Merge 0643ae70f5 into dc2b11918a

Merge pull request #1933 from chipitsine/master
CI: use OPENSSL_ROOT_DIR for cirrus-ci builds
2026-04-23 15:29:26 +03:00 · 2024-01-16 23:22:43 +05:00 · 2023-12-03 14:08:34 +01:00 · 2023-12-02 22:30:26 +01:00 · 2023-12-01 17:18:40 +01:00 · 2023-11-19 10:57:28 +01:00
144 changed files with 15762 additions and 14093 deletions
@@ -1,6 +1,6 @@
 version: '{build}'

-image: Ubuntu1804
+image: Ubuntu2004

 configuration: Release

@@ -18,9 +18,8 @@ init:
  - ps: Update-AppveyorBuild -Version "build-$env:APPVEYOR_BUILD_NUMBER-$($env:APPVEYOR_REPO_COMMIT.substring(0,7))"

 install:
-  - sudo apt-get -y install libsodium-dev
+  - sudo apt-get -y install libsodium-dev libcap-ng-dev
 before_build:
-  - sh: "if [ ${APPVEYOR_REPO_TAG} == \"true\" ]; then .ci/appveyor-create-release-tarball.sh\nfi"
  - git submodule update --init --recursive
  - ./configure
 build_script:
@@ -28,13 +27,7 @@ build_script:
  - .ci/memory-leak-test.sh
 test_script:
  - .ci/appveyor-deb-install-test.sh
-  - sudo apt-get update && sudo apt-get -y install autoconf libtool liblzo2-dev libpam-dev fping unzip liblz4-dev # openvpn build deps
+  - sudo apt-get update && sudo apt-get -y install autoconf libtool liblzo2-dev libpam-dev fping unzip liblz4-dev libnl-genl-3-dev # openvpn build deps
  - sudo .ci/start-se-openvpn.sh
  - sudo .ci/run-openvpn-tests.sh

-deploy:
-  description: 'automatic release'
-  provider: GitHub
-  auth_token: $(github_token)
-  on:
-    APPVEYOR_REPO_TAG: true
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-set -eux
-
-tar --exclude=.git --transform "s//SoftEtherVPN-${APPVEYOR_REPO_TAG_NAME}\//" -czf /tmp/softether-vpn-src-${APPVEYOR_REPO_TAG_NAME}.tar.gz . 
-appveyor PushArtifact /tmp/softether-vpn-src-${APPVEYOR_REPO_TAG_NAME}.tar.gz
-
@@ -1,9 +1,12 @@
 jobs:
 - job: Ubuntu_x64
  pool:
-    vmImage: ubuntu-18.04
+    vmImage: ubuntu-22.04
  steps:
-  - script: sudo apt update && sudo apt-get -y install cmake gcc g++ ninja-build libncurses5-dev libreadline-dev libsodium-dev libssl-dev make zlib1g-dev liblz4-dev
+  - checkout: self
+    submodules: true
+    persistCredentials: true
+  - script: sudo apt update && sudo apt-get -y install cmake gcc g++ ninja-build libncurses5-dev libreadline-dev libsodium-dev libssl-dev make zlib1g-dev liblz4-dev libnl-genl-3-dev
    displayName: 'Prepare environment'
  - script: "$(Build.SourcesDirectory)/.ci/azure-pipelines/linux_build.sh"
    env:
@@ -11,7 +14,7 @@ jobs:
    displayName: 'Build'
  - script: |
      .ci/appveyor-deb-install-test.sh
-      sudo apt-get -y install autoconf libtool liblzo2-dev libpam-dev fping unzip # To build OpenVPN
+      sudo apt-get -y install autoconf libtool liblzo2-dev libpam-dev fping unzip libcap-ng-dev # To build OpenVPN
      sudo BUILD_BINARIESDIRECTORY=$BUILD_BINARIESDIRECTORY .ci/start-se-openvpn.sh
      sudo BUILD_BINARIESDIRECTORY=$BUILD_BINARIESDIRECTORY .ci/run-openvpn-tests.sh
    displayName: 'Test'
@@ -3,6 +3,9 @@ jobs:
  pool:
    vmImage: macOS-latest
  steps:
+  - checkout: self
+    submodules: true
+    persistCredentials: true
  - script: brew install pkg-config cmake ninja ncurses readline libsodium openssl zlib
    displayName: 'Prepare environment'
  - script: '$(Build.SourcesDirectory)/.ci/azure-pipelines/macos_build.sh'
@@ -11,13 +11,9 @@ parameters:
 steps:
 - task: Cache@2
  inputs:
-    key: '"vcpkg-installed-windows-${{parameters.architecture}}"'
-    path: 'C:/vcpkg/installed'
+    key: '"vcpkg-manifest" | "$(Agent.OS)" | "${{parameters.vcpkgTriplet}}" | C:/vcpkg/.git/refs/heads/master'
+    path: '$(Build.BinariesDirectory)/vcpkg_installed'
  displayName: 'Environment storage'
- script: |
-    vcpkg install libsodium openssl zlib --triplet ${{parameters.vcpkgTriplet}}
-  workingDirectory: C:/vcpkg
-  displayName: 'Prepare environment'
 - script: '$(Build.SourcesDirectory)/.ci/azure-pipelines/windows_build.bat'
  env:
    ARCHITECTURE: ${{parameters.architecture}}
@@ -33,12 +29,12 @@ steps:
  inputs:
    sourceFolder: '$(Build.BinariesDirectory)'
    contents: '?(*.exe|*.se2|*.pdb)'
-    TargetFolder: '$(Build.StagingDirectory)/binaries'
+    TargetFolder: '$(Build.StagingDirectory)/binaries/${{parameters.architecture}}'
    flattenFolders: true
 - task: PublishBuildArtifacts@1
  inputs:
-    pathtoPublish: '$(Build.StagingDirectory)/binaries'
-    artifactName: 'Binaries'
+    pathtoPublish: '$(Build.StagingDirectory)/binaries/${{parameters.architecture}}'
+    artifactName: 'Binaries_${{parameters.architecture}}'
 - task: PublishBuildArtifacts@1
  inputs:
    pathtoPublish: '$(Build.StagingDirectory)/installers'
@@ -3,19 +3,25 @@ jobs:
  pool:
    vmImage: windows-latest
  steps:
+  - checkout: self
+    submodules: true
+    persistCredentials: true
  - template: "windows-steps.yml"
    parameters:
      architecture: "x64"
-      compilerPath: "C:/Program Files (x86)/Microsoft Visual Studio/2019/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe"
-      vcpkgTriplet: "x64-windows-static-md"
-      vcvarsPath: "C:/Program Files (x86)/Microsoft Visual Studio/2019/Enterprise/VC/Auxiliary/Build/vcvars64.bat"
+      compilerPath: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe"
+      vcpkgTriplet: "x64-windows-static"
+      vcvarsPath: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"
 - job: Windows_x86
  pool:
    vmImage: windows-latest
  steps:
+  - checkout: self
+    submodules: true
+    persistCredentials: true
  - template: "windows-steps.yml"
    parameters:
      architecture: "x86"
-      compilerPath: "C:/Program Files (x86)/Microsoft Visual Studio/2019/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe"
-      vcpkgTriplet: "x86-windows-static-md"
-      vcvarsPath: "C:/Program Files (x86)/Microsoft Visual Studio/2019/Enterprise/VC/Auxiliary/Build/vcvarsamd64_x86.bat"
+      compilerPath: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe"
+      vcpkgTriplet: "x86-windows-static"
+      vcvarsPath: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"
@@ -21,7 +21,7 @@ cat << EOF > tests/t_client.rc
 CA_CERT=fake
 TEST_RUN_LIST="1 2"

-OPENVPN_BASE="--remote 127.0.0.1 --config $CONFIG --auth-user-pass /tmp/auth.txt"
+OPENVPN_BASE="--config $CONFIG --auth-user-pass /tmp/auth.txt"

 RUN_TITLE_1="testing udp/ipv4"
 OPENVPN_CONF_1="--dev null --proto udp --port 1194 \$OPENVPN_BASE"
@@ -30,4 +30,6 @@ RUN_TITLE_2="testing tcp/ipv4"
 OPENVPN_CONF_2="--dev null --proto tcp --port 1194 \$OPENVPN_BASE"
 EOF

+sed -i 's/^remote.*$/remote 127.0.0.1 1194/g' /tmp/*l3*ovpn
+
 make test_scripts=t_client.sh check
@@ -2,16 +2,16 @@ FreeBSD_task:
  matrix:
    env:
      SSL: openssl
+      OPENSSL_ROOT_DIR: /usr/local
    env:
-      SSL: libressl
-    env:
-      SSL: libressl-devel
+      SSL: openssl32
+      OPENSSL_ROOT_DIR: /usr/local
    env:
      # base openssl
      SSL:
  matrix:
    freebsd_instance:
-      image_family: freebsd-12-1
+      image_family: freebsd-13-2
  prepare_script:
    - pkg install -y pkgconf cmake git libsodium $SSL
    - git submodule update --init --recursive
@@ -2,6 +2,10 @@ Hi, there!

 Thank you for using SoftEther.

+If you are running SoftEther VPN 4.x (i.e. Stable Edition), please read the comparison with Developer Edition at: 
+
+https://github.com/SoftEtherVPN/SoftEtherVPN#comparison-with-stable-edition
+
 Before you submit an issue, please read the following:

 Is this a question?
@@ -26,7 +26,7 @@ jobs:
        mv /tmp/$PKGNAME .
        TARBALL=$PKGNAME.tar.xz
        tar cJf $TARBALL $PKGNAME
-        echo "::set-output name=tarball::$TARBALL"
+        echo "tarball=$TARBALL" >> $GITHUB_OUTPUT

    - name: upload tarball
      uses: actions/upload-release-asset@v1
@@ -5,16 +5,13 @@ on:
  schedule:
  - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  scan:
    runs-on: ubuntu-latest
    if: ${{ github.repository_owner == 'SoftEtherVPN' }}
-    env:
-      COVERITY_SCAN_PROJECT_NAME: 'SoftEtherVPN/SoftEtherVPN'
-      COVERITY_SCAN_BRANCH_PATTERN: '*'
-      COVERITY_SCAN_NOTIFICATION_EMAIL: 'chipitsine@gmail.com'
-      COVERITY_SCAN_BUILD_COMMAND_PREPEND: "./configure"
-      COVERITY_SCAN_BUILD_COMMAND: "make -C build"
    steps:
    - uses: actions/checkout@v2
      with:
@@ -23,8 +20,24 @@ jobs:
      run: |
        sudo apt-get update
        sudo apt-get install -y cmake gcc g++ libncurses5-dev libreadline-dev libssl-dev make zlib1g-dev libsodium-dev
-    - name: Run Coverity Scan
-      env:
-        COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+    - name: Download Coverity build tool
      run: |
-        curl -fsSL "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true
+        wget -c -N https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=SoftEtherVPN%2FSoftEtherVPN" -O coverity_tool.tar.gz
+        mkdir coverity_tool
+        tar xzf coverity_tool.tar.gz --strip 1 -C coverity_tool
+    - name: Configure
+      run: |
+        ./configure
+    - name: Build with Coverity build tool
+      run: |
+        export PATH=`pwd`/coverity_tool/bin:$PATH
+        cov-build --dir cov-int make -C build
+    - name: Submit build result to Coverity Scan
+      run: |
+        tar czvf cov.tar.gz cov-int
+        curl --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
+          --form email=chipitsine@gmail.com \
+          --form file=@cov.tar.gz \
+          --form version="Commit $GITHUB_SHA" \
+          --form description="Build submitted via CI" \
+          https://scan.coverity.com/builds?project=SoftEtherVPN%2FSoftEtherVPN
@@ -0,0 +1,33 @@
+name: Fedora/Rawhide
+
+on:
+  schedule:
+    - cron: "0 0 25 * *"
+  push:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build_and_test:
+    strategy:
+      matrix:
+        cc: [ gcc, clang ]
+    name: ${{ matrix.cc }}
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:rawhide
+    steps:
+    - uses: actions/checkout@v1
+      with:
+        submodules: true
+    - name: Install dependencies
+      run: |
+        dnf -y install git cmake ncurses-devel openssl-devel libsodium-devel readline-devel zlib-devel gcc-c++ clang
+    - name: Compile with ${{ matrix.cc }}
+      run: |
+        export CC=${{ matrix.cc }}
+        ./configure
+        make -C build
+
@@ -0,0 +1,28 @@
+on: [push, pull_request, workflow_dispatch]
+
+permissions:
+  contents: read
+
+jobs:
+  build_and_test:
+    strategy:
+      matrix:
+        os: [macos-13, macos-12, macos-11]
+    name: ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v1
+      with:
+        submodules: true
+    - name: Install dependencies
+      run: |
+        brew install libsodium
+    - name: Compile 
+      run: |
+        ./configure
+        make -C build
+    - name: Test 
+      run: |
+        otool -L build/vpnserver
+        .ci/memory-leak-test.sh
+
@@ -0,0 +1,23 @@
+name: alpine/musl
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  musl:
+      name: gcc
+      runs-on: ubuntu-latest
+      container:
+        image: alpine:latest
+      steps:
+      - uses: actions/checkout@v1
+        with:
+          submodules: true
+      - name: Install dependencies
+        run: apk add binutils --no-cache build-base readline-dev openssl-dev ncurses-dev git cmake zlib-dev libsodium-dev gnu-libiconv 
+      - name: Configure
+        run: ./configure
+      - name: make 
+        run: make -C build
@@ -0,0 +1,16 @@
+on: [push, pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+      runs-on: ubuntu-latest
+      steps:
+      - uses: actions/checkout@v1
+        with:
+          submodules: true
+      - name: Check
+        run: |
+          cd developer_tools/stbchecker
+          dotnet run ../../src/bin/hamcore
@@ -2,6 +2,7 @@
 .cproject
 .project
 .settings/
+.vs/
 Makefile
 /src/bin/*
 !/src/bin/hamcore/
@@ -1,32 +1,3 @@
-.ubuntu: &ubuntu_def
-  variables:
-    CMAKE_VERSION: 3.9.6
-  except:
-    changes:
-      - .appveyor.yml
-      - .travis.yml
-      - .azure-pipelines.yml
-      - .cirrus.yml
-  before_script:
-    - REPOSITORY="$PWD" && cd ..
-    - apt-get update && apt-get install -y dpkg-dev wget g++ gcc libncurses5-dev libreadline-dev libsodium-dev libssl-dev make zlib1g-dev git file
-    - wget https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}.tar.gz && tar -xzf cmake-${CMAKE_VERSION}.tar.gz
-    - cd cmake-${CMAKE_VERSION} && ./bootstrap && make install
-    - cd "$REPOSITORY" && git submodule update --init --recursive
-  script:
-    - ./configure
-    - make package -C build
-    - dpkg -i build/softether-vpn*.deb
-    - .ci/memory-leak-test.sh
-
-trusty:      
-  <<: *ubuntu_def
-  image: ubuntu:trusty
-
-precise:
-  <<: *ubuntu_def
-  image: ubuntu:precise
-
 # illumos gitlab-runner maintained by @hww3
 build_illumos:
  only:
@@ -38,23 +9,3 @@ build_illumos:
    - CMAKE_FLAGS="-DCMAKE_PREFIX_PATH=/opt/local -DCMAKE_CXX_FLAGS=-m64 -DCMAKE_C_FLAGS=-m64" ./configure
    - gmake -C build

-#
-# flawfinder
-# see https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
-#
-sast:
-  image: docker:stable
-  variables:
-    DOCKER_DRIVER: overlay2
-  allow_failure: true
-  services:
-    - docker:stable-dind
-  script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
-  artifacts:
-    paths: [gl-sast-report.json]
@@ -38,25 +38,6 @@ matrix:
      before_install:
        - sudo apt-get -y install libsodium-dev
        - bash .ci/build-libressl.sh > build-deps.log 2>&1 || (cat build-deps.log && exit 1)
-    - env: LABEL="check stb files"
-      os: linux
-      language: csharp
-      mono: none
-      dotnet: 2.2.203
-      before_install:
-        - true
-      script:
-        - cd developer_tools/stbchecker
-        - dotnet run ../../src/bin/hamcore
-    - os: osx
-      compiler: clang
-      before_install:
-        - brew install libsodium
-      script:
-        - ./configure
-        - make -C build
-        - otool -L build/vpnserver
-        - .ci/memory-leak-test.sh

 cache:
  directories:
@@ -52,6 +52,8 @@ DEVELOPMENT BOARD MEMBERS:
  - Ilya Shipitsin
    https://github.com/chipitsine

+  - Yihong Wu
+    https://github.com/domosekai

 SPECIAL CONTRIBUTORS:

@@ -13,6 +13,13 @@ if (BUILD_NUMBER LESS 5180)
 		"For detailed info: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1392#issuecomment-867348281")
 endif()

+#
+# Link MSVC runtime statically
+# this should be revisited after installer migration to MSI
+#
+cmake_policy(SET CMP0091 NEW)
+set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>")
+
 project("SoftEther VPN"
  VERSION "5.02.${BUILD_NUMBER}"
  LANGUAGES C
@@ -36,9 +43,19 @@ if(EXISTS "${TOP_DIRECTORY}/.git" AND NOT EXISTS "${TOP_DIRECTORY}/src/libhamcor
    message (FATAL_ERROR "Submodules are not initialized. Run\n\tgit submodule update --init --recursive")
 endif()

+if(WIN32 AND VCPKG_TARGET_TRIPLET AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
+  message (FATAL_ERROR "vcpkg not installed or integrated with Visual Studio. Install it and run\n\tvcpkg integrate install")
+endif()
+
 if(UNIX)
  include(GNUInstallDirs)

+  #
+  # use rpath for locating installed libraries
+  #
+  set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
+  set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+
  include(CheckIncludeFile)
  Check_Include_File(sys/auxv.h HAVE_SYS_AUXV)
  if(EXISTS "/lib/systemd/system")
@@ -0,0 +1,141 @@
+{
+  "environments": [ { "BuildNumber": "5180" } ],
+  "configurations": [
+    {
+      "name": "x64-native",
+      "description": "Target x64 with 64-bit compiler",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "inheritEnvironments": [ "clang_cl_x64_x64" ],
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "variables": [
+        {
+          "name": "BUILD_NUMBER",
+          "value": "${env.BuildNumber}",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_C_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/x64/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/x64/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "VCPKG_TARGET_TRIPLET",
+          "value": "x64-windows-static",
+          "type": "STRING"
+        }
+      ]
+    },
+    {
+      "name": "x86-on-x64",
+      "description": "Target x86 with 64-bit compiler",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "inheritEnvironments": [ "clang_cl_x86_x64" ],
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "variables": [
+        {
+          "name": "BUILD_NUMBER",
+          "value": "${env.BuildNumber}",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_C_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/x64/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/x64/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "VCPKG_TARGET_TRIPLET",
+          "value": "x86-windows-static",
+          "type": "STRING"
+        }
+      ]
+    },
+    {
+      "name": "x64-on-x86",
+      "description": "Target x64 with 32-bit compiler",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "inheritEnvironments": [ "clang_cl_x64" ],
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "variables": [
+        {
+          "name": "BUILD_NUMBER",
+          "value": "${env.BuildNumber}",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_C_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "VCPKG_TARGET_TRIPLET",
+          "value": "x64-windows-static",
+          "type": "STRING"
+        }
+      ]
+    },
+    {
+      "name": "x86-native",
+      "description": "Target x86 with 32-bit compiler",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "inheritEnvironments": [ "clang_cl_x86" ],
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "variables": [
+        {
+          "name": "BUILD_NUMBER",
+          "value": "${env.BuildNumber}",
+          "type": "STRING"
+        },
+        {
+          "name": "CMAKE_C_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "CMAKE_CXX_COMPILER",
+          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
+          "type": "FILEPATH"
+        },
+        {
+          "name": "VCPKG_TARGET_TRIPLET",
+          "value": "x86-windows-static",
+          "type": "STRING"
+        }
+      ]
+    }
+  ]
+}
@@ -1,2 +1 @@
 liberapay: softether
-custom: https://salt.bountysource.com/teams/softether-vpn
@@ -12,9 +12,9 @@
 - [BOARD MEMBERS OF THIS REPOSITORY](#board-members-of-this-repository)
 - [SOFTETHER VPN ADVANTAGES](#softether-vpn-advantages)
 - [Installation](#installation)
-  * [For Ubuntu](#for-ubuntu)
  * [For FreeBSD](#for-freebsd)
-  * [From binary installers:](#from-binary-installers)
+  * [For Windows](#for-windows)
+  * [From binary installers (stable channel)](#from-binary-installers-stable-channel)
  * [Build from Source code](#build-from-source-code)
 - [About HTML5-based Modern Admin Console and JSON-RPC API Suite](#about-html5-based-modern-admin-console-and-json-rpc-api-suite)
  * [Built-in SoftEther VPN Server HTML5 Ajax-based Web Administration Console](#built-in-softether-vpn-server-html5-ajax-based-web-administration-console)
@@ -34,6 +34,8 @@ Stable Edition is available on
 https://github.com/SoftEtherVPN/SoftEtherVPN_Stable
 which the non-developer user can stable use.

+Please note that [some features](#comparison-with-stable-edition) are not available in Stable Edition.
+
 Source code packages (.zip and .tar.gz) and binary files of Stable Edition are also available:  
 https://www.softether-download.com/

@@ -72,7 +74,7 @@ world's most powerful and easy-to-use multi-protocol VPN software.
 SoftEther VPN runs on Windows, Linux, Mac, FreeBSD and Solaris.

 SoftEther VPN supports most of widely-used VPN protocols
-including SSL-VPN, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP
+including SSL-VPN, WireGuard, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 and EtherIP
 by the single SoftEther VPN Server program.

 More details on https://www.softether.org/.
@@ -105,6 +107,7 @@ https://github.com/chipitsine

 - Supporting all popular VPN protocols by the single VPN server:
  SSL-VPN (HTTPS)
+  WireGuard
  OpenVPN
  IPsec
  L2TP
@@ -139,17 +142,37 @@ https://github.com/chipitsine
  releasing the build.
 - More details at https://www.softether.org/.

+# Comparison with Stable Edition
+
+| Protocol | Stable Edition (SE) | Developer Edition (DE) | Comment |
+| --- | --- | --- | --- |
+| SSL-VPN | ✅ | ✅ | |
+| OpenVPN | ✅ | ✅ | AEAD mode is supported in DE only. |
+| IPsec | ✅ | ✅ | |
+| L2TP | ✅ | ✅ | |
+| MS-SSTP | ✅ | ✅ | |
+| L2TPv3 | ✅ | ✅ | |
+| EtherIP | ✅ | ✅ | |
+| WireGuard | ❌ | ✅ | |
+| IKEv2 | ❌ | ❌ | |
+
+| Feature | Stable Edition (SE) | Developer Edition (DE) | Comment |
+| --- | --- | --- | --- |
+| Password Authentication | ✅ | ✅ | |
+| RADIUS / NT Authentication | ✅ | ✅ | |
+| Certificate Authentication | ⚠️ | ✅ | SE supports the feature in SSL-VPN only. |
+| IPv6-capable VPN Tunnel | ⚠️ | ✅ | SE supports IPv6 in L2 VPN tunnels only. |
+| IPv4 Route Management | ✅ | ✅ | Windows clients only |
+| IPv6 Route Management | ❌ | ✅ | Windows clients only |
+| TLS Server Verification | ⚠️ | ✅ | In SE you need to specify the exact certificate or CA to verify. DE can perform standard TLS verification and use the system CA store. |
+| Dual-stack Name Resolution | ⚠️ | ✅ | SE attempts in IPv6 only after IPv4 has failed. |
+| ECDSA Certificates Import | ❌ | ✅ | |
+| Runs on Windows XP and Earlier | ✅ | ❌ | |
+| Compatible with SoftEther VPN 1.0 | ✅ | ❌ | |
+| AES-NI Hardware Acceleration | ⚠️ |  ✅ | SE requires [intel_aes_lib](https://software.intel.com/sites/default/files/article/181731/intel-aesni-sample-library-v1.2.zip) to enable AES-NI, so x86 only. In DE, enabled by default as long as processor supports it (at least x86 and ARM). |

 # Installation

-## For Ubuntu
-
-Launchpad PPA maintained by [Dmitry Verkhoturov](https://github.com/paskal):
-
-[Daily builds](https://code.launchpad.net/~paskal-07/+archive/ubuntu/softethervpn) (latest released tag)
-
-[Nightly builds](https://code.launchpad.net/~paskal-07/+archive/ubuntu/softethervpn-nightly)
-
 ## For FreeBSD

 SoftEther VPN in FreeBSD Ports Collection is maintained by
@@ -178,7 +201,12 @@ sysrc softether_server_enable=yes
 Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softether-devel/) and
 [RTM version](https://www.freshports.org/security/softether/) are available on FreeBSD.

-## From binary installers:
+## For Windows
+
+[Nightly builds](https://dev.azure.com/SoftEther-VPN/SoftEther%20VPN/_build?definitionId=6)
+(choose appropriate platform, then find binaries or installers as artifacts)
+
+## From binary installers (stable channel)

 Those can be found under https://www.softether-download.com/
 There you can also find SoftEtherVPN source code in zip and tar formats.
@@ -236,19 +264,19 @@ SoftEther VPN Project distributes the up-to-date source code
 on all the following open-source repositories:

  - GitHub
-    https://github.com/SoftEtherVPN/SoftEtherVPN/
+    https://github.com/SoftEtherVPN/SoftEtherVPN

        $ git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git

  - GitLab (mirrored from GitHub)
-    https://gitlab.com/SoftEther/SoftEtherVPN/
+    https://gitlab.com/SoftEther/VPN

-        $ git clone https://gitlab.com/SoftEther/SoftEtherVPN.git
+        $ git clone https://gitlab.com/SoftEther/VPN.git

-  - Codeberg (mirrored from GitHub)
-    https://codeberg.org/softether/vpn
+  - OneDev (mirrored from GitHub)
+    https://code.onedev.io/SoftEther/VPN

-        $ git clone https://codeberg.org/softether/vpn.git
+        $ git clone https://code.onedev.io/SoftEther/VPN.git

 We hope that you can reach one of the above URLs at least!

@@ -261,7 +289,7 @@ Please send patches to us through GitHub.

 # DEAR SECURITY EXPERTS

-If you find a bug or a security vulnerability please kindly inform us
+If you find a bug or a security vulnerability please [kindly inform](https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/new) us
 about the problem immediately so that we can fix the security problem
 to protect a lot of users around the world as soon as possible.

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.x     | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+Please use [github security reporting](https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/new)
@@ -2,7 +2,7 @@

  <PropertyGroup>
    <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
+    <TargetFramework>net7.0</TargetFramework>
  </PropertyGroup>

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
@@ -2210,7 +2210,7 @@ Name | Type | Description
 `NoUdpAcceleration_bool` | `boolean` | Client Option Parameters: Do not use UDP acceleration mode if the value is true
 `AuthType_u32` | `number` (enum) | Authentication type<BR>Values:<BR>`0`: Anonymous authentication<BR>`1`: SHA-0 hashed password authentication<BR>`2`: Plain password authentication<BR>`3`: Certificate authentication
 `Username_str` | `string` (ASCII) | User name
-`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(UpperCase(username_ascii_string) + password_ascii_string).
+`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(password_ascii_string + UpperCase(username_ascii_string)).
 `PlainPassword_str` | `string` (ASCII) | Plaintext Password. Valid only if ClientAuth_AuthType_u32 == PlainPassword (2).
 `ClientX_bin` | `string` (Base64 binary) | Client certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
 `ClientK_bin` | `string` (Base64 binary) | Client private key of the certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
@@ -2352,7 +2352,7 @@ Name | Type | Description
 `NoUdpAcceleration_bool` | `boolean` | Client Option Parameters: Do not use UDP acceleration mode if the value is true
 `AuthType_u32` | `number` (enum) | Authentication type<BR>Values:<BR>`0`: Anonymous authentication<BR>`1`: SHA-0 hashed password authentication<BR>`2`: Plain password authentication<BR>`3`: Certificate authentication
 `Username_str` | `string` (ASCII) | User name
-`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(UpperCase(username_ascii_string) + password_ascii_string).
+`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(password_ascii_string + UpperCase(username_ascii_string)).
 `PlainPassword_str` | `string` (ASCII) | Plaintext Password. Valid only if ClientAuth_AuthType_u32 == PlainPassword (2).
 `ClientX_bin` | `string` (Base64 binary) | Client certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
 `ClientK_bin` | `string` (Base64 binary) | Client private key of the certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
@@ -2537,7 +2537,7 @@ Name | Type | Description
 `NoUdpAcceleration_bool` | `boolean` | Client Option Parameters: Do not use UDP acceleration mode if the value is true
 `AuthType_u32` | `number` (enum) | Authentication type<BR>Values:<BR>`0`: Anonymous authentication<BR>`1`: SHA-0 hashed password authentication<BR>`2`: Plain password authentication<BR>`3`: Certificate authentication
 `Username_str` | `string` (ASCII) | User name
-`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(UpperCase(username_ascii_string) + password_ascii_string).
+`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(password_ascii_string + UpperCase(username_ascii_string)).
 `PlainPassword_str` | `string` (ASCII) | Plaintext Password. Valid only if ClientAuth_AuthType_u32 == PlainPassword (2).
 `ClientX_bin` | `string` (Base64 binary) | Client certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
 `ClientK_bin` | `string` (Base64 binary) | Client private key of the certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
@@ -8,7 +8,7 @@

  <ItemGroup>
    <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="2.10.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>

 </Project>
@@ -1,6 +1,6 @@
 {
  "name": "vpnrpc",
-  "version": "1.0.0",
+  "version": "1.0.1",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
@@ -54,12 +54,6 @@
      "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=",
      "dev": true
    },
-    "big.js": {
-      "version": "5.2.2",
-      "resolved": "https://registry.npmjs.org/big.js/-/big.js-5.2.2.tgz",
-      "integrity": "sha512-vyL2OymJxmarO8gxMr0mhChsO9QGwhynfuu4+MHTAW6czfq9humCB7rKpUjDd9YUiDPU4mzpyupFSvOClAwbmQ==",
-      "dev": true
-    },
    "brace-expansion": {
      "version": "1.1.11",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
@@ -123,42 +117,20 @@
      "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=",
      "dev": true
    },
-    "core-util-is": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",
-      "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=",
-      "dev": true
-    },
    "diff": {
      "version": "3.5.0",
      "resolved": "https://registry.npmjs.org/diff/-/diff-3.5.0.tgz",
      "integrity": "sha512-A46qtFgd+g7pDZinpnwiRJtxbC1hpgf0uzP3iG89scHk0AUC7A1TGxf5OiiOUv/JMZR8GOt8hL900hV0bOy5xA==",
      "dev": true
    },
-    "emojis-list": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/emojis-list/-/emojis-list-2.1.0.tgz",
-      "integrity": "sha1-TapNnbAPmBmIDHn6RXrlsJof04k=",
-      "dev": true
-    },
    "enhanced-resolve": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-4.1.0.tgz",
-      "integrity": "sha512-F/7vkyTtyc/llOIn8oWclcB25KdRaiPBpZYDgJHgh/UHtpgT2p2eldQgtQnLtUvfMKPKxbRaQM/hHkvLHt1Vng==",
+      "version": "5.12.0",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.12.0.tgz",
+      "integrity": "sha512-QHTXI/sZQmko1cbDoNAa3mJ5qhWUUNAq3vR0/YiD379fWQrcfuoX1+HW2S0MTt7XmoPLapdaDKUtelUSPic7hQ==",
      "dev": true,
      "requires": {
-        "graceful-fs": "^4.1.2",
-        "memory-fs": "^0.4.0",
-        "tapable": "^1.0.0"
-      }
-    },
-    "errno": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/errno/-/errno-0.1.7.tgz",
-      "integrity": "sha512-MfrRBDWzIWifgq6tJj60gkAwtLNb6sQPlcFrSOflcP1aFmmruKQ2wRnze/8V6kgyz7H3FF8Npzv78mZ7XLLflg==",
-      "dev": true,
-      "requires": {
-        "prr": "~1.0.1"
+        "graceful-fs": "^4.2.4",
+        "tapable": "^2.2.0"
      }
    },
    "escape-string-regexp": {
@@ -209,9 +181,9 @@
      }
    },
    "graceful-fs": {
-      "version": "4.1.15",
-      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.1.15.tgz",
-      "integrity": "sha512-6uHUhOPEBgQ24HM+r6b/QwWfZq+yiFcipKFrOFiBEnWdy5sdzYoi+pJeQaPI5qOLRFqWmAXUPQNsielzdLoecA==",
+      "version": "4.2.10",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz",
+      "integrity": "sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==",
      "dev": true
    },
    "has-flag": {
@@ -242,12 +214,6 @@
      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
      "dev": true
    },
-    "isarray": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
-      "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=",
-      "dev": true
-    },
    "js-tokens": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
@@ -264,76 +230,47 @@
        "esprima": "^4.0.0"
      }
    },
-    "json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+    "lru-cache": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
+      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
      "dev": true,
      "requires": {
-        "minimist": "^1.2.0"
-      }
-    },
-    "loader-utils": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz",
-      "integrity": "sha512-fkpz8ejdnEMG3s37wGL07iSBDg99O9D5yflE9RGNH3hRdx9SOwYfnGYdZOUIZitN8E+E2vkq3MUMYMvPYl5ZZA==",
-      "dev": true,
-      "requires": {
-        "big.js": "^5.2.2",
-        "emojis-list": "^2.0.0",
-        "json5": "^1.0.1"
-      }
-    },
-    "memory-fs": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/memory-fs/-/memory-fs-0.4.1.tgz",
-      "integrity": "sha1-OpoguEYlI+RHz7x+i7gO1me/xVI=",
-      "dev": true,
-      "requires": {
-        "errno": "^0.1.3",
-        "readable-stream": "^2.0.1"
+        "yallist": "^4.0.0"
      }
    },
    "micromatch": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.2.tgz",
-      "integrity": "sha512-y7FpHSbMUMoyPbYUSzO6PaZ6FyRnQOpHuKwbo1G+Knck95XVU4QAiKdGEnj5wwoS7PlOgthX/09u5iFJ+aYf5Q==",
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
+      "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
      "dev": true,
      "requires": {
-        "braces": "^3.0.1",
-        "picomatch": "^2.0.5"
+        "braces": "^3.0.2",
+        "picomatch": "^2.3.1"
      }
    },
    "minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
      "dev": true,
      "requires": {
        "brace-expansion": "^1.1.7"
      }
    },
    "minimist": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
-      "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz",
+      "integrity": "sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==",
      "dev": true
    },
    "mkdirp": {
-      "version": "0.5.1",
-      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
-      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
+      "version": "0.5.6",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
+      "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
      "dev": true,
      "requires": {
-        "minimist": "0.0.8"
-      },
-      "dependencies": {
-        "minimist": {
-          "version": "0.0.8",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
-          "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=",
-          "dev": true
-        }
+        "minimist": "^1.2.6"
      }
    },
    "once": {
@@ -352,44 +289,17 @@
      "dev": true
    },
    "path-parse": {
-      "version": "1.0.6",
-      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz",
-      "integrity": "sha512-GSmOT2EbHrINBf9SR7CDELwlJ8AENk3Qn7OikK4nFYAu3Ote2+JYNVvkpAEQm3/TLNEJFD/xZJjzyxg3KBWOzw==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
      "dev": true
    },
    "picomatch": {
-      "version": "2.0.7",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.0.7.tgz",
-      "integrity": "sha512-oLHIdio3tZ0qH76NybpeneBhYVj0QFTfXEFTc/B3zKQspYfYYkWYgFsmzo+4kvId/bQRcNkVeguI3y+CD22BtA==",
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
      "dev": true
    },
-    "process-nextick-args": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.0.tgz",
-      "integrity": "sha512-MtEC1TqN0EU5nephaJ4rAtThHtC86dNN9qCuEhtshvpVBkAW5ZO7BASN9REnF9eoXGcRub+pFuKEpOHE+HbEMw==",
-      "dev": true
-    },
-    "prr": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/prr/-/prr-1.0.1.tgz",
-      "integrity": "sha1-0/wRS6BplaRexok/SEzrHXj19HY=",
-      "dev": true
-    },
-    "readable-stream": {
-      "version": "2.3.6",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz",
-      "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==",
-      "dev": true,
-      "requires": {
-        "core-util-is": "~1.0.0",
-        "inherits": "~2.0.3",
-        "isarray": "~1.0.0",
-        "process-nextick-args": "~2.0.0",
-        "safe-buffer": "~5.1.1",
-        "string_decoder": "~1.1.1",
-        "util-deprecate": "~1.0.1"
-      }
-    },
    "resolve": {
      "version": "1.11.0",
      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.11.0.tgz",
@@ -399,17 +309,14 @@
        "path-parse": "^1.0.6"
      }
    },
-    "safe-buffer": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
-      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
-      "dev": true
-    },
    "semver": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.1.0.tgz",
-      "integrity": "sha512-kCqEOOHoBcFs/2Ccuk4Xarm/KiWRSLEX9CAZF8xkJ6ZPlIoTZ8V5f7J16vYLJqDbR7KrxTJpR2lqjIEm2Qx9cQ==",
-      "dev": true
+      "version": "7.3.8",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.3.8.tgz",
+      "integrity": "sha512-NB1ctGL5rlHrPJtFDVIVzTyQylMLu9N9VICA6HSFJo8MCGVTMW6gfpicwKmmK/dAjTOrqu5l63JJOpDSrAis3A==",
+      "dev": true,
+      "requires": {
+        "lru-cache": "^6.0.0"
+      }
    },
    "sprintf-js": {
      "version": "1.0.3",
@@ -417,15 +324,6 @@
      "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=",
      "dev": true
    },
-    "string_decoder": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
-      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
-      "dev": true,
-      "requires": {
-        "safe-buffer": "~5.1.0"
-      }
-    },
    "supports-color": {
      "version": "5.5.0",
      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
@@ -436,9 +334,9 @@
      }
    },
    "tapable": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-1.1.3.tgz",
-      "integrity": "sha512-4WK/bYZmj8xLr+HUCODHGF1ZFzsYffasLUgEiMBY4fgtltdO6B4WJtlSbPaDTLpYTcGVwM2qLnFTICEcNxs3kA==",
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz",
+      "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==",
      "dev": true
    },
    "to-regex-range": {
@@ -451,16 +349,66 @@
      }
    },
    "ts-loader": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/ts-loader/-/ts-loader-6.0.1.tgz",
-      "integrity": "sha512-9H5ErTIw5t73sdSoFE0hX0RO45B7cdDA4pW1VIQ2wNFAhxSpZcAlv2fwMcfv6SAYLoI7uGwHuzC5dECzmzqtzA==",
+      "version": "9.4.2",
+      "resolved": "https://registry.npmjs.org/ts-loader/-/ts-loader-9.4.2.tgz",
+      "integrity": "sha512-OmlC4WVmFv5I0PpaxYb+qGeGOdm5giHU7HwDDUjw59emP2UYMHy9fFSDcYgSNoH8sXcj4hGCSEhlDZ9ULeDraA==",
      "dev": true,
      "requires": {
-        "chalk": "^2.3.0",
-        "enhanced-resolve": "^4.0.0",
-        "loader-utils": "^1.0.2",
+        "chalk": "^4.1.0",
+        "enhanced-resolve": "^5.0.0",
        "micromatch": "^4.0.0",
-        "semver": "^6.0.0"
+        "semver": "^7.3.4"
+      },
+      "dependencies": {
+        "ansi-styles": {
+          "version": "4.3.0",
+          "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+          "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+          "dev": true,
+          "requires": {
+            "color-convert": "^2.0.1"
+          }
+        },
+        "chalk": {
+          "version": "4.1.2",
+          "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
+          "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+          "dev": true,
+          "requires": {
+            "ansi-styles": "^4.1.0",
+            "supports-color": "^7.1.0"
+          }
+        },
+        "color-convert": {
+          "version": "2.0.1",
+          "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+          "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+          "dev": true,
+          "requires": {
+            "color-name": "~1.1.4"
+          }
+        },
+        "color-name": {
+          "version": "1.1.4",
+          "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+          "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+          "dev": true
+        },
+        "has-flag": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+          "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+          "dev": true
+        },
+        "supports-color": {
+          "version": "7.2.0",
+          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+          "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+          "dev": true,
+          "requires": {
+            "has-flag": "^4.0.0"
+          }
+        }
      }
    },
    "tslib": {
@@ -513,17 +461,17 @@
      "integrity": "sha512-YycBxUb49UUhdNMU5aJ7z5Ej2XGmaIBL0x34vZ82fn3hGvD+bgrMrVDpatgz2f7YxUMJxMkbWxJZeAvDxVe7Vw==",
      "dev": true
    },
-    "util-deprecate": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
-      "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=",
-      "dev": true
-    },
    "wrappy": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
      "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
      "dev": true
+    },
+    "yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true
    }
  }
 }
@@ -23,7 +23,7 @@
  "homepage": "https://github.com/SoftEtherVPN/SoftEtherVPN/tree/master/developer_tools/vpnserver-jsonrpc-clients/#readme",
  "devDependencies": {
    "@types/node": "^12.0.2",
-    "ts-loader": "^6.0.1",
+    "ts-loader": "^9.4.2",
    "tslint": "^5.16.0",
    "typescript": "^3.4.5"
  }
@@ -29,7 +29,7 @@
  <ItemGroup>
    <PackageReference Include="Markdig" Version="0.15.4" />
    <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="2.10.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>

 </Project>
@@ -38,7 +38,7 @@ sudo yum -y install cmake ncurses-devel openssl-devel libsodium-devel readline-d

 ## Install requirements on Debian/Ubuntu
 ```bash
-sudo apt -y install cmake gcc g++ make libncurses5-dev libssl-dev libsodium-dev libreadline-dev zlib1g-dev
+sudo apt -y install cmake gcc g++ make pkgconf libncurses5-dev libssl-dev libsodium-dev libreadline-dev zlib1g-dev
 ```

 ## Install requirements on macOS
@@ -1,31 +1,155 @@
 How to build SoftEther VPN for Windows
 ======================================

-Full Build Instructions
-----------------------
-
-There are several methods for using CMake but the easiest by far is through Visual Studio 2019 by importing the CMake project directly
+There are several methods for using CMake but the easiest by far is through Visual Studio by importing the CMake project directly
 into it. So that is what will be described below.

