applications/Internet
+Summary:           Development headers and examples for OpenVPN plug-ins
+
+%description devel
+OpenVPN can be extended through the --plugin option, which provides
+possibilities to add specialized authentication, user accounting,
+packet filtering and related features.  These plug-ins need to be
+written in C and provides a more low-level and information rich access
+to similar features as the various script-hooks.
+
+
+%prep
+gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
+%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
+%patch0 -p1
+%patch50 -p1
+
+sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
+
+# %%doc items shouldn't be executable.
+find contrib sample -type f -perm /100 \
+    -exec chmod a-x {} \;
+
+%build
+%configure \
+    --enable-iproute2 \
+    --with-crypto-library=openssl \
+    --enable-pkcs11 \
+    --enable-selinux \
+    --enable-systemd \
+    --enable-x509-alt-username \
+    --docdir=%{_pkgdocdir} \
+    SYSTEMD_UNIT_DIR=%{_unitdir} \
+    TMPFILES_DIR=%{_tmpfilesdir} \
+    IPROUTE=/sbin/ip
+%{__make}
+
+%check
+# Test Crypto:
+./src/openvpn/openvpn --genkey --secret key
+./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
+
+%if %{with tests_long}
+# Randomize ports for tests to avoid conflicts on the build servers.
+cport=$[ 50000 + ($RANDOM % 15534) ]
+sport=$[ $cport + 1 ]
+sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
+    -e 's/^\(lport\) .*$/\1 '$cport'/' \
+    < sample/sample-config-files/loopback-client \
+    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
+sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
+    -e 's/^\(lport\) .*$/\1 '$sport'/' \
+    < sample/sample-config-files/loopback-server \
+    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+
+pushd sample
+# Test SSL/TLS negotiations (runs for 2 minutes):
+../src/openvpn/openvpn --config \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
+../src/openvpn/openvpn --config \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+wait
+popd
+
+rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+%endif
+
+%install
+%{__make} install DESTDIR=$RPM_BUILD_ROOT
+find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
+mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
+cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
+
+# Create some directories the OpenVPN package should own
+mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
+mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
+
+# DEPRECATED openvpn@.service ... this unit file will be removed in EPEL8
+install -D -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_unitdir}/
+
+# Package installs into %%{_pkgdocdir} directly
+# Add various additional files
+cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
+
+# Remove some files which does not really belong here
+rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
+rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
+
+%pre
+getent group openvpn &>/dev/null || groupadd -r openvpn
+getent passwd openvpn &>/dev/null || \
+    /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
+        -d /etc/openvpn openvpn
+
+%post
+%systemd_post openvpn-client@\*.service
+%systemd_post openvpn-server@\*.service
+
+%preun
+%systemd_preun openvpn-client@\*.service
+%systemd_preun openvpn-server@\*.service
+
+%postun
+%systemd_postun_with_restart openvpn-client@\*.service
+%systemd_postun_with_restart openvpn-server@\*.service
+%systemd_postun_with_restart openvpn@\*.service
+
+
+%files
+%{_pkgdocdir}
+%exclude %{_pkgdocdir}/README.IPv6
+%exclude %{_pkgdocdir}/README.mbedtls
+%exclude %{_pkgdocdir}/sample/sample-plugins
+%{_mandir}/man8/%{name}.8*
+%{_sbindir}/%{name}
+%{_libdir}/%{name}/
+%{_unitdir}/%{name}@.service
+%{_unitdir}/%{name}-client@.service
+%{_unitdir}/%{name}-server@.service
+%{_tmpfilesdir}/%{name}.conf
+%config %dir %{_sysconfdir}/%{name}/
+%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
+%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
+%attr(0750,-,openvpn) %{_rundir}/%{name}-client
+%attr(0750,-,openvpn) %{_rundir}/%{name}-server
+%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
+
+%files devel
+%{_pkgdocdir}/sample/sample-plugins
+%{_includedir}/openvpn-plugin.h
+%{_includedir}/openvpn-msg.h
+
+
+%changelog
+* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
+- Updating to upstream, openvpn-2.4.6
+
+* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
+- Updating to upstream, openvpn-2.4.5
+- Package upstream ChangeLog, which contains a bit more details than Changes.rst
+- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
+  added gcc to BuildRequires.
+- Excluded not relevant file, README.mbedtls
+- Package upstream version of README.systemd
+- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
+- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
+- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
+
+* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
+- Fix systemd executions/requirements
+
+* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
+- Update to upstream openvpn-2.4.4
+- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
+- Build against Fedora EPEL lz4 compression library
+- Build with long running test cases
+- Use %%{name} instead of the openvpn string in a few directory paths
+
+* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
+- Updating to upstream openvpn-2.4.3
+- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
+- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
+- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
+- Fix remote-triggerable memory leaks {CVE-2017-7521}
+- Ensure OpenVPN systemd services are restarted upon upgrades
+- Verify PGP signature of source tarball as part of package building
+
+* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
+- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
+- Install and take ownership of /var/lib/openvpn (rhbz#922786)
+- Re-enable --enable-x509-alt-username (rhbz#1443942)
+
+* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
+- Update to upstream openvpn-2.4.2
+
+* Mon Apr 3 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
+- Splitting out -devel files into a separate package
+- Removed several contrib and sample files which makes is not
+  strictly needed in this package.
+- Use systemd-rpm macros (rhbz#850257)
+- Updated openvpn@.service to use Type=notify instead of Type=forking (rhbz#1435831)
+  BEWARE: openvpn@.service is DEPRECATED.
+- Added README.systemd describing new systemd unit files (openvpn-client/server@.service)
+- Lots of packaging cleanups
+- build: Enable tests runs by default, long running tests can
+  be disabled with "--without tests_long"
+- build: Removed defined %%{plugins} macro not in use
+
+* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
+- Updating to upstream release, v2.4.1
+- Removed no-functional ./configure options
+- Use upstream tmfiles.d/openvpn
+- Package newer openvpn-client/server@.service unit files
+- Fedora EPEL exception: Re-introduce --tls-remote feature
+- Package management-notes.txt, describing the management interface
+
+* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
+- 2.4.0.