OpenConnect v7.08 (PGP signature) — 2016-12-13 Add SHA256 support for server cert hashes. Enable DHE ciphers for Cisco DTLS. Increase initial oNCP configuration buffer size. Reopen CONIN$ when stdin is redirected on Windows. Improve support for point-to-point routing on Windows. Check for non-resumed DTLS sessions which may indicate a MiTM attack. Add TUNIDX environment variable on Windows. Fix compatibility with Pulse Secure 8.2R5. Fix IPv6 support in Solaris. Support DTLS automatic negotiation. Support --key-password for GnuTLS PKCS#11 PIN. Support automatic DTLS MTU detection with OpenSSL. Drop support for combined GnuTLS/OpenSSL build. Update OpenSSL to allow TLSv1.2, improve compatibility options. Remove --no-cert-check option. It was being (mis)used. Fix OpenSSL support for PKCS#11 EC keys without public key. Support for final OpenSSL 1.1 release. Fix polling/retry on "tun" socket when buffers full. Fix AnyConnect server-side MTU setting. Fix ESP replay detection. Allow build with LibreSSL (for fetishists only; do not use this as DTLS is broken). Add certificate torture test suite. Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL. Fix integer overflow issues with ESP packet replay detection. Add --pass-tos option as in OpenVPN. Support rôle selection form in Juniper VPN. Support DER-format certificates, add certificate format torture tests. For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option. Support Juniper "Pre Sign-in Message".