-Requirements:
+## Requirements

-1. Download Visual Studio 2019 (Community Edition is fine).
-2. During install, make sure to check "Desktop development with C++" under "Workloads".
-3. Click on individual components and scroll until you see "Visual C++ tools for CMake" under the compilers section. Make sure this is checked.
-4. Proceed with and finish Visual Studio 2019 installation.
-5. Install the needed submodules to build the project, avoiding CMake telling you to do so with: `git submodule update --init --recursive`
+- Visual Studio 2019 or 2022 (Community Edition is fine)

-Building:
+  https://visualstudio.microsoft.com/downloads

-Once both installs have finished, launch Visual Studio. Once its started go to the File menu click `Open --> CMake`. Then navigate to where you
-cloned the project and open the `CMakeLists.txt` file in the projects root directory.
+- Git for Windows (or other git tool)

-Visual Studio will proceed to start the CMake configuration process and once its finished, you can simply go to toolbar and click `CMake -> Build All`.
+  https://gitforwindows.org/

-Once it has finished, hopefully with no errors, look in the newly created `/build` directory in the project's folder. Inside are the development versions
-of all the SoftEtherVPN components.
+- vcpkg

-Congrats, you now have a complete CMake development environment for SoftEtherVPN on Windows, enjoy and happy contributing!
+  https://github.com/microsoft/vcpkg

-Download Links:
- Visual Studio 2019 from Microsoft: https://visualstudio.microsoft.com/downloads
+## Installation
+
+- Visual Studio
+
+  Download from the official site and run the installer.
+
+  Make sure to check **Desktop development with C++** under *Workloads* and **Clang C++ Tools for Windows** in *Optional* components.
+
+- Git
+
+  Nothing special. Just follow the installer.
+
+- vcpkg
+
+  Let's say you will install it to `C:\vcpkg`.
+
+  Open your preferred terminal and go to `C:\`. Then run these commands.
+
+  ```
+  C:\> git clone https://github.com/microsoft/vcpkg
+  C:\> cd vcpkg
+  C:\vcpkg> bootstrap-vcpkg.bat
+  C:\vcpkg> vcpkg integrate install
+  ```
+
+## Update
+
+- vcpkg
+
+  You are recommended to update vcpkg from time to time, so that the latest libraries are used in the build.
+
+  Go to the installation path, pull the latest repo and the binary:
+
+  ```
+  C:\vcpkg> git pull
+  C:\vcpkg> bootstrap-vcpkg.bat
+  ```
+  
+## Building
+
+1. Launch Visual Studio
+
+   Choose either **Clone a repository** to clone from GitHub or **Open a local folder** if you already have a copy.
+
+1. Open Terminal (*View -> Terminal*). Install the needed submodules to build the project, avoiding CMake telling you to do so with:
+
+   `git submodule update --init --recursive`
+
+   **Note**: This step is not necessary if you have chosen **Clone a repository** as Visual Studio automatically takes care of it.
+
+1. Switch to folder view in the solution explorer
+
+1. Select a configuration from the dropdown menu below the search box. The default configurations are:
+
+   - x64-native
+
+     Build x64 executables with 64-bit compiler (most common)
+
+   - x64-on-x86
+
+     Cross compile x64 executables with 32-bit compiler
+
+   - x86-native
+
+     Build x86 executables with 32-bit compiler
+
+   - x86-on-x64
+
+     Cross compile x86 executables with 64-bit compiler
+
+   On 64-bit Windows, all four configurations can be used. 32-bit platforms can only use 32-bit compiler.
+
+1. Visual Studio will try generating CMake cache. If not, click **Project -> Configure Cache** or **Generate Cache**.
+
+   If CMake is busy, you will find **Generate Cache** greyed out. Wait until it finishes or click **Cancel CMake Cache Generation** to stop it.
+
+   The initial configuration will take a longer time since it needs to download and install dependencies.
+
+1. When *CMake generation finished* is displayed, simply go to toolbar and click **Build -> Build All**.
+
+1. Once building has finished, hopefully with no errors, look in the newly created `/build` directory in the project's folder.
+
+   Run `vpnsetup.exe` to install desired components.
+
+1. Congrats, you now have a complete CMake development environment for SoftEtherVPN on Windows, enjoy and happy contributing!
+
+## Notes
+
+1. Build number
+
+   You can change the build number in `CMakeSettings.json`. Use any integer no less than 5180.
+
+   Delete and regenerate CMake cache after the change.
+
+1. OpenSSL
+
+   The above instruction builds OpenSSL library statically in the SoftEther binaries,
+   so that when you distribute the installer to others they will not need to install OpenSSL separately.
+   However, the downside is that the OpenSSL library cannot be updated without a rebuild and reinstallation of SoftEther.
+   
+   It's also possible to build OpenSSL library dynamically so that you can update OpenSSL without rebuilding SoftEther.
+   To achieve that, you need to remove `openssl` from `vcpkg.json` and install OpenSSL directly.
+   
+   Installing from a package manager such as [Scoop](https://scoop.sh/) would make the subsequent updates easily.
+   However, you should avoid using [Winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
+   for the time being because due to a bug it cannot detect the correct version of OpenSSL, causing endless updates.
+   
+   If you install from Scoop, make sure to add the OpenSSL folder to the system's `PATH`.
+   As Scoop already adds it to the user's `PATH`, just copy the same location into the system environment variable(s).
+   SoftEther Client Service starts from the System account and will fail to start if OpenSSL is not in the global `PATH`.
+   
+   Building should be straightforward. You can verify that the binaries are now linked against the locally installed OpenSSL
+   with tools like `ldd` (available from Git Bash):
+
+   ```bash
+   $ ldd /c/Program\ Files/SoftEther\ VPN\ Client\ Developer\ Edition/vpnclient.exe
+        ...
+        libcrypto-3-x64.dll => /c/Scoop/apps/openssl/current/bin/libcrypto-3-x64.dll (0x7ff8beb70000)
+        libssl-3-x64.dll => /c/Scoop/apps/openssl/current/bin/libssl-3-x64.dll (0x7ff8beaa0000)
+        ...
+   ```
+
+1. 32-bit Windows
+
+   You don't need 32-bit Windows to build 32-bit executables. However, if 32-bit Windows is what you only have, things become a little complicated.
+
+   Visual Studio 2019 is the last version that works on 32-bit Windows. It does the job but its bundled CMake and Ninja are 64-bit versions.
+
+   After the installation of VS 2019, you need to download 32-bit CMake and Ninja and replace those that come with VS in:
+
+   ```
+   C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\CMake
+   ```
+
+   Currently CMake has an official x86 installer but Ninja does not. You may need to download from a 3rd party or build from source.
@@ -60,6 +60,21 @@ include_directories(.)

 if(WIN32)
  add_definitions(-DWIN32 -D_WINDOWS -DOS_WIN32 -D_CRT_SECURE_NO_WARNINGS)
+
+  #
+  # https://msrc-blog.microsoft.com/2020/08/17/control-flow-guard-for-clang-llvm-and-rust/
+  #
+
+  message("Setting CONTROL FLOW GUARD") 
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /guard:cf")
+  set(CMAKE_EXE_LINKER_FLAGS  "${CMAKE_EXE_LINKER_FLAGS} /guard:cf /DYNAMICBASE")
+
+  message("Setting QSPECTRE")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
+
+  message("Setting CETCOMPAT")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /CETCOMPAT")
+
 endif()

 if(UNIX)
@@ -21,47 +21,47 @@
 // Policy items
 POLICY_ITEM policy_item[] =
 {
-//  ID,     Value,  Omittable, Min, Max, Default, Unit name
+//  ID,     Value,  Omittable, Min, Max, Default, Unit name, Offset
 // Ver 2.0
-	{0,		false,	false,	0,	0,	0,		NULL},			// Access
-	{1,		false,	false,	0,	0,	0,		NULL},			// DHCPFilter
-	{2,		false,	false,	0,	0,	0,		NULL},			// DHCPNoServer
-	{3,		false,	false,	0,	0,	0,		NULL},			// DHCPForce
-	{4,		false,	false,	0,	0,	0,		NULL},			// NoBridge
-	{5,		false,	false,	0,	0,	0,		NULL},			// NoRouting
-	{6,		false,	false,	0,	0,	0,		NULL},			// CheckMac
-	{7,		false,	false,	0,	0,	0,		NULL},			// CheckIP
-	{8,		false,	false,	0,	0,	0,		NULL},			// ArpDhcpOnly
-	{9,		false,	false,	0,	0,	0,		NULL},			// PrivacyFilter
-	{10,	false,	false,	0,	0,	0,		NULL},			// NoServer
-	{11,	false,	false,	0,	0,	0,		NULL},			// NoBroadcastLimiter
-	{12,	false,	false,	0,	0,	0,		NULL},			// MonitorPort
-	{13,	true,	false,	1,	32,	32,		"POL_INT_COUNT"},	// MaxConnection
-	{14,	true,	false,	5,	60,	20,		"POL_INT_SEC"},	// TimeOut
-	{15,	true,	true,	1,	65535,	0,	"POL_INT_COUNT"},	// MaxMac
-	{16,	true,	true,	1,	65535,	0,	"POL_INT_COUNT"},	// MaxIP
-	{17,	true,	true,	1,	4294967295UL,	0,	"POL_INT_BPS"},	// MaxUpload
-	{18,	true,	true,	1,	4294967295UL,	0,	"POL_INT_BPS"},	// MaxDownload
-	{19,	false,	false,	0,	0,	0,		NULL},			// FixPassword
-	{20,	true,	true,	1,	65535,	0,	"POL_INT_COUNT"},	// MultiLogins
-	{21,	false,	false,	0,	0,	0,		NULL},			// NoQoS
+	{0,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, Access)},								// Access
+	{1,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, DHCPFilter)},							// DHCPFilter
+	{2,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, DHCPNoServer)},						// DHCPNoServer
+	{3,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, DHCPForce)},							// DHCPForce
+	{4,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoBridge)},							// NoBridge
+	{5,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoRouting)},							// NoRouting
+	{6,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, CheckMac)},							// CheckMac
+	{7,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, CheckIP)},								// CheckIP
+	{8,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, ArpDhcpOnly)},							// ArpDhcpOnly
+	{9,		false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, PrivacyFilter)},						// PrivacyFilter
+	{10,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoServer)},							// NoServer
+	{11,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoBroadcastLimiter)},					// NoBroadcastLimiter
+	{12,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, MonitorPort)},							// MonitorPort
+	{13,	true,	false,	1,	32,	32,		"POL_INT_COUNT",		offsetof(POLICY, MaxConnection)},			// MaxConnection
+	{14,	true,	false,	5,	60,	20,		"POL_INT_SEC",			offsetof(POLICY, TimeOut)},					// TimeOut
+	{15,	true,	true,	1,	65535,	0,	"POL_INT_COUNT",		offsetof(POLICY, MaxMac)},					// MaxMac
+	{16,	true,	true,	1,	65535,	0,	"POL_INT_COUNT",		offsetof(POLICY, MaxIP)},					// MaxIP
+	{17,	true,	true,	1,	4294967295UL,	0,	"POL_INT_BPS",	offsetof(POLICY, MaxUpload)},				// MaxUpload
+	{18,	true,	true,	1,	4294967295UL,	0,	"POL_INT_BPS",	offsetof(POLICY, MaxDownload)},				// MaxDownload
+	{19,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, FixPassword)},							// FixPassword
+	{20,	true,	true,	1,	65535,	0,	"POL_INT_COUNT",		offsetof(POLICY, MultiLogins)},				// MultiLogins
+	{21,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoQoS)},								// NoQoS
 // Ver 3.0
-	{22,	false,	false,	0,	0,	0,		NULL},			// RSandRAFilter
-	{23,	false,	false,	0,	0,	0,		NULL},			// RAFilter
-	{24,	false,	false,	0,	0,	0,		NULL},			// DHCPv6Filter
-	{25,	false,	false,	0,	0,	0,		NULL},			// DHCPv6NoServer
-	{26,	false,	false,	0,	0,	0,		NULL},			// NoRoutingV6
-	{27,	false,	false,	0,	0,	0,		NULL},			// CheckIPv6
-	{28,	false,	false,	0,	0,	0,		NULL},			// NoServerV6
-	{29,	true,	true,	1,	65535,	0,	"POL_INT_COUNT"},	// MaxIPv6
-	{30,	false,	false,	0,	0,	0,		NULL},			// NoSavePassword
-	{31,	true,	true,	1,	4294967295UL,	0,	"POL_INT_SEC"},	// AutoDisconnect
-	{32,	false,	false,	0,	0,	0,		NULL},			// FilterIPv4
-	{33,	false,	false,	0,	0,	0,		NULL},			// FilterIPv6
-	{34,	false,	false,	0,	0,	0,		NULL},			// FilterNonIP
-	{35,	false,	false,	0,	0,	0,		NULL},			// NoIPv6DefaultRouterInRA
-	{36,	false,	false,	0,	0,	0,		NULL},			// NoIPv6DefaultRouterInRAWhenIPv6
-	{37,	true,	true,	1,	4095,	0,	"POL_INT_VLAN"},	// VLanId
+	{22,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, RSandRAFilter)},						// RSandRAFilter
+	{23,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, RAFilter)},							// RAFilter
+	{24,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, DHCPv6Filter)},						// DHCPv6Filter
+	{25,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, DHCPv6NoServer)},						// DHCPv6NoServer
+	{26,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoRoutingV6)},							// NoRoutingV6
+	{27,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, CheckIPv6)},							// CheckIPv6
+	{28,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoServerV6)},							// NoServerV6
+	{29,	true,	true,	1,	65535,	0,	"POL_INT_COUNT",		offsetof(POLICY, MaxIPv6)},					// MaxIPv6
+	{30,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoSavePassword)},						// NoSavePassword
+	{31,	true,	true,	1,	4294967295UL,	0,	"POL_INT_SEC",	offsetof(POLICY, AutoDisconnect)},			// AutoDisconnect
+	{32,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, FilterIPv4)},							// FilterIPv4
+	{33,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, FilterIPv6)},							// FilterIPv6
+	{34,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, FilterNonIP)},							// FilterNonIP
+	{35,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoIPv6DefaultRouterInRA)},				// NoIPv6DefaultRouterInRA
+	{36,	false,	false,	0,	0,	0,		NULL,		offsetof(POLICY, NoIPv6DefaultRouterInRAWhenIPv6)},		// NoIPv6DefaultRouterInRAWhenIPv6
+	{37,	true,	true,	1,	4095,	0,	"POL_INT_VLAN",			offsetof(POLICY, VLanId)},					// VLanId
 };

 // Format policy value
@@ -390,7 +390,7 @@ void OverwritePolicy(POLICY **target, POLICY *p)
 			}
 			else
 			{
-				Copy(*target, p, NUM_POLICY_ITEM_FOR_VER2 * sizeof(UINT));
+				Copy(*target, p, policy_item[NUM_POLICY_ITEM_FOR_VER2].Offset);
 			}
 		}
 	}
@@ -897,6 +897,35 @@ USER *AcGetUser(HUB *h, char *name)
 	return u;
 }

+USER* AcGetUserByCert(HUB *h, X *cert)
+{
+	int i;
+
+	if (cert == NULL)
+	{
+		return NULL;
+	}
+
+	for (i = 0; i < LIST_NUM(h->HubDb->UserList); i++)
+	{
+		USER* u = LIST_DATA(h->HubDb->UserList, i);
+		if (u->AuthType == AUTHTYPE_USERCERT)
+		{
+			X* ucert = ((AUTHUSERCERT*)u->AuthData)->UserX;
+			if (ucert != NULL)
+			{
+				if (CompareX(cert, ucert))
+				{
+					AddRef(u->ref);
+					return u;
+				}
+			}
+		}
+	}
+
+	return NULL;
+}
+
 // Delete the user
 bool AcDeleteUser(HUB *h, char *name)
 {
@@ -25,6 +25,7 @@ struct POLICY_ITEM
 	UINT MaxValue;
 	UINT DefaultValue;
 	char *FormatStr;
+	UINT Offset;
 };

 // Policy
@@ -144,17 +145,17 @@ struct AUTHNT

 // Macro
 #define	POLICY_CURRENT_VERSION		3
-#define	NUM_POLICY_ITEM		((sizeof(POLICY) / sizeof(UINT)) - 1)
 #define	NUM_POLICY_ITEM_FOR_VER2	22
 #define	NUM_POLICY_ITEM_FOR_VER3	38
+#define	NUM_POLICY_ITEM				NUM_POLICY_ITEM_FOR_VER3

 #define	IS_POLICY_FOR_VER2(index)	(((index) >= 0) && ((index) < NUM_POLICY_ITEM_FOR_VER2))
 #define	IS_POLICY_FOR_VER3(index)	(((index) >= 0) && ((index) < NUM_POLICY_ITEM_FOR_VER3))

 #define	IS_POLICY_FOR_CURRENT_VER(index, ver)	((ver) >= 3 ? IS_POLICY_FOR_VER3(index) : IS_POLICY_FOR_VER2(index))

-#define	POLICY_BOOL(p, i)	(((bool *)(p))[(i)])
-#define	POLICY_INT(p, i)	(((UINT *)(p))[(i)])
+#define	POLICY_BOOL(p, i)	(*(bool *)((char *)p + policy_item[i].Offset))
+#define	POLICY_INT(p, i)	(*(UINT *)((char *)p + policy_item[i].Offset))

 extern POLICY_ITEM policy_item[];

@@ -176,6 +177,7 @@ void FreeAuthData(UINT authtype, void *authdata);
 bool AcAddUser(HUB *h, USER *u);
 bool AcAddGroup(HUB *h, USERGROUP *g);
 USER *AcGetUser(HUB *h, char *name);
+USER* AcGetUserByCert(HUB* h, X *cert);
 USERGROUP *AcGetGroup(HUB *h, char *name);
 bool AcIsUser(HUB *h, char *name);
 bool AcIsGroup(HUB *h, char *name);
@@ -260,26 +260,6 @@ CAPSLIST *ScGetCapsEx(RPC *rpc)
 		AddCapsBool(t, "b_support_config_log", info.ServerType != SERVER_TYPE_FARM_MEMBER);
 		AddCapsBool(t, "b_support_autodelete", false);
 	}
-	else
-	{
-		// Success getting Caps
-		if (info.ServerBuildInt <= 4350)
-		{
-			if (is_bridge == false)
-			{
-				// b_support_cluster should be true for build 4300 or earlier
-				CAPS *caps = GetCaps(t, "b_support_cluster");
-				if (caps == NULL)
-				{
-					AddCapsBool(t, "b_support_cluster", true);
-				}
-				else
-				{
-					caps->Value = 1;
-				}
-			}
-		}
-	}

 	if (true)
 	{
@@ -746,9 +726,8 @@ void AdminWebProcPost(CONNECTION *c, SOCK *s, HTTP_HEADER *h, UINT post_data_siz
 	if (RecvAll(s, data, post_data_size, s->SecureMode))
 	{
 		c->JsonRpcAuthed = true;
-#ifndef	GC_SOFTETHER_OSS
+
 		RemoveDosEntry(c->Listener, s);
-#endif	// GC_SOFTETHER_OSS

 		// Divide url_target into URL and query string
 		StrCpy(url, sizeof(url), url_target);
@@ -787,9 +766,8 @@ void AdminWebProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)
 	}

 	c->JsonRpcAuthed = true;
-#ifndef	GC_SOFTETHER_OSS
+
 	RemoveDosEntry(c->Listener, s);
-#endif	// GC_SOFTETHER_OSS

 	// Divide url_target into URL and query string
 	StrCpy(url, sizeof(url), url_target);
@@ -959,30 +937,26 @@ bool HttpParseBasicAuthHeader(HTTP_HEADER *h, char *username, UINT username_size
 		{
 			if (StrCmpi(key, "Basic") == 0 && IsEmptyStr(value) == false)
 			{
-				UINT b64_dest_size = StrSize(value) * 2 + 256;
-				char *b64_dest = ZeroMalloc(b64_dest_size);
-
-				Decode64(b64_dest, value);
-
-				if (IsEmptyStr(b64_dest) == false)
+				char *str = Base64ToBin(NULL, value, StrLen(value));
+				if (str != NULL)
 				{
-					if (b64_dest[0] == ':')
+					if (str[0] == ':')
 					{
 						// Empty username
 						StrCpy(username, username_size, "");
-						StrCpy(password, password_size, b64_dest + 1);
+						StrCpy(password, password_size, str + 1);
 						ret = true;
 					}
 					else
 					{
-						if (GetKeyAndValue(b64_dest, username, username_size, password, password_size, ":"))
+						if (GetKeyAndValue(str, username, username_size, password, password_size, ":"))
 						{
 							ret = true;
 						}
 					}
-				}

-				Free(b64_dest);
+					Free(str);
+				}
 			}
 		}
 	}
@@ -1223,9 +1197,7 @@ void JsonRpcProcOptions(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target

 	c->JsonRpcAuthed = true;

-#ifndef	GC_SOFTETHER_OSS
 	RemoveDosEntry(c->Listener, s);
-#endif	// GC_SOFTETHER_OSS

 	AdminWebSendBody(s, 200, "OK", NULL, 0, NULL, NULL, NULL, h);
 }
@@ -1252,9 +1224,7 @@ void JsonRpcProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)

 	c->JsonRpcAuthed = true;

-#ifndef	GC_SOFTETHER_OSS
 	RemoveDosEntry(c->Listener, s);
-#endif	// GC_SOFTETHER_OSS

 	// Divide url_target into URL and query string
 	StrCpy(url, sizeof(url), url_target);
@@ -1381,9 +1351,7 @@ void JsonRpcProcPost(CONNECTION *c, SOCK *s, HTTP_HEADER *h, UINT post_data_size

 		c->JsonRpcAuthed = true;

-#ifndef	GC_SOFTETHER_OSS
 		RemoveDosEntry(c->Listener, s);
-#endif	// GC_SOFTETHER_OSS

 		if (json_req == NULL || json_req_object == NULL)
 		{
@@ -6550,8 +6518,6 @@ UINT StSetAccessList(ADMIN *a, RPC_ENUM_ACCESS_LIST *t)
 	UINT i;
 	bool no_jitter = false;
 	bool no_include = false;
-	UINT ret = ERR_NO_ERROR;
-

 	NO_SUPPORT_FOR_BRIDGE;
 	if (s->ServerType == SERVER_TYPE_FARM_MEMBER)
@@ -6594,60 +6560,20 @@ UINT StSetAccessList(ADMIN *a, RPC_ENUM_ACCESS_LIST *t)
 	}

 	LockList(h->AccessList);
-	{
-		UINT i;
-
-		if (a->ClientBuild != 0)
-		{
-			// Confirm whether the access list of form which cannot handle by the old client already exists
-			if (a->ClientBuild < 6560)
-			{
-				for (i = 0;i < LIST_NUM(h->AccessList);i++)
-				{
-					ACCESS *access = LIST_DATA(h->AccessList, i);
-					if (access->IsIPv6 ||
-						access->Jitter != 0 || access->Loss != 0 || access->Delay != 0)
-					{
-						ret = ERR_VERSION_INVALID;
-						break;
-					}
-				}
-			}
-
-			if (a->ClientBuild < 8234)
-			{
-				for (i = 0;i < LIST_NUM(h->AccessList);i++)
-				{
-					ACCESS *access = LIST_DATA(h->AccessList, i);
-
-					if (IsEmptyStr(access->RedirectUrl) == false)
-					{
-						ret = ERR_VERSION_INVALID;
-						break;
-					}
-				}
-			}
-		}
-
-		if (ret == ERR_NO_ERROR)
 	{
 		// Delete whole access list
-			for (i = 0;i < LIST_NUM(h->AccessList);i++)
+		for (i = 0; i < LIST_NUM(h->AccessList); ++i)
 		{
 			ACCESS *access = LIST_DATA(h->AccessList, i);
 			Free(access);
 		}

 		DeleteAll(h->AccessList);
-		}
-	}

-	if (ret == ERR_NO_ERROR)
-	{
 		ALog(a, h, "LA_SET_ACCESS_LIST", t->NumAccess);

 		// Add whole access list
-		for (i = 0;i < t->NumAccess;i++)
+		for (i = 0; i < t->NumAccess; ++i)
 		{
 			ACCESS *a = &t->Accesses[i];

@@ -6686,14 +6612,10 @@ UINT StSetAccessList(ADMIN *a, RPC_ENUM_ACCESS_LIST *t)
 		h->CurrentVersion++;
 		SiHubUpdateProc(h);
 	}
-	else
-	{
-		UnlockList(h->AccessList);
-	}

 	ReleaseHub(h);

-	return ret;
+	return ERR_NO_ERROR;
 }

 // Add access list entry
@@ -7420,6 +7342,7 @@ UINT StGetLink(ADMIN *a, RPC_CREATE_LINK *t)
 		Copy(&t->Policy, k->Policy, sizeof(POLICY));

 		t->CheckServerCert = k->CheckServerCert;
+		t->AddDefaultCA = k->AddDefaultCA;
 		t->ServerCert = CloneX(k->ServerCert);
 	}
 	Unlock(k->lock);
@@ -7524,7 +7447,7 @@ UINT StSetLink(ADMIN *a, RPC_CREATE_LINK *t)

 		if (t->Policy.Ver3 == false)
 		{
-			Copy(k->Policy, &t->Policy, sizeof(UINT) * NUM_POLICY_ITEM_FOR_VER2);
+			Copy(k->Policy, &t->Policy, policy_item[NUM_POLICY_ITEM_FOR_VER2].Offset);
 		}
 		else
 		{
@@ -7535,6 +7458,7 @@ UINT StSetLink(ADMIN *a, RPC_CREATE_LINK *t)
 		k->Option->RequireMonitorMode = false;	// Disable monitor mode

 		k->CheckServerCert = t->CheckServerCert;
+		k->AddDefaultCA = t->AddDefaultCA;
 		k->ServerCert = CloneX(t->ServerCert);
 	}
 	Unlock(k->lock);
@@ -7631,6 +7555,7 @@ UINT StCreateLink(ADMIN *a, RPC_CREATE_LINK *t)
 		// setting of verifying server certification
 		// 
 		k->CheckServerCert = t->CheckServerCert;
+		k->AddDefaultCA = t->AddDefaultCA;
 		k->ServerCert = CloneX(t->ServerCert);

 		// stay this off-line
@@ -7847,11 +7772,6 @@ UINT StAddCa(ADMIN *a, RPC_HUB_ADD_CA *t)
 		return ERR_INVALID_PARAMETER;
 	}

-	if (t->Cert->is_compatible_bit == false)
-	{
-		return ERR_NOT_RSA_1024;
-	}
-
 	CHECK_RIGHT;

 	LockHubList(c);
@@ -9516,11 +9436,6 @@ UINT StSetServerCert(ADMIN *a, RPC_KEY_PAIR *t)
 		return ERR_PROTOCOL_ERROR;
 	}

-	if (t->Cert->is_compatible_bit == false)
-	{
-		return ERR_NOT_RSA_1024;
-	}
-
 	if (CheckXandK(t->Cert, t->Key) == false)
 	{
 		return ERR_PROTOCOL_ERROR;
@@ -9535,7 +9450,7 @@ UINT StSetServerCert(ADMIN *a, RPC_KEY_PAIR *t)
 		}
 	}

-	SetCedarCert(c, t->Cert, t->Key);
+	SetCedarCertAndChain(c, t->Cert, t->Key, t->Chain);

 	ALog(a, NULL, "LA_SET_SERVER_CERT");

@@ -10143,8 +10058,7 @@ UINT StSetPortsUDP(ADMIN *a, RPC_PORTS *t)

 	LockList(server_ports);
 	{
-		char tmp[MAX_SIZE];
-		wchar_t str[MAX_SIZE];
+		char str[MAX_SIZE];

 		for (i = 0; i < LIST_NUM(server_ports); ++i)
 		{
@@ -10160,8 +10074,7 @@ UINT StSetPortsUDP(ADMIN *a, RPC_PORTS *t)

 		ProtoSetUdpPorts(a->Server->Proto, server_ports);

-		IntListToStr(tmp, sizeof(tmp), server_ports, ", ");
-		StrToUni(str, sizeof(str), tmp);
+		IntListToStr(str, sizeof(str), server_ports, ", ");
 		ALog(a, NULL, "LA_SET_PORTS_UDP", str);
 	}
 	UnlockList(server_ports);
@@ -13717,6 +13630,7 @@ void InRpcCreateLink(RPC_CREATE_LINK *t, PACK *p)
 	InRpcPolicy(&t->Policy, p);

 	t->CheckServerCert = PackGetBool(p, "CheckServerCert");
+	t->AddDefaultCA = PackGetBool(p, "AddDefaultCA");
 	b = PackGetBuf(p, "ServerCert");
 	if (b != NULL)
 	{
@@ -13739,6 +13653,7 @@ void OutRpcCreateLink(PACK *p, RPC_CREATE_LINK *t)
 	OutRpcPolicy(p, &t->Policy);

 	PackAddBool(p, "CheckServerCert", t->CheckServerCert);
+	PackAddBool(p, "AddDefaultCA", t->AddDefaultCA);
 	if (t->ServerCert != NULL)
 	{
 		BUF *b;
@@ -13784,12 +13699,14 @@ void InRpcEnumLink(RPC_ENUM_LINK *t, PACK *p)

 		PackGetUniStrEx(p, "AccountName", e->AccountName, sizeof(e->AccountName), i);
 		PackGetStrEx(p, "Hostname", e->Hostname, sizeof(e->Hostname), i);
-		PackGetStrEx(p, "ConnectedHubName", e->HubName, sizeof(e->HubName), i);
+		if (PackGetStrEx(p, "ConnectedHubName", e->HubName, sizeof(e->HubName), i) == false)
+		{
+			PackGetStrEx(p, "TargetHubName", e->HubName, sizeof(e->HubName), i);
+		}
 		e->Online = PackGetBoolEx(p, "Online", i);
 		e->ConnectedTime = PackGetInt64Ex(p, "ConnectedTime", i);
 		e->Connected = PackGetBoolEx(p, "Connected", i);
 		e->LastError = PackGetIntEx(p, "LastError", i);
-		PackGetStrEx(p, "LinkHubName", e->HubName, sizeof(e->HubName), i);
 	}
 }
 void OutRpcEnumLink(PACK *p, RPC_ENUM_LINK *t)
@@ -14637,6 +14554,7 @@ void InRpcKeyPair(RPC_KEY_PAIR *t, PACK *p)
 	}

 	t->Cert = PackGetX(p, "Cert");
+	t->Chain = PackGetXList(p, "Chain");
 	t->Key = PackGetK(p, "Key");
 	t->Flag1 = PackGetInt(p, "Flag1");
 }
@@ -14649,12 +14567,14 @@ void OutRpcKeyPair(PACK *p, RPC_KEY_PAIR *t)
 	}

 	PackAddX(p, "Cert", t->Cert);
+	PackAddXList(p, "Chain", t->Chain);
 	PackAddK(p, "Key", t->Key);
 	PackAddInt(p, "Flag1", t->Flag1);
 }
 void FreeRpcKeyPair(RPC_KEY_PAIR *t)
 {
 	FreeX(t->Cert);
+	FreeXList(t->Chain);
 	FreeK(t->Key);
 }

@@ -14737,19 +14657,19 @@ void InRpcNodeInfo(NODE_INFO *t, PACK *p)
 	PackGetStr(p, "HubName", t->HubName, sizeof(t->HubName));
 	PackGetData2(p, "UniqueId", t->UniqueId, sizeof(t->UniqueId));

-	t->ClientProductVer = PackGetInt(p, "ClientProductVer");
-	t->ClientProductBuild = PackGetInt(p, "ClientProductBuild");
-	t->ServerProductVer = PackGetInt(p, "ServerProductVer");
-	t->ServerProductBuild = PackGetInt(p, "ServerProductBuild");
+	t->ClientProductVer = LittleEndian32(PackGetInt(p, "ClientProductVer"));
+	t->ClientProductBuild = LittleEndian32(PackGetInt(p, "ClientProductBuild"));
+	t->ServerProductVer = LittleEndian32(PackGetInt(p, "ServerProductVer"));
+	t->ServerProductBuild = LittleEndian32(PackGetInt(p, "ServerProductBuild"));
 	t->ClientIpAddress = PackGetIp32(p, "ClientIpAddress");
 	PackGetData2(p, "ClientIpAddress6", t->ClientIpAddress6, sizeof(t->ClientIpAddress6));
-	t->ClientPort = PackGetInt(p, "ClientPort");
+	t->ClientPort = LittleEndian32(PackGetInt(p, "ClientPort"));
 	t->ServerIpAddress = PackGetIp32(p, "ServerIpAddress");
 	PackGetData2(p, "ServerIpAddress6", t->ServerIpAddress6, sizeof(t->ServerIpAddress6));
-	t->ServerPort = PackGetInt(p, "ServerPort2");
+	t->ServerPort = LittleEndian32(PackGetInt(p, "ServerPort2"));
 	t->ProxyIpAddress = PackGetIp32(p, "ProxyIpAddress");
 	PackGetData2(p, "ProxyIpAddress6", t->ProxyIpAddress6, sizeof(t->ProxyIpAddress6));
-	t->ProxyPort = PackGetInt(p, "ProxyPort");
+	t->ProxyPort = LittleEndian32(PackGetInt(p, "ProxyPort"));
 }
 void OutRpcNodeInfo(PACK *p, NODE_INFO *t)
 {
@@ -14770,19 +14690,19 @@ void OutRpcNodeInfo(PACK *p, NODE_INFO *t)
 	PackAddStr(p, "HubName", t->HubName);
 	PackAddData(p, "UniqueId", t->UniqueId, sizeof(t->UniqueId));

-	PackAddInt(p, "ClientProductVer", t->ClientProductVer);
-	PackAddInt(p, "ClientProductBuild", t->ClientProductBuild);
-	PackAddInt(p, "ServerProductVer", t->ServerProductVer);
-	PackAddInt(p, "ServerProductBuild", t->ServerProductBuild);
+	PackAddInt(p, "ClientProductVer", LittleEndian32(t->ClientProductVer));
+	PackAddInt(p, "ClientProductBuild", LittleEndian32(t->ClientProductBuild));
+	PackAddInt(p, "ServerProductVer", LittleEndian32(t->ServerProductVer));
+	PackAddInt(p, "ServerProductBuild", LittleEndian32(t->ServerProductBuild));
 	PackAddIp32(p, "ClientIpAddress", t->ClientIpAddress);
 	PackAddData(p, "ClientIpAddress6", t->ClientIpAddress6, sizeof(t->ClientIpAddress6));
-	PackAddInt(p, "ClientPort", t->ClientPort);
+	PackAddInt(p, "ClientPort", LittleEndian32(t->ClientPort));
 	PackAddIp32(p, "ServerIpAddress", t->ServerIpAddress);
 	PackAddData(p, "ServerIpAddress6", t->ServerIpAddress6, sizeof(t->ServerIpAddress6));
-	PackAddInt(p, "ServerPort2", t->ServerPort);
+	PackAddInt(p, "ServerPort2", LittleEndian32(t->ServerPort));
 	PackAddIp32(p, "ProxyIpAddress", t->ProxyIpAddress);
 	PackAddData(p, "ProxyIpAddress6", t->ProxyIpAddress6, sizeof(t->ProxyIpAddress6));
-	PackAddInt(p, "ProxyPort", t->ProxyPort);
+	PackAddInt(p, "ProxyPort", LittleEndian32(t->ProxyPort));
 }

 // RPC_SESSION_STATUS
@@ -230,6 +230,7 @@ struct RPC_FARM_CONNECTION_STATUS
 struct RPC_KEY_PAIR
 {
 	X *Cert;							// Certificate
+	LIST *Chain;						// Trust chain
 	K *Key;								// Secret key
 	UINT Flag1;							// Flag1
 };
@@ -435,6 +436,7 @@ struct RPC_CREATE_LINK
 	CLIENT_AUTH *ClientAuth;			// Client authentication data
 	POLICY Policy;						// Policy
 	bool CheckServerCert;				// Validate the server certificate
+	bool AddDefaultCA;					// Use default trust store
 	X *ServerCert;						// Server certificate
 };

@@ -9,6 +9,7 @@

 #include "Cedar.h"
 #include "Command.h"
+#include "Logging.h"
 #include "Wpc.h"

 #include "Mayaqua/Encrypt.h"
@@ -19,6 +20,7 @@
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Pack.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Table.h"
 #include "Mayaqua/Tick64.h"

 #include <stdlib.h>
@@ -80,6 +82,9 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 						{
 							SOCK *ns;
 							Debug("Connect Request from %r:%u\n", &client_ip, client_port);
+							char ipstr[128];
+							IPToStr(ipstr, sizeof(ipstr), &client_ip);
+							SLog(ac->Cedar, "LS_AZURE_START", ipstr, client_port);

 							// Create new socket and connect VPN Azure Server
 							if (ac->DDnsStatusCopy.InternetSetting.ProxyType == PROXY_DIRECT)
@@ -103,7 +108,10 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)

 								SetTimeout(ns, param->DataTimeout);

-								if (StartSSLEx(ns, NULL, NULL, 0, NULL))
+								UINT ssl_err = 0;
+								Copy(&ns->SslAcceptSettings, &ac->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
+
+								if (StartSSLEx3(ns, NULL, NULL, NULL, 0, NULL, NULL, &ssl_err))
 								{
 									// Check certification
 									char server_cert_hash_str[MAX_SIZE];
@@ -157,6 +165,13 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
 										}
 									}
 								}
+								else
+								{
+									if (ssl_err != 0)
+									{
+										SLog(ac->Cedar, "LS_AZURE_SSL_ERROR", GetUniErrorStr(ssl_err), ssl_err);
+									}
+								}

 								ReleaseSock(ns);
 							}
@@ -29,11 +29,13 @@
 #include <sys/ioctl.h>
 #include <sys/stat.h>

-#ifndef UNIX_OPENBSD
+#if !defined(UNIX_OPENBSD) && !defined(UNIX_SOLARIS)
 #include <net/ethernet.h>
 #endif

 #ifdef UNIX_SOLARIS
+#include <stropts.h>
+#include <sys/dlpi.h>
 #include <sys/sockio.h>
 #endif

@@ -49,7 +51,7 @@
 #endif

 #ifdef UNIX_LINUX
-#include <linux/if_packet.h>
+#include <netpacket/packet.h>

 struct my_tpacket_auxdata
 {
@@ -319,7 +321,7 @@ TOKEN_LIST *GetEthListLinux(bool enum_normal, bool enum_rawip)
 					{
 						if (IsInListStr(o, name) == false)
 						{
-							if (StartWith(name, "tap_") == false)
+							if (StartWith(name, UNIX_VLAN_BRIDGE_IFACE_PREFIX"_") == false)
 							{
 								Add(o, CopyStr(name));
 							}
@@ -504,7 +506,7 @@ ETH *OpenEthLinux(char *name, bool local, bool tapmode, char *tapaddr)
 	{
 #ifndef	NO_VLAN
 		// In tap mode
-		VLAN *v = NewTap(name, tapaddr, true);
+		VLAN *v = NewBridgeTap(name, tapaddr, true);
 		if (v == NULL)
 		{
 			return NULL;
@@ -803,7 +805,12 @@ bool EthIsChangeMtuSupported(ETH *e)
 		return false;
 	}

+// FreeBSD seriously dislikes MTU changes; disable if compiled on that platform
+#ifndef	__FreeBSD__
 	return true;
+#else
+	return false;
+#endif
 #else	// defined(UNIX_LINUX) || defined(UNIX_BSD) || defined(UNIX_SOLARIS)
 	return false;
 #endif	// defined(UNIX_LINUX) || defined(UNIX_BSD) || defined(UNIX_SOLARIS)
@@ -1397,7 +1404,7 @@ ETH *OpenEthBSD(char *name, bool local, bool tapmode, char *tapaddr)
 	{
 #ifndef	NO_VLAN
 		// In tap mode
-		VLAN *v = NewTap(name, tapaddr, true);
+		VLAN *v = NewBridgeTap(name, tapaddr, true);
 		if (v == NULL)
 		{
 			return NULL;
@@ -1414,7 +1421,7 @@ ETH *OpenEthBSD(char *name, bool local, bool tapmode, char *tapaddr)

 		return e;
 #else	// NO_VLAN
-return NULL:
+	return NULL;
 #endif	// NO_VLAN
 	}

@@ -1473,7 +1480,7 @@ void CloseEth(ETH *e)
 	if (e->Tap != NULL)
 	{
 #ifndef	NO_VLAN
-		FreeTap(e->Tap);
+		FreeBridgeTap(e->Tap);
 #endif	// NO_VLAN
 	}

@@ -410,7 +410,7 @@ void CmEasyDlgOnKey(HWND hWnd, CM_EASY_DLG *d, bool ctrl, bool alt, UINT key)
 			break;
 		case 'O':
 			// Option settings
-			Command(hWnd, CMD_TRAFFIC);
+			Command(hWnd, CMD_OPTION);
 			break;
 		case 'R':
 			// Certificate management
@@ -4251,9 +4251,6 @@ UINT CmMainWindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *p
 	case WM_TIMER:
 		switch (wParam)
 		{
-		case 1:
-			CmSetForegroundProcessToCnService();
-			break;
 		case 2:
 			CmPollingTray(hWnd);
 			break;
@@ -5019,7 +5016,7 @@ void CmOnKey(HWND hWnd, bool ctrl, bool alt, UINT key)
 			break;
 		case 'O':
 			// Option settings
-			Command(hWnd, CMD_TRAFFIC);
+			Command(hWnd, CMD_OPTION);
 			break;
 		case 'R':
 			// Certificate management
@@ -5450,8 +5447,6 @@ void CmMainWindowOnCommandEx(HWND hWnd, WPARAM wParam, LPARAM lParam, bool easy)
 			CmStopUacHelper(helper);

 			Free(name);
-
-			CmRefresh(hWnd);
 		}
 		break;
 	case CMD_DELETE_VLAN:
@@ -5480,8 +5475,6 @@ void CmMainWindowOnCommandEx(HWND hWnd, WPARAM wParam, LPARAM lParam, bool easy)
 				}
 				Free(s);
 			}
-
-			CmRefresh(hWnd);
 		}
 		break;
 	case CMD_ENABLE_VLAN:
@@ -5501,8 +5494,6 @@ void CmMainWindowOnCommandEx(HWND hWnd, WPARAM wParam, LPARAM lParam, bool easy)
 					CALL(hWnd, CcEnableVLan(cm->Client, &c));
 				}
 				Free(s);
-
-				CmRefresh(hWnd);
 			}
 		}
 		break;
@@ -5523,8 +5514,6 @@ void CmMainWindowOnCommandEx(HWND hWnd, WPARAM wParam, LPARAM lParam, bool easy)
 					CALL(hWnd, CcDisableVLan(cm->Client, &c));
 				}
 				Free(s);
-
-				CmRefresh(hWnd);
 			}
 		}
 		break;
@@ -5560,8 +5549,6 @@ void CmMainWindowOnCommandEx(HWND hWnd, WPARAM wParam, LPARAM lParam, bool easy)
 					CmStopUacHelper(helper);
 				}
 				Free(s);
-
-				CmRefresh(hWnd);
 			}
 		}
 		break;
@@ -6032,6 +6019,7 @@ void CmExportAccount(HWND hWnd, wchar_t *account_name)
 		t.StartupAccount = a->Startup;
 		t.CheckServerCert = a->CheckServerCert;
 		t.RetryOnServerCert = a->RetryOnServerCert;
+		t.AddDefaultCA = a->AddDefaultCA;
 		t.ServerCert = a->ServerCert;
 		t.ClientOption->FromAdminPack = false;

@@ -6162,6 +6150,8 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite)
 					t->ClientOption->RequireMonitorMode = old_option->RequireMonitorMode;
 					t->ClientOption->RequireBridgeRoutingMode = old_option->RequireBridgeRoutingMode;
 					t->ClientOption->DisableQoS = old_option->DisableQoS;
+					t->ClientOption->BindLocalIP = old_option->BindLocalIP;// Source IP address for outgoing connection
+					t->ClientOption->BindLocalPort = old_option->BindLocalPort;// Source port number for outgoing connection

 					// Inherit the authentication data
 					CiFreeClientAuth(t->ClientAuth);
@@ -6171,6 +6161,7 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite)
 					t->StartupAccount = get.StartupAccount;
 					t->CheckServerCert = get.CheckServerCert;
 					t->RetryOnServerCert = get.RetryOnServerCert;
+					t->AddDefaultCA = get.AddDefaultCA;
 					if (t->ServerCert != NULL)
 					{
 						FreeX(t->ServerCert);
@@ -6280,6 +6271,7 @@ void CmCopyAccount(HWND hWnd, wchar_t *account_name)
 	}
 	c.CheckServerCert = a->CheckServerCert;
 	c.RetryOnServerCert = a->RetryOnServerCert;
+	c.AddDefaultCA = a->AddDefaultCA;
 	c.StartupAccount = false;		// Don't copy the startup attribute

 	CALL(hWnd, CcCreateAccount(cm->Client, &c));
@@ -6466,9 +6458,55 @@ void CmDetailDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
 		Disable(hWnd, R_BRIDGE);
 		Disable(hWnd, R_MONITOR);
 		Disable(hWnd, R_NO_ROUTING);
+#if TYPE_BINDLOCALIP
+		Disable(hWnd, E_BIND_LOCALIP);// Source IP address for outgoing connection
+		Disable(hWnd, E_BIND_LOCALPORT);// Source port number for outgoing connection
+#endif
+
 	}
 }

+#if TYPE_BINDLOCALIP
+// Set the value of the IP type
+void SetIp(HWND hWnd, UINT id, IP* ip)
+{
+	char tmp[MAX_SIZE];
+	// Validate arguments
+	if (hWnd == NULL || ip == NULL)
+	{
+		return;
+	}
+
+	IPToStr(tmp, sizeof(tmp), ip);
+	SetTextA(hWnd, id, tmp);
+}
+
+// Get an IP address
+bool GetIp(HWND hWnd, UINT id, IP* ip)
+{
+	char tmp[MAX_SIZE];
+	// Validate arguments
+	if (hWnd == NULL || ip == NULL)
+	{
+		return false;
+	}
+
+	Zero(ip, sizeof(IP));
+
+	if (GetTxtA(hWnd, id, tmp, sizeof(tmp)) == false)
+	{
+		return false;
+	}
+
+	if (StrToIP(ip, tmp) == false)
+	{
+		return false;
+	}
+
+	return true;
+}
+#endif
+
 // Advanced Settings dialog procedure
 UINT CmDetailDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param)
 {
@@ -6505,6 +6543,11 @@ UINT CmDetailDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *pa
 		Check(hWnd, R_NO_ROUTING, a->ClientOption->NoRoutingTracking);
 		Check(hWnd, R_DISABLE_QOS, a->ClientOption->DisableQoS);
 		Check(hWnd, R_DISABLE_UDP, a->ClientOption->NoUdpAcceleration);
+#if TYPE_BINDLOCALIP
+		SetIp(hWnd, E_BIND_LOCALIP, &a->ClientOption->BindLocalIP);// Source IP address for outgoing connection
+		SetIntEx(hWnd, E_BIND_LOCALPORT, a->ClientOption->BindLocalPort);// Source port number for outgoing connection
+		//Disable(hWnd, E_BIND_LOCALPORT);	// You can not edit
+#endif

 		// Select the Connection Mode
 		if (a->LinkMode == false)
@@ -6552,6 +6595,20 @@ UINT CmDetailDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *pa
 				Focus(hWnd, E_INTERVAL);
 				break;
 			}
+#if TYPE_BINDLOCALIP
+			// Source IP address for outgoing connection
+			IP tmpIP;
+			if (GetIp(hWnd, E_BIND_LOCALIP, &tmpIP) == false)
+			{
+				FocusEx(hWnd, E_BIND_LOCALIP);
+				break;
+			}
+			// Source port number for outgoing connection
+			if ((GetInt(hWnd, E_BIND_LOCALPORT) < 0) || (GetInt(hWnd, E_BIND_LOCALPORT) > 65535)){
+				FocusEx(hWnd, E_BIND_LOCALPORT);
+				break;
+			}
+#endif

 			a->ClientOption->MaxConnection = num;
 			a->ClientOption->AdditionalConnectionInterval = GetInt(hWnd, E_INTERVAL);
@@ -6569,6 +6626,10 @@ UINT CmDetailDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *pa
 			a->ClientOption->NoRoutingTracking = IsChecked(hWnd, R_NO_ROUTING);
 			a->ClientOption->DisableQoS = IsChecked(hWnd, R_DISABLE_QOS);
 			a->ClientOption->NoUdpAcceleration = IsChecked(hWnd, R_DISABLE_UDP);
+#if TYPE_BINDLOCALIP
+			a->ClientOption->BindLocalIP = tmpIP;// Source IP address for outgoing connection
+			a->ClientOption->BindLocalPort = GetInt(hWnd, E_BIND_LOCALPORT);// Source port number for outgoing connection
+#endif

 			if (a->LinkMode)
 			{
@@ -6659,6 +6720,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
 	// Host name
 	GetTxtA(hWnd, E_HOSTNAME, a->ClientOption->Hostname, sizeof(a->ClientOption->Hostname));
 	Trim(a->ClientOption->Hostname);
+	a->ClientOption->HintStr[0] = 0;

 	if (InStr(a->ClientOption->Hostname, "/tcp"))
 	{
@@ -6695,9 +6757,13 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
 	// To validate the server certificate
 	a->CheckServerCert = IsChecked(hWnd, R_CHECK_CERT);

+	// Trust default CA list
+	a->AddDefaultCA = IsChecked(hWnd, R_TRUST_DEFAULT);
+
 	if (a->NatMode)
 	{
 		Disable(hWnd, R_CHECK_CERT);
+		Disable(hWnd, R_TRUST_DEFAULT);
 		Disable(hWnd, B_TRUST);
 	}

@@ -7040,6 +7106,7 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
 		SetEnable(hWnd, S_STATIC7, false);
 		SetEnable(hWnd, S_STATIC11, false);
 		SetEnable(hWnd, R_CHECK_CERT, false);
+		SetEnable(hWnd, R_TRUST_DEFAULT, false);
 		SetEnable(hWnd, B_TRUST, false);
 		SetEnable(hWnd, B_SERVER_CERT, false);
 		SetEnable(hWnd, B_VIEW_SERVER_CERT, false);
@@ -7101,10 +7168,17 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a)
 	SetText(hWnd, E_ACCOUNT_NAME, a->ClientOption->AccountName);

 	// Host name
-	SetTextA(hWnd, E_HOSTNAME, a->ClientOption->Hostname);
-	StrCpy(a->old_server_name, sizeof(a->old_server_name), a->ClientOption->Hostname);
+	char hostname[MAX_SIZE];
+	StrCpy(hostname, sizeof(hostname), a->ClientOption->Hostname);
+	if (IsEmptyStr(a->ClientOption->HintStr) == false)
+	{
+		StrCat(hostname, sizeof(hostname), "/");
+		StrCat(hostname, sizeof(hostname), a->ClientOption->HintStr);
+	}
+	SetTextA(hWnd, E_HOSTNAME, hostname);
+	StrCpy(a->old_server_name, sizeof(a->old_server_name), hostname);

-	if (InStr(a->ClientOption->Hostname, "/tcp"))
+	if (InStr(hostname, "/tcp"))
 	{
 		Check(hWnd, R_DISABLE_NATT, true);
 	}
@@ -7134,6 +7208,9 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a)
 	// Verify the server certificate
 	Check(hWnd, R_CHECK_CERT, a->CheckServerCert);

+	// Trust default CA list
+	Check(hWnd, R_TRUST_DEFAULT, a->AddDefaultCA);
+
 	// LAN card list
 	if (a->NatMode == false && a->LinkMode == false)
 	{
@@ -7366,6 +7443,7 @@ UINT CmEditAccountDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, voi
 		case R_HTTPS:
 		case R_SOCKS:
 		case R_CHECK_CERT:
+		case R_TRUST_DEFAULT:
 		case C_TYPE:
 		case E_USERNAME:
 		case E_PASSWORD:
@@ -8463,6 +8541,11 @@ bool CmLoadKExW(HWND hWnd, K **k, wchar_t *filename, UINT size)

 // Read a set of certificate and private key
 bool CmLoadXAndK(HWND hWnd, X **x, K **k)
+{
+	return CmLoadXListAndK(hWnd, x, k, NULL);
+}
+// Read a set of certificate and private key and trust chain
+bool CmLoadXListAndK(HWND hWnd, X **x, K **k, LIST **cc)
 {
 	wchar_t *s;
 	bool is_p12;
@@ -8510,7 +8593,7 @@ START_FIRST:
 		}
 		if (IsEncryptedP12(p12) == false)
 		{
-			if (ParseP12(p12, x, k, NULL) == false)
+			if (ParseP12Ex(p12, x, k, cc, NULL) == false)
 			{
 				MsgBoxEx(hWnd, MB_ICONSTOP, _UU("DLG_BAD_P12_W"), tmp);
 				FreeP12(p12);
@@ -8529,7 +8612,7 @@ START_FIRST:
 			}
 			else
 			{
-				if (ParseP12(p12, x, k, password) == false)
+				if (ParseP12Ex(p12, x, k, cc, password) == false)
 				{
 					MsgBoxEx(hWnd, MB_ICONSTOP, _UU("DLG_BAD_P12_W"), tmp);
 					FreeP12(p12);
@@ -8542,6 +8625,10 @@ START_FIRST:
 		{
 			FreeX(*x);
 			FreeK(*k);
+			if (cc != NULL)
+			{
+				FreeXList(*cc);
+			}
 			FreeP12(p12);
 			FreeBuf(b);
 			if (MsgBox(hWnd, MB_ICONEXCLAMATION | MB_RETRYCANCEL, _UU("DLG_BAD_SIGNATURE")) == IDRETRY)
@@ -8550,6 +8637,11 @@ START_FIRST:
 			}
 			return false;
 		}
+		if (cc != NULL && LIST_NUM(*cc) == 0)
+		{
+			ReleaseList(*cc);
+			*cc = NULL;
+		}
 		FreeP12(p12);
 		FreeBuf(b);
 		return true;
@@ -8558,19 +8650,40 @@ START_FIRST:
 	{
 		// Processing of X509
 		BUF *b = ReadDumpW(tmp);
-		X *x509;
+		X *x509 = NULL;
 		K *key;
+		LIST *chain = NULL;
 		if (b == NULL)
 		{
 			MsgBoxEx(hWnd, MB_ICONSTOP, _UU("DLG_OPEN_FILE_ERROR_W"), tmp);
 			return false;
 		}

+		// DER-encoded X509 files can't hold multiple certificates
+		if (cc == NULL || IsBase64(b) == false)
+		{
 			x509 = BufToX(b, IsBase64(b));
+		}
+		else
+		{
+			chain = BufToXList(b, true);
+			if (LIST_NUM(chain) > 0)
+			{
+				x509 = LIST_DATA(chain, 0);
+				Delete(chain, x509);
+
+				if (LIST_NUM(chain) == 0)
+				{
+					ReleaseList(chain);
+					chain = NULL;
+				}
+			}
+		}
 		FreeBuf(b);
 		if (x509 == NULL)
 		{
 			MsgBoxEx(hWnd, MB_ICONSTOP, _UU("DLG_BAD_X509_W"), tmp);
+			FreeXList(chain);
 			return false;
 		}

@@ -8579,6 +8692,7 @@ START_FIRST:
 		if (s == NULL)
 		{
 			FreeX(x509);
+			FreeXList(chain);
 			return false;
 		}
 		UniStrCpy(tmp, sizeof(tmp), s);
@@ -8589,6 +8703,7 @@ START_FIRST:
 		{
 			MsgBoxEx(hWnd, MB_ICONSTOP, _UU("DLG_OPEN_FILE_ERROR_W"), tmp);
 			FreeX(x509);
+			FreeXList(chain);
 			return false;
 		}

@@ -8603,6 +8718,7 @@ START_FIRST:
 			{
 				FreeBuf(b);
 				FreeX(x509);
+				FreeXList(chain);
 				return false;
 			}
 			key = BufToK(b, true, IsBase64(b), pass);
@@ -8612,6 +8728,7 @@ START_FIRST:
 		{
 			FreeBuf(b);
 			FreeX(x509);
+			FreeXList(chain);
 			MsgBoxEx(hWnd, MB_ICONSTOP, _UU("DLG_BAD_KEY_W"), tmp);
 			return false;
 		}
@@ -8621,6 +8738,7 @@ START_FIRST:
 			FreeBuf(b);
 			FreeX(x509);
 			FreeK(key);
+			FreeXList(chain);
 			if (MsgBox(hWnd, MB_ICONEXCLAMATION | MB_RETRYCANCEL, _UU("DLG_BAD_SIGNATURE")) == IDRETRY)
 			{
 				goto START_FIRST;
@@ -8631,6 +8749,10 @@ START_FIRST:
 		FreeBuf(b);
 		*x = x509;
 		*k = key;
+		if (cc != NULL)
+		{
+			*cc = chain;
+		}
 		return true;
 	}
 }
@@ -8728,6 +8850,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a)
 		Copy(c.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION));
 		c.ClientAuth = CopyClientAuth(a->ClientAuth);
 		c.CheckServerCert = a->CheckServerCert;
+		c.AddDefaultCA = a->AddDefaultCA;
 		if (a->ServerCert != NULL)
 		{
 			c.ServerCert = CloneX(a->ServerCert);
@@ -8781,6 +8904,7 @@ void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a)
 			Copy(t.ClientOption, a->ClientOption, sizeof(CLIENT_OPTION));
 			t.ClientAuth = CopyClientAuth(a->ClientAuth);
 			t.CheckServerCert = a->CheckServerCert;
+			t.AddDefaultCA = a->AddDefaultCA;
 			t.ServerCert = CloneX(a->ServerCert);

 			// Save the settings for cascade connection
@@ -8973,6 +9097,7 @@ CM_ACCOUNT *CmGetExistAccountObject(HWND hWnd, wchar_t *account_name)
 	a->EditMode = true;
 	a->CheckServerCert = c.CheckServerCert;
 	a->RetryOnServerCert = c.RetryOnServerCert;
+	a->AddDefaultCA = c.AddDefaultCA;
 	a->Startup = c.StartupAccount;
 	if (c.ServerCert != NULL)
 	{
@@ -9003,6 +9128,7 @@ CM_ACCOUNT *CmCreateNewAccountObject(HWND hWnd)
 	a->EditMode = false;
 	a->CheckServerCert = false;
 	a->RetryOnServerCert = false;
+	a->AddDefaultCA = false;
 	a->Startup = false;
 	a->ClientOption = ZeroMalloc(sizeof(CLIENT_OPTION));

@@ -9518,7 +9644,11 @@ void CmPrintStatusToListViewEx(LVB *b, RPC_CLIENT_GET_CONNECTION_STATUS *s, bool
 		}
 		else
 		{
-			if (StrLen(s->CipherName) != 0)
+			if (StrLen(s->CipherName) != 0 && StrLen(s->ProtocolName) != 0)
+			{
+				UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE3"), s->ProtocolName, s->CipherName);
+			}
+			else if (StrLen(s->CipherName) != 0)
 			{
 				UniFormat(tmp, sizeof(tmp), _UU("CM_ST_USE_ENCRYPT_TRUE"), s->CipherName);
 			}
@@ -10410,7 +10540,7 @@ void CmRefreshAccountListEx2(HWND hWnd, bool easy, bool style_changed)
 	UINT num = 0;
 	RPC_CLIENT_ENUM_ACCOUNT a;
 	UINT num_connecting = 0, num_connected = 0;
-	wchar_t tmp[MAX_SIZE];
+	wchar_t tooltip[MAX_SIZE];
 	wchar_t new_inserted_item[MAX_ACCOUNT_NAME_LEN + 1];
 	bool select_new_inserted_item = true;
 	// Validate arguments
@@ -10464,6 +10594,8 @@ void CmRefreshAccountListEx2(HWND hWnd, bool easy, bool style_changed)
 		select_new_inserted_item = false;
 	}

+	UniStrCpy(tooltip, sizeof(tooltip), _UU("CM_TRAY_INITING"));
+
 	// Enumerate the account list
 	if (CALL(hWnd, CcEnumAccount(cm->Client, &a)))
 	{
@@ -10587,10 +10719,16 @@ void CmRefreshAccountListEx2(HWND hWnd, bool easy, bool style_changed)
 				if (t->Connected)
 				{
 					num_connected++;
+					UniStrCat(tooltip, sizeof(tooltip), L"\r\n"L"\r\n");
+					UniStrCat(tooltip, sizeof(tooltip), t->AccountName);
+					UniStrCat(tooltip, sizeof(tooltip), _UU("CM_TRAY_CONNECTED"));
 				}
 				else
 				{
 					num_connecting++;
+					UniStrCat(tooltip, sizeof(tooltip), L"\r\n"L"\r\n");
+					UniStrCat(tooltip, sizeof(tooltip), t->AccountName);
+					UniStrCat(tooltip, sizeof(tooltip), _UU("CM_TRAY_CONNECTING"));
 				}
 			}
 		}
@@ -10643,22 +10781,8 @@ void CmRefreshAccountListEx2(HWND hWnd, bool easy, bool style_changed)
 		if (num_connecting == 0 && num_connected == 0)
 		{
 			// There is no connecting or connected account
-			UniStrCpy(tmp, sizeof(tmp), _UU("CM_TRAY_NOT_CONNECTED"));
-		}
-		else if (num_connected == 0)
-		{
-			// There is only connecting account
-			UniFormat(tmp, sizeof(tmp), _UU("CM_TRAY_CONNECTED_1"), num_connecting);
-		}
-		else if (num_connecting == 0)
-		{
-			// There is only connected account
-			UniFormat(tmp, sizeof(tmp), _UU("CM_TRAY_CONNECTED_2"), num_connected);
-		}
-		else
-		{
-			// There are both
-			UniFormat(tmp, sizeof(tmp), _UU("CM_TRAY_CONNECTED_0"), num_connected, num_connecting);
+			UniStrCat(tooltip, sizeof(tooltip), L"\r\n");
+			UniStrCat(tooltip, sizeof(tooltip), _UU("CM_TRAY_NOT_CONNECTED"));
 		}

 		if (num_connecting == 0 && num_connected == 0)
@@ -10680,7 +10804,7 @@ void CmRefreshAccountListEx2(HWND hWnd, bool easy, bool style_changed)
 			}
 		}

-		CmChangeTrayString(hWnd, tmp);
+		CmChangeTrayString(hWnd, tooltip);
 	}

 	Refresh(hWnd);
@@ -11207,7 +11331,6 @@ void CmMainWindowOnInit(HWND hWnd)
 	CmInitNotifyClientThread();

 	// Timer setting
-	SetTimer(hWnd, 1, 128, NULL);
 	SetTimer(hWnd, 6, 5000, NULL);

 	// Initialize the task tray
@@ -11844,7 +11967,6 @@ bool LoginCM()
 	// Try to login with an empty password first
 	bool bad_pass, no_remote;
 	wchar_t server_name[MAX_SIZE];
-	RPC_CLIENT_VERSION a;

 RETRY:
 	if (cm->server_name != NULL)
@@ -11896,13 +12018,8 @@ RETRY:
 		}
 	}

-	Zero(&a, sizeof(a));
-	CcGetClientVersion(cm->Client, &a);
-	if (a.ClientBuildInt >= 5192)
-	{
 	cm->CmSettingSupported = true;
 	cm->CmEasyModeSupported = true;
-	}

 	return true;
 }
@@ -140,6 +140,7 @@ typedef struct CM_ACCOUNT
 	bool Startup;						// Startup account
 	bool CheckServerCert;				// Check the server certificate
 	bool RetryOnServerCert;				// Retry on invalid server certificate
+	bool AddDefaultCA;					// Use default trust store
 	X *ServerCert;						// Server certificate
 	char old_server_name[MAX_HOST_NAME_LEN + 1];	// Old server name
 	bool Inited;						// Initialization flag
@@ -409,6 +410,7 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a);
 void CmEditAccountDlgOnOk(HWND hWnd, CM_ACCOUNT *a);
 void CmEditAccountDlgStartEnumHub(HWND hWnd, CM_ACCOUNT *a);
 bool CmLoadXAndK(HWND hWnd, X **x, K **k);
+bool CmLoadXListAndK(HWND hWnd, X **x, K **k, LIST **cc);
 bool CmLoadKEx(HWND hWnd, K **k, char *filename, UINT size);
 bool CmLoadKExW(HWND hWnd, K **k, wchar_t *filename, UINT size);
 bool CmLoadXFromFileOrSecureCard(HWND hWnd, X **x);
@@ -19,6 +19,8 @@ set_target_properties(cedar
  RUNTIME_OUTPUT_DIRECTORY "${BUILD_DIRECTORY}"
 )

+target_link_libraries(cedar PUBLIC mayaqua)
+
 cmake_host_system_information(RESULT HAS_SSE2 QUERY HAS_SSE2)

 set(BLAKE2_SRC_PATH $<IF:$<BOOL:${HAS_SSE2}>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,${TOP_DIRECTORY}/3rdparty/BLAKE2/ref>)
@@ -27,6 +29,12 @@ set(BLAKE2_SRC $<IF:$<BOOL:${HAS_SSE2}>,${BLAKE2_SRC_PATH}/blake2s.c,${BLAKE2_SR
 target_include_directories(cedar PUBLIC ${BLAKE2_SRC_PATH})
 target_sources(cedar PRIVATE ${BLAKE2_SRC})

+if(HAS_SSE2)
+  # If SSE2 is enabled, a build failure occurs with MSVC because it doesn't define "__SSE2__".
+  # The fix consists in defining "HAVE_SSE2" manually, effectively overriding the check.
+  set_property(SOURCE ${BLAKE2_SRC} PROPERTY COMPILE_DEFINITIONS "HAVE_SSE2")
+endif()
+
 if(VCPKG_TARGET_TRIPLET)
  find_package(unofficial-sodium CONFIG REQUIRED)
  target_link_libraries(cedar PUBLIC unofficial-sodium::sodium)
@@ -93,6 +101,6 @@ if(UNIX)
  install(TARGETS cedar
    COMPONENT "common"
    DESTINATION "${CMAKE_INSTALL_LIBDIR}"
-    PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
  )
 endif()
@@ -322,6 +322,34 @@ void DecrementNoSsl(CEDAR *c, IP *ip, UINT num_dec)
 	UnlockList(c->NonSslList);
 }

+// Check whether the specified IP address is in Non-SSL connection list
+bool IsInNoSsl(CEDAR *c, IP *ip)
+{
+	bool ret = false;
+	// Validate arguments
+	if (c == NULL || ip == NULL)
+	{
+		return false;
+	}
+
+	LockList(c->NonSslList);
+	{
+		NON_SSL *n = SearchNoSslList(c, ip);
+
+		if (n != NULL)
+		{
+			if (n->EntryExpires > Tick64() && n->Count > NON_SSL_MIN_COUNT)
+			{
+				n->EntryExpires = Tick64() + (UINT64)NON_SSL_ENTRY_EXPIRES;
+				ret = true;
+			}
+		}
+	}
+	UnlockList(c->NonSslList);
+
+	return ret;
+}
+
 // Add new entry to Non-SSL connection list
 bool AddNoSsl(CEDAR *c, IP *ip)
 {
@@ -704,6 +732,47 @@ void DelConnection(CEDAR *cedar, CONNECTION *c)
 	UnlockList(cedar->ConnectionList);
 }

+// Get the number of unestablished connections
+UINT GetUnestablishedConnections(CEDAR *cedar)
+{
+	UINT i, ret;
+	// Validate arguments
+	if (cedar == NULL)
+	{
+		return 0;
+	}
+
+	ret = 0;
+
+	LockList(cedar->ConnectionList);
+	{
+		for (i = 0;i < LIST_NUM(cedar->ConnectionList);i++)
+		{
+			CONNECTION *c = LIST_DATA(cedar->ConnectionList, i);
+
+			switch (c->Type)
+			{
+			case CONNECTION_TYPE_CLIENT:
+			case CONNECTION_TYPE_INIT:
+			case CONNECTION_TYPE_LOGIN:
+			case CONNECTION_TYPE_ADDITIONAL:
+				switch (c->Status)
+				{
+				case CONNECTION_STATUS_ACCEPTED:
+				case CONNECTION_STATUS_NEGOTIATION:
+				case CONNECTION_STATUS_USERAUTH:
+					ret++;
+					break;
+				}
+				break;
+			}
+		}
+	}
+	UnlockList(cedar->ConnectionList);
+
+	return ret + Count(cedar->AcceptingSockets);
+}
+
 // Add connection to Cedar
 void AddConnection(CEDAR *cedar, CONNECTION *c)
 {
@@ -1157,6 +1226,10 @@ void CleanupCedar(CEDAR *c)
 	{
 		FreeK(c->ServerK);
 	}
+	if (c->ServerChain)
+	{
+		FreeXList(c->ServerChain);
+	}

 	if (c->CipherList)
 	{
@@ -1386,6 +1459,10 @@ void FreeNetSvcList(CEDAR *cedar)

 // Change certificate of Cedar
 void SetCedarCert(CEDAR *c, X *server_x, K *server_k)
+{
+	SetCedarCertAndChain(c, server_x, server_k, NULL);
+}
+void SetCedarCertAndChain(CEDAR *c, X *server_x, K *server_k, LIST *server_chain)
 {
 	// Validate arguments
 	if (server_x == NULL || server_k == NULL)
@@ -1405,8 +1482,14 @@ void SetCedarCert(CEDAR *c, X *server_x, K *server_k)
 			FreeK(c->ServerK);
 		}

+		if (c->ServerChain != NULL)
+		{
+			FreeXList(c->ServerChain);
+		}
+
 		c->ServerX = CloneX(server_x);
 		c->ServerK = CloneK(server_k);
+		c->ServerChain = CloneXList(server_chain);
 	}
 	Unlock(c->lock);
 }
@@ -1550,11 +1633,14 @@ CEDAR *NewCedar(X *server_x, K *server_k)
 #endif	// ALPHA_VERSION

 	ToStr(tmp2, c->Beta);
+	Format(tmp2, sizeof(tmp2), " %s %s ", beta_str, tmp2);

-	Format(tmp, sizeof(tmp), "Version %u.%02u Build %u %s %s (%s)",
+	Format(tmp, sizeof(tmp),
+		"Version %u.%02u Build %u"
+		"%s"    // Alpha, Beta, Release Candidate or nothing
+		"(%s)", // Language
 		CEDAR_VERSION_MAJOR, CEDAR_VERSION_MINOR, CEDAR_VERSION_BUILD,
-		c->Beta == 0 ? "" : beta_str,
-		c->Beta == 0 ? "" : tmp2,
+		c->Beta == 0 ? " " : tmp2,
 		_SS("LANGSTR"));
 	Trim(tmp);

@@ -366,6 +366,7 @@
 #define	AUTHTYPE_ROOTCERT				3			// Root certificate which is issued by trusted Certificate Authority
 #define	AUTHTYPE_RADIUS					4			// Radius authentication
 #define	AUTHTYPE_NT						5			// Windows NT authentication
+#define AUTHTYPE_EXTERNAL				96			// External authentication (completed)
 #define	AUTHTYPE_WIREGUARD_KEY			97			// WireGuard public key authentication
 #define	AUTHTYPE_OPENVPN_CERT    		98			// TLS client certificate authentication
 #define	AUTHTYPE_TICKET					99			// Ticket authentication
@@ -675,6 +676,9 @@
 // 
 //////////////////////////////////////////////////////////////////////

+#define	UNIX_VLAN_CLIENT_IFACE_PREFIX		"vpn"			// Prefix of UNIX virtual LAN card interface (used for client)
+#define	UNIX_VLAN_BRIDGE_IFACE_PREFIX		"tap"			// Prefix of UNIX virtual LAN card interface (used for bridge destination)
+
 #ifndef	UNIX_BSD
 #define	TAP_FILENAME_1				"/dev/net/tun"
 #define	TAP_FILENAME_2				"/dev/tun"
@@ -869,6 +873,10 @@
 #define	ERR_VPNGATE_INCLIENT_CANT_STOP	146	// Can not be stopped if operating within VPN Client mode
 #define	ERR_NOT_SUPPORTED_FUNCTION_ON_OPENSOURCE	147	// It is a feature that is not supported in the open source version
 #define	ERR_SUSPENDING					148	// System is suspending
+#define ERR_HOSTNAME_MISMATCH			149	// SSL hostname mismatch
+#define ERR_SSL_PROTOCOL_VERSION		150 // SSL version not supported
+#define ERR_SSL_SHARED_CIPHER			151 // Can't find common cipher
+#define ERR_SSL_HANDSHAKE				152 // Other SSL handshake error


 ////////////////////////////
@@ -930,6 +938,7 @@ struct CEDAR
 	COUNTER *ConnectionIncrement;	// Connection increment counter
 	X *ServerX;						// Server certificate
 	K *ServerK;						// Private key of the server certificate
+	LIST *ServerChain;				// Server trust chain
 	char UsernameHubSeparator;		// Character which separates the username from the hub name
 	char *CipherList;				// List of encryption algorithms
 	UINT Version;					// Version information
@@ -1000,6 +1009,7 @@ CEDAR *NewCedar(X *server_x, K *server_k);
 void CedarForceLink();
 void SetCedarVpnBridge(CEDAR *c);
 void SetCedarCert(CEDAR *c, X *server_x, K *server_k);
+void SetCedarCertAndChain(CEDAR *c, X *server_x, K *server_k, LIST *server_chain);
 void ReleaseCedar(CEDAR *c);
 void CleanupCedar(CEDAR *c);
 void StopCedar(CEDAR *c);
@@ -1012,6 +1022,7 @@ void DelHubEx(CEDAR *c, HUB *h, bool no_lock);
 void StopAllHub(CEDAR *c);
 void StopAllConnection(CEDAR *c);
 void AddConnection(CEDAR *cedar, CONNECTION *c);
+UINT GetUnestablishedConnections(CEDAR *cedar);
 void DelConnection(CEDAR *cedar, CONNECTION *c);
 void SetCedarCipherList(CEDAR *cedar, char *name);
 void InitCedar();
@@ -1036,6 +1047,7 @@ bool AddNoSsl(CEDAR *c, IP *ip);
 void DecrementNoSsl(CEDAR *c, IP *ip, UINT num_dec);
 void DeleteOldNoSsl(CEDAR *c);
 NON_SSL *SearchNoSslList(CEDAR *c, IP *ip);
+bool IsInNoSsl(CEDAR *c, IP *ip);
 void FreeTinyLog(TINY_LOG *t);
 void WriteTinyLog(TINY_LOG *t, char *str);
 TINY_LOG *NewTinyLog();
@@ -22,6 +22,9 @@
 #include "VLanWin32.h"
 #include "Win32Com.h"
 #include "WinUi.h"
+#ifdef	NO_VLAN
+#include "NullLan.h"
+#endif

 #include "Mayaqua/Cfg.h"
 #include "Mayaqua/Encrypt.h"
@@ -1957,6 +1960,7 @@ RPC_CLIENT_CREATE_ACCOUNT *CiCfgToAccount(BUF *b)
 	t->StartupAccount = a->StartupAccount;
 	t->CheckServerCert = a->CheckServerCert;
 	t->RetryOnServerCert = a->RetryOnServerCert;
+	t->AddDefaultCA = a->AddDefaultCA;
 	t->ServerCert = a->ServerCert;
 	Free(a);

@@ -1981,6 +1985,7 @@ BUF *CiAccountToCfg(RPC_CLIENT_CREATE_ACCOUNT *t)
 	a.ClientAuth = t->ClientAuth;
 	a.CheckServerCert = t->CheckServerCert;
 	a.RetryOnServerCert = t->RetryOnServerCert;
+	a.AddDefaultCA = t->AddDefaultCA;
 	a.ServerCert = t->ServerCert;
 	a.StartupAccount = t->StartupAccount;

@@ -4315,6 +4320,13 @@ void InRpcClientOption(CLIENT_OPTION *c, PACK *p)

 	PackGetUniStr(p, "AccountName", c->AccountName, sizeof(c->AccountName));
 	PackGetStr(p, "Hostname", c->Hostname, sizeof(c->Hostname));
+	// Extract hint string from hostname
+	UINT i = SearchStrEx(c->Hostname, "/", 0, false);
+	if (i != INFINITE)
+	{
+		StrCpy(c->HintStr, sizeof(c->HintStr), c->Hostname + i + 1);
+		c->Hostname[i] = 0;
+	}
 	c->Port = PackGetInt(p, "Port");
 	c->PortUDP = PackGetInt(p, "PortUDP");
 	c->ProxyType = PackGetInt(p, "ProxyType");
@@ -4333,6 +4345,9 @@ void InRpcClientOption(CLIENT_OPTION *c, PACK *p)
 	PackGetStr(p, "CustomHttpHeader", c->CustomHttpHeader, sizeof(c->CustomHttpHeader));
 	PackGetStr(p, "HubName", c->HubName, sizeof(c->HubName));
 	PackGetStr(p, "DeviceName", c->DeviceName, sizeof(c->DeviceName));
+	PackGetIp(p, "BindLocalIP", &c->BindLocalIP);// Source IP address for outgoing connection
+	c->BindLocalPort = PackGetInt(p, "BindLocalPort");// Source port nubmer for outgoing connection
+
 	c->UseEncrypt = PackGetInt(p, "UseEncrypt") ? true : false;
 	c->UseCompress = PackGetInt(p, "UseCompress") ? true : false;
 	c->HalfConnection = PackGetInt(p, "HalfConnection") ? true : false;
@@ -4352,7 +4367,20 @@ void OutRpcClientOption(PACK *p, CLIENT_OPTION *c)
 	}

 	PackAddUniStr(p, "AccountName", c->AccountName);
+	// Append hint string to hostname
+	if (IsEmptyStr(c->HintStr))
+	{
+		// No hint
 		PackAddStr(p, "Hostname", c->Hostname);
+	}
+	else
+	{
+		char hostname[MAX_SIZE];
+		StrCpy(hostname, sizeof(hostname), c->Hostname);
+		StrCat(hostname, sizeof(hostname), "/");
+		StrCat(hostname, sizeof(hostname), c->HintStr);
+		PackAddStr(p, "Hostname", hostname);
+	}
 	PackAddStr(p, "ProxyName", c->ProxyName);
 	PackAddStr(p, "ProxyUsername", c->ProxyUsername);
 	PackAddStr(p, "ProxyPassword", c->ProxyPassword);
@@ -4380,6 +4408,8 @@ void OutRpcClientOption(PACK *p, CLIENT_OPTION *c)
 	PackAddBool(p, "FromAdminPack", c->FromAdminPack);
 	PackAddBool(p, "NoUdpAcceleration", c->NoUdpAcceleration);
 	PackAddData(p, "HostUniqueKey", c->HostUniqueKey, SHA1_SIZE);
+	PackAddIp(p, "BindLocalIP", &c->BindLocalIP);// Source IP address for outgoing connection
+	PackAddInt(p, "BindLocalPort", c->BindLocalPort);// Source port number for outgoing connection
 }

 // CLIENT_AUTH
@@ -4522,6 +4552,7 @@ void InRpcClientCreateAccount(RPC_CLIENT_CREATE_ACCOUNT *c, PACK *p)
 	c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false;
 	c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false;
 	c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false;
+	c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false;
 	b = PackGetBuf(p, "ServerCert");
 	if (b != NULL)
 	{
@@ -4545,6 +4576,7 @@ void OutRpcClientCreateAccount(PACK *p, RPC_CLIENT_CREATE_ACCOUNT *c)
 	PackAddInt(p, "StartupAccount", c->StartupAccount);
 	PackAddInt(p, "CheckServerCert", c->CheckServerCert);
 	PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert);
+	PackAddInt(p, "AddDefaultCA", c->AddDefaultCA);
 	if (c->ServerCert != NULL)
 	{
 		b = XToBuf(c->ServerCert, false);
@@ -4695,6 +4727,7 @@ void InRpcClientGetAccount(RPC_CLIENT_GET_ACCOUNT *c, PACK *p)
 	c->StartupAccount = PackGetInt(p, "StartupAccount") ? true : false;
 	c->CheckServerCert = PackGetInt(p, "CheckServerCert") ? true : false;
 	c->RetryOnServerCert = PackGetInt(p, "RetryOnServerCert") ? true : false;
+	c->AddDefaultCA = PackGetInt(p, "AddDefaultCA") ? true : false;
 	b = PackGetBuf(p, "ServerCert");
 	if (b != NULL)
 	{
@@ -4724,6 +4757,7 @@ void OutRpcClientGetAccount(PACK *p, RPC_CLIENT_GET_ACCOUNT *c)
 	PackAddInt(p, "StartupAccount", c->StartupAccount);
 	PackAddInt(p, "CheckServerCert", c->CheckServerCert);
 	PackAddInt(p, "RetryOnServerCert", c->RetryOnServerCert);
+	PackAddInt(p, "AddDefaultCA", c->AddDefaultCA);

 	if (c->ServerCert != NULL)
 	{
@@ -4810,6 +4844,7 @@ void InRpcClientGetConnectionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *s, PACK *p

 	PackGetStr(p, "ServerName", s->ServerName, sizeof(s->ServerName));
 	PackGetStr(p, "ServerProductName", s->ServerProductName, sizeof(s->ServerProductName));
+	PackGetStr(p, "ProtocolVersion", s->ProtocolName, sizeof(s->ProtocolName));
 	PackGetStr(p, "CipherName", s->CipherName, sizeof(s->CipherName));
 	PackGetStr(p, "SessionName", s->SessionName, sizeof(s->SessionName));
 	PackGetStr(p, "ConnectionName", s->ConnectionName, sizeof(s->ConnectionName));
@@ -4846,6 +4881,7 @@ void InRpcClientGetConnectionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *s, PACK *p
 	s->UseCompress = PackGetInt(p, "UseCompress") ? true : false;
 	s->IsRUDPSession = PackGetInt(p, "IsRUDPSession") ? true : false;
 	PackGetStr(p, "UnderlayProtocol", s->UnderlayProtocol, sizeof(s->UnderlayProtocol));
+	PackGetStr(p, "ProtocolDetails", s->ProtocolDetails, sizeof(s->ProtocolDetails));
 	s->IsUdpAccelerationEnabled = PackGetInt(p, "IsUdpAccelerationEnabled") ? true : false;
 	s->IsUsingUdpAcceleration = PackGetInt(p, "IsUsingUdpAcceleration") ? true : false;

@@ -4885,6 +4921,7 @@ void OutRpcClientGetConnectionStatus(PACK *p, RPC_CLIENT_GET_CONNECTION_STATUS *

 	PackAddStr(p, "ServerName", c->ServerName);
 	PackAddStr(p, "ServerProductName", c->ServerProductName);
+	PackAddStr(p, "ProtocolVersion", c->ProtocolName);
 	PackAddStr(p, "CipherName", c->CipherName);
 	PackAddStr(p, "SessionName", c->SessionName);
 	PackAddStr(p, "ConnectionName", c->ConnectionName);
@@ -4908,6 +4945,7 @@ void OutRpcClientGetConnectionStatus(PACK *p, RPC_CLIENT_GET_CONNECTION_STATUS *
 	PackAddBool(p, "UseCompress", c->UseCompress);
 	PackAddBool(p, "IsRUDPSession", c->IsRUDPSession);
 	PackAddStr(p, "UnderlayProtocol", c->UnderlayProtocol);
+	PackAddStr(p, "ProtocolDetails", c->ProtocolDetails);
 	PackAddBool(p, "IsUdpAccelerationEnabled", c->IsUdpAccelerationEnabled);
 	PackAddBool(p, "IsUsingUdpAcceleration", c->IsUsingUdpAcceleration);

@@ -5117,6 +5155,22 @@ void CiRpcAccepted(CLIENT *c, SOCK *s)
 		retcode = 0;
 	}

+	if (retcode == 0)
+	{
+		if (IsLocalHostIP(&s->RemoteIP) == false)
+		{
+			// If the RPC client is from network check whether the password is empty
+			UCHAR empty_password_hash[20];
+			Sha0(empty_password_hash, "", 0);
+			if (Cmp(empty_password_hash, hashed_password, SHA1_SIZE) == 0 ||
+				IsZero(hashed_password, SHA1_SIZE))
+			{
+				// Regard it as incorrect password
+				retcode = 1;
+			}
+		}
+	}
+
 	Lock(c->lock);
 	{
 		if (c->Config.AllowRemoteConfig == false)
@@ -5220,14 +5274,21 @@ void CiRpcServerThread(THREAD *thread, void *param)

 	// Open the port
 	listener = NULL;
+	if (c->Config.DisableRpcDynamicPortListener == false)
+	{
 		for (i = CLIENT_CONFIG_PORT;i < (CLIENT_CONFIG_PORT + 5);i++)
 		{
-		listener = Listen(i);
+			listener = ListenEx(i, !c->Config.AllowRemoteConfig);
 			if (listener != NULL)
 			{
 				break;
 			}
 		}
+	}
+	else
+	{
+		listener = ListenEx(CLIENT_CONFIG_PORT, !c->Config.AllowRemoteConfig);
+	}

 	if (listener == NULL)
 	{
@@ -5410,7 +5471,7 @@ NOTIFY_CLIENT *CcConnectNotify(REMOTE_CLIENT *rc)
 	NOTIFY_CLIENT *n;
 	SOCK *s;
 	char tmp[MAX_SIZE];
-	bool rpc_mode = false;
+	UINT rpc_mode = 0;
 	UINT port;
 	// Validate arguments
 	if (rc == NULL || rc->Rpc == NULL || rc->Rpc->Sock == NULL)
@@ -5838,6 +5899,7 @@ void CiGetSessionStatus(RPC_CLIENT_GET_CONNECTION_STATUS *st, SESSION *s)
 				if (st->UseEncrypt)
 				{
 					StrCpy(st->CipherName, sizeof(st->CipherName), s->Connection->CipherName);
+					StrCpy(st->ProtocolName, sizeof(st->ProtocolName), s->Connection->SslVersion);
 				}
 				// Use of compression
 				st->UseCompress = s->UseCompress;
@@ -6493,9 +6555,7 @@ bool CtConnect(CLIENT *c, RPC_CLIENT_CONNECT *connect)
 // Requires account and VLan lists of the CLIENT argument to be already locked
 bool CtVLansDown(CLIENT *c)
 {
-#ifndef UNIX_LINUX
-	return true;
-#else
+#if defined(UNIX_LINUX) || defined(UNIX_BSD)
 	int i;
 	LIST *tmpVLanList;
 	UNIX_VLAN t, *r;
@@ -6537,6 +6597,8 @@ bool CtVLansDown(CLIENT *c)

 	ReleaseList(tmpVLanList);
 	return result;
+#else
+	return true;
 #endif
 }

@@ -6544,9 +6606,7 @@ bool CtVLansDown(CLIENT *c)
 // Requires VLan list of the CLIENT argument to be already locked
 bool CtVLansUp(CLIENT *c)
 {
-#ifndef UNIX_LINUX
-	return true;
-#else
+#if defined(UNIX_LINUX) || defined(UNIX_BSD)
 	int i;
 	UNIX_VLAN *r;

@@ -6560,9 +6620,8 @@ bool CtVLansUp(CLIENT *c)
 		r = LIST_DATA(c->UnixVLanList, i);
 		UnixVLanSetState(r->Name, true);
 	}
-
-	return true;
 #endif
+	return true;
 }

 // Get the account information
@@ -6597,6 +6656,9 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a)

 		Lock(r->lock);
 		{
+			// Copy account name (restore the correct case)
+			UniStrCpy(a->AccountName, sizeof(a->AccountName), r->ClientOption->AccountName);
+
 			// Copy the client option
 			if (a->ClientOption != NULL)
 			{
@@ -6616,6 +6678,7 @@ bool CtGetAccount(CLIENT *c, RPC_CLIENT_GET_ACCOUNT *a)

 			a->CheckServerCert = r->CheckServerCert;
 			a->RetryOnServerCert = r->RetryOnServerCert;
+			a->AddDefaultCA = r->AddDefaultCA;
 			a->ServerCert = NULL;
 			if (r->ServerCert != NULL)
 			{
@@ -7027,6 +7090,12 @@ bool CtEnumAccount(CLIENT *c, RPC_CLIENT_ENUM_ACCOUNT *e)

 			// Server name
 			StrCpy(item->ServerName, sizeof(item->ServerName), a->ClientOption->Hostname);
+			// Append hint string to hostname
+			if (IsEmptyStr(a->ClientOption->HintStr) == false)
+			{
+				StrCat(item->ServerName, sizeof(item->ServerName), "/");
+				StrCat(item->ServerName, sizeof(item->ServerName), a->ClientOption->HintStr);
+			}

 			// Proxy type
 			item->ProxyType = a->ClientOption->ProxyType;
@@ -7109,14 +7178,6 @@ bool CtSetAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)
 			}
 		}

-		if (a->ServerCert != NULL && a->ServerCert->is_compatible_bit == false)
-		{
-			// Server certificate is invalid
-			UnlockList(c->AccountList);
-			CiSetError(c, ERR_NOT_RSA_1024);
-			return false;
-		}
-
 		Lock(ret->lock);
 		{

@@ -7152,6 +7213,7 @@ bool CtSetAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)

 			ret->CheckServerCert = a->CheckServerCert;
 			ret->RetryOnServerCert = a->RetryOnServerCert;
+			ret->AddDefaultCA = a->AddDefaultCA;

 			if (a->ServerCert != NULL)
 			{
@@ -7236,14 +7298,6 @@ bool CtCreateAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)
 			}
 		}

-		if (a->ServerCert != NULL && a->ServerCert->is_compatible_bit == false)
-		{
-			// The server certificate is invalid
-			UnlockList(c->AccountList);
-			CiSetError(c, ERR_NOT_RSA_1024);
-			return false;
-		}
-
 		// Add a new account
 		new_account = ZeroMalloc(sizeof(ACCOUNT));
 		new_account->lock = NewLock();
@@ -7259,6 +7313,7 @@ bool CtCreateAccount(CLIENT *c, RPC_CLIENT_CREATE_ACCOUNT *a, bool inner)

 		new_account->CheckServerCert = a->CheckServerCert;
 		new_account->RetryOnServerCert = a->RetryOnServerCert;
+		new_account->AddDefaultCA = a->AddDefaultCA;
 		if (a->ServerCert != NULL)
 		{
 			new_account->ServerCert = CloneX(a->ServerCert);
@@ -8536,12 +8591,6 @@ bool CtAddCa(CLIENT *c, RPC_CERT *cert)
 		return false;
 	}

-	if (cert->x->is_compatible_bit == false)
-	{
-		CiSetError(c, ERR_NOT_RSA_1024);
-		return false;
-	}
-
 	AddCa(c->Cedar, cert->x);

 	CiSaveConfigurationFile(c);
@@ -9002,6 +9051,12 @@ void CiInitConfiguration(CLIENT *c)
 		c->Config.UseKeepConnect = false;	// Don't use the connection maintenance function by default in the Client
 		// Eraser
 		c->Eraser = NewEraser(c->Logger, 0);
+
+#ifdef	OS_WIN32
+		c->Config.DisableRpcDynamicPortListener = false;
+#else	// OS_WIN32
+		c->Config.DisableRpcDynamicPortListener = true;
+#endif	// OS_WIN32
 	}
 	else
 	{
@@ -9148,6 +9203,19 @@ void CiLoadClientConfig(CLIENT_CONFIG *c, FOLDER *f)
 	c->AllowRemoteConfig = CfgGetBool(f, "AllowRemoteConfig");
 	c->KeepConnectInterval = MAKESURE(CfgGetInt(f, "KeepConnectInterval"), KEEP_INTERVAL_MIN, KEEP_INTERVAL_MAX);
 	c->NoChangeWcmNetworkSettingOnWindows8 = CfgGetBool(f, "NoChangeWcmNetworkSettingOnWindows8");
+
+	if (CfgIsItem(f, "DisableRpcDynamicPortListener"))
+	{
+		c->DisableRpcDynamicPortListener = CfgGetBool(f, "DisableRpcDynamicPortListener");
+	}
+	else
+	{
+#ifdef	OS_WIN32
+		c->DisableRpcDynamicPortListener = false;
+#else	// OS_WIN32
+		c->DisableRpcDynamicPortListener = true;
+#endif	// OS_WIN32
+	}
 }

 // Read the client authentication data
@@ -9241,6 +9309,13 @@ CLIENT_OPTION *CiLoadClientOption(FOLDER *f)

 	CfgGetUniStr(f, "AccountName", o->AccountName, sizeof(o->AccountName));
 	CfgGetStr(f, "Hostname", o->Hostname, sizeof(o->Hostname));
+	// Extract hint string from hostname
+	UINT i = SearchStrEx(o->Hostname, "/", 0, false);
+	if (i != INFINITE)
+	{
+		StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1);
+		o->Hostname[i] = 0;
+	}
 	o->Port = CfgGetInt(f, "Port");
 	o->PortUDP = CfgGetInt(f, "PortUDP");
 	o->ProxyType = CfgGetInt(f, "ProxyType");
@@ -9271,6 +9346,8 @@ CLIENT_OPTION *CiLoadClientOption(FOLDER *f)
 	o->DisableQoS = CfgGetBool(f, "DisableQoS");
 	o->FromAdminPack = CfgGetBool(f, "FromAdminPack");
 	o->NoUdpAcceleration = CfgGetBool(f, "NoUdpAcceleration");
+	CfgGetIp(f, "BindLocalIP", &o->BindLocalIP);// Source IP address for outgoing connection
+	o->BindLocalPort = CfgGetInt(f, "BindLocalPort");// Source port number for outgoing connection

 	b = CfgGetBuf(f, "HostUniqueKey");
 	if (b != NULL)
@@ -9322,6 +9399,7 @@ ACCOUNT *CiLoadClientAccount(FOLDER *f)
 	a->StartupAccount = CfgGetBool(f, "StartupAccount");
 	a->CheckServerCert = CfgGetBool(f, "CheckServerCert");
 	a->RetryOnServerCert = CfgGetBool(f, "RetryOnServerCert");
+	a->AddDefaultCA = CfgGetBool(f, "AddDefaultCA");
 	a->CreateDateTime = CfgGetInt64(f, "CreateDateTime");
 	a->UpdateDateTime = CfgGetInt64(f, "UpdateDateTime");
 	a->LastConnectDateTime = CfgGetInt64(f, "LastConnectDateTime");
@@ -9712,6 +9790,7 @@ void CiWriteClientConfig(FOLDER *cc, CLIENT_CONFIG *config)
 	CfgAddBool(cc, "AllowRemoteConfig", config->AllowRemoteConfig);
 	CfgAddInt(cc, "KeepConnectInterval", config->KeepConnectInterval);
 	CfgAddBool(cc, "NoChangeWcmNetworkSettingOnWindows8", config->NoChangeWcmNetworkSettingOnWindows8);
+	CfgAddBool(cc, "DisableRpcDynamicPortListener", config->DisableRpcDynamicPortListener);
 }

 // Write the client authentication data
@@ -9783,7 +9862,20 @@ void CiWriteClientOption(FOLDER *f, CLIENT_OPTION *o)
 	}

 	CfgAddUniStr(f, "AccountName", o->AccountName);
+	// Append hint string to hostname
+	if (IsEmptyStr(o->HintStr))
+	{
+		// No hint
 		CfgAddStr(f, "Hostname", o->Hostname);
+	}
+	else
+	{
+		char hostname[MAX_SIZE];
+		StrCpy(hostname, sizeof(hostname), o->Hostname);
+		StrCat(hostname, sizeof(hostname), "/");
+		StrCat(hostname, sizeof(hostname), o->HintStr);
+		CfgAddStr(f, "Hostname", hostname);
+	}
 	CfgAddInt(f, "Port", o->Port);
 	CfgAddInt(f, "PortUDP", o->PortUDP);
 	CfgAddInt(f, "ProxyType", o->ProxyType);
@@ -9811,6 +9903,8 @@ void CiWriteClientOption(FOLDER *f, CLIENT_OPTION *o)
 	CfgAddBool(f, "RequireBridgeRoutingMode", o->RequireBridgeRoutingMode);
 	CfgAddBool(f, "DisableQoS", o->DisableQoS);
 	CfgAddBool(f, "NoUdpAcceleration", o->NoUdpAcceleration);
+	CfgAddIp(f, "BindLocalIP", &o->BindLocalIP);// Source IP address for outgoing connection
+	CfgAddInt(f, "BindLocalPort", o->BindLocalPort);// Source port number for outgoing connection

 	if (o->FromAdminPack)
 	{
@@ -9947,6 +10041,9 @@ void CiWriteAccountData(FOLDER *f, ACCOUNT *a)
 	// Retry on invalid server certificate flag
 	CfgAddBool(f, "RetryOnServerCert", a->RetryOnServerCert);

+	// Add default SSL trust store
+	CfgAddBool(f, "AddDefaultCA", a->AddDefaultCA);
+
 	// Date and time
 	CfgAddInt64(f, "CreateDateTime", a->CreateDateTime);
 	CfgAddInt64(f, "UpdateDateTime", a->UpdateDateTime);
@@ -61,6 +61,7 @@ struct ACCOUNT
 	CLIENT_AUTH *ClientAuth;				// Client authentication data
 	bool CheckServerCert;					// Check the server certificate
 	bool RetryOnServerCert;					// Retry on invalid server certificate
+	bool AddDefaultCA;						// Use default trust store
 	X *ServerCert;							// Server certificate
 	bool StartupAccount;					// Start-up account
 	UCHAR ShortcutKey[SHA1_SIZE];			// Key
@@ -86,6 +87,7 @@ struct CLIENT_CONFIG
 	UINT KeepConnectProtocol;				// Protocol
 	UINT KeepConnectInterval;				// Interval
 	bool NoChangeWcmNetworkSettingOnWindows8;	// Don't change the WCM network settings on Windows 8
+	bool DisableRpcDynamicPortListener;
 };

 // Version acquisition
@@ -239,6 +241,7 @@ struct RPC_CLIENT_CREATE_ACCOUNT
 	bool StartupAccount;					// Startup account
 	bool CheckServerCert;					// Checking of the server certificate
 	bool RetryOnServerCert;					// Retry on invalid server certificate
+	bool AddDefaultCA;						// Use default trust store
 	X *ServerCert;							// Server certificate
 	UCHAR ShortcutKey[SHA1_SIZE];			// Shortcut Key
 };
@@ -292,6 +295,7 @@ struct RPC_CLIENT_GET_ACCOUNT
 	bool StartupAccount;					// Startup account
 	bool CheckServerCert;					// Check the server certificate
 	bool RetryOnServerCert;					// Retry on invalid server certificate
+	bool AddDefaultCA;						// Use default trust store
 	X *ServerCert;							// Server certificate
 	UCHAR ShortcutKey[SHA1_SIZE];			// Shortcut Key
 	UINT64 CreateDateTime;					// Creation date and time (Ver 3.0 or later)
@@ -236,6 +236,7 @@ bool CmdEvalPortList(CONSOLE *c, wchar_t *str, void *param);
 wchar_t *PsClusterSettingMemberPromptPorts(CONSOLE *c, void *param);
 K *CmdLoadKey(CONSOLE *c, wchar_t *filename);
 bool CmdLoadCertAndKey(CONSOLE *c, X **xx, K **kk, wchar_t *cert_filename, wchar_t *key_filename);
+bool CmdLoadCertChainAndKey(CONSOLE *c, X **xx, K **kk, LIST **cc, wchar_t *cert_filename, wchar_t *key_filename);
 bool CmdEvalTcpOrUdp(CONSOLE *c, wchar_t *str, void *param);
 wchar_t *GetConnectionTypeStr(UINT type);
 bool CmdEvalHostAndSubnetMask4(CONSOLE *c, wchar_t *str, void *param);
@@ -307,6 +308,8 @@ UINT PtConnect(CONSOLE *c, wchar_t *cmdline);
 PT *NewPt(CONSOLE *c, wchar_t *cmdline);
 void FreePt(PT *pt);
 void PtMain(PT *pt);
+UINT PtGenX25519(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
+UINT PtGetPublicX25519(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PtMakeCert(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PtMakeCert2048(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PtTrafficClient(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@@ -339,6 +342,7 @@ UINT PcNicDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcNicList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountList(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountCreate(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
+void SetRpcClientCreateAccountFromGetAccount(RPC_CLIENT_CREATE_ACCOUNT *c, RPC_CLIENT_GET_ACCOUNT *t);
 UINT PcAccountSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@@ -362,6 +366,8 @@ UINT PcAccountServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *p
 UINT PcAccountServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountRetryOnServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountRetryOnServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
+UINT PcAccountDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
+UINT PcAccountDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PcAccountServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@@ -507,6 +513,8 @@ UINT PsCascadeProxySocks(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PsCascadeProxySocks5(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PsCascadeServerCertEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PsCascadeServerCertDisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
+UINT PsCascadeDefaultCAEnable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
+UINT PsCascadeDefaultCADisable(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PsCascadeServerCertSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PsCascadeServerCertDelete(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
 UINT PsCascadeServerCertGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param);
@@ -28,6 +28,7 @@
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Pack.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Table.h"
 #include "Mayaqua/Tick64.h"

 #include <stdlib.h>
@@ -909,20 +910,24 @@ void SendKeepAlive(CONNECTION *c, TCPSOCK *ts)

 	if (s->UseUdpAcceleration && udp_accel != NULL)
 	{
+		UINT required_size = 0;
+
 		if (udp_accel->MyPortNatT != 0)
 		{
-			size = MAX(size, (StrLen(UDP_NAT_T_PORT_SIGNATURE_IN_KEEP_ALIVE) + sizeof(USHORT)));
+			required_size += StrLen(UDP_NAT_T_PORT_SIGNATURE_IN_KEEP_ALIVE) + sizeof(USHORT);

 			insert_natt_port = true;
 		}

 		if (IsZeroIP(&udp_accel->MyIpNatT) == false)
 		{
-			size = MAX(size, (StrLen(UDP_NAT_T_IP_SIGNATURE_IN_KEEP_ALIVE) + sizeof(udp_accel->MyIpNatT.address)));
+			required_size += StrLen(UDP_NAT_T_IP_SIGNATURE_IN_KEEP_ALIVE) + sizeof(udp_accel->MyIpNatT.address);

 			insert_natt_ip = true;
 		}

+		size = MAX(size, required_size);
+
 	}

 	buf = MallocFast(size);
@@ -2986,6 +2991,7 @@ void ConnectionAccept(CONNECTION *c)
 	SOCK *s;
 	X *x;
 	K *k;
+	LIST *chain;
 	char tmp[128];
 	UINT initial_timeout = CONNECTING_TIMEOUT;
 	UCHAR ctoken_hash[SHA1_SIZE];
@@ -3036,26 +3042,34 @@ void ConnectionAccept(CONNECTION *c)

 		x = CloneX(c->Cedar->ServerX);
 		k = CloneK(c->Cedar->ServerK);
+		chain = CloneXList(c->Cedar->ServerChain);
 	}
 	Unlock(c->Cedar->lock);

 	// Start the SSL communication
 	Copy(&s->SslAcceptSettings, &c->Cedar->SslAcceptSettings, sizeof(SSL_ACCEPT_SETTINGS));
-	if (StartSSL(s, x, k) == false)
+	UINT ssl_err = 0;
+	if (StartSSLEx3(s, x, k, chain, 0, NULL, NULL, &ssl_err) == false)
 	{
 		// Failed
 		AddNoSsl(c->Cedar, &s->RemoteIP);
 		Debug("ConnectionAccept(): StartSSL() failed\n");
+		if (ssl_err != 0)
+		{
+			SLog(c->Cedar, "LS_SSL_START_ERROR", c->Name, GetUniErrorStr(ssl_err), ssl_err);
+		}
 		FreeX(x);
 		FreeK(k);
+		FreeXList(chain);

 		goto FINAL;
 	}

 	FreeX(x);
 	FreeK(k);
+	FreeXList(chain);

-	SLog(c->Cedar, "LS_SSL_START", c->Name, s->CipherName);
+	SLog(c->Cedar, "LS_SSL_START", c->Name, s->SslVersion, s->CipherName);

 	Copy(c->CToken_Hash, ctoken_hash, SHA1_SIZE);

@@ -3391,6 +3405,11 @@ void CleanupConnection(CONNECTION *c)
 		Free(c->CipherName);
 	}

+	if (c->SslVersion != NULL)
+	{
+		Free(c->SslVersion);
+	}
+
 	Free(c);
 }

@@ -58,8 +58,11 @@ struct RC4_KEY_PAIR
 	UCHAR ServerToClientKey[16];
 	UCHAR ClientToServerKey[16];
 };
+#define	TYPE_BINDLOCALIP	1	//  Enable HMI user to edit Source IP address & Source port number for outgoing connection

 // Client Options
+// Do not change item size or order and only add new items at the end!
+// See comments in struct SETTING (SMInner.h)
 struct CLIENT_OPTION
 {
 	wchar_t AccountName[MAX_ACCOUNT_NAME_LEN + 1];			// Connection setting name
@@ -71,26 +74,41 @@ struct CLIENT_OPTION
 	UINT ProxyPort;											// Port number of the proxy server
 	char ProxyUsername[PROXY_MAX_USERNAME_LEN + 1];			// Maximum user name length
 	char ProxyPassword[PROXY_MAX_PASSWORD_LEN + 1];			// Maximum password length
-	char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE + 1];	// Custom HTTP proxy header
 	UINT NumRetry;											// Automatic retries
 	UINT RetryInterval;										// Retry interval
 	char HubName[MAX_HUBNAME_LEN + 1];						// HUB name
 	UINT MaxConnection;										// Maximum number of concurrent TCP connections
 	bool UseEncrypt;										// Use encrypted communication
+	char pad1[3];
 	bool UseCompress;										// Use data compression
+	char pad2[3];
 	bool HalfConnection;									// Use half connection in TCP
+	char pad3[3];
 	bool NoRoutingTracking;									// Disable the routing tracking
+	char pad4[3];
 	char DeviceName[MAX_DEVICE_NAME_LEN + 1];				// VLAN device name
 	UINT AdditionalConnectionInterval;						// Connection attempt interval when additional connection establish
 	UINT ConnectionDisconnectSpan;							// Disconnection interval
 	bool HideStatusWindow;									// Hide the status window
+	char pad5[3];
 	bool HideNicInfoWindow;									// Hide the NIC status window
+	char pad6[3];
 	bool RequireMonitorMode;								// Monitor port mode
+	char pad7[3];
 	bool RequireBridgeRoutingMode;							// Bridge or routing mode
+	char pad8[3];
 	bool DisableQoS;										// Disable the VoIP / QoS function
+	char pad9[3];
 	bool FromAdminPack;										// For Administration Pack
+	char pad10[3];
+	char pad11[4];											// Removed bool
 	bool NoUdpAcceleration;									// Do not use UDP acceleration mode
+	char pad12[3];
 	UCHAR HostUniqueKey[SHA1_SIZE];							// Host unique key
+	char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE];		// Custom HTTP proxy header
+	char HintStr[MAX_HOST_NAME_LEN + 1];					// Hint string for NAT-T
+	IP   BindLocalIP;										// Source IP address for outgoing connection
+	UINT BindLocalPort;										// Source port number for outgoing connection
 };

 // Client authentication data
@@ -208,6 +226,7 @@ struct CONNECTION
 	X *ServerX;						// Server certificate
 	X *ClientX;						// Client certificate
 	char *CipherName;				// Encryption algorithm name
+	char *SslVersion;				// SSL protocol version
 	UINT64 ConnectedTick;			// Time it is connected
 	IP ClientIp;					// Client IP address
 	char ClientHostname[MAX_HOST_NAME_LEN + 1];	// Client host name
@@ -541,13 +541,9 @@ UINT DCRegister(DDNS_CLIENT *c, bool ipv6, DDNS_REGISTER_PARAM *p, char *replace
 		}
 	}

-
-
 	Format(url2, sizeof(url2), "%s?v=%I64u", url, Rand64());
 	Format(url3, sizeof(url3), url2, key_hash_str[2], key_hash_str[3]);

-	ReplaceStr(url3, sizeof(url3), url3, "https://", "http://");
-
 	ReplaceStr(url3, sizeof(url3), url3, ".servers", ".open.servers");

 	cert_hash = StrToBin(DDNS_CERT_HASH);
@@ -18,7 +18,11 @@
 							"439BAFA75A6EE5671FC9F9A02D34FF29881761A0" \
 							"EFAC5FA0CDD14E0F864EED58A73C35D7E33B62F3" \
 							"74DF99D4B1B5F0488A388B50D347D26013DC67A5" \
-							"6EBB39AFCA8C900635CFC11218CF293A612457E4"
+							"6EBB39AFCA8C900635CFC11218CF293A612457E4" \
+							"05A9386C5E2B233F7BAB2479620EAAA2793709ED" \
+							"A811C64BB715351E36B6C1E022648D8BE0ACD128" \
+							"BD264DB3B0B1B3ABA0AF3074AA574ED1EF3B42D7" \
+							"9AB61D691536645DD55A8730FC6D2CDF33C8C73F"

 #define	DDNS_SNI_VER_STRING		"DDNS"

@@ -43,7 +47,7 @@
 #define	DDNS_URL2_V4_ALT	"http://get-my-ip.ddns.uxcom.jp/ddns/getmyip.ashx"
 #define	DDNS_URL2_V6_ALT	"http://get-my-ip-v6.ddns.uxcom.jp/ddns/getmyip.ashx"

-#define	DDNS_RPC_MAX_RECV_SIZE				DYN32(DDNS_RPC_MAX_RECV_SIZE, (128 * 1024 * 1024))
+#define	DDNS_RPC_MAX_RECV_SIZE				DYN32(DDNS_RPC_MAX_RECV_SIZE, (38 * 1024 * 1024))

 // Connection Timeout
 #define	DDNS_CONNECT_TIMEOUT		DYN32(DDNS_CONNECT_TIMEOUT, (15 * 1000))
@@ -91,7 +91,8 @@ UINT num_admin_options = sizeof(admin_options) / sizeof(ADMIN_OPTION);


 // Create an EAP client for the specified Virtual Hub
-EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str)
+EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str, bool proxy_only, 
+							PPP_LCP **response, UCHAR last_recv_eapid)
 {
 	HUB *hub = NULL;
 	EAP_CLIENT *ret = NULL;
@@ -137,7 +138,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 						if (GetIP(&ip, radius_servers_list->Token[i]))
 						{
 							eap = NewEapClient(&ip, radius_port, radius_secret, radius_retry_interval,
-								RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username, hubname);
+								RADIUS_INITIAL_EAP_TIMEOUT, client_ip_str, username, hubname, last_recv_eapid);

 							if (eap != NULL)
 							{
@@ -146,7 +147,19 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 									StrCpy(eap->In_VpnProtocolState, sizeof(eap->In_VpnProtocolState), vpn_protocol_state_str);
 								}

-								if (use_peap == false)
+								if (proxy_only && response != NULL)
+								{
+									// EAP proxy for EAP-capable clients
+									PPP_LCP *lcp = EapClientSendEapIdentity(eap);
+									if (lcp != NULL)
+									{
+										*response = lcp;
+										eap->GiveupTimeout = RADIUS_RETRY_TIMEOUT;
+										ret = eap;
+										finish = true;
+									}
+								}
+								else if (use_peap == false)
 								{
 									// EAP
 									if (EapClientSendMsChapv2AuthRequest(eap))
@@ -606,6 +619,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
 	GetHubAdminOptionDataAndSet(ao, "DoNotSaveHeavySecurityLogs", o->DoNotSaveHeavySecurityLogs);
 	GetHubAdminOptionDataAndSet(ao, "DropBroadcastsInPrivacyFilterMode", o->DropBroadcastsInPrivacyFilterMode);
 	GetHubAdminOptionDataAndSet(ao, "DropArpInPrivacyFilterMode", o->DropArpInPrivacyFilterMode);
+	GetHubAdminOptionDataAndSet(ao, "AllowSameUserInPrivacyFilterMode", o->AllowSameUserInPrivacyFilterMode);
 	GetHubAdminOptionDataAndSet(ao, "SuppressClientUpdateNotification", o->SuppressClientUpdateNotification);
 	GetHubAdminOptionDataAndSet(ao, "FloodingSendQueueBufferQuota", o->FloodingSendQueueBufferQuota);
 	GetHubAdminOptionDataAndSet(ao, "AssignVLanIdByRadiusAttribute", o->AssignVLanIdByRadiusAttribute);
@@ -615,6 +629,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
 	GetHubAdminOptionDataAndSet(ao, "NoPhysicalIPOnPacketLog", o->NoPhysicalIPOnPacketLog);
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
+	GetHubAdminOptionDataAndSet(ao, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
 }

 // Convert the contents of the HUB_OPTION to data
@@ -679,6 +694,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
 	Add(aol, NewAdminOption("DoNotSaveHeavySecurityLogs", o->DoNotSaveHeavySecurityLogs));
 	Add(aol, NewAdminOption("DropBroadcastsInPrivacyFilterMode", o->DropBroadcastsInPrivacyFilterMode));
 	Add(aol, NewAdminOption("DropArpInPrivacyFilterMode", o->DropArpInPrivacyFilterMode));
+	Add(aol, NewAdminOption("AllowSameUserInPrivacyFilterMode", o->AllowSameUserInPrivacyFilterMode));
 	Add(aol, NewAdminOption("SuppressClientUpdateNotification", o->SuppressClientUpdateNotification));
 	Add(aol, NewAdminOption("FloodingSendQueueBufferQuota", o->FloodingSendQueueBufferQuota));
 	Add(aol, NewAdminOption("AssignVLanIdByRadiusAttribute", o->AssignVLanIdByRadiusAttribute));
@@ -688,6 +704,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
 	Add(aol, NewAdminOption("NoPhysicalIPOnPacketLog", o->NoPhysicalIPOnPacketLog));
 	Add(aol, NewAdminOption("UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption));
 	Add(aol, NewAdminOption("UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId));
+	Add(aol, NewAdminOption("AllowEapMatchUserByCert", o->AllowEapMatchUserByCert));

 	Zero(ao, sizeof(RPC_ADMIN_OPTION));

@@ -3562,7 +3579,7 @@ bool HubPaPutPacket(SESSION *s, void *data, UINT size)

 		target_mss = MIN(target_mss, session_mss);

-		if (s->IsUsingUdpAcceleration && s->UdpAccelMss != 0)
+		if (s->UseUdpAcceleration && s->UdpAccelMss != 0)
 		{
 			// If the link is established with UDP acceleration function, use optimum value of the UDP acceleration function
 			target_mss = MIN(target_mss, s->UdpAccelMss);
@@ -3915,6 +3932,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
 	bool no_heavy = false;
 	bool drop_broadcast_packet_privacy = false;
 	bool drop_arp_packet_privacy = false;
+	bool allow_same_user_packet_privacy = false;
 	UINT tcp_queue_quota = 0;
 	UINT64 dormant_interval = 0;
 	// Validate arguments
@@ -3939,6 +3957,7 @@ void StorePacket(HUB *hub, SESSION *s, PKT *packet)
 		no_heavy = hub->Option->DoNotSaveHeavySecurityLogs;
 		drop_broadcast_packet_privacy = hub->Option->DropBroadcastsInPrivacyFilterMode;
 		drop_arp_packet_privacy = hub->Option->DropArpInPrivacyFilterMode;
+		allow_same_user_packet_privacy = hub->Option->AllowSameUserInPrivacyFilterMode;
 		tcp_queue_quota = hub->Option->FloodingSendQueueBufferQuota;
 		if (hub->Option->DetectDormantSessionInterval != 0)
 		{
@@ -4839,10 +4858,14 @@ UPDATE_FDB:
 						{
 							// Privacy filter
 							if (drop_arp_packet_privacy || packet->TypeL3 != L3_ARPV4)
+							{
+								// Do not block sessions owned by the same user, if the corresponding option is enabled.
+								if (allow_same_user_packet_privacy == false || StrCmp(s->Username, dest_session->Username))
 								{
 									goto DISCARD_UNICAST_PACKET;
 								}
 							}
+						}

 						if (s != NULL)
 						{
@@ -5056,10 +5079,14 @@ DISCARD_UNICAST_PACKET:
 								{
 									// Privacy filter
 									if (drop_arp_packet_privacy || packet->TypeL3 != L3_ARPV4)
+									{
+										// Do not block sessions owned by the same user, if the corresponding option is enabled.
+										if (allow_same_user_packet_privacy == false || StrCmp(s->Username, dest_session->Username))
 										{
 											discard = true;
 										}
 									}
+								}

 								if (s != NULL)
 								{
@@ -5350,7 +5377,7 @@ void StorePacketToHubPa(HUB_PA *dest, SESSION *src, void *data, UINT size, PKT *
 	if (src != NULL && dest->Session != NULL && src->Hub != NULL && src->Hub->Option != NULL)
 	{
 		if (dest->Session->AdjustMss != 0 ||
-			(dest->Session->IsUsingUdpAcceleration && dest->Session->UdpAccelMss != 0) ||
+			(dest->Session->UseUdpAcceleration && dest->Session->UdpAccelMss != 0) ||
 			(dest->Session->IsRUDPSession && dest->Session->RUdpMss != 0))
 		{
 			if (src->Hub->Option->DisableAdjustTcpMss == false)
@@ -5362,7 +5389,7 @@ void StorePacketToHubPa(HUB_PA *dest, SESSION *src, void *data, UINT size, PKT *
 					target_mss = MIN(target_mss, dest->Session->AdjustMss);
 				}

-				if (dest->Session->IsUsingUdpAcceleration && dest->Session->UdpAccelMss != 0)
+				if (dest->Session->UseUdpAcceleration && dest->Session->UdpAccelMss != 0)
 				{
 					target_mss = MIN(target_mss, dest->Session->UdpAccelMss);
 				}
@@ -6955,6 +6982,7 @@ HUB *NewHub(CEDAR *cedar, char *HubName, HUB_OPTION *option)

 	h->Option->DropBroadcastsInPrivacyFilterMode = true;
 	h->Option->DropArpInPrivacyFilterMode = true;
+	h->Option->AllowSameUserInPrivacyFilterMode = false;

 	Rand(h->HubSignature, sizeof(h->HubSignature));

@@ -172,6 +172,7 @@ struct HUB_OPTION
 	bool DoNotSaveHeavySecurityLogs;	// Do not take heavy security log
 	bool DropBroadcastsInPrivacyFilterMode;	// Drop broadcasting packets if the both source and destination session is PrivacyFilter mode
 	bool DropArpInPrivacyFilterMode;	// Drop ARP packets if the both source and destination session is PrivacyFilter mode
+	bool AllowSameUserInPrivacyFilterMode;	// Allow packets if both the source and destination session user are the same
 	bool SuppressClientUpdateNotification;	// Suppress the update notification function on the VPN Client
 	UINT FloodingSendQueueBufferQuota;	// The global quota of send queues of flooding packets
 	bool AssignVLanIdByRadiusAttribute;	// Assign the VLAN ID for the VPN session, by the attribute value of RADIUS
@@ -181,6 +182,7 @@ struct HUB_OPTION
 	bool NoPhysicalIPOnPacketLog;		// Disable saving physical IP address on the packet log
 	bool UseHubNameAsDhcpUserClassOption;	// Add HubName to DHCP request as User-Class option
 	bool UseHubNameAsRadiusNasId;		// Add HubName to Radius request as NAS-Identifier attrioption
+	bool AllowEapMatchUserByCert;		// Allow matching EAP Identity with user certificate CNs
 };

 // MAC table entry
@@ -535,7 +537,8 @@ bool IsUserMatchInUserList(LIST *o, char *filename, UINT64 user_hash);
 bool IsUserMatchInUserListWithCacheExpires(LIST *o, char *filename, UINT64 user_hash, UINT64 lifetime);
 bool IsUserMatchInUserListWithCacheExpiresAcl(LIST *o, char *name_in_acl, UINT64 user_hash, UINT64 lifetime);
 bool CheckMaxLoggedPacketsPerMinute(SESSION *s, UINT max_packets, UINT64 now);
-EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str);
+EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, char *username, char *vpn_protocol_state_str, bool proxy_only, 
+							PPP_LCP **response, UCHAR last_recv_eapid);

 #endif	// HUB_H

@@ -244,7 +244,8 @@ IPC *NewIPCByParam(CEDAR *cedar, IPC_PARAM *param, UINT *error_code)
 	             param->UserName, param->Password, param->WgKey, error_code,
 	             &param->ClientIp, param->ClientPort, &param->ServerIp, param->ServerPort,
 	             param->ClientHostname, param->CryptName,
-	             param->BridgeMode, param->Mss, NULL, param->ClientCertificate, param->Layer);
+	             param->BridgeMode, param->Mss, NULL, param->ClientCertificate, param->RadiusOK,
+				 param->Layer);

 	return ipc;
 }
@@ -253,7 +254,7 @@ IPC *NewIPCByParam(CEDAR *cedar, IPC_PARAM *param, UINT *error_code)
 IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char *username, char *password, char *wg_key,
            UINT *error_code, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port,
            char *client_hostname, char *crypt_name,
-            bool bridge_mode, UINT mss, EAP_CLIENT *eap_client, X *client_certificate,
+            bool bridge_mode, UINT mss, EAP_CLIENT *eap_client, X *client_certificate, bool external_auth,
            UINT layer)
 {
 	IPC *ipc;
@@ -360,6 +361,10 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 	{
 		p = PackLoginWithOpenVPNCertificate(hubname, username, client_certificate);
 	}
+	else if (external_auth)
+	{
+		p = PackLoginWithExternal(hubname, username);
+	}
 	else
 	{
 		p = PackLoginWithPlainPassword(hubname, username, password);
@@ -497,6 +502,8 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 		ZeroIP4(&ipc->BroadcastAddress);
 	}

+	ReleaseHub(hub);
+
 	ZeroIP4(&ipc->ClientIPAddress);

 	MacToStr(macstr, sizeof(macstr), ipc->MacAddress);
@@ -1501,6 +1508,7 @@ void IPCProcessL3EventsEx(IPC *ipc, UINT64 now)
 							if (p->IPv6HeaderPacketInfo.Protocol == IP_PROTO_ICMPV6)
 							{
 								IP icmpHeaderAddr;
+								UINT header_size = 0;
 								// We need to parse the Router Advertisement and Neighbor Advertisement messages
 								// to build the Neighbor Discovery Table (aka ARP table for IPv6)
 								switch (p->ICMPv6HeaderPacketInfo.Type)
@@ -1510,6 +1518,8 @@ void IPCProcessL3EventsEx(IPC *ipc, UINT64 now)
 									IPCIPv6AddRouterPrefixes(ipc, &p->ICMPv6HeaderPacketInfo.OptionList, src_mac, &ip_src);
 									IPCIPv6AssociateOnNDTEx(ipc, &ip_src, src_mac, true);
 									IPCIPv6AssociateOnNDTEx(ipc, &ip_src, p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer->Address, true);
+									ndtProcessed = true;
+									header_size = sizeof(ICMPV6_ROUTER_ADVERTISEMENT_HEADER);
 									break;
 								case ICMPV6_TYPE_NEIGHBOR_ADVERTISEMENT:
 									// We save the neighbor advertisements into NDT
@@ -1517,7 +1527,76 @@ void IPCProcessL3EventsEx(IPC *ipc, UINT64 now)
 									IPCIPv6AssociateOnNDTEx(ipc, &icmpHeaderAddr, src_mac, true);
 									IPCIPv6AssociateOnNDTEx(ipc, &ip_src, src_mac, true);
 									ndtProcessed = true;
+									header_size = sizeof(ICMPV6_NEIGHBOR_ADVERTISEMENT_HEADER);
 									break;
+								case ICMPV6_TYPE_NEIGHBOR_SOLICIATION:
+									header_size = sizeof(ICMPV6_NEIGHBOR_SOLICIATION_HEADER);
+									break;
+								}
+
+								// Remove link-layer address options for Windows clients (required on Windows 11)
+								if (header_size > 0)
+								{
+									UCHAR *src = p->ICMPv6HeaderPacketInfo.Headers.HeaderPointer + header_size;
+									UINT opt_size = p->ICMPv6HeaderPacketInfo.DataSize - header_size;
+									UCHAR *dst = src;
+									UINT removed = 0;
+
+									while (opt_size > sizeof(ICMPV6_OPTION))
+									{
+										ICMPV6_OPTION *option_header;
+										UINT header_total_size;
+
+										option_header = (ICMPV6_OPTION *)src;
+										// Calculate the entire header size
+										header_total_size = option_header->Length * 8;
+										if (header_total_size == 0)
+										{
+											// The size is zero
+											break;
+										}
+										if (opt_size < header_total_size)
+										{
+											// Size shortage
+											break;
+										}
+
+										switch (option_header->Type)
+										{
+										case ICMPV6_OPTION_TYPE_SOURCE_LINK_LAYER:
+										case ICMPV6_OPTION_TYPE_TARGET_LINK_LAYER:
+											// Skip source or target link-layer option
+											removed += header_total_size;
+											break;
+										default:
+											// Copy options other than source link-layer
+											if (src != dst)
+											{
+												UCHAR *tmp = Clone(src, header_total_size);
+												Copy(dst, tmp, header_total_size);
+												Free(tmp);
+											}
+											dst += header_total_size;
+										}
+
+										src += header_total_size;
+										opt_size -= header_total_size;
+
+									}
+
+									// Recalculate length and checksum if modified
+									if (removed > 0)
+									{
+										size -= removed;
+										p->L3.IPv6Header->PayloadLength = Endian16(size - sizeof(IPV6_HEADER));
+										p->L4.ICMPHeader->Checksum = 0;
+										p->L4.ICMPHeader->Checksum =
+											CalcChecksumForIPv6(&p->L3.IPv6Header->SrcAddress,
+												&p->L3.IPv6Header->DestAddress, IP_PROTO_ICMPV6,
+												p->L4.ICMPHeader, size - sizeof(IPV6_HEADER), 0);
+										Copy(data, b->Buf + 14, size);
+									}
+
 								}
 							}

@@ -2054,7 +2133,7 @@ void IPCIPv6Init(IPC *ipc)
 	ipc->IPv6RouterAdvs = NewList(NULL);

 	ipc->IPv6ClientEUI = 0;
-	ipc->IPv6ServerEUI = 0;
+	GenerateEui64Address6((UCHAR *)&ipc->IPv6ServerEUI, ipc->MacAddress);

 	ipc->IPv6State = IPC_PROTO_STATUS_CLOSED;
 }
@@ -2290,6 +2369,15 @@ bool IPCIPv6CheckUnicastFromRouterPrefix(IPC *ipc, IP *ip, IPC_IPV6_ROUTER_ADVER
 	UINT i;
 	IPC_IPV6_ROUTER_ADVERTISEMENT *matchingRA = NULL;
 	bool isInPrefix = false;
+
+	if (LIST_NUM(ipc->IPv6RouterAdvs) == 0)
+	{
+		// We have a unicast packet but we haven't got any RAs.
+		// The client is probably misconfigured in IPv6. We send non-blocking RS at best effort.
+		IPCSendIPv6RouterSoliciation(ipc, false);
+		return false;
+	}
+
 	for (i = 0; i < LIST_NUM(ipc->IPv6RouterAdvs); i++)
 	{
 		IPC_IPV6_ROUTER_ADVERTISEMENT *ra = LIST_DATA(ipc->IPv6RouterAdvs, i);
@@ -2309,23 +2397,9 @@ bool IPCIPv6CheckUnicastFromRouterPrefix(IPC *ipc, IP *ip, IPC_IPV6_ROUTER_ADVER
 	return isInPrefix;
 }

-// Send router solicitation and then eventually populate the info from Router Advertisements
-UINT64 IPCIPv6GetServerEui(IPC *ipc)
+// Send router solicitation to find a router
+bool IPCSendIPv6RouterSoliciation(IPC *ipc, bool blocking)
 {
-	// It is already configured, nothing to do here
-	if (ipc->IPv6ServerEUI != 0)
-	{
-		return ipc->IPv6ServerEUI;
-	}
-
-	// If we don't have a valid client EUI, we can't generate a correct link local
-	if (ipc->IPv6ClientEUI == 0)
-	{
-		return ipc->IPv6ServerEUI;
-	}
-
-	if (LIST_NUM(ipc->IPv6RouterAdvs) == 0)
-	{
 	IP destIP;
 	IPV6_ADDR destV6;
 	UCHAR destMacAddress[6];
@@ -2334,6 +2408,12 @@ UINT64 IPCIPv6GetServerEui(IPC *ipc)
 	UINT64 giveup_time = Tick64() + (UINT64)(IPC_IPV6_RA_MAX_RETRIES * IPC_IPV6_RA_INTERVAL);
 	UINT64 timeout_retry = 0;

+	// If we don't have a valid client EUI, we can't generate a correct link local
+	if (ipc->IPv6ClientEUI == 0)
+	{
+		return false;
+	}
+
 	Zero(&linkLocal, sizeof(IPV6_ADDR));

 	// Generate link local from client's EUI
@@ -2352,6 +2432,12 @@ UINT64 IPCIPv6GetServerEui(IPC *ipc)

 	packet = BuildICMPv6RouterSoliciation(&linkLocal, &destV6, ipc->MacAddress, 0);

+	if (blocking == false) {
+		IPCIPv6SendWithDestMacAddr(ipc, packet->Buf, packet->Size, destMacAddress);
+		FreeBuf(packet);
+		return false;
+	}
+
 	while (LIST_NUM(ipc->IPv6RouterAdvs) == 0)
 	{
 		UINT64 now = Tick64();
@@ -2366,7 +2452,8 @@ UINT64 IPCIPv6GetServerEui(IPC *ipc)
 		if (Tick64() >= giveup_time)
 		{
 			// We failed to receive any router advertisements
-				break;
+			FreeBuf(packet);
+			return false;
 		}

 		// The processing should populate the received RAs by itself
@@ -2374,26 +2461,7 @@ UINT64 IPCIPv6GetServerEui(IPC *ipc)
 	}

 	FreeBuf(packet);
-	}
-
-	// Populating the IPv6 Server EUI for IPV6CP
-	if (LIST_NUM(ipc->IPv6RouterAdvs) > 0)
-	{
-		IPC_IPV6_ROUTER_ADVERTISEMENT *ra = LIST_DATA(ipc->IPv6RouterAdvs, 0);
-		Copy(&ipc->IPv6ServerEUI, &ra->RouterAddress.address[8], sizeof(ipc->IPv6ServerEUI));
-	}
-
-	// If it is still not defined, let's just generate something random
-	while (ipc->IPv6ServerEUI == 0)
-	{
-		ipc->IPv6ServerEUI = Rand64();
-		if (ipc->IPv6ClientEUI == ipc->IPv6ServerEUI)
-		{
-			ipc->IPv6ServerEUI = 0;
-		}
-	}
-
-	return ipc->IPv6ServerEUI;
+	return true;
 }

 // Data flow
@@ -2481,10 +2549,20 @@ void IPCIPv6SendWithDestMacAddr(IPC *ipc, void *data, UINT size, UCHAR *dest_mac
 			BUF *buf;
 			BUF *optBuf;
 			BUF *packet;
+			UINT header_size = 0;
 			// We need to rebuild the packet to
 			switch (p->ICMPv6HeaderPacketInfo.Type)
 			{
+			case ICMPV6_TYPE_ROUTER_SOLICIATION:
+				header_size = sizeof(ICMPV6_ROUTER_SOLICIATION_HEADER);
+				if (p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer == NULL)
+				{
+					p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer = &linkLayer;
+				}
+				Copy(p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer->Address, ipc->MacAddress, 6);
+				break;
 			case ICMPV6_TYPE_NEIGHBOR_SOLICIATION:
+				header_size = sizeof(ICMPV6_NEIGHBOR_SOLICIATION_HEADER);
 				if (p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer == NULL)
 				{
 					p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer = &linkLayer;
@@ -2492,6 +2570,7 @@ void IPCIPv6SendWithDestMacAddr(IPC *ipc, void *data, UINT size, UCHAR *dest_mac
 				Copy(p->ICMPv6HeaderPacketInfo.OptionList.SourceLinkLayer->Address, ipc->MacAddress, 6);
 				break;
 			case ICMPV6_TYPE_NEIGHBOR_ADVERTISEMENT:
+				header_size = sizeof(ICMPV6_NEIGHBOR_ADVERTISEMENT_HEADER);
 				if (p->ICMPv6HeaderPacketInfo.OptionList.TargetLinkLayer == NULL)
 				{
 					p->ICMPv6HeaderPacketInfo.OptionList.TargetLinkLayer = &linkLayer;
@@ -2501,12 +2580,12 @@ void IPCIPv6SendWithDestMacAddr(IPC *ipc, void *data, UINT size, UCHAR *dest_mac
 			}
 			switch (p->ICMPv6HeaderPacketInfo.Type)
 			{
+			case ICMPV6_TYPE_ROUTER_SOLICIATION:
 			case ICMPV6_TYPE_NEIGHBOR_SOLICIATION:
 			case ICMPV6_TYPE_NEIGHBOR_ADVERTISEMENT:
 				optBuf = BuildICMPv6Options(&p->ICMPv6HeaderPacketInfo.OptionList);
 				buf = NewBuf();
-				WriteBuf(buf, p->ICMPv6HeaderPacketInfo.Headers.HeaderPointer,
-				         p->ICMPv6HeaderPacketInfo.Type == ICMPV6_TYPE_NEIGHBOR_SOLICIATION ? sizeof(ICMPV6_NEIGHBOR_SOLICIATION_HEADER) : sizeof(ICMPV6_NEIGHBOR_ADVERTISEMENT_HEADER));
+				WriteBuf(buf, p->ICMPv6HeaderPacketInfo.Headers.HeaderPointer, header_size);
 				WriteBufBuf(buf, optBuf);
 				packet = BuildICMPv6(&p->IPv6HeaderPacketInfo.IPv6Header->SrcAddress,
 				                     &p->IPv6HeaderPacketInfo.IPv6Header->DestAddress,
@@ -91,6 +91,7 @@ struct IPC_PARAM
 	UINT Mss;
 	bool IsL3Mode;
 	X *ClientCertificate;
+	bool RadiusOK;
 	UINT Layer;
 };

@@ -155,7 +156,7 @@ struct IPC
 	LIST *IPv6NeighborTable;			// Neighbor Discovery Table
 	LIST *IPv6RouterAdvs;				// Router offered prefixes
 	UINT64 IPv6ClientEUI;				// The EUI of the client (for the SLAAC autoconf)
-	UINT64 IPv6ServerEUI;				// The EUI of the server (from the RA discovery)
+	UINT64 IPv6ServerEUI;				// The EUI of the server (from the IPC Mac address)
 };

 // MS-CHAPv2 authentication information
@@ -180,7 +181,7 @@ struct IPC_IPV6_ROUTER_ADVERTISEMENT
 IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char *username, char *password, char *wg_key,
            UINT *error_code, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port,
            char *client_hostname, char *crypt_name,
-            bool bridge_mode, UINT mss, EAP_CLIENT *eap_client, X *client_certificate,
+            bool bridge_mode, UINT mss, EAP_CLIENT *eap_client, X *client_certificate, bool external_auth,
            UINT layer);
 IPC *NewIPCByParam(CEDAR *cedar, IPC_PARAM *param, UINT *error_code);
 IPC *NewIPCBySock(CEDAR *cedar, SOCK *s, void *mac_address);
@@ -233,7 +234,7 @@ bool IPCIPv6CheckExistingLinkLocal(IPC *ipc, UINT64 eui);
 // RA
 void IPCIPv6AddRouterPrefixes(IPC *ipc, ICMPV6_OPTION_LIST *recvPrefix, UCHAR *macAddress, IP *ip);
 bool IPCIPv6CheckUnicastFromRouterPrefix(IPC *ipc, IP *ip, IPC_IPV6_ROUTER_ADVERTISEMENT *matchedRA);
-UINT64 IPCIPv6GetServerEui(IPC *ipc);
+bool IPCSendIPv6RouterSoliciation(IPC *ipc, bool blocking);
 // Data flow
 BLOCK *IPCIPv6Recv(IPC *ipc);
 void IPCIPv6Send(IPC *ipc, void *data, UINT size);
@@ -31,6 +31,7 @@ struct LINK
 	UINT CurrentSendPacketQueueSize;	// Current send packet queue size
 	UINT LastError;					// Last error
 	bool CheckServerCert;			// To check the server certificate
+	bool AddDefaultCA;				// Use default trust store
 	X *ServerCert;					// Server certificate
 	bool LockFlag;					// Lock flag
 	bool *StopAllLinkFlag;			// Stop all link flag
@@ -17,6 +17,7 @@
 #include "Mayaqua/Memory.h"
 #include "Mayaqua/Object.h"
 #include "Mayaqua/Str.h"
+#include "Mayaqua/Tick64.h"

 static bool disable_dos = false;
 static UINT max_connections_per_ip = DEFAULT_MAX_CONNECTIONS_PER_IP;
@@ -181,6 +182,11 @@ void TCPAcceptedThread(THREAD *t, void *param)
 	ConnectionAccept(c);
 	flag1 = c->flag1;

+	if (c->JsonRpcAuthed)
+	{
+		RemoveDosEntry(r, s);
+	}
+
 	// Release
 	SLog(r->Cedar, "LS_CONNECTION_END_1", c->Name);
 	ReleaseListener(c->Listener);
@@ -221,6 +227,46 @@ void TCPAccepted(LISTENER *r, SOCK *s)

 	num_clients_from_this_ip = GetNumIpClient(&s->RemoteIP);

+#ifdef	USE_DOS_ATTACK_DETECTION
+	if (disable_dos == false && r->DisableDos == false && r->Protocol != LISTENER_INPROC)
+	{
+		UINT max_uec, now_uec;
+		// DOS attack check
+		if (CheckDosAttack(r, s) == false)
+		{
+			Debug("DOS Attack 1 !!\n");
+			IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+			SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+			return;
+		}
+		if (StrCmpi(s->UnderlayProtocol, SOCK_UNDERLAY_NATIVE_V6) == 0 ||
+			StrCmpi(s->UnderlayProtocol, SOCK_UNDERLAY_NATIVE_V4) == 0)
+		{
+			if (IsInNoSsl(r->Cedar, &s->RemoteIP))
+			{
+				Debug("DOS Attack 2 !!\n");
+				IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+				SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+				return;
+			}
+		}
+		if (num_clients_from_this_ip > GetMaxConnectionsPerIp())
+		{
+			Debug("DOS Attack 3 !!\n");
+			IPToStr(tmp, sizeof(tmp), &s->RemoteIP);
+			SLog(r->Cedar, "LS_LISTENER_DOS", r->Port, tmp, s->RemotePort);
+			return;
+		}
+		max_uec = GetMaxUnestablishedConnections();
+		now_uec = GetUnestablishedConnections(cedar);
+		if (now_uec > max_uec)
+		{
+			Debug("DOS Attack 4 !!\n");
+			SLog(r->Cedar, "LS_LISTENER_MAXUEC", max_uec, now_uec);
+			return;
+		}
+	}
+#endif	// USE_DOS_ATTACK_DETECTION

 	IPToStr(tmp, sizeof(tmp), &s->RemoteIP);

@@ -239,6 +285,169 @@ void TCPAccepted(LISTENER *r, SOCK *s)
 	ReleaseThread(t);
 }

+// Remove a DOS entry
+bool RemoveDosEntry(LISTENER *r, SOCK *s)
+{
+	DOS *d;
+	bool ok = false;
+	// Validate arguments
+	if (r == NULL || s == NULL)
+	{
+		return false;
+	}
+
+	LockList(r->DosList);
+	{
+		// Delete old entries from the DOS attack list
+		RefreshDosList(r);
+
+		// Search the table
+		d = SearchDosList(r, &s->RemoteIP);
+
+		if (d != NULL)
+		{
+			Delete(r->DosList, d);
+			Free(d);
+			ok = true;
+		}
+	}
+	UnlockList(r->DosList);
+
+	return ok;
+}
+
+// Check whether this is a DOS attack
+bool CheckDosAttack(LISTENER *r, SOCK *s)
+{
+	DOS *d;
+	bool ok = true;
+	// Validate arguments
+	if (r == NULL || s == NULL)
+	{
+		return false;
+	}
+
+	LockList(r->DosList);
+	{
+		// Delete old entries from the DOS attack list
+		RefreshDosList(r);
+
+		// Search the table
+		d = SearchDosList(r, &s->RemoteIP);
+
+		if (d != NULL)
+		{
+			// There is a entry already
+			// This should mean being under a DOS attack
+			d->LastConnectedTick = Tick64();
+			d->CurrentExpireSpan = MIN(d->CurrentExpireSpan * (UINT64)2, DOS_TABLE_EXPIRES_MAX);
+			d->AccessCount++;
+			if (d->AccessCount > DOS_TABLE_MAX_LIMIT_PER_IP)
+			{
+				ok = false;
+			}
+		}
+		else
+		{
+			// Create a new entry
+			d = ZeroMalloc(sizeof(DOS));
+			d->CurrentExpireSpan = (UINT64)DOS_TABLE_EXPIRES_FIRST;
+			d->FirstConnectedTick = d->LastConnectedTick = Tick64();
+			d->AccessCount = 1;
+			d->DeleteEntryTick = d->FirstConnectedTick + (UINT64)DOS_TABLE_EXPIRES_TOTAL;
+			Copy(&d->IpAddress, &s->RemoteIP, sizeof(IP));
+			Add(r->DosList, d);
+		}
+	}
+	UnlockList(r->DosList);
+
+	return ok;
+}
+
+// Delete old entries from the DOS attack list
+void RefreshDosList(LISTENER *r)
+{
+	// Validate arguments
+	if (r == NULL)
+	{
+		return;
+	}
+
+	if (r->DosListLastRefreshTime == 0 ||
+		(r->DosListLastRefreshTime + (UINT64)DOS_TABLE_REFRESH_INTERVAL) <= Tick64())
+	{
+		UINT i;
+		LIST *o;
+		r->DosListLastRefreshTime = Tick64();
+
+		o = NewListFast(NULL);
+		for (i = 0;i < LIST_NUM(r->DosList);i++)
+		{
+			DOS *d = LIST_DATA(r->DosList, i);
+			if ((d->LastConnectedTick + d->CurrentExpireSpan) <= Tick64() ||
+				(d->DeleteEntryTick <= Tick64()))
+			{
+				Add(o, d);
+			}
+		}
+
+		for (i = 0;i < LIST_NUM(o);i++)
+		{
+			DOS *d = LIST_DATA(o, i);
+			Delete(r->DosList, d);
+			Free(d);
+		}
+
+		ReleaseList(o);
+	}
+}
+
+// Search the DOS attack list by the IP address
+DOS *SearchDosList(LISTENER *r, IP *ip)
+{
+	DOS *d, t;
+	// Validate arguments
+	if (r == NULL || ip == NULL)
+	{
+		return NULL;
+	}
+
+	Copy(&t.IpAddress, ip, sizeof(IP));
+
+	d = Search(r->DosList, &t);
+
+	if (d != NULL)
+	{
+		if ((d->LastConnectedTick + d->CurrentExpireSpan) <= Tick64() ||
+			(d->DeleteEntryTick <= Tick64()))
+		{
+			// Delete old entries
+			Delete(r->DosList, d);
+			Free(d);
+			return NULL;
+		}
+	}
+
+	return d;
+}
+
+// Comparison of DOS attack list entries
+int CompareDos(void *p1, void *p2)
+{
+	DOS *d1, *d2;
+	if (p1 == NULL || p2 == NULL)
+	{
+		return 0;
+	}
+	d1 = *(DOS **)p1;
+	d2 = *(DOS **)p2;
+	if (d1 == NULL || d2 == NULL)
+	{
+		return 0;
+	}
+
+	return CmpIpAddr(&d1->IpAddress, &d2->IpAddress);
+}

 // UDP listener main loop
 void ListenerUDPMainLoop(LISTENER *r)
@@ -385,9 +594,16 @@ void ListenerTCPMainLoop(LISTENER *r)
 					}
 				}
 				else
+				{
+					if (r->Cedar->Server == NULL)
 					{
 						s = ListenEx6(r->Port, r->LocalOnly);
 					}
+					else
+					{
+						s = ListenEx63(r->Port, r->LocalOnly, false, &r->Cedar->Server->ListenIP);
+					}
+				}
 			}
 			else if (r->Protocol == LISTENER_INPROC)
 			{
@@ -646,6 +862,13 @@ void CleanupListener(LISTENER *r)
 		return;
 	}

+	// Release the DOS attack list
+	for (i = 0;i < LIST_NUM(r->DosList);i++)
+	{
+		DOS *d = LIST_DATA(r->DosList, i);
+		Free(d);
+	}
+	ReleaseList(r->DosList);

 	if (r->Sock != NULL)
 	{
@@ -795,6 +1018,7 @@ LISTENER *NewListenerEx5(CEDAR *cedar, UINT proto, UINT port, THREAD_PROC *proc,
 	r->Port = port;
 	r->Event = NewEvent();

+	r->DosList = NewList(CompareDos);

 	r->LocalOnly = local_only;
 	r->ShadowIPv6 = shadow_ipv6;
@@ -10,12 +10,24 @@

 #include "CedarType.h"

+#include "Mayaqua/MayaType.h"
 #include "Mayaqua/Kernel.h"
+#include "Mayaqua/Network.h"

 // Function to call when receiving a new connection
 typedef void (NEW_CONNECTION_PROC)(CONNECTION *c);


+// DOS attack list
+struct DOS
+{
+	IP IpAddress;					// IP address
+	UINT64 FirstConnectedTick;		// Time which a client connects at the first time
+	UINT64 LastConnectedTick;		// Time which a client connected at the last time
+	UINT64 CurrentExpireSpan;		// Current time-out period of this record
+	UINT64 DeleteEntryTick;			// Time planned to delete this entry
+	UINT AccessCount;				// The number of accesses
+};

 // Listener structure
 struct LISTENER
@@ -31,6 +43,8 @@ struct LISTENER
 	volatile bool Halt;				// Halting flag
 	UINT Status;					// State

+	LIST *DosList;					// DOS attack list
+	UINT64 DosListLastRefreshTime;	// Time that the DOS list is refreshed at the last

 	THREAD_PROC *ThreadProc;		// Thread procedure
 	void *ThreadParam;				// Thread parameters
@@ -105,6 +119,11 @@ void FreeDynamicListener(DYNAMIC_LISTENER *d);
 bool ListenerRUDPRpcRecvProc(RUDP_STACK *r, UDPPACKET *p);
 void ListenerSetProcRecvRpcEnable(bool b);

+int CompareDos(void *p1, void *p2);
+DOS *SearchDosList(LISTENER *r, IP *ip);
+void RefreshDosList(LISTENER *r);
+bool CheckDosAttack(LISTENER *r, SOCK *s);
+bool RemoveDosEntry(LISTENER *r, SOCK *s);

 #endif	// LISTENER_H

@@ -75,7 +75,7 @@ void EtherIPIpcConnectThread(THREAD *t, void *p)
 			&s->ClientIP, s->ClientPort,
 			&s->ServerIP, s->ServerPort,
 			tmp,
-			s->CryptName, true, mss, NULL, NULL, IPC_LAYER_2);
+			s->CryptName, true, mss, NULL, NULL, false, IPC_LAYER_2);

 		if (ipc != NULL)
 		{
@@ -2008,7 +2008,6 @@ UINT CalcL2TPMss(L2TP_SERVER *l2tp, L2TP_TUNNEL *t, L2TP_SESSION *s)
 // Start the L2TP thread
 void StartL2TPThread(L2TP_SERVER *l2tp, L2TP_TUNNEL *t, L2TP_SESSION *s)
 {
-	PPP_SESSION* underlyingSession;
 	// Validate arguments
 	if (l2tp == NULL || t == NULL || s == NULL)
 	{
@@ -2037,11 +2036,9 @@ void StartL2TPThread(L2TP_SERVER *l2tp, L2TP_TUNNEL *t, L2TP_SESSION *s)
 		}

 		// Create a PPP thread
-		underlyingSession = NewPPPSession(l2tp->Cedar, &t->ClientIp, t->ClientPort, &t->ServerIp, t->ServerPort,
+		s->Thread = NewPPPSession(l2tp->Cedar, &t->ClientIp, t->ClientPort, &t->ServerIp, t->ServerPort,
 			s->TubeSend, s->TubeRecv, L2TP_IPC_POSTFIX, tmp, t->HostName, l2tp->CryptName,
 			CalcL2TPMss(l2tp, t, s));
-		s->Thread = underlyingSession->SessionThread;
-		s->PPPSession = underlyingSession;
 	}
 }

@@ -2145,9 +2142,9 @@ void L2TPProcessInterrupts(L2TP_SERVER *l2tp)
 		{
 			L2TP_SESSION* s = LIST_DATA(t->SessionList, i);

-			if (s->PPPSession != NULL && s->PPPSession->DataTimeout > l2tpTimeout)
+			if (s->TubeRecv != NULL && s->TubeRecv->DataTimeout > l2tpTimeout)
 			{
-				l2tpTimeout = s->PPPSession->DataTimeout;
+				l2tpTimeout = s->TubeRecv->DataTimeout;
 			}
 		}

@@ -171,7 +171,6 @@ struct L2TP_SESSION
 	UINT64 DisconnectTimeout;					// Disconnection completion time-out
 	bool HasThread;								// Whether have a thread
 	THREAD *Thread;								// Thread
-	PPP_SESSION* PPPSession;						// Underlying PPP session
 	TUBE *TubeSend;								// Tube of PPP to L2TP direction
 	TUBE *TubeRecv;								// Tube of L2TP to PPP direction
 	UINT PseudowireType;						// Type of L2TPv3 virtual line
@@ -147,7 +147,7 @@ bool OvsProcessData(void *param, TCP_RAW_DATA *in, FIFO *out)
 		payload_size = READ_USHORT(FifoPtr(fifo));
 		packet_size = payload_size + sizeof(USHORT);

-		if (payload_size == 0 || packet_size > sizeof(buf))
+		if (payload_size == 0 || payload_size > (sizeof(buf) - sizeof(USHORT)))
 		{
 			ret = false;
 			Debug("OvsProcessData(): Invalid payload size: %u bytes\n", payload_size);
@@ -824,6 +824,10 @@ void OvsProcessRecvControlPacket(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN
 				}

 				c->SslPipe = NewSslPipeEx(true, s->Cedar->ServerX, s->Cedar->ServerK, s->Dh, true, &c->ClientCert);
+				if (c->SslPipe == NULL)
+				{
+					return;
+				}
 			}
 			Unlock(s->Cedar->lock);

@@ -1902,6 +1906,10 @@ BUF *OvsBuildPacket(OPENVPN_PACKET *p)

 	// NumAck
 	num_ack = MIN(p->NumAck, OPENVPN_MAX_NUMACK);
+	if (p->OpCode != OPENVPN_P_ACK_V1)
+	{
+		num_ack = MIN(num_ack, OPENVPN_MAX_NUMACK_NONACK);
+	}
 	WriteBufChar(b, (UCHAR)num_ack);

 	if (p->NumAck >= 1)
@@ -1982,7 +1990,7 @@ OPENVPN_PACKET *OvsParsePacket(UCHAR *data, UINT size)

 	ret->NumAck = uc;

-	if (ret->NumAck > 4)
+	if (ret->NumAck > OPENVPN_MAX_NUMACK)
 	{
 		goto LABEL_ERROR;
 	}
@@ -2486,8 +2494,8 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 											if (r->Exists)
 											{
 												Format(l3_options, sizeof(l3_options),
-												       ",route %r %r vpn_gateway",
-												       &r->Network, &r->SubnetMask);
+												       ",route %r %r %r",
+												       &r->Network, &r->SubnetMask, &r->Gateway);

 												StrCat(option_str, sizeof(option_str), l3_options);
 											}
@@ -14,7 +14,8 @@
 #define	OPENVPN_UDP_PORT						1194	// OpenVPN default UDP port number
 #define	OPENVPN_UDP_PORT_INCLUDE				1195	// OpenVPN default UDP port number (Operating within the client)

-#define	OPENVPN_MAX_NUMACK						4		// The maximum number of ACKs
+#define	OPENVPN_MAX_NUMACK						8		// The maximum number of ACKs
+#define	OPENVPN_MAX_NUMACK_NONACK					4		// The maximum number of ACKs in != P_ACK_V1
 #define	OPENVPN_NUM_CHANNELS					8		// Maximum number of channels during a session
 #define	OPENVPN_CONTROL_PACKET_RESEND_INTERVAL	500		// Control packet retransmission interval
 #define	OPENVPN_CONTROL_PACKET_MAX_DATASIZE		1200	// Maximum data size that can be stored in one control packet
@@ -9,6 +9,7 @@
 #define	PROTO_PPP_H

 #include "CedarType.h"
+#include "Proto_IPsec.h"

 #include "Mayaqua/TcpIp.h"

@@ -111,6 +112,7 @@
 #define	PPP_EAP_TYPE_NOTIFICATION		2
 #define	PPP_EAP_TYPE_NAK				3
 #define	PPP_EAP_TYPE_TLS				13
+#define	PPP_EAP_TYPE_MSCHAPV2			26

 // EAP-TLS Flags
 #define	PPP_EAP_TLS_FLAG_NONE			0
@@ -228,6 +230,8 @@ struct PPP_EAP_TLS_CONTEXT
 	UCHAR *CachedBufferRecvPntr;
 	UCHAR *CachedBufferSend;
 	UCHAR *CachedBufferSendPntr;
+	bool DisableTls13;
+	int Tls13SessionTicketsCount;
 };

 // PPP request resend
@@ -290,7 +294,7 @@ struct PPP_SESSION
 	UINT MsChapV2_ErrorCode;			// Authentication failure error code of MS-CHAPv2
 	UINT MsChapV2_PacketId;				// MS-CHAPv2 Packet ID

-	bool MsChapV2_UseDoubleMsChapV2;	// Use the double-MSCHAPv2 technique
+	bool UseEapRadius;					// Use EAP for RADIUS authentication
 	EAP_CLIENT *EapClient;				// EAP client

 	UCHAR ServerInterfaceId[8];			// Server IPv6CP Interface Identifier
@@ -301,7 +305,8 @@ struct PPP_SESSION
 	// EAP contexts
 	UINT Eap_Protocol;					// Current EAP Protocol used
 	UINT Eap_PacketId;					// EAP Packet ID;
-	UCHAR Eap_Identity[MAX_SIZE];		// Received from client identity
+	ETHERIP_ID Eap_Identity;			// Received from client identity
+	bool Eap_MatchUserByCert;			// Attempt to match the user from it's certificate during EAP-TLS, ignoring the EAP-identification
 	PPP_EAP_TLS_CONTEXT Eap_TlsCtx;		// Context information for EAP TLS. May be possibly reused for EAP TTLS?

 	LIST *SentReqPacketList;			// Sent requests list
@@ -313,8 +318,6 @@ struct PPP_SESSION
 	UINT64 DataTimeout;
 	UINT64 UserConnectionTimeout;
 	UINT64 UserConnectionTick;
-
-	THREAD *SessionThread;				// Thread of the PPP session
 };


@@ -325,7 +328,7 @@ struct PPP_SESSION
 void PPPThread(THREAD *thread, void *param);

 // Entry point
-PPP_SESSION *NewPPPSession(CEDAR *cedar, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, TUBE *send_tube, TUBE *recv_tube, char *postfix, char *client_software_name, char *client_hostname, char *crypt_name, UINT adjust_mss);
+THREAD *NewPPPSession(CEDAR *cedar, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, TUBE *send_tube, TUBE *recv_tube, char *postfix, char *client_software_name, char *client_hostname, char *crypt_name, UINT adjust_mss);

 // PPP processing functions
 bool PPPRejectUnsupportedPacket(PPP_SESSION *p, PPP_PACKET *pp);
@@ -336,9 +339,11 @@ bool PPPSendEchoRequest(PPP_SESSION *p);
 bool PPPProcessResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessLCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessCHAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
+bool PPPProcessCHAPResponsePacketEx(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req, PPP_LCP *chap, bool use_eap);
 bool PPPProcessIPCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessIPv6CPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
+bool PPPProcessEapResponseForRadius(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eap_datasize);
 // Request packets
 bool PPPProcessRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
 bool PPPProcessLCPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
@@ -375,7 +380,8 @@ PPP_OPTION *NewPPPOption(UCHAR type, void *data, UINT size);
 // Packet parse utilities
 PPP_PACKET *ParsePPPPacket(void *data, UINT size);
 PPP_LCP *PPPParseLCP(USHORT protocol, void *data, UINT size);
-bool PPPParseMSCHAP2ResponsePacket(PPP_SESSION *p, PPP_PACKET *req);
+bool PPPParseMSCHAP2ResponsePacket(PPP_SESSION *p, PPP_PACKET *pp);
+bool PPPParseMSCHAP2ResponsePacketEx(PPP_SESSION *p, PPP_LCP *lcp, bool use_eap);
 // Packet building utilities
 BUF *BuildPPPPacketData(PPP_PACKET *pp);
 BUF *BuildLCPData(PPP_LCP *c);
@@ -386,7 +392,7 @@ bool PPPSetIPOptionToLCP(PPP_IPOPTION *o, PPP_LCP *c, bool only_modify);
 bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip);
 bool PPPSetIPAddressValueToLCP(PPP_LCP *c, UINT type, IP *ip, bool only_modify);
 // EAP packet utilities
-bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSize);
+bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize);
 PPP_LCP *BuildEAPPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize);
 PPP_LCP *BuildEAPTlsPacketEx(UCHAR code, UCHAR id, UCHAR type, UINT datasize, UCHAR flags);
 PPP_LCP *BuildEAPTlsRequest(UCHAR id, UINT datasize, UCHAR flags);
@@ -408,6 +414,7 @@ bool PPPParseUsername(CEDAR *cedar, char *src, ETHERIP_ID *dst);
 void GenerateNtPasswordHash(UCHAR *dst, char *password);
 void GenerateNtPasswordHashHash(UCHAR *dst_hash, UCHAR *src_hash);
 void MsChapV2Server_GenerateChallenge(UCHAR *dst);
+void MsChapV2Client_GenerateChallenge(UCHAR *dst);
 void MsChapV2_GenerateChallenge8(UCHAR *dst, UCHAR *client_challenge, UCHAR *server_challenge, char *username);
 void MsChapV2Client_GenerateResponse(UCHAR *dst, UCHAR *challenge8, UCHAR *nt_password_hash);
 void MsChapV2Server_GenerateResponse(UCHAR *dst, UCHAR *nt_password_hash_hash, UCHAR *client_response, UCHAR *challenge8);
@@ -275,8 +275,6 @@ void SstpProcessControlPacket(SSTP_SERVER *s, SSTP_PACKET *p)
 // Process the SSTP received data packet
 void SstpProcessDataPacket(SSTP_SERVER *s, SSTP_PACKET *p)
 {
-	PPP_SESSION *underlyingSession;
-
 	// Validate arguments
 	if (s == NULL || p == NULL || p->IsControl)
 	{
@@ -288,11 +286,9 @@ void SstpProcessDataPacket(SSTP_SERVER *s, SSTP_PACKET *p)
 	if (s->PPPThread == NULL)
 	{
 		// Create a thread to initialize the new PPP module
-		underlyingSession = NewPPPSession(s->Cedar, &s->ClientIp, s->ClientPort, &s->ServerIp, s->ServerPort,
+		s->PPPThread = NewPPPSession(s->Cedar, &s->ClientIp, s->ClientPort, &s->ServerIp, s->ServerPort,
 			s->TubeSend, s->TubeRecv, SSTP_IPC_POSTFIX, SSTP_IPC_CLIENT_NAME,
 			s->ClientHostName, s->ClientCipherName, 0);
-		s->PPPSession = underlyingSession;
-		s->PPPThread = underlyingSession->SessionThread;
 	}

 	// Pass the received data to the PPP module
@@ -444,9 +440,9 @@ void SstpProcessInterrupt(SSTP_SERVER *s)
 		}
 	}

-	if (s->PPPSession != NULL && s->PPPSession->DataTimeout > sstpTimeout)
+	if (s->TubeRecv != NULL && s->TubeRecv->DataTimeout > sstpTimeout)
 	{
-		sstpTimeout = s->PPPSession->DataTimeout;
+		sstpTimeout = s->TubeRecv->DataTimeout;
 	}

 	if ((s->LastRecvTick + sstpTimeout) <= s->Now)
@@ -119,7 +119,6 @@ struct SSTP_SERVER
 	UINT64 LastRecvTick;					// Tick when some data has received at the end
 	bool FlushRecvTube;						// Flag whether to flush the reception tube
 	UINT EstablishedCount;					// Number of session establishment
-	PPP_SESSION *PPPSession;				// Underlying PPP Session
 };


@@ -940,6 +940,7 @@ UINT ChangePasswordAccept(CONNECTION *c, PACK *p)
 								{
 									Copy(pw->HashedKey, new_password, SHA1_SIZE);
 									Copy(pw->NtLmSecureHash, new_password_ntlm, MD5_SIZE);
+									IncrementServerConfigRevision(cedar->Server);
 								}
 								HLog(hub, "LH_CHANGE_PASSWORD_5", c->Name, username);
 							}
@@ -1572,6 +1573,12 @@ bool ServerAccept(CONNECTION *c)

 				c->CipherName = NULL;

+				if (c->SslVersion != NULL)
+				{
+					Free(c->SslVersion);
+				}
+				c->SslVersion = NULL;
+
 				if (IsEmptyStr(tmp) == false)
 				{
 					c->CipherName = CopyStr(tmp);
@@ -1591,11 +1598,22 @@ bool ServerAccept(CONNECTION *c)
 				}
 				c->CipherName = NULL;

+				if (c->SslVersion != NULL)
+				{
+					Free(c->SslVersion);
+				}
+				c->SslVersion = NULL;
+
 				if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->CipherName) == false)
 				{
 					c->CipherName = CopyStr(c->FirstSock->CipherName);
 				}

+				if (c->FirstSock != NULL && IsEmptyStr(c->FirstSock->SslVersion) == false)
+				{
+					c->SslVersion = CopyStr(c->FirstSock->SslVersion);
+				}
+
 				Format(radius_login_opt.In_VpnProtocolState, sizeof(radius_login_opt.In_VpnProtocolState),
 					"L%u:%s", IPC_LAYER_2, "SEVPN");
 			}
@@ -1684,6 +1702,9 @@ bool ServerAccept(CONNECTION *c)
 				case CLIENT_AUTHTYPE_CERT:
 					authtype_str = _UU("LH_AUTH_CERT");
 					break;
+				case AUTHTYPE_EXTERNAL:
+					authtype_str = _UU("LH_AUTH_EXTERNAL");
+					break;
 				case AUTHTYPE_WIREGUARD_KEY:
 					authtype_str = _UU("LH_AUTH_WIREGUARD_KEY");
 					break;
@@ -1811,6 +1832,11 @@ bool ServerAccept(CONNECTION *c)
 					// Anonymous authentication (this have been already attempted)
 					break;

+				case AUTHTYPE_EXTERNAL:
+					// External authentication already completed
+					auth_ret = true;
+					break;
+
 				case AUTHTYPE_TICKET:
 					// Ticket authentication
 					if (PackGetDataSize(p, "ticket") == SHA1_SIZE)
@@ -1896,7 +1922,7 @@ bool ServerAccept(CONNECTION *c)

 						if (auth_ret == false)
 						{
-							// Attempt external authentication registered users
+							// Attempt external authentication
 							bool fail_ext_user_auth = false;
 							if (GetGlobalServerFlag(GSF_DISABLE_RADIUS_AUTH) != 0)
 							{
@@ -1905,7 +1931,7 @@ bool ServerAccept(CONNECTION *c)

 							if (fail_ext_user_auth == false)
 							{
-								auth_ret = SamAuthUserByPlainPassword(c, hub, username, plain_password, false, mschap_v2_server_response_20, &radius_login_opt);
+								auth_ret = SamAuthUserByPlainPassword(c, hub, username, plain_password, true, mschap_v2_server_response_20, &radius_login_opt);
 							}

 							if (auth_ret && pol == NULL)
@@ -1914,37 +1940,6 @@ bool ServerAccept(CONNECTION *c)
 							}
 						}

-						if (auth_ret == false)
-						{
-							// Attempt external authentication asterisk user
-							bool b = false;
-							bool fail_ext_user_auth = false;
-
-							if (GetGlobalServerFlag(GSF_DISABLE_RADIUS_AUTH) != 0)
-							{
-								fail_ext_user_auth = true;
-							}
-
-							if (fail_ext_user_auth == false)
-							{
-								AcLock(hub);
-								{
-									b = AcIsUser(hub, "*");
-								}
-								AcUnlock(hub);
-
-								// If there is asterisk user, log on as the user
-								if (b)
-								{
-									auth_ret = SamAuthUserByPlainPassword(c, hub, username, plain_password, true, mschap_v2_server_response_20, &radius_login_opt);
-									if (auth_ret && pol == NULL)
-									{
-										pol = SamGetUserPolicy(hub, "*");
-									}
-								}
-							}
-						}
-
 						if (pol != NULL)
 						{
 							no_save_password = pol->NoSavePassword;
@@ -2385,23 +2380,6 @@ bool ServerAccept(CONNECTION *c)
 				goto CLEANUP;
 			}

-			if ((policy->NoSavePassword) || (policy->AutoDisconnect != 0))
-			{
-				if (c->ClientBuild < 6560 && InStrEx(c->ClientStr, "client", false))
-				{
-					// If NoSavePassword policy is specified,
-					// only supported client can connect
-					HLog(hub, "LH_CLIENT_VERSION_OLD", c->Name, c->ClientBuild, 6560);
-
-					Unlock(hub->lock);
-					ReleaseHub(hub);
-					c->Err = ERR_VERSION_INVALID;
-					error_detail = "ERR_VERSION_INVALID";
-					Free(policy);
-					goto CLEANUP;
-				}
-			}
-
 			if (user_expires != 0 && user_expires <= SystemTime64())
 			{
 				// User expired
@@ -2956,6 +2934,8 @@ bool ServerAccept(CONNECTION *c)
 				rudp_bulk_version = 2;
 			}

+			s->BulkOnRUDPVersion = rudp_bulk_version;
+
 			if (s->EnableBulkOnRUDP)
 			{
 				AddProtocolDetailsKeyValueInt(s->ProtocolDetails, sizeof(s->ProtocolDetails), "RUDP_Bulk_Ver", s->BulkOnRUDPVersion);
@@ -3217,7 +3197,7 @@ bool ServerAccept(CONNECTION *c)
 #endif	// OS_WIN32

 					tmp2 = ZeroMalloc(tmp2_size);
-					UniFormat(tmp2, tmp2_size, _UU(c->ClientBuild >= 9428 ? "NATT_MSG" : "NATT_MSG2"), local_name);
+					UniFormat(tmp2, tmp2_size, _UU("NATT_MSG"), local_name);

 					UniStrCat(tmp, tmpsize, tmp2);

@@ -3843,7 +3823,18 @@ void CreateNodeInfo(NODE_INFO *info, CONNECTION *c)
 	// Server host name
 	StrCpy(info->ServerHostname, sizeof(info->ServerHostname), c->ServerName);
 	// Server IP address
-	if (GetIP(&ip, info->ServerHostname))
+	if (s->ClientOption->ProxyType == PROXY_DIRECT)
+	{
+		if (IsIP6(&c->FirstSock->RemoteIP) == false)
+		{
+			info->ServerIpAddress = IPToUINT(&c->FirstSock->RemoteIP);
+		}
+		else
+		{
+			Copy(info->ServerIpAddress6, c->FirstSock->RemoteIP.address, sizeof(info->ServerIpAddress6));
+		}
+	}
+	else if (GetIP(&ip, info->ServerHostname))
 	{
 		if (IsIP6(&ip) == false)
 		{
@@ -4300,7 +4291,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
 	X *x;
 	CHECK_CERT_THREAD_PROC *p;
 	THREAD *thread;
-	CEDAR *cedar;
 	bool ret;
 	UINT64 start;
 	// Validate arguments
@@ -4315,32 +4305,11 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
 	}

 	auth = c->Session->ClientAuth;
-	cedar = c->Cedar;

-	if (auth->CheckCertProc == NULL && c->Session->LinkModeClient == false)
-	{
-		// No checking function
-		return true;
-	}
-
-	if (c->Session->LinkModeClient && c->Session->Link->CheckServerCert == false)
-	{
-		// It's in cascade connection mode, but do not check the server certificate
-		return true;
-	}
-
-	if (c->UseTicket)
-	{
-		// Check the certificate of the redirected VPN server
-		if (CompareX(c->FirstSock->RemoteX, c->ServerX) == false)
+	if (auth->CheckCertProc == NULL)
 	{
 		return false;
 	}
-		else
-		{
-			return true;
-		}
-	}

 	x = CloneX(c->FirstSock->RemoteX);
 	if (x == NULL)
@@ -4349,63 +4318,6 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
 		return false;
 	}

-	if (CheckXDateNow(x))
-	{
-		// Check whether it is signed by the root certificate to trust
-		if (c->Session->LinkModeClient == false)
-		{
-			// Normal VPN Client mode
-			if (CheckSignatureByCa(cedar, x))
-			{
-				// This certificate can be trusted because it is signed
-				FreeX(x);
-				return true;
-			}
-		}
-		else
-		{
-			// Cascade connection mode
-			if (CheckSignatureByCaLinkMode(c->Session, x))
-			{
-				// This certificate can be trusted because it is signed
-				FreeX(x);
-				return true;
-			}
-		}
-	}
-
-	if (c->Session->LinkModeClient)
-	{
-		if (CheckXDateNow(x))
-		{
-			Lock(c->Session->Link->lock);
-			{
-				if (c->Session->Link->ServerCert != NULL)
-				{
-					if (CompareX(c->Session->Link->ServerCert, x))
-					{
-						Unlock(c->Session->Link->lock);
-						// Exactly match the certificate that is registered in the cascade configuration
-						FreeX(x);
-						return true;
-					}
-				}
-			}
-			Unlock(c->Session->Link->lock);
-		}
-		else
-		{
-			if (expired != NULL)
-			{
-				*expired = true;
-			}
-		}
-
-		// Verification failure at this point in the case of cascade connection mode
-		FreeX(x);
-		return false;
-	}
-
 	p = ZeroMalloc(sizeof(CHECK_CERT_THREAD_PROC));
 	p->ServerX = x;
 	p->CheckCertProc = auth->CheckCertProc;
@@ -4423,7 +4335,8 @@ bool ClientCheckServerCert(CONNECTION *c, bool *expired)
 		{
 			// Send a NOOP periodically for disconnection prevention
 			start = Tick64();
-			ClientUploadNoop(c);
+			// Do not send because we now ask for user permission before sending signature
+			//ClientUploadNoop(c);
 		}
 		if (p->UserSelected)
 		{
@@ -4482,10 +4395,43 @@ REDIRECTED:
 	s = ClientConnectToServer(c);
 	if (s == NULL)
 	{
+		// Do not retry if untrusted or hostname mismatched
+		if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
+			&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
+		{
+			c->Session->ForceStopFlag = true;
+		}
 		PrintStatus(sess, L"free");
 		return false;
 	}

+	PrintStatus(sess, _UU("STATUS_5"));
+
+	// Prompt user whether to continue on verification errors
+	if ((c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH || c->Err == ERR_SERVER_CERT_EXPIRES) && ClientCheckServerCert(c, &expired) == false)
+	{
+		if (expired)
+		{
+			c->Err = ERR_SERVER_CERT_EXPIRES;
+		}
+
+		// Do not retry if untrusted or hostname mismatched
+		if (c->Session->LinkModeClient == false && (c->Err == ERR_CERT_NOT_TRUSTED || c->Err == ERR_HOSTNAME_MISMATCH)
+			&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
+		{
+			c->Session->ForceStopFlag = true;
+		}
+
+		goto CLEANUP;
+	}
+
+	// Check the certificate of the redirected VPN server
+	if (c->UseTicket && CompareX(s->RemoteX, c->ServerX) == false)
+	{
+		c->Err = ERR_CERT_NOT_TRUSTED;
+		goto CLEANUP;
+	}
+
 	Copy(&server_ip, &s->RemoteIP, sizeof(IP));

 	if (c->Halt)
@@ -4537,8 +4483,6 @@ REDIRECTED:
 		goto CLEANUP;
 	}

-	PrintStatus(sess, _UU("STATUS_5"));
-
 	// Receive a Hello packet
 	Debug("Downloading Hello...\n");
 	if (ClientDownloadHello(c, s) == false)
@@ -4574,27 +4518,6 @@ REDIRECTED:
 	// During user authentication
 	c->Session->ClientStatus = CLIENT_STATUS_AUTH;

-	// Verify the server certificate by the client
-	if (ClientCheckServerCert(c, &expired) == false)
-	{
-		if (expired == false)
-		{
-			c->Err = ERR_CERT_NOT_TRUSTED;
-		}
-		else
-		{
-			c->Err = ERR_SERVER_CERT_EXPIRES;
-		}
-
-		if (c->Session->LinkModeClient == false && c->Err == ERR_CERT_NOT_TRUSTED
-			&& (c->Session->Account == NULL || ! c->Session->Account->RetryOnServerCert))
-		{
-			c->Session->ForceStopFlag = true;
-		}
-
-		goto CLEANUP;
-	}
-
 	PrintStatus(sess, _UU("STATUS_6"));

 	// Send the authentication data
@@ -5048,6 +4971,13 @@ REDIRECTED:
 		}

 		c->CipherName = CopyStr(c->FirstSock->CipherName);
+
+		if (c->SslVersion != NULL)
+		{
+			Free(c->SslVersion);
+		}
+
+		c->SslVersion = CopyStr(c->FirstSock->SslVersion);
 	}
 	Unlock(c->lock);

@@ -6223,16 +6153,29 @@ SOCK *ClientConnectToServer(CONNECTION *c)
 	SetTimeout(s, CONNECTING_TIMEOUT);

 	// Start the SSL communication
-	if (StartSSLEx(s, x, k, 0, c->ServerName) == false)
+	UINT err = 0;
+	if (StartSSLEx3(s, x, k, NULL, 0, c->ServerName, c->Session->SslOption, &err) == false)
 	{
 		// SSL communication start failure
 		Disconnect(s);
 		ReleaseSock(s);
 		c->FirstSock = NULL;
+		if (err != 0)
+		{
+			c->Err = err;
+		}
+		else
+		{
 			c->Err = ERR_SERVER_IS_NOT_VPN;
+		}
 		return NULL;
 	}

+	if (err != 0)
+	{
+		c->Err = err;
+	}
+
 	if (s->RemoteX == NULL)
 	{
 		// SSL communication start failure
@@ -6243,6 +6186,8 @@ SOCK *ClientConnectToServer(CONNECTION *c)
 		return NULL;
 	}

+	CLog(c->Cedar->Client, "LC_SSL_CONNECTED", c->Session->ClientOption->AccountName,	s->SslVersion, s->CipherName);
+
 	return s;
 }

@@ -6251,6 +6196,8 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 {
 	volatile bool *cancel_flag = NULL;
 	char hostname[MAX_HOST_NAME_LEN];
+	char localaddr[MAX_HOST_NAME_LEN];
+
 	bool save_resolved_ip = false;
 	CLIENT_OPTION *o;
 	SESSION *sess;
@@ -6282,7 +6229,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 		c->ServerPort = o->Port;
 	}

-	if (IsZeroIP(&sess->ServerIP_CacheForNextConnect) == false)
+	if (additional_connect && IsZeroIP(&sess->ServerIP_CacheForNextConnect) == false)
 	{
 		IPToStr(hostname, sizeof(hostname), &sess->ServerIP_CacheForNextConnect);
 		Debug("ClientConnectGetSocket(): Using cached IP address %s\n", hostname);
@@ -6302,6 +6249,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)

 	if (o->ProxyType == PROXY_DIRECT)
 	{
+		UINT ssl_err = 0;
 		UINT nat_t_err = 0;
 		wchar_t tmp[MAX_SIZE];
 		UniFormat(tmp, sizeof(tmp), _UU("STATUS_4"), hostname);
@@ -6309,11 +6257,50 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)

 		if (o->PortUDP == 0)
 		{
+			IP		*localIP;
+			UINT	localport;
+
+			// Top of Bind outgoing connection
+			// Decide the binding operation which is explicitly executed on the client-side
+
+			// In the case of first TCP/IP connection
+			if (additional_connect == false) {
+				if (sess->ClientOption->NoRoutingTracking == false) {
+					localIP = BIND_LOCALIP_NULL;	// Specify not to bind
+				}
+				else {
+					// Nonzero address is for source IP address to bind. Zero address is for dummy not to bind.
+					if (IsZeroIP(&sess->ClientOption->BindLocalIP) == true) {
+						localIP = BIND_LOCALIP_NULL;
+					}
+					else {
+						localIP = &sess->ClientOption->BindLocalIP;
+					}
+					Debug("ClientConnectGetSocket(): Source IP address %r and source port number %d for binding\n"
+						, &sess->ClientOption->BindLocalIP, sess->ClientOption->BindLocalPort);
+				}
+			}
+			// In the case of second and subsequent TCP/IP connections
+			else {
+				// Bind the socket to the actual local IP address of first TCP / IP connection
+				localIP = &sess->LocalIP_CacheForNextConnect;
+				//localIP = BIND_LOCALIP_NULL;	// Specify not to bind for test
+			}
+			if (sess->ClientOption->BindLocalPort == 0) {
+				localport = BIND_LOCALPORT_NULL;
+			}
+			else {
+				localport = sess->ClientOption->BindLocalPort + Count(sess->Connection->CurrentNumConnection) - 1;
+				Debug("ClientConnectGetSocket(): Additional source port number %u\n", localport);
+			}
+			// Bottom of Bind outgoing connection
+
 			// If additional_connect == false, enable trying to NAT-T connection
 			// If additional_connect == true, follow the IsRUDPSession setting in this session
-			sock = TcpIpConnectEx(hostname, c->ServerPort,
+			// In additional connect or redirect we do not need ssl verification as the certificate is always compared with a saved one
+			sock = BindTcpIpConnectEx2(localIP, localport, hostname, c->ServerPort,
 				(bool *)cancel_flag, c->hWndForUI, &nat_t_err, (additional_connect ? (!sess->IsRUDPSession) : false),
-				true, &resolved_ip);
+				true, ((additional_connect || c->UseTicket) ? NULL : sess->SslOption), &ssl_err, o->HintStr, &resolved_ip);
 		}
 		else
 		{
@@ -6335,9 +6322,16 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 		{
 			// Connection failure
 			if (nat_t_err != RUDP_ERROR_NAT_T_TWO_OR_MORE)
+			{
+				if (ssl_err != 0)
+				{
+					c->Err = ssl_err;
+				}
+				else
 				{
 					c->Err = ERR_CONNECT_FAILED;
 				}
+			}
 			else
 			{
 				c->Err = ERR_NAT_T_TWO_OR_MORE;
@@ -6345,6 +6339,11 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)

 			return NULL;
 		}
+
+		if (ssl_err != 0)
+		{
+			c->Err = ssl_err;
+		}
 	}
 	else
 	{
@@ -6369,6 +6368,33 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 		StrCpy(in.HttpCustomHeader, sizeof(in.HttpCustomHeader), o->CustomHttpHeader);
 		StrCpy(in.HttpUserAgent, sizeof(in.HttpUserAgent), c->Cedar->HttpUserAgent);

+		// Top of Bind outgoing connection
+		// In the case of first TCP/IP connection
+		if (additional_connect == false) {
+			if (sess->ClientOption->NoRoutingTracking == false) {
+				in.BindLocalIP = BIND_LOCALIP_NULL;	// Specify not to bind
+			}
+			else {
+				if (IsZeroIP(&sess->ClientOption->BindLocalIP) == true) {
+					in.BindLocalIP = BIND_LOCALIP_NULL;
+				}
+				else {
+					in.BindLocalIP = &sess->ClientOption->BindLocalIP;
+				}
+			}
+		}
+		// In the case of second and subsequent TCP/IP connections
+		else {
+			in.BindLocalIP = &sess->LocalIP_CacheForNextConnect;
+		}
+		if (sess->ClientOption->BindLocalPort == 0) {
+			in.BindLocalPort = BIND_LOCALPORT_NULL;
+		}
+		else {
+			in.BindLocalPort = sess->ClientOption->BindLocalPort + Count(sess->Connection->CurrentNumConnection) - 1;
+		}
+		// Bottom of Bind outgoing connection
+
 #ifdef OS_WIN32
 		in.Hwnd = c->hWndForUI;
 #endif
@@ -6379,13 +6405,16 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 		switch (o->ProxyType)
 		{
 		case PROXY_HTTP:
-			ret = ProxyHttpConnect(&out, &in, cancel_flag);
+//			ret = ProxyHttpConnect(&out, &in, cancel_flag);
+			ret = BindProxyHttpConnect(&out, &in, cancel_flag);		// Bind outgoing connection
 			break;
 		case PROXY_SOCKS:
-			ret = ProxySocks4Connect(&out, &in, cancel_flag);
+//			ret = ProxySocks4Connect(&out, &in, cancel_flag);
+			ret = BindProxySocks4Connect(&out, &in, cancel_flag);	// Bind outgoing connection
 			break;
 		case PROXY_SOCKS5:
-			ret = ProxySocks5Connect(&out, &in, cancel_flag);
+//			ret = ProxySocks5Connect(&out, &in, cancel_flag);
+			ret = BindProxySocks5Connect(&out, &in, cancel_flag);	// Bind outgoing connection
 			break;
 		default:
 			c->Err = ERR_INTERNAL_ERROR;
@@ -6408,7 +6437,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)

 	if (additional_connect == false || IsZeroIP(&sock->RemoteIP))
 	{
-		if (((sock->IsRUDPSocket || sock->IPv6) && IsZeroIP(&sock->RemoteIP) == false && o->ProxyType == PROXY_DIRECT) || GetIP(&c->Session->ServerIP, hostname) == false)
+		if (IsZeroIP(&sock->RemoteIP) == false || (sock->IPv6 && GetIP6(&c->Session->ServerIP, hostname) == false) || (sock->IPv6 == false && GetIP4(&c->Session->ServerIP, hostname) == false))
 		{
 			Copy(&c->Session->ServerIP, &sock->RemoteIP, sizeof(c->Session->ServerIP));
 		}
@@ -6420,6 +6449,25 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
 		Debug("ClientConnectGetSocket(): Saved %s IP address %r for future connections.\n", hostname, &resolved_ip);
 	}

+	// Top of Bind outgoing connection
+	IPToStr(localaddr, sizeof(localaddr), &sock->LocalIP);
+
+	// In the case of first TCP/IP connection, save the local IP address
+	if (additional_connect == false) {
+		c->Session->LocalIP_CacheForNextConnect = sock->LocalIP;
+		Debug("ClientConnectGetSocket(): Saved local IP address %r for future connections.\n", &sock->LocalIP);
+	}
+	// In the case of second and subsequent TCP/IP connections, check to see whether or not the local IP address is same as the first one
+	else {
+		if (memcmp(sock->LocalIP.address, c->Session->LocalIP_CacheForNextConnect.address, sizeof(sock->LocalIP.address)) == 0) {
+			Debug("ClientConnectGetSocket(): Binded local IP address %s OK\n", localaddr);
+		}
+		else {
+			Debug("ClientConnectGetSocket(): Binded local IP address %s NG\n", localaddr);
+		}
+	}
+	// Bottom of Bind outgoing connection
+
 	return sock;
 }

@@ -6449,23 +6497,60 @@ UINT ProxyCodeToCedar(UINT code)

 // TCP connection function
 SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip)
+{
+	return BindTcpConnectEx3(BIND_LOCALIP_NULL, BIND_LOCALPORT_NULL, hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ret_ip);
+}
+
+SOCK *TcpConnectEx4(char * hostname, UINT port, UINT timeout, bool * cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
+{
+	return BindTcpConnectEx4(BIND_LOCALIP_NULL, BIND_LOCALPORT_NULL, hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip);
+}
+
+// Connect with TCP/IP
+SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
+{
+	return BindTcpIpConnectEx(BIND_LOCALIP_NULL, BIND_LOCALPORT_NULL, hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, ret_ip);
+}
+
+SOCK *TcpIpConnectEx2(char * hostname, UINT port, bool * cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
+{
+	return BindTcpIpConnectEx2(BIND_LOCALIP_NULL, BIND_LOCALPORT_NULL, hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip);
+}
+
+// TCP connection function
+//SOCK* TcpConnectEx3(char* hostname, UINT port, UINT timeout, bool* cancel_flag, void* hWnd, bool no_nat_t, UINT* nat_t_error_code, bool try_start_ssl, IP* ret_ip)
+SOCK *BindTcpConnectEx3(IP *localIP, UINT localport, char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip)
+{
+//	return TcpConnectEx4(hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, NULL, NULL, ret_ip);
+	return BindTcpConnectEx4(localIP, localport, hostname, port, timeout, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, NULL, NULL, NULL, ret_ip);
+}
+//SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
+SOCK *BindTcpConnectEx4(IP *localIP, UINT localport, char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
 {
 #ifdef	OS_WIN32
 	if (hWnd == NULL)
 	{
 #endif	// OS_WIN32
-		return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ret_ip);
+//		return ConnectEx5(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ssl_option, ssl_err, hint_str, ret_ip);
+		return BindConnectEx5(localIP, localport, hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ssl_option, ssl_err, hint_str, ret_ip);
 #ifdef	OS_WIN32
 	}
 	else
 	{
-		return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl);
+		return WinConnectEx4((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, ssl_option, ssl_err, hint_str);
 	}
 #endif	// OS_WIN32
 }

 // Connect with TCP/IP
-SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
+//SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
+SOCK *BindTcpIpConnectEx(IP *localIP, UINT localport, char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
+{
+//	return TcpIpConnectEx2(hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, NULL, NULL, ret_ip);
+	return BindTcpIpConnectEx2(localIP, localport, hostname, port, cancel_flag, hWnd, nat_t_error_code, no_nat_t, try_start_ssl, NULL, NULL, NULL, ret_ip);
+}
+//SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
+SOCK *BindTcpIpConnectEx2(IP *localIP, UINT localport, char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip)
 {
 	SOCK *s = NULL;
 	UINT dummy_int = 0;
@@ -6480,7 +6565,8 @@ SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, U
 		return NULL;
 	}

-	s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ret_ip);
+//	s = TcpConnectEx4(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip);
+	s = BindTcpConnectEx4(localIP, localport, hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_option, ssl_err, hint_str, ret_ip);
 	if (s == NULL)
 	{
 		return NULL;
@@ -6752,6 +6838,25 @@ PACK *PackLoginWithAnonymous(char *hubname, char *username)
 	return p;
 }

+// Create a packet for external login
+PACK *PackLoginWithExternal(char *hubname, char *username)
+{
+	PACK *p;
+	// Validate arguments
+	if (hubname == NULL || username == NULL)
+	{
+		return NULL;
+	}
+
+	p = NewPack();
+	PackAddStr(p, "method", "login");
+	PackAddStr(p, "hubname", hubname);
+	PackAddStr(p, "username", username);
+	PackAddInt(p, "authtype", AUTHTYPE_EXTERNAL);
+
+	return p;
+}
+
 // Create a packet for the additional connection
 PACK *PackAdditionalConnect(UCHAR *session_key)
 {
@@ -114,6 +114,12 @@ bool ServerAccept(CONNECTION *c);
 bool ClientConnect(CONNECTION *c);
 SOCK *ClientConnectToServer(CONNECTION *c);
 SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip);
+SOCK *TcpIpConnectEx2(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
+
+// New function named with prefix "Bind" binds outgoing connection to a specific address. New one is wrapped in original one.
+SOCK* BindTcpIpConnectEx(IP *localIP, UINT localport, char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip);
+SOCK* BindTcpIpConnectEx2(IP *localIP, UINT localport, char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
+
 bool ClientUploadSignature(SOCK *s);
 bool ClientDownloadHello(CONNECTION *c, SOCK *s);
 bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str);
@@ -121,6 +127,11 @@ bool ServerUploadHello(CONNECTION *c);
 bool ClientUploadAuth(CONNECTION *c);
 SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect);
 SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip);
+SOCK *TcpConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);
+
+// New function named with prefix "Bind" binds outgoing connection to a specific address. New one is wrapped in original one.
+SOCK* BindTcpConnectEx3(IP *localIP, UINT localport, char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip);
+SOCK* BindTcpConnectEx4(IP *localIP, UINT localport, char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str, IP *ret_ip);

 UINT ProxyCodeToCedar(UINT code);

@@ -132,6 +143,7 @@ void PackAddPolicy(PACK *p, POLICY *y);
 PACK *PackWelcome(SESSION *s);
 PACK *PackHello(void *random, UINT ver, UINT build, char *server_str);
 bool GetHello(PACK *p, void *random, UINT *ver, UINT *build, char *server_str, UINT server_str_size);
+PACK *PackLoginWithExternal(char *hubname, char *username);
 PACK *PackLoginWithAnonymous(char *hubname, char *username);
 PACK *PackLoginWithPassword(char *hubname, char *username, void *secure_password);
 PACK *PackLoginWithPlainPassword(char *hubname, char *username, void *plain_password);
@@ -10,6 +10,7 @@
 #include "Connection.h"
 #include "IPC.h"
 #include "Server.h"
+#include "Proto_PPP.h"

 #include "Mayaqua/DNS.h"
 #include "Mayaqua/Internat.h"
@@ -19,7 +20,7 @@
 #include "Mayaqua/Tick64.h"

 // send PEAP-MSCHAPv2 auth client response
-bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge)
+bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username)
 {
 	bool ret = false;
 	EAP_MSCHAPV2_RESPONSE msg1;
@@ -37,13 +38,13 @@ bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_respo
 	msg1.Type = EAP_TYPE_MS_AUTH;
 	msg1.Chap_Opcode = EAP_MSCHAPV2_OP_RESPONSE;
 	msg1.Chap_Id = e->MsChapV2Challenge.Chap_Id;
-	msg1.Chap_Len = Endian16(54 + StrLen(e->Username));
+	msg1.Chap_Len = Endian16(54 + StrLen(username));
 	msg1.Chap_ValueSize = 49;
 	Copy(msg1.Chap_PeerChallenge, client_challenge, 16);
 	Copy(msg1.Chap_NtResponse, client_response, 24);
-	Copy(msg1.Chap_Name, e->Username, MIN(StrLen(e->Username), 255));
+	Copy(msg1.Chap_Name, username, MIN(StrLen(username), 255));

-	if (SendPeapPacket(e, &msg1, 59 + StrLen(e->Username)) &&
+	if (SendPeapPacket(e, &msg1, 59 + StrLen(username)) &&
 		GetRecvPeapMessage(e, &msg2))
 	{
 		if (msg2.Type == EAP_TYPE_MS_AUTH &&
@@ -300,7 +301,7 @@ bool SendPeapRawPacket(EAP_CLIENT *e, UCHAR *peap_data, UINT peap_size)

 		Add(send_packet->AvpList, eap_avp);

-		response_packet = EapSendPacketAndRecvResponse(e, send_packet);
+		response_packet = EapSendPacketAndRecvResponse(e, send_packet, true);

 		if (response_packet != NULL)
 		{
@@ -416,6 +417,11 @@ bool StartPeapSslClient(EAP_CLIENT *e)
 	}

 	e->SslPipe = NewSslPipe(false, NULL, NULL, NULL);
+	if (e->SslPipe == NULL)
+	{
+		return false;
+	}
+
 	send_fifo = e->SslPipe->RawOut->RecvFifo;
 	recv_fifo = e->SslPipe->RawIn->SendFifo;

@@ -502,7 +508,7 @@ bool StartPeapClient(EAP_CLIENT *e)
 	Copy(eap1->Data, e->Username, StrLen(e->Username));
 	Add(request1->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(e->Username) + 5));

-	response1 = EapSendPacketAndRecvResponse(e, request1);
+	response1 = EapSendPacketAndRecvResponse(e, request1, true);

 	if (response1 != NULL)
 	{
@@ -532,7 +538,7 @@ bool StartPeapClient(EAP_CLIENT *e)

 					Add(request2->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap2, 6));

-					response2 = EapSendPacketAndRecvResponse(e, request2);
+					response2 = EapSendPacketAndRecvResponse(e, request2, true);

 					if (response2 != NULL && response2->Parse_EapMessage_DataSize != 0 && response2->Parse_EapMessage != NULL)
 					{
@@ -632,7 +638,7 @@ void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e)
 }

 // Send a MSCHAPv2 client auth response1
-bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge)
+bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username)
 {
 	bool ret = false;
 	RADIUS_PACKET *request1 = NULL;
@@ -657,20 +663,20 @@ bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_respon

 	eap1 = ZeroMalloc(sizeof(EAP_MSCHAPV2_RESPONSE));
 	eap1->Code = EAP_CODE_RESPONSE;
-	eap1->Id = e->NextEapId++;
-	eap1->Len = Endian16(59 + StrLen(e->Username));
+	eap1->Id = e->LastRecvEapId;
+	eap1->Len = Endian16(59 + StrLen(username));
 	eap1->Type = EAP_TYPE_MS_AUTH;
 	eap1->Chap_Opcode = EAP_MSCHAPV2_OP_RESPONSE;
 	eap1->Chap_Id = e->MsChapV2Challenge.Chap_Id;
-	eap1->Chap_Len = Endian16(54 + StrLen(e->Username));
+	eap1->Chap_Len = Endian16(54 + StrLen(username));
 	eap1->Chap_ValueSize = 49;
 	Copy(eap1->Chap_PeerChallenge, client_challenge, 16);
 	Copy(eap1->Chap_NtResponse, client_response, 24);
-	Copy(eap1->Chap_Name, e->Username, MIN(StrLen(e->Username), 255));
+	Copy(eap1->Chap_Name, username, MIN(StrLen(username), 255));

-	Add(request1->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(e->Username) + 59));
+	Add(request1->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(username) + 59));

-	response1 = EapSendPacketAndRecvResponse(e, request1);
+	response1 = EapSendPacketAndRecvResponse(e, request1, false);

 	if (response1 != NULL)
 	{
@@ -713,14 +719,14 @@ bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_respon

 									eap2 = ZeroMalloc(sizeof(EAP_MSCHAPV2_SUCCESS_CLIENT));
 									eap2->Code = EAP_CODE_RESPONSE;
-									eap2->Id = e->NextEapId++;
+									eap2->Id = e->LastRecvEapId;
 									eap2->Len = Endian16(6);
 									eap2->Type = EAP_TYPE_MS_AUTH;
 									eap2->Chap_Opcode = EAP_MSCHAPV2_OP_SUCCESS;

 									Add(request2->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap2, 6));

-									response2 = EapSendPacketAndRecvResponse(e, request2);
+									response2 = EapSendPacketAndRecvResponse(e, request2, false);

 									if (response2 != NULL)
 									{
@@ -770,13 +776,13 @@ bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e)

 	eap1 = ZeroMalloc(sizeof(EAP_MESSAGE));
 	eap1->Code = EAP_CODE_RESPONSE;
-	eap1->Id = e->NextEapId++;
+	eap1->Id = e->LastRecvEapId;
 	eap1->Len = Endian16(StrLen(e->Username) + 5);
 	eap1->Type = EAP_TYPE_IDENTITY;
 	Copy(eap1->Data, e->Username, StrLen(e->Username));
 	Add(request1->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(e->Username) + 5));

-	response1 = EapSendPacketAndRecvResponse(e, request1);
+	response1 = EapSendPacketAndRecvResponse(e, request1, false);

 	if (response1 != NULL)
 	{
@@ -799,14 +805,14 @@ bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e)

 					eap2 = ZeroMalloc(sizeof(EAP_MESSAGE));
 					eap2->Code = EAP_CODE_RESPONSE;
-					eap2->Id = e->NextEapId++;
+					eap2->Id = e->LastRecvEapId;
 					eap2->Len = Endian16(6);
 					eap2->Type = EAP_TYPE_LEGACY_NAK;
 					eap2->Data[0] = EAP_TYPE_MS_AUTH;

 					Add(request2->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap2, 6));

-					response2 = EapSendPacketAndRecvResponse(e, request2);
+					response2 = EapSendPacketAndRecvResponse(e, request2, false);

 					if (response2 != NULL && response2->Parse_EapMessage_DataSize != 0 && response2->Parse_EapMessage != NULL)
 					{
@@ -849,8 +855,141 @@ LABEL_PARSE_EAP:
 	return ret;
 }

+// Send a EAP identity request to Radius
+PPP_LCP *EapClientSendEapIdentity(EAP_CLIENT *e)
+{
+	PPP_LCP *lcp = NULL;
+	RADIUS_PACKET *request = NULL;
+	RADIUS_PACKET *response = NULL;
+	EAP_MESSAGE *eap1 = NULL;
+	if (e == NULL)
+	{
+		return NULL;
+	}
+
+	request = NewRadiusPacket(RADIUS_CODE_ACCESS_REQUEST, e->NextRadiusPacketId++);
+	EapSetRadiusGeneralAttributes(request, e);
+
+	eap1 = ZeroMalloc(sizeof(EAP_MESSAGE));
+	eap1->Code = EAP_CODE_RESPONSE;
+	eap1->Id = e->LastRecvEapId;
+	eap1->Len = Endian16(StrLen(e->Username) + 5);
+	eap1->Type = EAP_TYPE_IDENTITY;
+	Copy(eap1->Data, e->Username, StrLen(e->Username));
+	Add(request->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, eap1, StrLen(e->Username) + 5));
+	Debug("Radius proxy: send access-request %d with EAP code %d id %d type %d datasize %d\n", 
+			request->PacketId, eap1->Code, eap1->Id, eap1->Type, StrLen(e->Username));
+
+	response = EapSendPacketAndRecvResponse(e, request, false);
+
+	if (response != NULL)
+	{
+		if (response->Parse_EapMessage_DataSize >= 5 && response->Parse_EapMessage != NULL)
+		{
+			EAP_MESSAGE *eap2 = response->Parse_EapMessage;
+			UINT datasize = response->Parse_EapMessage_DataSize - 5;
+			lcp = BuildEAPPacketEx(eap2->Code, eap2->Id, eap2->Type, datasize);
+			PPP_EAP *eap_packet = lcp->Data;
+			Copy(eap_packet->Data, eap2->Data, datasize);
+			Debug("Radius proxy: received access-challenge %d with EAP code %d id %d type %d datasize %d\n", 
+					response->PacketId, eap2->Code, eap2->Id, eap2->Type, datasize);
+		}
+	}
+
+	FreeRadiusPacket(request);
+	FreeRadiusPacket(response);
+	Free(eap1);
+
+	return lcp;
+}
+
+// Send generic EAP Radius request (client EAP response) and get reply
+PPP_LCP *EapClientSendEapRequest(EAP_CLIENT *e, PPP_EAP *eap_request, UINT request_datasize)
+{
+	PPP_LCP *lcp = NULL;
+	RADIUS_PACKET *request = NULL;
+	RADIUS_PACKET *response = NULL;
+	EAP_MESSAGE *eap1 = NULL;
+	UCHAR *pos;
+	UINT remaining;
+	if (e == NULL || eap_request == NULL)
+	{
+		return NULL;
+	}
+
+	request = NewRadiusPacket(RADIUS_CODE_ACCESS_REQUEST, e->NextRadiusPacketId++);
+	EapSetRadiusGeneralAttributes(request, e);
+
+	if (e->LastStateSize != 0)
+	{
+		Add(request->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_STATE, 0, 0,
+			e->LastState, e->LastStateSize));
+	}
+
+	eap1 = ZeroMalloc(sizeof(EAP_MESSAGE));
+	eap1->Code = EAP_CODE_RESPONSE;
+	eap1->Id = e->LastRecvEapId;
+	eap1->Len = Endian16(request_datasize + 5);
+	eap1->Type = eap_request->Type;
+	Copy(eap1->Data, eap_request->Data, request_datasize);
+
+	// Fragmentation
+	pos = (UCHAR *)eap1;
+	remaining = request_datasize + 5;
+	while (remaining > 0)
+	{
+		UINT size = MIN(253, remaining);
+		Add(request->AvpList, NewRadiusAvp(RADIUS_ATTRIBUTE_EAP_MESSAGE, 0, 0, pos, size));
+		pos += size;
+		remaining -= size;
+	}
+	Debug("Radius proxy: send access-request %d with EAP code %d id %d type %d datasize %d\n", 
+			request->PacketId, eap1->Code, eap1->Id, eap1->Type, request_datasize);
+
+	response = EapSendPacketAndRecvResponse(e, request, false);
+
+	if (response != NULL)
+	{
+		switch (response->Code)
+		{
+		case RADIUS_CODE_ACCESS_CHALLENGE:
+			if (response->Parse_EapMessage_DataSize >= 5 && response->Parse_EapMessage != NULL)
+			{
+				EAP_MESSAGE *eap2 = response->Parse_EapMessage;
+				UINT datasize = response->Parse_EapMessage_DataSize - 5;
+				lcp = BuildEAPPacketEx(eap2->Code, eap2->Id, eap2->Type, datasize);
+				PPP_EAP *eap_packet = lcp->Data;
+				Copy(eap_packet->Data, eap2->Data, datasize);
+				Debug("Radius proxy: received access-challenge %d with EAP code %d id %d type %d datasize %d\n", 
+						response->PacketId, eap2->Code, eap2->Id, eap2->Type, datasize);
+			}
+			else
+			{
+				Debug("Radius proxy error: received access-challenge %d without EAP\n", response->PacketId);
+				lcp = NewPPPLCP(PPP_EAP_CODE_FAILURE, e->LastRecvEapId);				
+			}
+			break;
+		case RADIUS_CODE_ACCESS_ACCEPT:
+			Debug("Radius proxy: received access-accept %d\n", response->PacketId);
+			lcp = NewPPPLCP(PPP_EAP_CODE_SUCCESS, e->LastRecvEapId);
+			break;
+		case RADIUS_CODE_ACCESS_REJECT:
+		default:
+			Debug("Radius proxy: received access-reject %d\n", response->PacketId);
+			lcp = NewPPPLCP(PPP_EAP_CODE_FAILURE, e->LastRecvEapId);
+			break;
+		}
+	}
+
+	FreeRadiusPacket(request);
+	FreeRadiusPacket(response);
+	Free(eap1);
+
+	return lcp;
+}
+
 // Send a packet and recv a response
-RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r)
+RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r, bool parse_inner)
 {
 	SOCKSET set;
 	UINT64 giveup_tick = 0;
@@ -990,7 +1129,7 @@ RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r)
 									{
 										EAP_MESSAGE *eap_msg = (EAP_MESSAGE *)rp->Parse_EapMessage;

-										if (eap_msg->Type == EAP_TYPE_PEAP)
+										if (parse_inner && eap_msg->Type == EAP_TYPE_PEAP)
 										{
 											EAP_PEAP *peap_message = (EAP_PEAP *)eap_msg;

@@ -1069,7 +1208,8 @@ RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r)
 															is_finish = true;

 															Free(rp->Parse_EapMessage);
-															rp->Parse_EapMessage = Clone(e->PEAP_CurrentReceivingMsg->Buf, e->PEAP_CurrentReceivingMsg->Size);
+															rp->Parse_EapMessage = ZeroMalloc(sizeof(EAP_MESSAGE));
+															Copy(rp->Parse_EapMessage, e->PEAP_CurrentReceivingMsg->Buf, e->PEAP_CurrentReceivingMsg->Size);
 															rp->Parse_EapMessage_DataSize = e->PEAP_CurrentReceivingMsg->Size;
 														}
 													}
@@ -1165,7 +1305,8 @@ bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r)
 }

 // New EAP client
-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname)
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, 
+						char *username, char *hubname, UCHAR last_recv_eapid)
 {
 	EAP_CLIENT *e;
 	if (server_ip == NULL)
@@ -1197,7 +1338,7 @@ EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, U
 	StrCpy(e->CalledStationStr, sizeof(e->CalledStationStr), hubname);
 	StrCpy(e->ClientIpStr, sizeof(e->ClientIpStr), client_ip_str);
 	StrCpy(e->Username, sizeof(e->Username), username);
-	e->LastRecvEapId = 0;
+	e->LastRecvEapId = last_recv_eapid;

 	e->PEAP_CurrentReceivingMsg = NewBuf();

@@ -1508,7 +1649,8 @@ RADIUS_PACKET *ParseRadiusPacket(void *data, UINT size)
 				{
 					if (p->Parse_EapMessage == NULL)
 					{
-						EAP_MESSAGE *eap = Clone(a.Data, a.DataSize);
+						EAP_MESSAGE *eap = ZeroMalloc(sizeof(EAP_MESSAGE));
+						Copy(eap, a.Data, a.DataSize);

 						p->Parse_EapMessage_DataSize = sz_tmp;

@@ -1603,7 +1745,8 @@ RADIUS_PACKET *ParseRadiusPacket(void *data, UINT size)

 				p->Parse_EapMessage_DataSize = b->Size;
 				p->Parse_EapMessage_DataSize = MIN(p->Parse_EapMessage_DataSize, 1500);
-				p->Parse_EapMessage = Clone(b->Buf, p->Parse_EapMessage_DataSize);
+				p->Parse_EapMessage = ZeroMalloc(sizeof(EAP_MESSAGE));
+				Copy(p->Parse_EapMessage, b->Buf, p->Parse_EapMessage_DataSize);
 			}

 			FreeBuf(b);
@@ -1676,15 +1819,16 @@ bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT sec
 			StrCpy(eap->In_VpnProtocolState, sizeof(eap->In_VpnProtocolState), opt->In_VpnProtocolState);
 		}

+		// Use the username known to the client instead of parsed by us, or response may be invalid
 		if (eap->PeapMode == false)
 		{
 			ret = EapClientSendMsChapv2AuthClientResponse(eap, mschap.MsChapV2_ClientResponse,
-				mschap.MsChapV2_ClientChallenge);
+				mschap.MsChapV2_ClientChallenge, mschap.MsChapV2_PPPUsername);
 		}
 		else
 		{
 			ret = PeapClientSendMsChapv2AuthClientResponse(eap, mschap.MsChapV2_ClientResponse,
-				mschap.MsChapV2_ClientChallenge);
+				mschap.MsChapV2_ClientChallenge, mschap.MsChapV2_PPPUsername);
 		}

 		if (ret)
@@ -215,7 +215,6 @@ struct EAP_CLIENT
 	UINT ResendTimeout;
 	UINT GiveupTimeout;
 	UCHAR TmpBuffer[4096];
-	UCHAR NextEapId;
 	UCHAR LastRecvEapId;

 	bool PeapMode;
@@ -249,17 +248,20 @@ RADIUS_AVP *GetRadiusAvp(RADIUS_PACKET *p, UCHAR type);
 void RadiusTest();


-EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, char *username, char *hubname);
+EAP_CLIENT *NewEapClient(IP *server_ip, UINT server_port, char *shared_secret, UINT resend_timeout, UINT giveup_timeout, char *client_ip_str, 
+						char *username, char *hubname, UCHAR last_recv_eapid);
 void ReleaseEapClient(EAP_CLIENT *e);
 void CleanupEapClient(EAP_CLIENT *e);
 bool EapClientSendMsChapv2AuthRequest(EAP_CLIENT *e);
-bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);
+bool EapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username);
+PPP_LCP *EapClientSendEapIdentity(EAP_CLIENT *e);
+PPP_LCP *EapClientSendEapRequest(EAP_CLIENT *e, PPP_EAP *eap_request, UINT request_datasize);
 void EapSetRadiusGeneralAttributes(RADIUS_PACKET *r, EAP_CLIENT *e);
 bool EapSendPacket(EAP_CLIENT *e, RADIUS_PACKET *r);
-RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r);
+RADIUS_PACKET *EapSendPacketAndRecvResponse(EAP_CLIENT *e, RADIUS_PACKET *r, bool parse_inner);

 bool PeapClientSendMsChapv2AuthRequest(EAP_CLIENT *eap);
-bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge);
+bool PeapClientSendMsChapv2AuthClientResponse(EAP_CLIENT *e, UCHAR *client_response, UCHAR *client_challenge, char *username);

 bool StartPeapClient(EAP_CLIENT *e);
 bool StartPeapSslClient(EAP_CLIENT *e);
@@ -806,9 +806,6 @@ static UINT SmDdnsGetKey(char *key, SM_DDNS *d){

 void SmDDnsDlgInit(HWND hWnd, SM_DDNS *d)
 {
-	char key[20];
-	char encodedkey[20 * 4 + 32];
-
 	// Validate arguments
 	if (hWnd == NULL || d == NULL)
 	{
@@ -845,10 +842,15 @@ void SmDDnsDlgInit(HWND hWnd, SM_DDNS *d)

 	Hide(hWnd, B_PROXY);

-	if(SmDdnsGetKey(key, d) == ERR_NO_ERROR){
-		encodedkey[ B64_Encode(encodedkey, key, 20) ] = 0;
-		SetTextA(hWnd, E_KEY, encodedkey);
-	}else{
+	char key[20];
+	if (SmDdnsGetKey(key, d) == ERR_NO_ERROR)
+	{
+		char *encoded_key = Base64FromBin(NULL, key, sizeof(key));
+		SetTextA(hWnd, E_KEY, encoded_key);
+		Free(encoded_key);
+	}
+	else
+	{
 		SetText(hWnd, E_KEY, _UU("SM_DDNS_KEY_ERR"));
 	}

@@ -7985,7 +7987,9 @@ void SmBridgeDlgOnOk(HWND hWnd, SM_SERVER *s)
 	StrCpy(t.HubName, sizeof(t.HubName), hub);
 	t.TapMode = tapmode;

-	if (InStrEx(t.DeviceName, "vpn", false) || InStrEx(t.DeviceName, "tun", false)
+	if (InStrEx(t.DeviceName, UNIX_VLAN_CLIENT_IFACE_PREFIX, false)
+		|| InStrEx(t.DeviceName, UNIX_VLAN_BRIDGE_IFACE_PREFIX, false)
+		|| InStrEx(t.DeviceName, "tun", false)
 		|| InStrEx(t.DeviceName, "tap", false))
 	{
 		// Trying to make a local bridge to the VPN device
@@ -9331,12 +9335,6 @@ void SmSessionDlgUpdate(HWND hWnd, SM_HUB *s)
 		}
 	}

-	if (s->p->ServerInfo.ServerBuildInt < 2844)
-	{
-		// Old version doesn't support for remote management of the sessions
-		ok2 = ok;
-	}
-
 	SetEnable(hWnd, IDOK, ok2);
 	SetEnable(hWnd, B_DISCONNECT, ok2);
 	SetEnable(hWnd, B_SESSION_IP_TABLE, ok);
@@ -9618,7 +9616,7 @@ bool SmRefreshSessionStatus(HWND hWnd, SM_SERVER *s, void *param)

 	b = LvInsertStart();

-	if (t.ClientIp != 0)
+	if (t.ClientIp != 0 || IsZero(t.ClientIp6, sizeof(t.ClientIp6)) == false)
 	{
 		IPToStr4or6(str, sizeof(str), t.ClientIp, t.ClientIp6);
 		StrToUni(tmp, sizeof(tmp), str);
@@ -10290,6 +10288,7 @@ bool SmLinkEdit(HWND hWnd, SM_HUB *s, wchar_t *name)
 	a.ClientAuth = CopyClientAuth(t.ClientAuth);
 	Copy(&a.Policy, &t.Policy, sizeof(POLICY));
 	a.CheckServerCert = t.CheckServerCert;
+	a.AddDefaultCA = t.AddDefaultCA;
 	a.ServerCert = CloneX(t.ServerCert);
 	a.HideTrustCert = GetCapsBool(s->p->CapsList, "b_support_config_hub");
 	FreeRpcCreateLink(&t);
@@ -16813,6 +16812,7 @@ void SmSslDlgOnOk(HWND hWnd, SM_SSL *s)

 		t.Cert = CloneX(s->Cert);
 		t.Key = CloneK(s->Key);
+		t.Chain = CloneXList(s->Chain);

 		if (CALL(hWnd, ScSetServerCert(s->p->Rpc, &t)) == false)
 		{
@@ -16927,6 +16927,7 @@ void SmSslDlgInit(HWND hWnd, SM_SSL *s)
 			// Copy the certificate and key
 			s->Cert = CloneX(t.Cert);
 			s->Key = CloneK(t.Key);
+			s->Chain = CloneXList(t.Chain);

 			if (t.Key != NULL)
 			{
@@ -17178,6 +17179,7 @@ UINT SmSslDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param
 	SM_SSL *s = (SM_SSL *)param;
 	X *x;
 	K *k;
+	LIST *chain = NULL;
 	// Validate arguments
 	if (hWnd == NULL)
 	{
@@ -17226,16 +17228,18 @@ UINT SmSslDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param

 		case B_IMPORT:
 			// Import
-			if (CmLoadXAndK(hWnd, &x, &k))
+			if (CmLoadXListAndK(hWnd, &x, &k, &chain))
 			{
 				wchar_t tmp[MAX_SIZE];

 LABEL_APPLY_NEW_CERT:
 				FreeX(s->Cert);
 				FreeK(s->Key);
+				FreeXList(s->Chain);
 				s->Cert = x;
 				s->Key = k;
 				s->SetCertAndKey = true;
+				s->Chain = chain;
 				// Show the Certificate Information
 				SmGetCertInfoStr(tmp, sizeof(tmp), s->Cert);
 				SetText(hWnd, S_CERT_INFO, tmp);
@@ -17314,6 +17318,7 @@ void SmSslDlg(HWND hWnd, SM_SERVER *p)
 	// Cleanup
 	FreeX(s.Cert);
 	FreeK(s.Key);
+	FreeXList(s.Chain);
 }

 // Listener creation dialog procedure
@@ -19358,7 +19363,14 @@ void SmEditSettingDlgInit(HWND hWnd, SM_EDIT_SETTING *p)
 	SetText(hWnd, E_ACCOUNT_NAME, s->Title);

 	// Host name
-	SetTextA(hWnd, E_HOSTNAME, s->ClientOption.Hostname);
+	char hostname[MAX_SIZE];
+	StrCpy(hostname, sizeof(hostname), s->ClientOption.Hostname);
+	if (IsEmptyStr(s->ClientOption.HintStr) == false)
+	{
+		StrCat(hostname, sizeof(hostname), "/");
+		StrCat(hostname, sizeof(hostname), s->ClientOption.HintStr);
+	}
+	SetTextA(hWnd, E_HOSTNAME, hostname);

 	// Port number
 	CbSetHeight(hWnd, C_PORT, 18);
@@ -19448,6 +19460,16 @@ void SmEditSettingDlgUpdate(HWND hWnd, SM_EDIT_SETTING *p)

 	GetTxtA(hWnd, E_HOSTNAME, tmp, sizeof(tmp));
 	Trim(tmp);
+	UINT i = SearchStrEx(tmp, "/", 0, false);
+	if (i != INFINITE)
+	{
+		StrCpy(s->ClientOption.HintStr, sizeof(s->ClientOption.HintStr), tmp + i + 1);
+		tmp[i] = 0;
+	}
+	else
+	{
+		s->ClientOption.HintStr[0] = 0;
+	}

 	if (StrCmpi(tmp, s->ClientOption.Hostname) != 0)
 	{
@@ -19955,6 +19977,215 @@ void SmWriteSettingList()
 	}
 }

+SETTING *LoadSetting9658(BUF *b)
+{
+	typedef struct OLD_CLIENT_OPTION
+	{
+		wchar_t AccountName[256];								// Connection setting name
+		char Hostname[256];										// Host name
+		UINT Port;												// Port number
+		UINT PortUDP;											// UDP port number (0: Use only TCP)
+		UINT ProxyType;											// Type of proxy
+		char ProxyName[256];									// Proxy server name
+		UINT ProxyPort;											// Port number of the proxy server
+		char ProxyUsername[256];								// Maximum user name length
+		char ProxyPassword[256];								// Maximum password length
+		UINT NumRetry;											// Automatic retries
+		UINT RetryInterval;										// Retry interval
+		char HubName[256];										// HUB name
+		UINT MaxConnection;										// Maximum number of concurrent TCP connections
+		UINT UseEncrypt;										// Use encrypted communication
+		UINT UseCompress;										// Use data compression
+		UINT HalfConnection;									// Use half connection in TCP
+		UINT NoRoutingTracking;									// Disable the routing tracking
+		char DeviceName[32];									// VLAN device name
+		UINT AdditionalConnectionInterval;						// Connection attempt interval when additional connection establish
+		UINT ConnectionDisconnectSpan;							// Disconnection interval
+		UINT HideStatusWindow;									// Hide the status window
+		UINT HideNicInfoWindow;									// Hide the NIC status window
+		UINT RequireMonitorMode;								// Monitor port mode
+		UINT RequireBridgeRoutingMode;							// Bridge or routing mode
+		UINT DisableQoS;										// Disable the VoIP / QoS function
+		UINT FromAdminPack;										// For Administration Pack
+		UINT NoUdpAcceleration;									// Do not use UDP acceleration mode
+		UCHAR HostUniqueKey[20];								// Host unique key
+	} OLD_CLIENT_OPTION;
+
+	typedef struct OLD_SETTING
+	{
+		wchar_t Title[512];				// Setting Name
+		UINT ServerAdminMode;			// Server management mode
+		char HubName[256];				// HUB name
+		UCHAR HashedPassword[20];		// Password
+		OLD_CLIENT_OPTION ClientOption;		// Client Option
+		UCHAR Reserved[10188];			// Reserved area
+	} OLD_SETTING;
+
+	if (b->Size != sizeof(OLD_SETTING))	// 13416
+	{
+		return NULL;
+	}
+
+	OLD_SETTING s0;
+	Copy(&s0, b->Buf, sizeof(OLD_SETTING));
+
+	SETTING *s = ZeroMalloc(sizeof(SETTING));
+	UniStrCpy(s->Title, sizeof(s->Title), s0.Title);
+	s->ServerAdminMode = s0.ServerAdminMode;
+	StrCpy(s->HubName, sizeof(s->HubName), s0.HubName);
+	Copy(s->HashedPassword, s0.HashedPassword, sizeof(s->HashedPassword));
+	UniStrCpy(s->ClientOption.AccountName, sizeof(s->ClientOption.AccountName), s0.ClientOption.AccountName);
+	StrCpy(s->ClientOption.Hostname, sizeof(s->ClientOption.Hostname), s0.ClientOption.Hostname);
+	s->ClientOption.Port = s0.ClientOption.Port;
+	s->ClientOption.ProxyType = s0.ClientOption.ProxyType;
+	StrCpy(s->ClientOption.ProxyName, sizeof(s->ClientOption.ProxyName), s0.ClientOption.ProxyName);
+	s->ClientOption.ProxyPort = s0.ClientOption.ProxyPort;
+	StrCpy(s->ClientOption.ProxyUsername, sizeof(s->ClientOption.ProxyUsername), s0.ClientOption.ProxyUsername);
+	StrCpy(s->ClientOption.ProxyPassword, sizeof(s->ClientOption.ProxyPassword), s0.ClientOption.ProxyPassword);
+
+	return s;
+}
+
+SETTING *LoadSetting9666(BUF *b)
+{
+	typedef struct OLD_CLIENT_OPTION
+	{
+		wchar_t AccountName[256];								// Connection setting name
+		char Hostname[256];										// Host name
+		UINT Port;												// Port number
+		UINT PortUDP;											// UDP port number (0: Use only TCP)
+		UINT ProxyType;											// Type of proxy
+		char ProxyName[256];									// Proxy server name
+		UINT ProxyPort;											// Port number of the proxy server
+		char ProxyUsername[256];								// Maximum user name length
+		char ProxyPassword[256];								// Maximum password length
+		char CustomHttpHeader[1025];							// Custom HTTP proxy header
+		UINT NumRetry;											// Automatic retries
+		UINT RetryInterval;										// Retry interval
+		char HubName[256];										// HUB name
+		UINT MaxConnection;										// Maximum number of concurrent TCP connections
+		UINT UseEncrypt;										// Use encrypted communication
+		UINT UseCompress;										// Use data compression
+		UINT HalfConnection;									// Use half connection in TCP
+		UINT NoRoutingTracking;									// Disable the routing tracking
+		char DeviceName[32];									// VLAN device name
+		UINT AdditionalConnectionInterval;						// Connection attempt interval when additional connection establish
+		UINT ConnectionDisconnectSpan;							// Disconnection interval
+		UINT HideStatusWindow;									// Hide the status window
+		UINT HideNicInfoWindow;									// Hide the NIC status window
+		UINT RequireMonitorMode;								// Monitor port mode
+		UINT RequireBridgeRoutingMode;							// Bridge or routing mode
+		UINT DisableQoS;										// Disable the VoIP / QoS function
+		UINT FromAdminPack;										// For Administration Pack
+		UINT NoUdpAcceleration;									// Do not use UDP acceleration mode
+		UCHAR HostUniqueKey[20];								// Host unique key
+	} OLD_CLIENT_OPTION;
+
+	typedef struct OLD_SETTING
+	{
+		wchar_t Title[512];				// Setting Name
+		UINT ServerAdminMode;			// Server management mode
+		char HubName[256];				// HUB name
+		UCHAR HashedPassword[20];		// Password
+		OLD_CLIENT_OPTION ClientOption;		// Client Option
+		UCHAR Reserved[10188];			// Reserved area
+	} OLD_SETTING;
+
+	if (b->Size != sizeof(OLD_SETTING))	// 14444
+	{
+		return NULL;
+	}
+
+	OLD_SETTING s0;
+	Copy(&s0, b->Buf, sizeof(OLD_SETTING));
+
+	SETTING *s = ZeroMalloc(sizeof(SETTING));
+	UniStrCpy(s->Title, sizeof(s->Title), s0.Title);
+	s->ServerAdminMode = s0.ServerAdminMode;
+	StrCpy(s->HubName, sizeof(s->HubName), s0.HubName);
+	Copy(s->HashedPassword, s0.HashedPassword, sizeof(s->HashedPassword));
+	UniStrCpy(s->ClientOption.AccountName, sizeof(s->ClientOption.AccountName), s0.ClientOption.AccountName);
+	StrCpy(s->ClientOption.Hostname, sizeof(s->ClientOption.Hostname), s0.ClientOption.Hostname);
+	s->ClientOption.Port = s0.ClientOption.Port;
+	s->ClientOption.ProxyType = s0.ClientOption.ProxyType;
+	StrCpy(s->ClientOption.ProxyName, sizeof(s->ClientOption.ProxyName), s0.ClientOption.ProxyName);
+	s->ClientOption.ProxyPort = s0.ClientOption.ProxyPort;
+	StrCpy(s->ClientOption.ProxyUsername, sizeof(s->ClientOption.ProxyUsername), s0.ClientOption.ProxyUsername);
+	StrCpy(s->ClientOption.ProxyPassword, sizeof(s->ClientOption.ProxyPassword), s0.ClientOption.ProxyPassword);
+
+	return s;
+}
+
+SETTING *LoadSetting502(BUF *b)
+{
+	typedef struct OLD_CLIENT_OPTION
+	{
+		wchar_t AccountName[256];								// Connection setting name
+		char Hostname[256];										// Host name
+		UINT Port;												// Port number
+		UINT PortUDP;											// UDP port number (0: Use only TCP)
+		UINT ProxyType;											// Type of proxy
+		char ProxyName[256];									// Proxy server name
+		UINT ProxyPort;											// Port number of the proxy server
+		char ProxyUsername[256];								// Maximum user name length
+		char ProxyPassword[256];								// Maximum password length
+		char CustomHttpHeader[1025];							// Custom HTTP proxy header
+		UINT NumRetry;											// Automatic retries
+		UINT RetryInterval;										// Retry interval
+		char HubName[256];										// HUB name
+		UINT MaxConnection;										// Maximum number of concurrent TCP connections
+		bool UseEncrypt;										// Use encrypted communication
+		bool UseCompress;										// Use data compression
+		bool HalfConnection;									// Use half connection in TCP
+		bool NoRoutingTracking;									// Disable the routing tracking
+		char DeviceName[32];									// VLAN device name
+		UINT AdditionalConnectionInterval;						// Connection attempt interval when additional connection establish
+		UINT ConnectionDisconnectSpan;							// Disconnection interval
+		bool HideStatusWindow;									// Hide the status window
+		bool HideNicInfoWindow;									// Hide the NIC status window
+		bool RequireMonitorMode;								// Monitor port mode
+		bool RequireBridgeRoutingMode;							// Bridge or routing mode
+		bool DisableQoS;										// Disable the VoIP / QoS function
+		bool FromAdminPack;										// For Administration Pack
+		bool NoUdpAcceleration;									// Do not use UDP acceleration mode
+		UCHAR HostUniqueKey[20];								// Host unique key
+	} OLD_CLIENT_OPTION;
+
+	typedef struct OLD_SETTING
+	{
+		wchar_t Title[512];				// Setting Name
+		bool ServerAdminMode;			// Server management mode
+		char HubName[256];				// HUB name
+		UCHAR HashedPassword[20];		// Password
+		OLD_CLIENT_OPTION ClientOption;		// Client Option
+		UCHAR Reserved[10212];			// Reserved area
+	} OLD_SETTING;
+
+	if (b->Size != sizeof(OLD_SETTING))	// 14436
+	{
+		return NULL;
+	}
+
+	OLD_SETTING s0;
+	Copy(&s0, b->Buf, sizeof(OLD_SETTING));
+
+	SETTING *s = ZeroMalloc(sizeof(SETTING));
+	UniStrCpy(s->Title, sizeof(s->Title), s0.Title);
+	s->ServerAdminMode = s0.ServerAdminMode;
+	StrCpy(s->HubName, sizeof(s->HubName), s0.HubName);
+	Copy(s->HashedPassword, s0.HashedPassword, sizeof(s->HashedPassword));
+	UniStrCpy(s->ClientOption.AccountName, sizeof(s->ClientOption.AccountName), s0.ClientOption.AccountName);
+	StrCpy(s->ClientOption.Hostname, sizeof(s->ClientOption.Hostname), s0.ClientOption.Hostname);
+	s->ClientOption.Port = s0.ClientOption.Port;
+	s->ClientOption.ProxyType = s0.ClientOption.ProxyType;
+	StrCpy(s->ClientOption.ProxyName, sizeof(s->ClientOption.ProxyName), s0.ClientOption.ProxyName);
+	s->ClientOption.ProxyPort = s0.ClientOption.ProxyPort;
+	StrCpy(s->ClientOption.ProxyUsername, sizeof(s->ClientOption.ProxyUsername), s0.ClientOption.ProxyUsername);
+	StrCpy(s->ClientOption.ProxyPassword, sizeof(s->ClientOption.ProxyPassword), s0.ClientOption.ProxyPassword);
+
+	return s;
+}
+
 // Load the connection list
 void SmLoadSettingList()
 {
@@ -19979,11 +20210,34 @@ void SmLoadSettingList()
 		BUF *b = MsRegReadBin(REG_CURRENT_USER, key_name, name);
 		if (b != NULL)
 		{
-			if (b->Size == sizeof(SETTING))
+			SETTING *s = NULL;
+			if (b->Size == 13416)	// 5.01 Build 9658 - 9665
 			{
-				SETTING *s = ZeroMalloc(sizeof(SETTING));
+				s = LoadSetting9658(b);
+			}
+			else if (b->Size == 14444)	// 5.01 Build 9666 - 9674
+			{
+				s = LoadSetting9666(b);
+			}
+			else if (b->Size == 14436)	// 5.02
+			{
+				s = LoadSetting502(b);
+			}
+			else if (b->Size == sizeof(SETTING))	// Must be 13420 (the size used since version 4.x)
+			{
+				s = ZeroMalloc(sizeof(SETTING));
 				Copy(s, b->Buf, sizeof(SETTING));
+			}

+			if (s != NULL)
+			{
+				// Migrate from old settings that mixed hint string with hostname
+				UINT i = SearchStrEx(s->ClientOption.Hostname, "/", 0, false);
+				if (i != INFINITE)
+				{
+					StrCpy(s->ClientOption.HintStr, sizeof(s->ClientOption.HintStr), s->ClientOption.Hostname + i + 1);
+					s->ClientOption.Hostname[i] = 0;
+				}
 				Add(sm->SettingList, s);
 			}
 			FreeBuf(b);
@@ -20046,6 +20300,7 @@ void SmInitDefaultSettingList()
 			Sha0(s->HashedPassword, "", 0);
 			UniStrCpy(s->ClientOption.AccountName, sizeof(s->ClientOption.AccountName), s->Title);
 			StrCpy(s->ClientOption.Hostname, sizeof(s->ClientOption.Hostname), "localhost");
+			s->ClientOption.HintStr[0] = 0;
 			s->ClientOption.Port = GC_DEFAULT_PORT;

 			Add(sm->SettingList, s);
@@ -20135,7 +20390,14 @@ void SmRefreshSettingEx(HWND hWnd, wchar_t *select_name)
 			UniFormat(tmp, sizeof(tmp), _UU("SM_MODE_HUB"), s->HubName);
 		}

-		StrToUni(tmp2, sizeof(tmp2), s->ClientOption.Hostname);
+		char hostname[MAX_SIZE];
+		StrCpy(hostname, sizeof(hostname), s->ClientOption.Hostname);
+		if (IsEmptyStr(s->ClientOption.HintStr) == false)
+		{
+			StrCat(hostname, sizeof(hostname), "/");
+			StrCat(hostname, sizeof(hostname), s->ClientOption.HintStr);
+		}
+		StrToUni(tmp2, sizeof(tmp2), hostname);

 		LvInsertAdd(b,
 			(s->ServerAdminMode ? ICO_SERVER_ONLINE : ICO_HUB),
@@ -20554,6 +20816,12 @@ void SmParseCommandLine()

 					UniStrCpy(o->AccountName, sizeof(o->AccountName), s->Title);
 					StrCpy(o->Hostname, sizeof(o->Hostname), host);
+					UINT i = SearchStrEx(o->Hostname, "/", 0, false);
+					if (i != INFINITE)
+					{
+						StrCpy(o->HintStr, sizeof(o->HintStr), o->Hostname + i + 1);
+						o->Hostname[i] = 0;
+					}
 					o->Port = port;
 					o->ProxyType = PROXY_DIRECT;
 					StrCpy(o->DeviceName, sizeof(o->DeviceName), "DUMMY");
@@ -31,14 +31,20 @@
 #define	SM_SETTING_REG_KEY_OLD	"Software\\SoftEther Corporation\\PacketiX VPN\\Server Manager\\Settings"

 // Connection setting
+// Do not change item size or order
+// Size must be kept at 13420 (use Reserved to adjust for new items)
 typedef struct SETTING
 {
 	wchar_t Title[MAX_SIZE];	// Setting Name
 	bool ServerAdminMode;		// Server management mode
+	char pad1[3];
 	char HubName[MAX_HUBNAME_LEN + 1];	// HUB name
 	UCHAR HashedPassword[SHA1_SIZE];	// Password
 	CLIENT_OPTION ClientOption;	// Client Option
-	UCHAR Reserved[10240 - sizeof(bool) * 8 - SHA1_SIZE];	// Reserved area
+
+#define	SRC_SIZE		(sizeof(IP)	+ sizeof(UINT))		// Source IP address & port number for outgoing connection
+//	UCHAR Reserved[10240 - sizeof(UINT) * 8 - SHA1_SIZE - HTTP_CUSTOM_HEADER_MAX_SIZE - MAX_HOST_NAME_LEN - 1];	// Reserved area
+	UCHAR Reserved[10240 - sizeof(UINT) * 8 - SHA1_SIZE - HTTP_CUSTOM_HEADER_MAX_SIZE - MAX_HOST_NAME_LEN - 1 - SRC_SIZE];	// Reserved area
 } SETTING;

 // Structure declaration
@@ -112,6 +118,7 @@ typedef struct SM_SSL
 	SM_SERVER *p;				// P
 	X *Cert;					// Certificate
 	K *Key;						// Secret key
+	LIST *Chain;				// Trust chain
 	bool SetCertAndKey;			// Set the key
 } SM_SSL;

@@ -113,9 +113,12 @@ bool SwCompileSfx(LIST *o, wchar_t *dst_filename)
 	}

 	// Get the API related to the resource editing 
+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
 	_BeginUpdateResourceW = (HANDLE (__stdcall *)(LPCWSTR,UINT))GetProcAddress(hKernel32, "BeginUpdateResourceW");
 	_UpdateResourceA = (UINT (__stdcall *)(HANDLE,LPCSTR,LPCSTR,WORD,LPVOID,DWORD))GetProcAddress(hKernel32, "UpdateResourceA");
 	_EndUpdateResourceW = (UINT (__stdcall *)(HANDLE,UINT))GetProcAddress(hKernel32, "EndUpdateResourceW");
+    #pragma clang diagnostic pop

 	if (_BeginUpdateResourceW != NULL && _UpdateResourceA != NULL && _EndUpdateResourceW != NULL)
 	{
@@ -647,7 +650,10 @@ UINT SWExec()
 	bool is_datafile_exists = false;

 	// Examine whether DATAFILE resources are stored in setup.exe that is currently running
+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
 	EnumResourceNamesA(NULL, SW_SFX_RESOURCE_TYPE, SwEnumResourceNamesProc, (LONG_PTR)(&is_datafile_exists));
+    #pragma clang diagnostic pop

 	if (is_datafile_exists)
 	{
@@ -4005,11 +4011,6 @@ SW_LOGFILE *SwLoadLogFile(SW *sw, wchar_t *filename)
 	CfgGetStr(info, "ComponentName", component_name, sizeof(component_name));
 	build = CfgGetInt(info, "Build");

-	if (build == 0)
-	{
-		goto LABEL_CLEANUP;
-	}
-
 	c = SwFindComponent(sw, component_name);
 	if (c == NULL)
 	{
@@ -9,12 +9,14 @@

 #include "Account.h"
 #include "Cedar.h"
+#include "Connection.h"
 #include "Hub.h"
 #include "IPC.h"
 #include "Proto_PPP.h"
 #include "Radius.h"
 #include "Server.h"

+#include "Mayaqua/Encoding.h"
 #include "Mayaqua/Internat.h"
 #include "Mayaqua/Memory.h"
 #include "Mayaqua/Microsoft.h"
@@ -31,11 +33,6 @@
 #include <unistd.h>
 #endif

-int base64_enc_len(unsigned int plainLen) {
-	unsigned int n = plainLen;
-	return (n + 2 - ((n + 2) % 3)) / 3 * 4;
-}
-
 PID OpenChildProcess(const char* path, char* const parameter[], int fd[] )
 {
 #ifdef OS_WIN32
@@ -134,7 +131,6 @@ bool SmbAuthenticate(char* name, char* password, char* domainname, char* groupna
 	int   fds[2];
 	FILE* out, *in;
 	PID   pid;
-	char  buffer[255];
 	char  ntlm_timeout[32];
 	char* proc_parameter[6];

@@ -153,8 +149,6 @@ bool SmbAuthenticate(char* name, char* password, char* domainname, char* groupna
 		return false;
 	}

-	Zero(buffer, sizeof(buffer));
-
 	// Truncate string if unsafe char
 	EnSafeStr(domainname, '\0');

@@ -218,64 +212,48 @@ bool SmbAuthenticate(char* name, char* password, char* domainname, char* groupna
 		return false;
 	}

-	if (base64_enc_len((unsigned int)strlen(name)) < sizeof(buffer)-1 &&
-		base64_enc_len((unsigned int)strlen(password)) < sizeof(buffer)-1 &&
-		base64_enc_len((unsigned int)strlen(domainname)) < sizeof(buffer)-1)
 	{
-		char  answer[300];
-
-		unsigned int end = B64_Encode(buffer, name, (int)strlen(name));
-		buffer[end] = '\0';
+		char *base64 = Base64FromBin(NULL, name, StrLen(name));
 		fputs("Username:: ", out);
-		fputs(buffer, out);
+		fputs(base64, out);
 		fputs("\n", out);
-		Debug("Username: %s\n", buffer);
-		buffer[0] = 0;
+		Free(base64);

-		end = B64_Encode(buffer, domainname, (int)strlen(domainname));
-		buffer[end] = '\0';
+		base64 = Base64FromBin(NULL, domainname, StrLen(domainname));
 		fputs("NT-Domain:: ", out);
-		fputs(buffer, out);
+		fputs(base64, out);
 		fputs("\n", out);
-		Debug("NT-Domain: %s\n", buffer);
-		buffer[0] = 0;
+		Free(base64);

-		if (password[0] != '\0')
+		if (IsEmptyStr(password) == false)
 		{
-			Debug("Password authentication\n");
-			end = B64_Encode(buffer, password, (int)strlen(password));
-			buffer[end] = '\0';
+			Debug("SmbAuthenticate(): Using password authentication...\n");
+
+			base64 = Base64FromBin(NULL, password, StrLen(password));
 			fputs("Password:: ", out);
-			fputs(buffer, out);
+			fputs(base64, out);
 			fputs("\n", out);
-			Debug("Password: %s\n", buffer);
-			buffer[0] = 0;
+			Free(base64);
 		}
 		else
 		{
-			char* mschapv2_client_response;
-			char* base64_challenge8;
+			Debug("SmbAuthenticate(): Using MsChapV2 authentication...\n");

-			Debug("MsChapV2 authentication\n");
-			mschapv2_client_response = CopyBinToStr(MsChapV2_ClientResponse, 24);
-			end = B64_Encode(buffer, mschapv2_client_response, 48);
-			buffer[end] = '\0';
-			fputs("NT-Response:: ", out);
-			fputs(buffer, out);
-			fputs("\n", out);
-			Debug("NT-Response:: %s\n", buffer);
-			buffer[0] = 0;
+			char *mschapv2_client_response = CopyBinToStr(MsChapV2_ClientResponse, 24);
+			base64 = Base64FromBin(NULL, mschapv2_client_response, 48);
 			Free(mschapv2_client_response);
-
-			base64_challenge8 = CopyBinToStr(challenge8, 8);
-			end = B64_Encode(buffer, base64_challenge8 , 16);
-			buffer[end] = '\0';
-			fputs("LANMAN-Challenge:: ", out);
-			fputs(buffer, out);
+			fputs("NT-Response:: ", out);
+			fputs(base64, out);
 			fputs("\n", out);
-			Debug("LANMAN-Challenge:: %s\n", buffer);
-			buffer[0] = 0;
+			Free(base64);
+
+			char *base64_challenge8 = CopyBinToStr(challenge8, 8);
+			base64 = Base64FromBin(NULL, base64_challenge8, 16);
 			Free(base64_challenge8);
+			fputs("LANMAN-Challenge:: ", out);
+			fputs(base64, out);
+			fputs("\n", out);
+			Free(base64);

 			fputs("Request-User-Session-Key: Yes\n", out);
 		}
@@ -285,6 +263,7 @@ bool SmbAuthenticate(char* name, char* password, char* domainname, char* groupna
 		fflush (out);
 		// Request send!

+		char answer[300];
 		Zero(answer, sizeof(answer));

 		while (fgets(answer, sizeof(answer)-1, in))
@@ -323,7 +302,7 @@ bool SmbAuthenticate(char* name, char* password, char* domainname, char* groupna
 				response_parameter[0] ='\0';
 				response_parameter++;

-				end = Decode64(response_parameter, response_parameter);
+				const UINT end = Base64Decode(response_parameter, response_parameter, StrLen(response_parameter));
 				response_parameter[end] = '\0';
 			}

@@ -442,7 +421,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 	bool auth_by_nt = false;
 	HUB *h;
 	// Validate arguments
-	if (hub == NULL || c == NULL || username == NULL)
+	if (hub == NULL || c == NULL || username == NULL || password == NULL || opt == NULL)
 	{
 		return false;
 	}
@@ -460,7 +439,14 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 	AcLock(hub);
 	{
 		USER *u;
-		u = AcGetUser(hub, ast == false ? username : "*");
+
+		// Find exact user first
+		u = AcGetUser(hub, username);
+		if (u == NULL && ast)
+		{
+			u = AcGetUser(hub, "*");
+		}
+
 		if (u)
 		{
 			Lock(u->lock);
@@ -469,7 +455,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 				{
 					// Radius authentication
 					AUTHRADIUS *auth = (AUTHRADIUS *)u->AuthData;
-					if (ast || auth->RadiusUsername == NULL || UniStrLen(auth->RadiusUsername) == 0)
+					if (auth->RadiusUsername == NULL || UniStrLen(auth->RadiusUsername) == 0)
 					{
 						if( IsEmptyStr(h->RadiusRealm) == false )
 						{	
@@ -494,7 +480,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 				{
 					// NT authentication
 					AUTHNT *auth = (AUTHNT *)u->AuthData;
-					if (ast || auth->NtUsername == NULL || UniStrLen(auth->NtUsername) == 0)
+					if (auth->NtUsername == NULL || UniStrLen(auth->NtUsername) == 0)
 					{
 						name = CopyStrToUni(username);
 					}
@@ -530,10 +516,75 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			char suffix_filter[MAX_SIZE];
 			wchar_t suffix_filter_w[MAX_SIZE];
 			UINT interval;
+			EAP_CLIENT *eap = NULL;
+			char password1[MAX_SIZE];
+			UCHAR client_challenge[16];
+			UCHAR server_challenge[16];
+			UCHAR challenge8[8];
+			UCHAR client_response[24];
+			UCHAR ntlm_hash[MD5_SIZE];

 			Zero(suffix_filter, sizeof(suffix_filter));
 			Zero(suffix_filter_w, sizeof(suffix_filter_w));

+			// MSCHAPv2 / EAP wrapper for SEVPN
+			if (c->IsInProc == false && StartWith(password, IPC_PASSWORD_MSCHAPV2_TAG) == false)
+			{
+				char client_ip_str[MAX_SIZE];
+				char utf8[MAX_SIZE];
+
+				// Convert the user name to a Unicode string
+				UniToStr(utf8, sizeof(utf8), name);
+				utf8[MAX_SIZE-1] = 0;
+
+				Zero(client_ip_str, sizeof(client_ip_str));
+				if (c != NULL && c->FirstSock != NULL)
+				{
+					IPToStr(client_ip_str, sizeof(client_ip_str), &c->FirstSock->RemoteIP);
+				}
+
+				if (hub->RadiusConvertAllMsChapv2AuthRequestToEap)
+				{
+					// Do EAP or PEAP
+					eap = HubNewEapClient(hub->Cedar, hub->Name, client_ip_str, utf8, opt->In_VpnProtocolState, false, NULL, 0);
+
+					// Prepare MSCHAP response and replace plain password
+					if (eap != NULL)
+					{
+						char server_challenge_hex[MAX_SIZE];
+						char client_challenge_hex[MAX_SIZE];
+						char client_response_hex[MAX_SIZE];
+						char eap_client_hex[64];
+
+						MsChapV2Client_GenerateChallenge(client_challenge);
+						GenerateNtPasswordHash(ntlm_hash, password);
+						Copy(server_challenge, eap->MsChapV2Challenge.Chap_ChallengeValue, 16);
+						MsChapV2_GenerateChallenge8(challenge8, client_challenge, server_challenge, utf8);
+						MsChapV2Client_GenerateResponse(client_response, challenge8, ntlm_hash);
+
+						BinToStr(server_challenge_hex, sizeof(server_challenge_hex),
+								server_challenge, sizeof(server_challenge));
+						BinToStr(client_challenge_hex, sizeof(client_challenge_hex),
+								client_challenge, sizeof(client_challenge));
+						BinToStr(client_response_hex, sizeof(client_response_hex),
+								client_response, sizeof(client_response));
+						BinToStr(eap_client_hex, sizeof(eap_client_hex), &eap, 8);
+						Format(password1, sizeof(password1), "%s%s:%s:%s:%s:%s",
+										IPC_PASSWORD_MSCHAPV2_TAG,
+										utf8,
+										server_challenge_hex,
+										client_challenge_hex,
+										client_response_hex,
+										eap_client_hex);
+						password = password1;
+					}
+				}
+				else
+				{
+					// Todo: Do MSCHAPv2
+				}
+			}
+
 			// Get the Radius server information
 			if (GetRadiusServerEx2(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, suffix_filter, sizeof(suffix_filter)))
 			{
@@ -549,13 +600,10 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 						name, password, interval, mschap_v2_server_response_20, opt, hub->Name);

 					if (b)
-					{
-						if (opt != NULL)
 					{
 						opt->Out_IsRadiusLogin = true;
 					}
 				}
-				}

 				Lock(hub->lock);
 			}
@@ -563,6 +611,11 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			{
 				HLog(hub, "LH_NO_RADIUS_SETTING", name);
 			}
+
+			if (eap != NULL)
+			{
+				ReleaseEapClient(eap);
+			}
 		}
 		else
 		{
@@ -93,9 +93,12 @@ void SuDeleteGarbageInfsInner()
 		return;
 	}

+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
 	_SetupUninstallOEMInfA =
 		(UINT (__stdcall *)(PCSTR,DWORD,PVOID))
 		GetProcAddress(hSetupApiDll, "SetupUninstallOEMInfA");
+    #pragma clang diagnostic pop

 	if (_SetupUninstallOEMInfA != NULL)
 	{
@@ -1092,10 +1092,15 @@ UINT GetServerCapsInt(SERVER *s, char *name)
 		return 0;
 	}

+
+	Lock(s->CapsCacheLock);
+	{
 		Zero(&t, sizeof(t));
 		GetServerCaps(s, &t);

 		ret = GetCapsInt(&t, name);
+	}
+	Unlock(s->CapsCacheLock);

 	return ret;
 }
@@ -1164,10 +1169,14 @@ void FlushServerCaps(SERVER *s)
 		return;
 	}

+	Lock(s->CapsCacheLock);
+	{
 		DestroyServerCapsCache(s);

 		Zero(&t, sizeof(t));
 		GetServerCaps(s, &t);
+	}
+	Unlock(s->CapsCacheLock);
 }

 // Get the Caps list for this server
@@ -2320,7 +2329,7 @@ void SiSetDefaultHubOption(HUB_OPTION *o)
 	o->DefaultSubnet = SetIP32(255, 255, 255, 0);
 	o->MaxSession = 0;
 	o->VlanTypeId = MAC_PROTO_TAGVLAN;
-	o->NoIPv6DefaultRouterInRAWhenIPv6 = true;
+	o->NoIPv6DefaultRouterInRAWhenIPv6 = false;
 	o->ManageOnlyPrivateIP = true;
 	o->ManageOnlyLocalUnicastIPv6 = true;
 	o->NoMacAddressLog = true;
@@ -3400,6 +3409,7 @@ void SiWriteHubLinkCfg(FOLDER *f, LINK *k)
 		}

 		CfgAddBool(f, "CheckServerCert", k->CheckServerCert);
+		CfgAddBool(f, "AddDefaultCA", k->AddDefaultCA);

 		if (k->ServerCert != NULL)
 		{
@@ -3450,6 +3460,7 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h)
 	{
 		BUF *b;
 		k->CheckServerCert = CfgGetBool(f, "CheckServerCert");
+		k->AddDefaultCA = CfgGetBool(f, "AddDefaultCA");
 		b = CfgGetBuf(f, "ServerCert");
 		if (b != NULL)
 		{
@@ -3457,16 +3468,8 @@ void SiLoadHubLinkCfg(FOLDER *f, HUB *h)
 			FreeBuf(b);
 		}

-		if (online)
-		{
-			k->Offline = true;
-			SetLinkOnline(k);
-		}
-		else
-		{
-			k->Offline = false;
-			SetLinkOffline(k);
-		}
+		k->Offline = !online;
+
 		ReleaseLink(k);
 	}

@@ -3880,6 +3883,16 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 		o->DropArpInPrivacyFilterMode = true;
 	}

+	if (CfgIsItem(f, "AllowSameUserInPrivacyFilterMode"))
+        {
+                o->AllowSameUserInPrivacyFilterMode = CfgGetBool(f, "AllowSameUserInPrivacyFilterMode");
+        }
+        else
+        {
+                o->AllowSameUserInPrivacyFilterMode = false;
+        }
+
+
 	o->NoLookBPDUBridgeId = CfgGetBool(f, "NoLookBPDUBridgeId");
 	o->AdjustTcpMssValue = CfgGetInt(f, "AdjustTcpMssValue");
 	o->DisableAdjustTcpMss = CfgGetBool(f, "DisableAdjustTcpMss");
@@ -3928,6 +3941,7 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	o->NoPhysicalIPOnPacketLog = CfgGetBool(f, "NoPhysicalIPOnPacketLog");
 	o->UseHubNameAsDhcpUserClassOption = CfgGetBool(f, "UseHubNameAsDhcpUserClassOption");
 	o->UseHubNameAsRadiusNasId = CfgGetBool(f, "UseHubNameAsRadiusNasId");
+	o->AllowEapMatchUserByCert = CfgGetBool(f, "AllowEapMatchUserByCert");

 	// Enabled by default
 	if (CfgIsItem(f, "ManageOnlyPrivateIP"))
@@ -4004,6 +4018,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	CfgAddBool(f, "DoNotSaveHeavySecurityLogs", o->DoNotSaveHeavySecurityLogs);
 	CfgAddBool(f, "DropBroadcastsInPrivacyFilterMode", o->DropBroadcastsInPrivacyFilterMode);
 	CfgAddBool(f, "DropArpInPrivacyFilterMode", o->DropArpInPrivacyFilterMode);
+	CfgAddBool(f, "AllowSameUserInPrivacyFilterMode", o->AllowSameUserInPrivacyFilterMode);
 	CfgAddBool(f, "SuppressClientUpdateNotification", o->SuppressClientUpdateNotification);
 	CfgAddBool(f, "AssignVLanIdByRadiusAttribute", o->AssignVLanIdByRadiusAttribute);
 	CfgAddBool(f, "DenyAllRadiusLoginWithNoVlanAssign", o->DenyAllRadiusLoginWithNoVlanAssign);
@@ -4032,6 +4047,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	CfgAddBool(f, "DisableCorrectIpOffloadChecksum", o->DisableCorrectIpOffloadChecksum);
 	CfgAddBool(f, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	CfgAddBool(f, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
+	CfgAddBool(f, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
 }

 // Write the user
@@ -5608,6 +5624,7 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 	char tmp[MAX_SIZE];
 	X *x = NULL;
 	K *k = NULL;
+	LIST *chain = NewList(NULL);
 	FOLDER *params_folder;
 	UINT i;
 	// Validate arguments
@@ -5847,10 +5864,14 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 			FreeBuf(b);
 		}

+		// Server trust chain
+		SiLoadCertList(chain, CfgGetFolder(f, "ServerChain"));
+
 		if (x == NULL || k == NULL || CheckXandK(x, k) == false)
 		{
 			FreeX(x);
 			FreeK(k);
+			FreeXList(chain);
 			SiGenerateDefaultCert(&x, &k);

 			SetCedarCert(c, x, k);
@@ -5859,11 +5880,19 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 			FreeK(k);
 		}
 		else
+		{
+			if (LIST_NUM(chain) == 0)
 			{
 				SetCedarCert(c, x, k);
+			}
+			else
+			{
+				SetCedarCertAndChain(c, x, k, chain);
+			}

 			FreeX(x);
 			FreeK(k);
+			FreeXList(chain);
 		}

 		// Character which separates the username from the hub name
@@ -6246,6 +6275,9 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 		CfgAddBuf(f, "ServerKey", b);
 		FreeBuf(b);

+		// Server trust chain
+		SiWriteCertList(CfgCreateFolder(f, "ServerChain"), c->ServerChain);
+
 		{
 			// Character which separates the username from the hub name
 			char str[2];
@@ -7449,6 +7481,7 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
 	o.DoNotSaveHeavySecurityLogs = PackGetBool(p, "DoNotSaveHeavySecurityLogs");
 	o.DropBroadcastsInPrivacyFilterMode = PackGetBool(p, "DropBroadcastsInPrivacyFilterMode");
 	o.DropArpInPrivacyFilterMode = PackGetBool(p, "DropArpInPrivacyFilterMode");
+	o.AllowSameUserInPrivacyFilterMode= PackGetBool(p, "AllowSameUserInPrivacyFilterMode");
 	o.SuppressClientUpdateNotification = PackGetBool(p, "SuppressClientUpdateNotification");
 	o.AssignVLanIdByRadiusAttribute = PackGetBool(p, "AssignVLanIdByRadiusAttribute");
 	o.DenyAllRadiusLoginWithNoVlanAssign = PackGetBool(p, "DenyAllRadiusLoginWithNoVlanAssign");
@@ -7499,6 +7532,7 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
 	o.DisableCorrectIpOffloadChecksum = PackGetBool(p, "DisableCorrectIpOffloadChecksum");
 	o.UseHubNameAsDhcpUserClassOption = PackGetBool(p, "UseHubNameAsDhcpUserClassOption");
 	o.UseHubNameAsRadiusNasId = PackGetBool(p, "UseHubNameAsRadiusNasId");
+	o.AllowEapMatchUserByCert = PackGetBool(p, "AllowEapMatchUserByCert");

 	save_packet_log = PackGetInt(p, "SavePacketLog");
 	packet_log_switch_type = PackGetInt(p, "PacketLogSwitchType");
@@ -9275,6 +9309,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
 	PackAddBool(p, "DoNotSaveHeavySecurityLogs", h->Option->DoNotSaveHeavySecurityLogs);
 	PackAddBool(p, "DropBroadcastsInPrivacyFilterMode", h->Option->DropBroadcastsInPrivacyFilterMode);
 	PackAddBool(p, "DropArpInPrivacyFilterMode", h->Option->DropArpInPrivacyFilterMode);
+	PackAddBool(p, "AllowSameUserInPrivacyFilterMode", h->Option->AllowSameUserInPrivacyFilterMode);
 	PackAddBool(p, "SuppressClientUpdateNotification", h->Option->SuppressClientUpdateNotification);
 	PackAddBool(p, "AssignVLanIdByRadiusAttribute", h->Option->AssignVLanIdByRadiusAttribute);
 	PackAddBool(p, "DenyAllRadiusLoginWithNoVlanAssign", h->Option->DenyAllRadiusLoginWithNoVlanAssign);
@@ -9332,6 +9367,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
 	PackAddData(p, "SecurePassword", h->SecurePassword, SHA1_SIZE);
 	PackAddBool(p, "UseHubNameAsDhcpUserClassOption", h->Option->UseHubNameAsDhcpUserClassOption);
 	PackAddBool(p, "UseHubNameAsRadiusNasId", h->Option->UseHubNameAsRadiusNasId);
+	PackAddBool(p, "AllowEapMatchUserByCert", h->Option->AllowEapMatchUserByCert);

 	SiAccessListToPack(p, h->AccessList);

@@ -609,6 +609,24 @@ void SessionMain(SESSION *s)
 							WHERE;
 						}
 					}
+
+					// If all the specified number of tcp connections are not alive continuously, then terminate the session.
+					UINT num_tcp_conn = LIST_NUM(s->Connection->Tcp->TcpSockList);
+					UINT max_conn = s->ClientOption->MaxConnection;
+
+					if ((s->CurrentConnectionEstablishTime +
+						(UINT64)(s->ClientOption->AdditionalConnectionInterval * 1000 * 2 + CONNECTING_TIMEOUT * 2))
+						<= Tick64())
+					{
+						if (s->ClientOption->BindLocalPort != 0 || num_tcp_conn == 0)
+						{
+							timeouted = true;
+							WHERE;
+						}
+					}
+					//Debug("SessionMain(): The number of TCP connections short... Num_Tcp_Conn=%d Max_Conn=%d Curr_Conn_Time=%llu Tick64=%llu\n"
+					//	, num_tcp_conn, max_conn, s->CurrentConnectionEstablishTime, Tick64());
+
 				}
 			}

@@ -1270,6 +1288,13 @@ void CleanupSession(SESSION *s)
 		Free(s->ClientAuth);
 	}

+	if (s->SslOption != NULL)
+	{
+		FreeXList(s->SslOption->CaList);
+		FreeX(s->SslOption->SavedCert);
+		Free(s->SslOption);
+	}
+
 	FreeTraffic(s->Traffic);
 	Free(s->Name);

@@ -1423,6 +1448,9 @@ void ClientThread(THREAD *t, void *param)
 	while (true)
 	{
 		Zero(&s->ServerIP_CacheForNextConnect, sizeof(IP));
+		Zero(&s->LocalIP_CacheForNextConnect, sizeof(IP));	// Assigned by first outgoing connection
+		Zero(s->UnderlayProtocol, sizeof(s->UnderlayProtocol));
+		Zero(s->ProtocolDetails, sizeof(s->ProtocolDetails));

 		if (s->Link != NULL && ((*s->Link->StopAllLinkFlag) || s->Link->Halting))
 		{
@@ -1966,6 +1994,38 @@ SESSION *NewClientSessionEx(CEDAR *cedar, CLIENT_OPTION *option, CLIENT_AUTH *au
 		// Link client mode
 		s->LinkModeClient = true;
 		s->Link = (LINK *)s->PacketAdapter->Param;
+		if (s->Link != NULL && s->Link->CheckServerCert && s->Link->Hub->HubDb != NULL)
+		{
+			// Enable SSL peer verification
+			s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION));
+			s->SslOption->VerifyPeer = true;
+			s->SslOption->AddDefaultCA = s->Link->AddDefaultCA;
+			s->SslOption->VerifyHostname = true;
+			s->SslOption->SavedCert = CloneX(s->Link->ServerCert);
+
+			// Copy trusted CA
+			LIST *o = s->Link->Hub->HubDb->RootCertList;
+			s->SslOption->CaList = CloneXList(o);
+		}
+	}
+	else
+	{
+		if (account != NULL && account->CheckServerCert)
+		{
+			// Enable SSL peer verification
+			s->SslOption = ZeroMalloc(sizeof(SSL_VERIFY_OPTION));
+			s->SslOption->VerifyPeer = true;
+#ifdef	OS_WIN32
+			s->SslOption->PromptOnVerifyFail = true;
+#endif
+			s->SslOption->AddDefaultCA = account->AddDefaultCA;
+			s->SslOption->VerifyHostname = true;
+			s->SslOption->SavedCert = CloneX(account->ServerCert);
+
+			// Copy trusted CA
+			LIST *o = cedar->CaList;
+			s->SslOption->CaList = CloneXList(o);
+		}
 	}

 	if (StrCmpi(s->ClientOption->DeviceName, SNAT_DEVICE_NAME) == 0)
@@ -91,6 +91,7 @@ struct SESSION
 	char ClientIP[64];				// Client IP
 	CLIENT_OPTION *ClientOption;	// Client connection options
 	CLIENT_AUTH *ClientAuth;		// Client authentication data
+	SSL_VERIFY_OPTION *SslOption;	// SSL verification option
 	volatile bool Halt;				// Halting flag
 	volatile bool CancelConnect;	// Cancel the connection
 	EVENT *HaltEvent;				// Halting event
@@ -129,6 +130,7 @@ struct SESSION
 	UCHAR Padding[2];

 	IP ServerIP_CacheForNextConnect;	// Server IP, cached for next connect
+	IP LocalIP_CacheForNextConnect;		// Local  IP, cached for next connect (2nd and subsequent), assigned by first outgoing connection

 	UINT64 CreatedTime;				// Creation date and time
 	UINT64 LastCommTime;			// Last communication date and time
@@ -338,6 +338,8 @@ void UdpAccelSend(UDP_ACCEL *a, UCHAR *data, UINT data_size, UCHAR flag, UINT ma
 	UINT size = 0;
 	UINT64 tmp;
 	UINT ret;
+	UINT u32;
+	USHORT u16;
 	// Validate arguments
 	if (a == NULL || (data_size != 0 && data == NULL))
 	{
@@ -367,8 +369,8 @@ void UdpAccelSend(UDP_ACCEL *a, UCHAR *data, UINT data_size, UCHAR flag, UINT ma
 	}

 	// Cookie
-	tmp = Endian32(a->YourCookie);
-	Copy(buf, &tmp, sizeof(UINT));
+	u32 = Endian32(a->YourCookie);
+	Copy(buf, &u32, sizeof(UINT));
 	buf += sizeof(UINT);
 	size += sizeof(UINT);

@@ -385,8 +387,8 @@ void UdpAccelSend(UDP_ACCEL *a, UCHAR *data, UINT data_size, UCHAR flag, UINT ma
 	size += sizeof(UINT64);

 	// Size
-	tmp = Endian16(data_size);
-	Copy(buf, &tmp, sizeof(USHORT));
+	u16 = Endian16(data_size);
+	Copy(buf, &u16, sizeof(USHORT));
 	buf += sizeof(USHORT);
 	size += sizeof(USHORT);

@@ -29,7 +29,7 @@
 #include <net/if.h>
 #include <sys/ioctl.h>

-#ifdef UNIX_OPENBSD
+#if defined(UNIX_OPENBSD) || defined(UNIX_SOLARIS)
 #include <netinet/if_ether.h>
 #else
 #include <net/ethernet.h>
@@ -263,7 +263,7 @@ void FreeVLan(VLAN *v)
 }

 // Create a tap
-VLAN *NewTap(char *name, char *mac_address, bool create_up)
+VLAN *NewBridgeTap(char *name, char *mac_address, bool create_up)
 {
 	int fd;
 	VLAN *v;
@@ -273,7 +273,7 @@ VLAN *NewTap(char *name, char *mac_address, bool create_up)
 		return NULL;
 	}

-	fd = UnixCreateTapDeviceEx(name, "tap", mac_address, create_up);
+	fd = UnixCreateTapDeviceEx(name, UNIX_VLAN_BRIDGE_IFACE_PREFIX, mac_address, create_up);
 	if (fd == -1)
 	{
 		return NULL;
@@ -288,7 +288,7 @@ VLAN *NewTap(char *name, char *mac_address, bool create_up)
 }

 // Close the tap
-void FreeTap(VLAN *v)
+void FreeBridgeTap(VLAN *v)
 {
 	// Validate arguments
 	if (v == NULL)
@@ -296,7 +296,11 @@ void FreeTap(VLAN *v)
 		return;
 	}

-	close(v->fd);
+	UnixCloseTapDevice(v->fd);
+#ifdef	UNIX_BSD
+	UnixDestroyBridgeTapDevice(v->InstanceName);
+#endif
+
 	FreeVLan(v);
 }

@@ -470,6 +474,20 @@ int UnixCreateTapDeviceEx(char *name, char *prefix, UCHAR *mac_address, bool cre
 			ioctl(s, SIOCSIFLLADDR, &ifr);
 		}

+		// Set interface description
+#ifdef	SIOCSIFDESCR
+		{
+			char desc[] = CEDAR_PRODUCT_STR " Virtual Network Adapter";
+
+			ifr.ifr_buffer.buffer = desc;
+			ifr.ifr_buffer.length = StrLen(desc) + 1;
+			ioctl(s, SIOCSIFDESCR, &ifr);
+		}
+#endif
+
+		// Set interface group
+		UnixSetIfGroup(s, tap_name, CEDAR_PRODUCT_STR);
+
 		if (create_up)
 		{
 			Zero(&ifr, sizeof(ifr));
@@ -554,7 +572,7 @@ int UnixCreateTapDeviceEx(char *name, char *prefix, UCHAR *mac_address, bool cre
 }
 int UnixCreateTapDevice(char *name, UCHAR *mac_address, bool create_up)
 {
-	return UnixCreateTapDeviceEx(name, "vpn", mac_address, create_up);
+	return UnixCreateTapDeviceEx(name, UNIX_VLAN_CLIENT_IFACE_PREFIX, mac_address, create_up);
 }

 // Close the tap device
@@ -569,9 +587,77 @@ void UnixCloseTapDevice(int fd)
 	close(fd);
 }

+// Destroy the tap device (for FreeBSD)
+// FreeBSD tap device is still plumbed after closing fd so need to destroy after close
+void UnixDestroyTapDeviceEx(char *name, char *prefix)
+{
+#ifdef UNIX_BSD
+	struct ifreq ifr;
+	char eth_name[MAX_SIZE];
+	int s;
+
+	Zero(&ifr, sizeof(ifr));
+	GenerateTunName(name, prefix, eth_name, sizeof(eth_name));
+	StrCpy(ifr.ifr_name, sizeof(ifr.ifr_name), eth_name);
+
+	s = socket(AF_INET, SOCK_DGRAM, 0);
+	if (s == -1)
+	{
+		return;
+	}
+	ioctl(s, SIOCIFDESTROY, &ifr);
+
+	close(s);
+#endif	// UNIX_BSD
+}
+
+void UnixDestroyBridgeTapDevice(char *name)
+{
+#ifdef UNIX_BSD
+	UnixDestroyTapDeviceEx(name, UNIX_VLAN_BRIDGE_IFACE_PREFIX);
+#endif	// UNIX_BSD
+}
+
+void UnixDestroyClientTapDevice(char *name)
+{
+#ifdef UNIX_BSD
+	UnixDestroyTapDeviceEx(name, UNIX_VLAN_CLIENT_IFACE_PREFIX);
+#endif	// UNIX_BSD
+}
+
+void UnixSetIfGroup(int fd, const char *name, const char *group_name)
+{
+#ifdef	SIOCAIFGROUP
+	struct ifgroupreq ifgr;
+	char *tmp;
+
+	tmp = CopyStr((char *)group_name);
+	StrLower(tmp);
+	Zero(&ifgr, sizeof(ifgr));
+
+	StrCpy(ifgr.ifgr_name, sizeof(ifgr.ifgr_name), (char *) name);
+	StrCpy(ifgr.ifgr_group, sizeof(ifgr.ifgr_group), tmp);
+	ioctl(fd, SIOCAIFGROUP, &ifgr);
+
+	Free(tmp);
+#endif
+}
+
 #else	// NO_VLAN

-void UnixCloseTapDevice(int fd)
+void UnixCloseDevice(int fd)
+{
+}
+
+void UnixDestroyTapDevice(char *name)
+{
+}
+
+void UnixDestroyTapDeviceEx(char *name, char *prefix)
+{
+}
+
+void UnixSetIfGroup()
 {
 }

@@ -662,13 +748,13 @@ bool UnixVLanCreateEx(char *name, char *prefix, UCHAR *mac_address, bool create_
 }
 bool UnixVLanCreate(char *name, UCHAR *mac_address, bool create_up)
 {
-	return UnixVLanCreateEx(name, "vpn", mac_address, create_up);
+	return UnixVLanCreateEx(name, UNIX_VLAN_CLIENT_IFACE_PREFIX, mac_address, create_up);
 }

 // Set a VLAN up/down
 bool UnixVLanSetState(char* name, bool state_up)
 {
-#ifdef UNIX_LINUX
+#if defined(UNIX_LINUX) || defined(UNIX_BSD)
 	UNIX_VLAN_LIST *t, tt;
 	struct ifreq ifr;
 	int s;
@@ -689,7 +775,7 @@ bool UnixVLanSetState(char* name, bool state_up)
 			return false;
 		}

-		GenerateTunName(name, "vpn", eth_name, sizeof(eth_name));
+		GenerateTunName(name, UNIX_VLAN_CLIENT_IFACE_PREFIX, eth_name, sizeof(eth_name));
 		Zero(&ifr, sizeof(ifr));
 		StrCpy(ifr.ifr_name, sizeof(ifr.ifr_name), eth_name);

@@ -714,7 +800,7 @@ bool UnixVLanSetState(char* name, bool state_up)
 		close(s);
 	}
 	UnlockList(unix_vlan);
-#endif // UNIX_LINUX
+#endif // UNIX_LINUX || UNIX_BSD

 	return true;
 }
@@ -769,6 +855,9 @@ void UnixVLanDelete(char *name)
 		if (t != NULL)
 		{
 			UnixCloseTapDevice(t->fd);
+#ifdef UNIX_BSD
+			UnixDestroyClientTapDevice(t->Name);
+#endif
 			Delete(unix_vlan, t);
 			Free(t);
 		}
@@ -815,6 +904,9 @@ void UnixVLanFree()
 		UNIX_VLAN_LIST *t = LIST_DATA(unix_vlan, i);

 		UnixCloseTapDevice(t->fd);
+#ifdef UNIX_BSD
+		UnixDestroyClientTapDevice(t->Name);
+#endif
 		Free(t);
 	}

@@ -31,9 +31,9 @@ struct VLAN

 // Function prototype
 VLAN *NewVLan(char *instance_name, VLAN_PARAM *param);
-VLAN *NewTap(char *name, char *mac_address, bool create_up);
+VLAN *NewBridgeTap(char *name, char *mac_address, bool create_up);
 void FreeVLan(VLAN *v);
-void FreeTap(VLAN *v);
+void FreeBridgeTap(VLAN *v);
 CANCEL *VLanGetCancel(VLAN *v);
 bool VLanGetNextPacket(VLAN *v, void **buf, UINT *size);
 bool VLanPutPacket(VLAN *v, void *buf, UINT size);
@@ -60,6 +60,9 @@ struct UNIX_VLAN_LIST
 int UnixCreateTapDevice(char *name, UCHAR *mac_address, bool create_up);
 int UnixCreateTapDeviceEx(char *name, char *prefix, UCHAR *mac_address, bool create_up);
 void UnixCloseTapDevice(int fd);
+void UnixDestroyBridgeTapDevice(char *name);
+void UnixDestroyClientTapDevice(char *name);
+void UnixSetIfGroup(int fd, const char *name, const char *group_name);
 void UnixVLanInit();
 void UnixVLanFree();
 bool UnixVLanCreate(char *name, UCHAR *mac_address, bool create_up);
@@ -162,7 +162,6 @@ void RouteTrackingMain(SESSION *s)
 					char ip_str2[64];

 					Copy(&e->DestIP, &nat_t_ip, sizeof(IP));
-					e->Metric = e->OldIfMetric;

 					IPToStr(ip_str, sizeof(ip_str), &e->DestIP);
 					IPToStr(ip_str2, sizeof(ip_str2), &e->GatewayIP);
@@ -190,9 +189,12 @@ void RouteTrackingMain(SESSION *s)
 	{
 		UINT i;
 		bool route_to_server_erased = true;
-		bool is_vlan_want_to_be_default_gateway = false;
-		UINT vlan_default_gateway_metric = 0;
-		UINT other_if_default_gateway_metric_min = INFINITE;
+		bool is_vlan_want_to_be_default_gateway_v4 = false;
+		bool is_vlan_want_to_be_default_gateway_v6 = false;
+		UINT vlan_default_gateway_metric_v4 = 0;
+		UINT vlan_default_gateway_metric_v6 = 0;
+		UINT other_if_default_gateway_metric_min_v4 = INFINITE;
+		UINT other_if_default_gateway_metric_min_v6 = INFINITE;

 		// Get whether the routing table have been changed
 		if (t->LastRoutingTableHash != table->HashedValue)
@@ -224,20 +226,22 @@ void RouteTrackingMain(SESSION *s)
 			}

 			// Search for the default gateway
-			if (IPToUINT(&e->DestIP) == 0 &&
-				IPToUINT(&e->DestMask) == 0)
+			if (IsZeroIP(&e->DestIP) && IsZeroIP(&e->DestMask))
 			{
 				Debug("e->InterfaceID = %u, t->VLanInterfaceId = %u\n",
 					e->InterfaceID, t->VLanInterfaceId);

 				if (e->InterfaceID == t->VLanInterfaceId)
+				{
+					if (IsIP4(&e->DestIP))
 					{
 						// The virtual LAN card think that he want to be a default gateway
-					is_vlan_want_to_be_default_gateway = true;
-					vlan_default_gateway_metric = e->Metric;
+						is_vlan_want_to_be_default_gateway_v4 = true;
+						vlan_default_gateway_metric_v4 = e->Metric;

-					if (vlan_default_gateway_metric >= 2 &&
-						t->OldDefaultGatewayMetric == (vlan_default_gateway_metric - 1))
+						// PPP route fix
+						if (vlan_default_gateway_metric_v4 >= 2 &&
+							t->OldDefaultGatewayMetric == (vlan_default_gateway_metric_v4 - 1))
 						{
 							// Restore because the PPP server rewrites
 							// the routing table selfishly
@@ -259,18 +263,26 @@ void RouteTrackingMain(SESSION *s)
 						t->DefaultGatewayByVLan = ZeroMalloc(sizeof(ROUTE_ENTRY));
 						Copy(t->DefaultGatewayByVLan, e, sizeof(ROUTE_ENTRY));

-					t->OldDefaultGatewayMetric = vlan_default_gateway_metric;
+						t->OldDefaultGatewayMetric = vlan_default_gateway_metric_v4;
 					}
 					else
+					{
+						is_vlan_want_to_be_default_gateway_v6 = true;
+						vlan_default_gateway_metric_v6 = e->Metric;
+					}
+				}
+				else
+				{
+					if (IsIP4(&e->DestIP))
 					{
 						// There are default gateway other than the virtual LAN card
 						// Save the metric value of the default gateway
-					if (other_if_default_gateway_metric_min > e->Metric)
+						if (other_if_default_gateway_metric_min_v4 > e->Metric)
 						{
 							// Ignore the metric value of all PPP connection in the case of Windows Vista
 							if (e->PPPConnection == false)
 							{
-							other_if_default_gateway_metric_min = e->Metric;
+								other_if_default_gateway_metric_min_v4 = e->Metric;
 							}
 							else
 							{
@@ -280,6 +292,14 @@ void RouteTrackingMain(SESSION *s)
 							}
 						}
 					}
+					else
+					{
+						if (other_if_default_gateway_metric_min_v6 > e->Metric)
+						{
+							other_if_default_gateway_metric_min_v6 = e->Metric;
+						}
+					}
+				}
 			}
 		}

@@ -287,7 +307,7 @@ void RouteTrackingMain(SESSION *s)
 		{
 			if (t->DefaultGatewayByVLan != NULL)
 			{
-				if (is_vlan_want_to_be_default_gateway)
+				if (is_vlan_want_to_be_default_gateway_v4)
 				{
 					if (t->VistaOldDefaultGatewayByVLan == NULL || Cmp(t->VistaOldDefaultGatewayByVLan, t->DefaultGatewayByVLan, sizeof(ROUTE_ENTRY)) != 0)
 					{
@@ -362,8 +382,9 @@ void RouteTrackingMain(SESSION *s)
 		// to elect the virtual LAN card as the default gateway
 //		Debug("is_vlan_want_to_be_default_gateway = %u, rs = %u, route_to_server_erased = %u, other_if_default_gateway_metric_min = %u, vlan_default_gateway_metric = %u\n",
 //			is_vlan_want_to_be_default_gateway, rs, route_to_server_erased, other_if_default_gateway_metric_min, vlan_default_gateway_metric);
-		if (is_vlan_want_to_be_default_gateway && (rs != NULL && route_to_server_erased == false) &&
-			other_if_default_gateway_metric_min >= vlan_default_gateway_metric)
+		if ((is_vlan_want_to_be_default_gateway_v4 && other_if_default_gateway_metric_min_v4 >= vlan_default_gateway_metric_v4 ||
+			is_vlan_want_to_be_default_gateway_v6 && other_if_default_gateway_metric_min_v6 >= vlan_default_gateway_metric_v6)
+			&& rs != NULL && route_to_server_erased == false)
 		{
 			// Scan the routing table again
 			for (i = 0;i < table->NumEntry;i++)
@@ -372,8 +393,7 @@ void RouteTrackingMain(SESSION *s)

 				if (e->InterfaceID != t->VLanInterfaceId)
 				{
-					if (IPToUINT(&e->DestIP) == 0 &&
-					IPToUINT(&e->DestMask) == 0)
+					if (IsZeroIP(&e->DestIP) && IsZeroIP(&e->DestMask))
 					{
 						char str[64];
 						// Default gateway is found
@@ -486,8 +506,6 @@ void RouteTrackingStart(SESSION *s)
 	Debug("GetBestRouteEntry() Succeed. [Gateway: %s]\n", tmp);

 	// Add a route
-	e->Metric = e->OldIfMetric;
-
 	if (AddRouteEntryEx(e, &already_exists) == false)
 	{
 		FreeRouteEntry(e);
@@ -549,8 +567,6 @@ void RouteTrackingStart(SESSION *s)
 			else
 			{
 				// Add a route
-				dns->Metric = dns->OldIfMetric;
-
 				if (AddRouteEntry(dns) == false)
 				{
 					FreeRouteEntry(dns);
@@ -569,8 +585,6 @@ void RouteTrackingStart(SESSION *s)

 			if (route_to_real_server_global != NULL)
 			{
-				route_to_real_server_global->Metric = route_to_real_server_global->OldIfMetric;
-
 				if (AddRouteEntry(route_to_real_server_global) == false)
 				{
 					FreeRouteEntry(route_to_real_server_global);
@@ -633,11 +647,6 @@ void RouteTrackingStart(SESSION *s)
 			MsFreeAdapter(a);
 		}
 	}
-	else
-	{
-		// For Win9x
-		Win32RenewDhcp9x(if_id);
-	}

 	// Clear the DNS cache
 	Win32FlushDnsCache();
@@ -782,12 +791,12 @@ void RouteTrackingStop(SESSION *s, ROUTE_TRACKING *t)
 		// If the restoring routing entry is a default gateway and
 		// the existing routing table contains another default gateway
 		// on the interface, give up restoring the entry
-		if (IPToUINT(&e->DestIP) == 0 && IPToUINT(&e->DestMask) == 0)
+		if (IsZeroIP(&e->DestIP) && IsZeroIP(&e->DestMask))
 		{
 			for (i = 0;i < table->NumEntry;i++)
 			{
 				ROUTE_ENTRY *r = table->Entry[i];
-				if (IPToUINT(&r->DestIP) == 0 && IPToUINT(&r->DestMask) == 0)
+				if (IsZeroIP(&r->DestIP) && IsZeroIP(&r->DestMask))
 				{
 					if (r->InterfaceID == e->InterfaceID)
 					{
@@ -4214,7 +4214,7 @@ bool NatTransactUdp(VH *v, NAT_ENTRY *n)
 	// Try to send data to the UDP socket
 	while (block = GetNext(n->UdpSendQueue))
 	{
-		UINT send_size;
+		UINT send_size = 0;
 		bool is_nbtdgm = false;
 		LIST *local_ip_list = NULL;

@@ -35,6 +35,9 @@
 #include <shellapi.h>
 #include <shlobj.h>

+#include <openssl/evp.h>
+#include <openssl/ec.h>
+
 // Process name list of incompatible anti-virus software
 static BAD_PROCESS bad_processes[] =
 {
@@ -900,7 +903,10 @@ void ShowWizard(HWND hWndParent, WIZARD *w, UINT start_id)
 	h.phpage = (HPROPSHEETPAGE *)pages_array;
 	h.pszbmHeader = MAKEINTRESOURCEW(w->Bitmap);
 	h.pszCaption = w->Caption;
+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
 	h.pfnCallback = WizardDlgProc;
+    #pragma clang diagnostic pop

 	start_page = GetWizardPage(w, start_id);
 	if (start_page != NULL)
@@ -1326,7 +1332,7 @@ void WinConnectDlgThread(THREAD *thread, void *param)
 		nat_t_svc_name = d->nat_t_svc_name;
 	}

-	s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false);
+	s = ConnectEx5(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false, d->ssl_option, d->ssl_err, d->hint_str, NULL);

 	d->ret_sock = s;
 	d->nat_t_error_code = nat_t_error_code;
@@ -1395,6 +1401,10 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *

 // TCP connection with showing the UI
 SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl)
+{
+	return WinConnectEx4(hWnd, server, port, timeout, icon_id, caption, info, nat_t_error_code, nat_t_svc_name, try_start_ssl, NULL, NULL, NULL);
+}
+SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str)
 {
 	wchar_t tmp[MAX_SIZE];
 	wchar_t tmp2[MAX_SIZE];
@@ -1437,6 +1447,9 @@ SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_
 	d.timeout = timeout;
 	d.hostname = server;
 	d.port = port;
+	d.ssl_option = ssl_option;
+	d.ssl_err = ssl_err;
+	d.hint_str = hint_str;
 	StrCpy(d.nat_t_svc_name, sizeof(d.nat_t_svc_name), nat_t_svc_name);

 	Dialog(hWnd, D_CONNECT, WinConnectDlgProc, &d);
@@ -3477,7 +3490,10 @@ HWND SearchWindow(wchar_t *caption)
 	p.caption = caption;
 	p.hWndFound = NULL;

+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wincompatible-function-pointer-types"
 	EnumWindows(SearchWindowEnumProc, (LPARAM)&p);
+    #pragma clang diagnostic pop

 	return p.hWndFound;
 }
@@ -5566,17 +5582,58 @@ void PrintCertInfo(HWND hWnd, CERT_DLG *p)
 	GetDateTimeStrEx64(tmp, sizeof(tmp), SystemToLocal64(x->notAfter), NULL);
 	LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_NOT_AFTER"), tmp);

-	// Number of bits
-	if (x->is_compatible_bit)
-	{
-		UniFormat(tmp, sizeof(tmp), _UU("CERT_BITS_FORMAT"), x->bits);
-		LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_BITS"), tmp);
-	}
-
 	// Public key
 	k = GetKFromX(x);
 	if (k != NULL)
 	{
+		UINT type = EVP_PKEY_base_id(k->pkey);
+		switch (type)
+		{
+		case EVP_PKEY_RSA:
+			LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_KEY_ALGORITHM"), L"RSA");
+			UniFormat(tmp, sizeof(tmp), _UU("CERT_BITS_FORMAT"), x->bits);
+			LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_BITS"), tmp);
+			break;
+		case EVP_PKEY_EC:
+			LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_KEY_ALGORITHM"), L"ECDSA");
+			UniFormat(tmp, sizeof(tmp), _UU("CERT_BITS_FORMAT"), x->bits);
+			LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_BITS"), tmp);
+
+# ifndef OPENSSL_NO_EC
+			EC_KEY *key = EVP_PKEY_get0_EC_KEY(k->pkey);
+			if (key == NULL)
+			{
+				break;
+			}
+
+			EC_GROUP *group = EC_KEY_get0_group(key);
+			if (group == NULL)
+			{
+				break;
+			}
+
+			int nid = EC_GROUP_get_curve_name(group);
+			if (nid == 0)
+			{
+				break;
+			}
+
+			if (StrToUni(tmp, sizeof(tmp), OBJ_nid2sn(nid)) > 0)
+			{
+				wchar_t *nname = CopyStrToUni(EC_curve_nid2nist(nid));
+				if (nname)
+				{
+					UniFormat(tmp, sizeof(tmp), L"%s (%s)", tmp, nname);
+				}
+				LvInsert(hWnd, L_CERTINFO, ICO_CERT, NULL, 2, _UU("CERT_KEY_PARAMETER"), tmp);
+				Free(nname);
+			}
+# endif
+			break;
+		default:
+			break;
+		}
+
 		BUF *b = KToBuf(k, false, NULL);
 		s_tmp = CopyBinToStrEx(b->Buf, b->Size);
 		StrToUni(tmp, sizeof(tmp), s_tmp);
@@ -331,6 +331,9 @@ typedef struct WINCONNECT_DLG_DATA
 	char nat_t_svc_name[MAX_SIZE];
 	UINT nat_t_error_code;
 	bool try_start_ssl;
+	SSL_VERIFY_OPTION *ssl_option;
+	UINT *ssl_err;
+	char *hint_str;
 } WINCONNECT_DLG_DATA;

 HBITMAP ResizeBitmap(HBITMAP hSrc, UINT src_x, UINT src_y, UINT dst_x, UINT dst_y);
@@ -694,6 +697,7 @@ HFONT GetMeiryoFontEx(UINT font_size);
 HFONT GetMeiryoFontEx2(UINT font_size, bool bold);
 bool ShowWindowsNetworkConnectionDialog();
 SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl);
+SOCK *WinConnectEx4(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, SSL_VERIFY_OPTION *ssl_option, UINT *ssl_err, char *hint_str);
 UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param);
 void WinConnectDlgThread(THREAD *thread, void *param);
 void NicInfo(UI_NICINFO *info);
@@ -11,6 +11,7 @@
 #include "Protocol.h"

 #include "Mayaqua/DNS.h"
+#include "Mayaqua/Encoding.h"
 #include "Mayaqua/Memory.h"
 #include "Mayaqua/Microsoft.h"
 #include "Mayaqua/Pack.h"
@@ -312,8 +313,16 @@ BUF *WpcDataEntryToBuf(WPC_ENTRY *e)
 	}

 	data_size = e->Size + 4096;
-	data = Malloc(data_size);
+	data = ZeroMalloc(data_size);
+
+	if (e->Size >= 1)
+	{
 		size = DecodeSafe64(data, e->Data, e->Size);
+	}
+	else
+	{
+		size = 0;
+	}

 	b = NewBuf();
 	WriteBuf(b, data, size);
@@ -807,19 +816,14 @@ BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,

 		if (IsEmptyStr(setting->ProxyUsername) == false || IsEmptyStr(setting->ProxyPassword) == false)
 		{
-			char auth_tmp_str[MAX_SIZE], auth_b64_str[MAX_SIZE * 2];
-			char basic_str[MAX_SIZE * 2];
+			char auth_str[MAX_SIZE * 2];
+			Format(auth_str, sizeof(auth_str), "%s:%s", setting->ProxyUsername, setting->ProxyPassword);

-			// Generate the authentication string
-			Format(auth_tmp_str, sizeof(auth_tmp_str), "%s:%s",
-				setting->ProxyUsername, setting->ProxyPassword);
+			char *base64 = Base64FromBin(NULL, auth_str, StrLen(auth_str));
+			Format(auth_str, sizeof(auth_str), "Basic %s", base64);
+			Free(base64);

-			// Base64 encode
-			Zero(auth_b64_str, sizeof(auth_b64_str));
-			Encode64(auth_b64_str, auth_tmp_str);
-			Format(basic_str, sizeof(basic_str), "Basic %s", auth_b64_str);
-
-			AddHttpValue(h, NewHttpValue("Proxy-Authorization", basic_str));
+			AddHttpValue(h, NewHttpValue("Proxy-Authorization", auth_str));
 		}
 	}

@@ -1229,18 +1233,14 @@ bool ParseUrl(URL_DATA *data, char *str, bool is_post, char *referrer)
 }

 // String replacement
-void Base64ToSafe64(char *str)
+void Base64ToSafe64(char *str, const UINT size)
 {
-	UINT i, len;
-	// Validate arguments
-	if (str == NULL)
+	if (str == NULL || size == 0)
 	{
 		return;
 	}

-	len = StrLen(str);
-
-	for (i = 0;i < len;i++)
+	for (UINT i = 0; i < size; ++i)
 	{
 		switch (str[i])
 		{
@@ -1258,18 +1258,14 @@ void Base64ToSafe64(char *str)
 		}
 	}
 }
-void Safe64ToBase64(char *str)
+void Safe64ToBase64(char *str, const UINT size)
 {
-	UINT i, len;
-	// Validate arguments
-	if (str == NULL)
+	if (str == NULL || size == 0)
 	{
 		return;
 	}

-	len = StrLen(str);
-
-	for (i = 0;i < len;i++)
+	for (UINT i = 0; i < size; ++i)
 	{
 		switch (str[i])
 		{
@@ -1288,44 +1284,39 @@ void Safe64ToBase64(char *str)
 	}
 }

-// Decode from Safe64
-UINT DecodeSafe64(void *dst, char *src, UINT src_strlen)
+// Decode from escaped Base64
+UINT DecodeSafe64(void *dst, const char *src, UINT size)
 {
-	char *tmp;
-	UINT ret;
 	if (dst == NULL || src == NULL)
 	{
 		return 0;
 	}

-	if (src_strlen == 0)
+	if (size == 0)
 	{
-		src_strlen = StrLen(src);
+		size = StrLen(src);
 	}

-	tmp = Malloc(src_strlen + 1);
-	Copy(tmp, src, src_strlen);
-	tmp[src_strlen] = 0;
-	Safe64ToBase64(tmp);
+	char *tmp = Malloc(size + 1);
+	Copy(tmp, src, size);
+	tmp[size] = '\0';

-	ret = B64_Decode(dst, tmp, src_strlen);
+	Safe64ToBase64(tmp, size);
+	const UINT ret = Base64Decode(dst, tmp, size);
 	Free(tmp);

 	return ret;
 }

-// Encode to Safe64
-void EncodeSafe64(char *dst, void *src, UINT src_size)
+// Encode to escaped Base64
+void EncodeSafe64(char *dst, const void *src, const UINT size)
 {
-	UINT size;
 	if (dst == NULL || src == NULL)
 	{
 		return;
 	}

-	size = B64_Encode(dst, src, src_size);
-	dst[size] = 0;
+	const UINT ret = Base64Encode(dst, src, size);

-	Base64ToSafe64(dst);
+	Base64ToSafe64(dst, ret);
 }
-
@@ -32,7 +32,7 @@ struct WPC_CONNECT
 	UINT ProxyPort;											// Proxy server port number
 	char ProxyUsername[MAX_USERNAME_LEN + 1];				// Proxy server user name
 	char ProxyPassword[MAX_USERNAME_LEN + 1];				// Proxy server password
-	char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE + 1];	// Custom HTTP header
+	char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE];		// Custom HTTP header
 	bool UseCompress;										// Use of compression
 	bool DontCheckCert;										// Do not check the certificate
 };
@@ -45,7 +45,7 @@ struct INTERNET_SETTING
 	UINT ProxyPort;											// Proxy server port number
 	char ProxyUsername[MAX_USERNAME_LEN + 1];				// Proxy server user name
 	char ProxyPassword[MAX_USERNAME_LEN + 1];				// Proxy server password
-	char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE + 1];	// Custom HTTP header
+	char CustomHttpHeader[HTTP_CUSTOM_HEADER_MAX_SIZE];		// Custom HTTP header
 };

 // URL
@@ -84,10 +84,10 @@ struct WPC_PACKET
 typedef bool (WPC_RECV_CALLBACK)(void *param, UINT total_size, UINT current_size, BUF *recv_buf);

 // Function prototype
-void EncodeSafe64(char *dst, void *src, UINT src_size);
-UINT DecodeSafe64(void *dst, char *src, UINT src_strlen);
-void Base64ToSafe64(char *str);
-void Safe64ToBase64(char *str);
+void Base64ToSafe64(char *str, const UINT size);
+void Safe64ToBase64(char *str, const UINT size);
+UINT DecodeSafe64(void *dst, const char *src, UINT size);
+void EncodeSafe64(char *dst, const void *src, const UINT size);
 bool ParseUrl(URL_DATA *data, char *str, bool is_post, char *referrer);
 void CreateUrl(char *url, UINT url_size, URL_DATA *data);
 void GetSystemInternetSetting(INTERNET_SETTING *setting);
@@ -1,5 +1,5 @@
-file(GLOB SOURCES_MAYAQUA "*.c")
-file(GLOB HEADERS_MAYAQUA "*.h")
+file(GLOB SOURCES_MAYAQUA "*.c" "Crypto/*.c")
+file(GLOB HEADERS_MAYAQUA "*.h" "Crypto/*.h")

 if(WIN32)
  add_library(mayaqua STATIC ${SOURCES_MAYAQUA} ${HEADERS_MAYAQUA})
@@ -17,6 +17,29 @@ set_target_properties(mayaqua
 )

 find_package(OpenSSL REQUIRED)
+
+include(CheckSymbolExists)
+
+set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+set(CMAKE_REQUIRED_LIBRARIES OpenSSL::Crypto)
+set(CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL)
+
+check_symbol_exists(EVP_PKEY_get_raw_public_key "openssl/evp.h" HAVE_EVP_PKEY_GET_RAW_PUBLIC_KEY)
+check_symbol_exists(SSL_CTX_set_num_tickets "openssl/ssl.h" HAVE_SSL_CTX_SET_NUM_TICKETS)
+
+unset(CMAKE_REQUIRED_INCLUDES)
+unset(CMAKE_REQUIRED_LIBRARIES)
+
+if(NOT HAVE_EVP_PKEY_GET_RAW_PUBLIC_KEY)
+  message(FATAL_ERROR "Required EVP_PKEY_get_raw_public_key() not found in OpenSSL library!")
+endif()
+
+if (HAVE_SSL_CTX_SET_NUM_TICKETS)
+  add_compile_definitions(HAVE_SSL_CTX_SET_NUM_TICKETS)
+endif()
+
+
+
 find_package(ZLIB REQUIRED)

 # Required because we include <openssl/opensslv.h> in Encrypt.h.
@@ -39,6 +62,7 @@ if(WIN32)

  target_link_libraries(mayaqua
    PRIVATE
+      "crypt32.lib"
      "DbgHelp.Lib"
      "dwmapi.lib"
      "iphlpapi.lib"
@@ -47,6 +71,7 @@ if(WIN32)
      "Secur32.Lib"
      "setupapi.lib"
      "winmm.lib"
+      "ws2_32.lib"
      "WtsApi32.Lib"
    )
 endif()
@@ -57,9 +82,16 @@ if(UNIX)
  # In some cases libiconv is not included in libc
  find_library(LIB_ICONV iconv)

+  find_library(LIB_M m)
  find_library(LIB_RT rt)

-  target_link_libraries(mayaqua PRIVATE Threads::Threads)
+  target_link_libraries(mayaqua
+    PRIVATE
+      Threads::Threads
+      $<$<BOOL:${LIB_ICONV}>:${LIB_ICONV}>
+      $<$<BOOL:${LIB_M}>:${LIB_M}>
+      $<$<BOOL:${LIB_RT}>:${LIB_RT}>
+  )

  if (CMAKE_SYSTEM_PROCESSOR MATCHES "^(armv7l|aarch64|s390x)$" OR NOT HAVE_SYS_AUXV OR SKIP_CPU_FEATURES)
    add_definitions(-DSKIP_CPU_FEATURES)
@@ -69,14 +101,6 @@ if(UNIX)
    target_link_libraries(mayaqua PRIVATE cpu_features)
  endif()

-  if(LIB_RT)
-    target_link_libraries(mayaqua PRIVATE rt)
-  endif()
-
-  if(LIB_ICONV)
-    target_link_libraries(mayaqua PRIVATE ${LIB_ICONV})
-  endif()
-
  if(${CMAKE_SYSTEM_NAME} STREQUAL "SunOS")
    target_link_libraries(mayaqua PRIVATE nsl socket)
  endif()
@@ -7,6 +7,7 @@

 #include "Cfg.h"

+#include "Encoding.h"
 #include "FileIO.h"
 #include "Internat.h"
 #include "Memory.h"
@@ -746,12 +747,18 @@ bool CfgReadNextTextBUF(BUF *b, FOLDER *current)
 			if (!StrCmpi(token->Token[0], TAG_BYTE))
 			{
 				// byte
-				char *unescaped_b64 = CfgUnescape(data);
-				void *tmp = Malloc(StrLen(unescaped_b64) * 4 + 64);
-				int size = B64_Decode(tmp, unescaped_b64, StrLen(unescaped_b64));
-				CfgAddByte(current, name, tmp, size);
-				Free(tmp);
-				Free(unescaped_b64);
+				char *base64 = CfgUnescape(data);
+				const UINT base64_size = StrLen(base64);
+
+				UINT bin_size;
+				void *bin = Base64ToBin(&bin_size, base64, base64_size);
+				if (bin != NULL)
+				{
+					CfgAddByte(current, name, bin, bin_size);
+					Free(bin);
+				}
+
+				Free(base64);
 			}

 			Free(name);
@@ -1162,9 +1169,7 @@ void CfgAddItemText(BUF *b, ITEM *t, UINT depth)
 		break;

 	case ITEM_TYPE_BYTE:
-		data = ZeroMalloc(t->size * 4 + 32);
-		len = B64_Encode(data, t->Buf, t->size);
-		data[len] = 0;
+		data = Base64FromBin(NULL, t->Buf, t->size);
 		break;

 	case ITEM_TYPE_STRING:
@@ -0,0 +1,225 @@
+#include "Key.h"
+
+#include "Encrypt.h"
+#include "Memory.h"
+#include "Str.h"
+
+#include <openssl/evp.h>
+
+static int CryptoKeyTypeToID(const CRYPTO_KEY_TYPE type)
+{
+	switch (type)
+	{
+		case KEY_UNKNOWN:
+			break;
+		case KEY_X25519:
+			return EVP_PKEY_X25519;
+#if defined(EVP_PKEY_X448)
+		case KEY_X448:
+			return EVP_PKEY_X448;
+#endif
+		default:
+			Debug("CryptoKeyTypeToID(): Unhandled type %u!\n", type);
+	}
+
+	return EVP_PKEY_NONE;
+}
+
+UINT CryptoKeyTypeSize(const CRYPTO_KEY_TYPE type)
+{
+	switch (type)
+	{
+		case KEY_UNKNOWN:
+			break;
+		case KEY_X25519:
+			return KEY_X25519_SIZE;
+		case KEY_X448:
+			return KEY_X448_SIZE;
+		default:
+			Debug("CryptoKeyTypeSize(): Unhandled type %u!\n", type);
+	}
+
+	return 0;
+}
+
+CRYPTO_KEY_RAW *CryptoKeyRawNew(const void *data, const UINT size, const CRYPTO_KEY_TYPE type)
+{
+	if (size == 0 || size != CryptoKeyTypeSize(type))
+	{
+		return NULL;
+	}
+
+	CRYPTO_KEY_RAW *key = Malloc(sizeof(CRYPTO_KEY_RAW));
+	key->Data = MallocEx(size, true);
+	key->Size = size;
+	key->Type = type;
+
+	if (data == NULL)
+	{
+		Rand(key->Data, key->Size);
+	}
+	else
+	{
+		Copy(key->Data, data, key->Size);
+	}
+
+	return key;
+}
+
+void CryptoKeyRawFree(CRYPTO_KEY_RAW *key)
+{
+	if (key == NULL)
+	{
+		return;
+	}
+
+	Free(key->Data);
+	Free(key);
+}
+
+CRYPTO_KEY_RAW *CryptoKeyRawPublic(const CRYPTO_KEY_RAW *private)
+{
+	if (private == NULL)
+	{
+		return NULL;
+	}
+
+	void *opaque = CryptoKeyRawToOpaque(private, false);
+	if (opaque == NULL)
+	{
+		return NULL;
+	}
+
+	CRYPTO_KEY_RAW *public = NULL;
+	CryptoKeyOpaqueToRaw(opaque, NULL, &public);
+	CryptoKeyOpaqueFree(opaque);
+
+	return public;
+}
+
+void *CryptoKeyRawToOpaque(const CRYPTO_KEY_RAW *key, const bool public)
+{
+	if (key == NULL)
+	{
+		return NULL;
+	}
+
+	const int id = CryptoKeyTypeToID(key->Type);
+
+	if (public)
+	{
+		return EVP_PKEY_new_raw_public_key(id, NULL, key->Data, key->Size);
+	}
+	else
+	{
+		return EVP_PKEY_new_raw_private_key(id, NULL, key->Data, key->Size);
+	}
+}
+
+void *CryptoKeyOpaqueNew(const CRYPTO_KEY_TYPE type)
+{
+	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(CryptoKeyTypeToID(type), NULL);
+	if (ctx == NULL)
+	{
+		Debug("CryptoKeyOpaqueNew(): EVP_PKEY_CTX_new_id() returned NULL!\n");
+		return false;
+	}
+
+	EVP_PKEY *key = NULL;
+
+	int ret = EVP_PKEY_keygen_init(ctx);
+	if (ret != 1)
+	{
+		Debug("CryptoKeyOpaqueNew(): EVP_PKEY_keygen_init() returned %d!\n", ret);
+		goto FINAL;
+	}
+
+	ret = EVP_PKEY_keygen(ctx, &key);
+	if (ret != 1)
+	{
+		Debug("CryptoKeyOpaqueNew(): EVP_PKEY_keygen() returned %d!\n", ret);
+	}
+FINAL:
+	EVP_PKEY_CTX_free(ctx);
+	return key;
+}
+
+void CryptoKeyOpaqueFree(void *key)
+{
+	if (key != NULL)
+	{
+		EVP_PKEY_free(key);
+	}
+}
+
+bool CryptoKeyOpaqueToRaw(const void *opaque, CRYPTO_KEY_RAW **private, CRYPTO_KEY_RAW **public)
+{
+	if (opaque == NULL || (private == NULL && public == NULL))
+	{
+		return false;
+	}
+
+	CRYPTO_KEY_TYPE type;
+
+	switch (EVP_PKEY_id(opaque))
+	{
+	case EVP_PKEY_X25519:
+		type = KEY_X25519;
+		break;
+#if defined(EVP_PKEY_X448)
+	case EVP_PKEY_X448:
+		type = KEY_X448;
+		break;
+#endif
+	default:
+		return false;
+	}
+
+	if (private != NULL)
+	{
+		size_t size;
+		int ret = EVP_PKEY_get_raw_private_key(opaque, NULL, &size);
+		if (ret != 1)
+		{
+			Debug("CryptoKeyOpaqueToRaw(): #1 EVP_PKEY_get_raw_private_key() returned %d!\n", ret);
+			return false;
+		}
+
+		CRYPTO_KEY_RAW *key = CryptoKeyRawNew(NULL, size, type);
+
+		ret = EVP_PKEY_get_raw_private_key(opaque, key->Data, &size);
+		if (ret != 1)
+		{
+			Debug("CryptoKeyOpaqueToRaw(): #2 EVP_PKEY_get_raw_private_key() returned %d!\n", ret);
+			CryptoKeyRawFree(key);
+			return false;
+		}
+
+		*private = key;
+	}
+
+	if (public != NULL)
+	{
+		size_t size;
+		int ret = EVP_PKEY_get_raw_public_key(opaque, NULL, &size);
+		if (ret != 1)
+		{
+			Debug("CryptoKeyOpaqueToRaw(): #1 EVP_PKEY_get_raw_public_key() returned %d!\n", ret);
+			return false;
+		}
+
+		CRYPTO_KEY_RAW *key = CryptoKeyRawNew(NULL, size, type);
+
+		ret = EVP_PKEY_get_raw_public_key(opaque, key->Data, &size);
+		if (ret != 1)
+		{
+			Debug("CryptoKeyOpaqueToRaw(): #2 EVP_PKEY_get_raw_public_key() returned %d!\n", ret);
+			CryptoKeyRawFree(key);
+			return false;
+		}
+
+		*public = key;
+	}
+
+	return true;
+}
@@ -0,0 +1,36 @@
+#ifndef CRYPTO_KEY_H
+#define CRYPTO_KEY_H
+
+#include "MayaType.h"
+
+#define KEY_X25519_SIZE 32
+#define KEY_X448_SIZE   56
+
+enum CRYPTO_KEY_TYPE
+{
+	KEY_UNKNOWN,
+	KEY_X25519,
+	KEY_X448
+};
+
+struct CRYPTO_KEY_RAW
+{
+	BYTE *Data;
+	UINT Size;
+	CRYPTO_KEY_TYPE Type;
+};
+
+UINT CryptoKeyTypeSize(const CRYPTO_KEY_TYPE type);
+
+CRYPTO_KEY_RAW *CryptoKeyRawNew(const void *data, const UINT size, const CRYPTO_KEY_TYPE type);
+void CryptoKeyRawFree(CRYPTO_KEY_RAW *key);
+
+CRYPTO_KEY_RAW *CryptoKeyRawPublic(const CRYPTO_KEY_RAW *private);
+void *CryptoKeyRawToOpaque(const CRYPTO_KEY_RAW *key, const bool public);
+
+void *CryptoKeyOpaqueNew(const CRYPTO_KEY_TYPE type);
+void CryptoKeyOpaqueFree(void *key);
+
+bool CryptoKeyOpaqueToRaw(const void *opaque, CRYPTO_KEY_RAW **private, CRYPTO_KEY_RAW **public);
+
+#endif
@@ -0,0 +1,8 @@
+#ifndef CRYPTO_TYPES_H
+#define CRYPTO_TYPES_H
+
+typedef enum CRYPTO_KEY_TYPE CRYPTO_KEY_TYPE;
+
+typedef struct CRYPTO_KEY_RAW CRYPTO_KEY_RAW;
+
+#endif
@@ -75,6 +75,8 @@ void DnsFree()
 		{
 			DNS_CACHE *entry = LIST_DATA(cache, i);
 			Free((void *)entry->Hostname);
+			FreeHostIPAddressList(entry->IPList_v6);
+			FreeHostIPAddressList(entry->IPList_v4);
 			Free(entry);
 		}
 	}
@@ -153,6 +155,35 @@ DNS_CACHE *DnsCacheUpdate(const char *hostname, const IP *ipv6, const IP *ipv4)
 		return NULL;
 	}

+	LIST *iplist_v6 = NULL;
+	LIST *iplist_v4 = NULL;
+
+	if (ipv6 != NULL)
+	{
+		iplist_v6 = NewListFast(NULL);
+		AddHostIPAddressToList(iplist_v6, ipv6);
+	}
+
+	if (ipv4 != NULL)
+	{
+		iplist_v4 = NewListFast(NULL);
+		AddHostIPAddressToList(iplist_v4, ipv4);
+	}
+
+	DNS_CACHE *ret = DnsCacheUpdateEx(hostname, iplist_v6, iplist_v4);
+
+	FreeHostIPAddressList(iplist_v6);
+	FreeHostIPAddressList(iplist_v4);
+
+	return ret;
+}
+DNS_CACHE *DnsCacheUpdateEx(const char *hostname, const LIST *iplist_v6, const LIST *iplist_v4)
+{
+	if (DnsCacheIsEnabled() == false || IsEmptyStr(hostname))
+	{
+		return NULL;
+	}
+
 	DNS_CACHE *entry;

 	LockList(cache);
@@ -161,11 +192,14 @@ DNS_CACHE *DnsCacheUpdate(const char *hostname, const IP *ipv6, const IP *ipv4)
 		t.Hostname = hostname;
 		entry = Search(cache, &t);

-		if (ipv6 == NULL && ipv4 == NULL)
+		if (iplist_v6 == NULL && iplist_v4 == NULL)
 		{
 			if (entry != NULL)
 			{
 				Delete(cache, entry);
+				Free((void *)entry->Hostname);
+				FreeHostIPAddressList(entry->IPList_v6);
+				FreeHostIPAddressList(entry->IPList_v4);
 				Free(entry);
 				entry = NULL;
 			}
@@ -182,19 +216,25 @@ DNS_CACHE *DnsCacheUpdate(const char *hostname, const IP *ipv6, const IP *ipv4)

 			entry->Expiration = Tick64();

-			if (ipv6 != NULL)
+			FreeHostIPAddressList(entry->IPList_v6);
+			FreeHostIPAddressList(entry->IPList_v4);
+
+			if (iplist_v6 != NULL)
 			{
-				if (CmpIpAddr(&entry->IPv6, ipv6) != 0)
-				{
-					Copy(&entry->IPv6, ipv6, sizeof(entry->IPv6));
-				}
+				entry->IPList_v6 = CloneIPAddressList(iplist_v6);
 			}
 			else
 			{
-				if (CmpIpAddr(&entry->IPv4, ipv4) != 0)
-				{
-					Copy(&entry->IPv4, ipv4, sizeof(entry->IPv4));
+				entry->IPList_v6 = NULL;
 			}
+
+			if (iplist_v4 != NULL)
+			{
+				entry->IPList_v4 = CloneIPAddressList(iplist_v4);
+			}
+			else
+			{
+				entry->IPList_v4 = NULL;
 			}
 		}
 	}
@@ -225,7 +265,7 @@ DNS_CACHE_REVERSE *DnsCacheReverseFind(const IP *ip)

 DNS_CACHE_REVERSE *DnsCacheReverseUpdate(const IP *ip, const char *hostname)
 {
-	if (DnsCacheIsEnabled() == false || IsZeroIP(&ip))
+	if (DnsCacheIsEnabled() == false || IsZeroIP(ip))
 	{
 		return NULL;
 	}
@@ -278,10 +318,52 @@ bool DnsResolve(IP *ipv6, IP *ipv4, const char *hostname, UINT timeout, volatile
 		return false;
 	}

+	LIST *iplist_v6 = NULL;
+	LIST *iplist_v4 = NULL;
+
+	bool ret = DnsResolveEx(&iplist_v6, &iplist_v4, hostname, timeout, cancel_flag);
+
+	if (ipv6 != NULL && LIST_NUM(iplist_v6) > 0)
+	{
+		IP *ip = LIST_DATA(iplist_v6, 0);
+		Copy(ipv6, ip, sizeof(IP));
+	}
+	else
+	{
+		Zero(ipv6, sizeof(IP));
+	}
+
+	if (ipv4 != NULL && LIST_NUM(iplist_v4) > 0)
+	{
+		IP *ip = LIST_DATA(iplist_v4, 0);
+		Copy(ipv4, ip, sizeof(IP));
+	}
+	else
+	{
+		ZeroIP4(ipv4);
+	}
+
+	FreeHostIPAddressList(iplist_v6);
+	FreeHostIPAddressList(iplist_v4);
+
+	return ret;
+}
+bool DnsResolveEx(LIST **iplist_v6, LIST **iplist_v4, const char *hostname, UINT timeout, volatile const bool *cancel_flag)
+{
+	if (iplist_v6 == NULL || iplist_v4 == NULL || IsEmptyStr(hostname))
+	{
+		return false;
+	}
+
 	if (StrCmpi(hostname, "localhost") == 0)
 	{
-		GetLocalHostIP6(ipv6);
-		GetLocalHostIP4(ipv4);
+		IP ipv6, ipv4;
+		GetLocalHostIP6(&ipv6);
+		GetLocalHostIP4(&ipv4);
+		*iplist_v6 = NewListFast(NULL);
+		*iplist_v4 = NewListFast(NULL);
+		AddHostIPAddressToList(*iplist_v6, &ipv6);
+		AddHostIPAddressToList(*iplist_v4, &ipv4);
 		return true;
 	}

@@ -290,22 +372,16 @@ bool DnsResolve(IP *ipv6, IP *ipv4, const char *hostname, UINT timeout, volatile
 	{
 		if (IsIP6(&ip))
 		{
-			if (ipv6 != NULL)
-			{
-				ZeroIP4(ipv4);
-				Copy(ipv6, &ip, sizeof(IP));
+			*iplist_v6 = NewListFast(NULL);
+			AddHostIPAddressToList(*iplist_v6, &ip);
 			return true;
 		}
-		}
 		else
 		{
-			if (ipv4 != NULL)
-			{
-				Zero(ipv6, sizeof(IP));
-				Copy(ipv4, &ip, sizeof(IP));
+			*iplist_v4 = NewListFast(NULL);
+			AddHostIPAddressToList(*iplist_v4, &ip);
 			return true;
 		}
-		}

 		return false;
 	}
@@ -330,12 +406,14 @@ bool DnsResolve(IP *ipv6, IP *ipv4, const char *hostname, UINT timeout, volatile

 	Inc(threads_counter);

-	DNS_RESOLVER resolver;
-	Zero(&resolver, sizeof(resolver));
-	ZeroIP4(&resolver.IPv4);
-	resolver.Hostname = hostname;
+	DNS_RESOLVER *resolver;
+	resolver = ZeroMalloc(sizeof(DNS_RESOLVER));
+	resolver->Ref = NewRef();
+	resolver->IPList_v6 = NewListFast(NULL);
+	resolver->IPList_v4 = NewListFast(NULL);
+	resolver->Hostname = CopyStr(hostname);

-	THREAD *worker = NewThread(DnsResolver, &resolver);
+	THREAD *worker = NewThread(DnsResolver, resolver);
 	WaitThreadInit(worker);

 	if (cancel_flag == NULL)
@@ -366,15 +444,20 @@ bool DnsResolve(IP *ipv6, IP *ipv4, const char *hostname, UINT timeout, volatile

 	Dec(threads_counter);

-	if (resolver.OK)
+	if (resolver->OK)
 	{
-		Copy(ipv6, &resolver.IPv6, sizeof(IP));
-		Copy(ipv4, &resolver.IPv4, sizeof(IP));
-
-		DnsCacheUpdate(hostname, ipv6, ipv4);
+		*iplist_v6 = resolver->IPList_v6;
+		*iplist_v4 = resolver->IPList_v4;
+		resolver->IPList_v6 = NULL;
+		resolver->IPList_v4 = NULL;
+		DnsCacheUpdateEx(hostname, *iplist_v6, *iplist_v4);
+		ReleaseDnsResolver(resolver);

 		return true;
 	}
+
+	ReleaseDnsResolver(resolver);
+
 CACHE:
 	Debug("DnsResolve(): Could not resolve \"%s\". Searching for it in the cache...\n", hostname);

@@ -384,8 +467,8 @@ CACHE:
 		return false;
 	}

-	Copy(ipv6, &cached->IPv6, sizeof(IP));
-	Copy(ipv4, &cached->IPv4, sizeof(IP));
+	*iplist_v6 = CloneIPAddressList(cached->IPList_v6);
+	*iplist_v4 = CloneIPAddressList(cached->IPList_v4);

 	return true;
 }
@@ -399,14 +482,23 @@ void DnsResolver(THREAD *t, void *param)

 	DNS_RESOLVER *resolver = param;

+	AddRef(resolver->Ref);
+
 	NoticeThreadInit(t);
 	AddWaitThread(t);

 	struct addrinfo hints;
 	Zero(&hints, sizeof(hints));

+	if (HasIPv6Address())
+	{
 		hints.ai_family = AF_INET6;
 		hints.ai_flags = AI_ALL | AI_ADDRCONFIG | AI_V4MAPPED;
+	}
+	else
+	{
+		hints.ai_family = AF_INET;
+	}

 	struct addrinfo *results;
 	const int ret = getaddrinfo(resolver->Hostname, NULL, &hints, &results);
@@ -417,20 +509,33 @@ void DnsResolver(THREAD *t, void *param)
 		for (struct addrinfo *result = results; result != NULL; result = result->ai_next)
 		{
 			IP ip;
+			if (hints.ai_family == AF_INET6)
+			{
 				const struct sockaddr_in6 *in = (struct sockaddr_in6 *)result->ai_addr;
 				InAddrToIP6(&ip, &in->sin6_addr);
-			if (IsIP6(&ip) && ipv6_ok == false)
+				if (IsIP6(&ip))
 				{
-				Copy(&resolver->IPv6, &ip, sizeof(resolver->IPv6));
-				resolver->IPv6.ipv6_scope_id = in->sin6_scope_id;
+					ip.ipv6_scope_id = in->sin6_scope_id;
+					AddHostIPAddressToList(resolver->IPList_v6, &ip);
 					ipv6_ok = true;
 				}
-			else if (ipv4_ok == false)
+				else if (IsIP4(&ip))
 				{
-				Copy(&resolver->IPv4, &ip, sizeof(resolver->IPv4));
+					AddHostIPAddressToList(resolver->IPList_v4, &ip);
 					ipv4_ok = true;
 				}
 			}
+			else
+			{
+				const struct sockaddr_in *in = (struct sockaddr_in *)result->ai_addr;
+				InAddrToIP(&ip, &in->sin_addr);
+				if (IsIP4(&ip))
+				{
+					AddHostIPAddressToList(resolver->IPList_v4, &ip);
+					ipv4_ok = true;
+				}
+			}
+		}

 		resolver->OK = true;

@@ -441,6 +546,8 @@ void DnsResolver(THREAD *t, void *param)
 		Debug("DnsResolver(): getaddrinfo() failed with error %d!\n", ret);
 	}

+	ReleaseDnsResolver(resolver);
+
 	DelWaitThread(t);
 }

@@ -471,11 +578,12 @@ bool DnsResolveReverse(char *dst, const UINT size, const IP *ip, UINT timeout, v

 	Inc(threads_counter);

-	DNS_RESOLVER_REVERSE resolver;
-	Zero(&resolver, sizeof(resolver));
-	Copy(&resolver.IP, ip, sizeof(resolver.IP));
+	DNS_RESOLVER_REVERSE *resolver;
+	resolver = ZeroMalloc(sizeof(DNS_RESOLVER_REVERSE));
+	resolver->Ref = NewRef();
+	Copy(&resolver->IP, ip, sizeof(resolver->IP));

-	THREAD *worker = NewThread(DnsResolverReverse, &resolver);
+	THREAD *worker = NewThread(DnsResolverReverse, resolver);
 	WaitThreadInit(worker);

 	if (cancel_flag == NULL)
@@ -506,15 +614,17 @@ bool DnsResolveReverse(char *dst, const UINT size, const IP *ip, UINT timeout, v

 	Dec(threads_counter);

-	if (resolver.OK)
+	if (resolver->OK)
 	{
-		StrCpy(dst, size, resolver.Hostname);
-		Free(resolver.Hostname);
-
+		StrCpy(dst, size, resolver->Hostname);
 		DnsCacheReverseUpdate(ip, dst);
+		ReleaseDnsResolverReverse(resolver);

 		return true;
 	}
+
+	ReleaseDnsResolverReverse(resolver);
+
 CACHE:
 	Debug("DnsResolveReverse(): Could not resolve \"%r\". Searching for it in the cache...\n", ip);

@@ -538,6 +648,8 @@ void DnsResolverReverse(THREAD *t, void *param)

 	DNS_RESOLVER_REVERSE *resolver = param;

+	AddRef(resolver->Ref);
+
 	NoticeThreadInit(t);
 	AddWaitThread(t);

@@ -558,6 +670,8 @@ void DnsResolverReverse(THREAD *t, void *param)
 		Debug("DnsResolverReverse(): getnameinfo() failed with error %d!\n", ret);
 	}

+	ReleaseDnsResolverReverse(resolver);
+
 	DelWaitThread(t);
 }

@@ -587,3 +701,37 @@ bool GetIPEx(IP *ip, const char *hostname, UINT timeout, volatile const bool *ca

 	return false;
 }
+
+// Release of the parameters of the DNS Resolver thread
+void ReleaseDnsResolver(DNS_RESOLVER *p)
+{
+	// Validate arguments
+	if (p == NULL)
+	{
+		return;
+	}
+
+	if (Release(p->Ref) == 0)
+	{
+		FreeHostIPAddressList(p->IPList_v6);
+		FreeHostIPAddressList(p->IPList_v4);
+		Free(p->Hostname);
+		Free(p);
+	}
+}
+
+// Release of the parameters of the DNS Resolver Reverse thread
+void ReleaseDnsResolverReverse(DNS_RESOLVER_REVERSE *p)
+{
+	// Validate arguments
+	if (p == NULL)
+	{
+		return;
+	}
+
+	if (Release(p->Ref) == 0)
+	{
+		Free(p->Hostname);
+		Free(p);
+	}
+}
@@ -24,8 +24,8 @@
 struct DNS_CACHE
 {
 	const char *Hostname;
-	IP IPv4;
-	IP IPv6;
+	LIST *IPList_v4;
+	LIST *IPList_v6;
 	UINT64 Expiration;
 };

@@ -38,14 +38,16 @@ struct DNS_CACHE_REVERSE

 struct DNS_RESOLVER
 {
+	REF *Ref;
 	const char *Hostname;
-	IP IPv4;
-	IP IPv6;
+	LIST *IPList_v4;
+	LIST *IPList_v6;
 	bool OK;
 };

 struct DNS_RESOLVER_REVERSE
 {
+	REF *Ref;
 	IP IP;
 	char *Hostname;
 	bool OK;
@@ -63,11 +65,13 @@ void DnsCacheToggle(const bool enabled);

 DNS_CACHE *DnsCacheFind(const char *hostname);
 DNS_CACHE *DnsCacheUpdate(const char *hostname, const IP *ipv6, const IP *ipv4);
+DNS_CACHE *DnsCacheUpdateEx(const char *hostname, const LIST *iplist_v6, const LIST *iplist_v4);

 DNS_CACHE_REVERSE *DnsCacheReverseFind(const IP *ip);
 DNS_CACHE_REVERSE *DnsCacheReverseUpdate(const IP *ip, const char *hostname);

 bool DnsResolve(IP *ipv6, IP *ipv4, const char *hostname, UINT timeout, volatile const bool *cancel_flag);
+bool DnsResolveEx(LIST **iplist_v6, LIST **iplist_v4, const char *hostname, UINT timeout, volatile const bool *cancel_flag);
 void DnsResolver(THREAD *t, void *param);

 bool DnsResolveReverse(char *dst, const UINT size, const IP *ip, UINT timeout, volatile const bool *cancel_flag);
@@ -75,4 +79,7 @@ void DnsResolverReverse(THREAD *t, void *param);

 bool GetIPEx(IP *ip, const char *hostname, UINT timeout, volatile const bool *cancel_flag);

+void ReleaseDnsResolver(DNS_RESOLVER *p);
+void ReleaseDnsResolverReverse(DNS_RESOLVER_REVERSE *p);
+
 #endif
@@ -0,0 +1,64 @@
+#include "Encoding.h"
+
+#include <math.h>
+
+#include <openssl/evp.h>
+
+UINT Base64Decode(void *dst, const void *src, const UINT size)
+{
+	if (dst == NULL)
+	{
+		// 4 input bytes = max. 3 output bytes.
+		//
+		// EVP_DecodeUpdate() ignores:
+		// - Leading/trailing whitespace.
+		// - Trailing newlines, carriage returns or EOF characters.
+		//
+		// EVP_DecodeFinal() fails if the input is not divisible by 4.
+		return size / 4 * 3;
+	}
+
+	// We don't use EVP_DecodeBlock() because it adds padding if the output is not divisible by 3.
+	EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
+	if (ctx == NULL)
+	{
+		return 0;
+	}
+
+	int ret = 0;
+	if (EVP_DecodeUpdate(ctx, dst, &ret, src, size) < 0)
+	{
+		goto FINAL;
+	}
+
+	int dummy;
+	if (EVP_DecodeFinal(ctx, dst, &dummy) < 0)
+	{
+		ret = 0;
+	}
+FINAL:
+	EVP_ENCODE_CTX_free(ctx);
+	return ret;
+}
+
+UINT Base64Encode(void *dst, const void *src, const UINT size)
+{
+	if (dst == NULL)
+	{
+		// 3 input bytes = 4 output bytes.
+		// +1 for the NUL terminator.
+		//
+		// EVP_EncodeBlock() adds padding when the input is not divisible by 3.
+		return ceilf((float)size / 3) * 4 + 1;
+	}
+
+	const int ret = EVP_EncodeBlock(dst, src, size);
+	if (ret > 0)
+	{
+		// EVP_EncodeBlock() returns the length of the string without the NUL terminator.
+		// We, instead, want to return the amount of bytes written into the output buffer.
+		return ret + 1;
+	}
+
+	return 0;
+}
@@ -0,0 +1,9 @@
+#ifndef ENCODING_H
+#define ENCODING_H
+
+#include "MayaType.h"
+
+UINT Base64Decode(void *dst, const void *src, const UINT size);
+UINT Base64Encode(void *dst, const void *src, const UINT size);
+
+#endif
@@ -38,6 +38,9 @@
 #include <openssl/pem.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif

 #ifdef _MSC_VER
 	#include <intrin.h> // For __cpuid()
@@ -82,6 +85,11 @@ LOCK *openssl_lock = NULL;

 int ssl_clientcert_index = 0;

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *ossl_provider_legacy = NULL;
+static OSSL_PROVIDER *ossl_provider_default = NULL;
+#endif
+
 LOCK **ssl_lock_obj = NULL;
 UINT ssl_lock_num;
 static bool openssl_inited = false;
@@ -704,7 +712,8 @@ UINT RsaPublicSize(K *k)
 // Hash a pointer to a 32-bit
 UINT HashPtrToUINT(void *p)
 {
-	UCHAR hash_data[MD5_SIZE];
+	UCHAR hash_data[SHA256_SIZE];
+	UCHAR hash_src[CANARY_RAND_SIZE + sizeof(void *)];
 	UINT ret;
 	// Validate arguments
 	if (p == NULL)
@@ -712,7 +721,11 @@ UINT HashPtrToUINT(void *p)
 		return 0;
 	}

-	Md5(hash_data, &p, sizeof(p));
+	Zero(hash_src, sizeof(hash_src));
+	Copy(hash_src + 0, GetCanaryRand(CANARY_RAND_ID_PTR_KEY_HASH), CANARY_RAND_SIZE);
+	Copy(hash_src + CANARY_RAND_SIZE, p, sizeof(void *));
+
+	Sha2_256(hash_data, hash_src, sizeof(hash_src));

 	Copy(&ret, hash_data, sizeof(ret));

@@ -1079,6 +1092,41 @@ X *CloneX(X *x)
 	return ret;
 }

+// Clone of certificate chain
+LIST *CloneXList(LIST *chain)
+{
+	BUF *b;
+	X *x;
+	LIST *ret;
+	// Validate arguments
+	if (chain == NULL)
+	{
+		return NULL;
+	}
+
+	ret = NewList(NULL);
+	LockList(chain);
+	{
+		UINT i;
+		for (i = 0;i < LIST_NUM(chain);i++)
+		{
+			x = LIST_DATA(chain, i);
+			b = XToBuf(x, false);
+			if (b == NULL)
+			{
+				continue;
+			}
+
+			x = BufToX(b, false);
+			Add(ret, x);
+			FreeBuf(b);
+		}
+	}
+	UnlockList(chain);
+
+	return ret;
+}
+
 // Generate a P12
 P12 *NewP12(X *x, K *k, char *password)
 {
@@ -1133,9 +1181,15 @@ bool IsEncryptedP12(P12 *p12)

 // Extract the X and the K from the P12
 bool ParseP12(P12 *p12, X **x, K **k, char *password)
+{
+	return ParseP12Ex(p12, x, k, NULL, password);
+}
+// Extract the X, the K and the chain from the P12
+bool ParseP12Ex(P12 *p12, X **x, K **k, LIST **cc, char *password)
 {
 	EVP_PKEY *pkey;
 	X509 *x509;
+	STACK_OF(X509) *sk = NULL;
 	// Validate arguments
 	if (p12 == NULL || x == NULL || k == NULL)
 	{
@@ -1165,9 +1219,9 @@ bool ParseP12(P12 *p12, X **x, K **k, char *password)
 	// Extraction
 	Lock(openssl_lock);
 	{
-		if (PKCS12_parse(p12->pkcs12, password, &pkey, &x509, NULL) == false)
+		if (PKCS12_parse(p12->pkcs12, password, &pkey, &x509, &sk) == false)
 		{
-			if (PKCS12_parse(p12->pkcs12, NULL, &pkey, &x509, NULL) == false)
+			if (PKCS12_parse(p12->pkcs12, NULL, &pkey, &x509, &sk) == false)
 			{
 				Unlock(openssl_lock);
 				return false;
@@ -1182,6 +1236,7 @@ bool ParseP12(P12 *p12, X **x, K **k, char *password)
 	if (*x == NULL)
 	{
 		FreePKey(pkey);
+		sk_X509_free(sk);
 		return false;
 	}

@@ -1189,6 +1244,37 @@ bool ParseP12(P12 *p12, X **x, K **k, char *password)
 	(*k)->private_key = true;
 	(*k)->pkey = pkey;

+	if (sk == NULL || cc == NULL)
+	{
+		if (cc != NULL)
+		{
+			*cc = NULL;
+		}
+		if (sk != NULL)
+		{
+			sk_X509_free(sk);
+		}
+		return true;
+	}
+
+	LIST *chain = NewList(NULL);
+	X *x1;
+	while (sk_X509_num(sk)) {
+		x509 = sk_X509_shift(sk);
+		x1 = X509ToX(x509);
+		if (x1 != NULL)
+		{
+			Add(chain, x1);
+		}
+		else
+		{
+			X509_free(x509);
+		}
+	}
+	sk_X509_free(sk);
+
+	*cc = chain;
+
 	return true;
 }

@@ -3128,6 +3214,7 @@ bool IsEncryptedK(BUF *b, bool private_key)

 K *OpensslEngineToK(char *key_file_name, char *engine_name)
 {
+#ifndef OPENSSL_NO_ENGINE
    K *k;
 #if OPENSSL_API_COMPAT < 0x10100000L
    ENGINE_load_dynamic();
@@ -3140,6 +3227,9 @@ K *OpensslEngineToK(char *key_file_name, char *engine_name)
    k->pkey = pkey;
    k->private_key = true;
    return k;
+#else
+    return NULL;
+#endif
 }

 // Convert the BUF to a K
@@ -3365,6 +3455,29 @@ void FreeX(X *x)
 	Free(x);
 }

+// Release of an X chain
+void FreeXList(LIST *chain)
+{
+	// Validate arguments
+	if (chain == NULL)
+	{
+		return;
+	}
+
+	LockList(chain);
+	{
+		UINT i;
+		for (i = 0; i < LIST_NUM(chain); i++)
+		{
+			X *x = LIST_DATA(chain, i);
+			FreeX(x);
+		}
+	}
+	UnlockList(chain);
+
+	ReleaseList(chain);
+}
+
 // Release of the X509
 void FreeX509(X509 *x509)
 {
@@ -3406,6 +3519,31 @@ X *BufToX(BUF *b, bool text)
 	return x;
 }

+// Convert the BUF to X chain
+LIST *BufToXList(BUF *b, bool text)
+{
+	LIST *chain;
+	BIO *bio;
+	// Validate arguments
+	if (b == NULL)
+	{
+		return NULL;
+	}
+
+	bio = BufToBio(b);
+	if (bio == NULL)
+	{
+		FreeBuf(b);
+		return NULL;
+	}
+
+	chain = BioToXList(bio, text);
+
+	FreeBio(bio);
+
+	return chain;
+}
+
 // Get a digest of the X
 void GetXDigest(X *x, UCHAR *buf, bool sha1)
 {
@@ -3469,6 +3607,49 @@ X *BioToX(BIO *bio, bool text)
 	return x;
 }

+// Convert BIO to X chain
+LIST *BioToXList(BIO *bio, bool text)
+{
+	X *x;
+	STACK_OF(X509_INFO) *sk = NULL;
+	X509_INFO *xi;
+	LIST *chain;
+
+	// Validate arguments
+	if (bio == NULL || text == false)
+	{
+		return NULL;
+	}
+
+	Lock(openssl_lock);
+	{
+		sk = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
+		if (sk == NULL)
+		{
+			return NULL;
+		}
+
+		chain = NewList(NULL);
+
+		while (sk_X509_INFO_num(sk))
+		{
+			xi = sk_X509_INFO_shift(sk);
+			x = X509ToX(xi->x509);
+			if (x != NULL)
+			{
+				Add(chain, x);
+				xi->x509 = NULL;
+			}
+			X509_INFO_free(xi);
+		}
+
+		sk_X509_INFO_free(sk);
+	}
+	Unlock(openssl_lock);
+
+	return chain;
+}
+
 // Convert the X509 to X
 X *X509ToX(X509 *x509)
 {
@@ -3780,6 +3961,20 @@ void FreeCryptLibrary()
 	SSL_COMP_free_compression_methods();
 #endif
 #endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (ossl_provider_default != NULL)
+	{
+		OSSL_PROVIDER_unload(ossl_provider_default);
+		ossl_provider_default = NULL;
+	}
+
+	if (ossl_provider_legacy != NULL)
+	{
+		OSSL_PROVIDER_unload(ossl_provider_legacy);
+		ossl_provider_legacy = NULL;
+	}
+#endif
 }

 // Initialize the Crypt library
@@ -3798,6 +3993,11 @@ void InitCryptLibrary()
 	SSL_load_error_strings();
 #endif

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	ossl_provider_default = OSSL_PROVIDER_load(NULL, "legacy");
+	ossl_provider_legacy = OSSL_PROVIDER_load(NULL, "default");
+#endif
+
 	ssl_clientcert_index = SSL_get_ex_new_index(0, "struct SslClientCertInfo *", NULL, NULL, NULL);

 #ifdef	OS_UNIX
@@ -293,9 +293,12 @@ BUF *BioToBuf(BIO *bio);
 BIO *NewBio();
 void FreeBio(BIO *bio);
 X *BioToX(BIO *bio, bool text);
+LIST *BioToXList(BIO *bio, bool text);
 X *BufToX(BUF *b, bool text);
+LIST *BufToXList(BUF *b, bool text);
 void FreeX509(X509 *x509);
 void FreeX(X *x);
+void FreeXList(LIST *chain);
 BIO *XToBio(X *x, bool text);
 BUF *XToBuf(X *x, bool text);
 K *BioToK(BIO *bio, bool private_key, bool text, char *password);
@@ -357,9 +360,11 @@ void FreePKCS12(PKCS12 *pkcs12);
 void FreeP12(P12 *p12);
 bool P12ToFileW(P12 *p12, wchar_t *filename);
 bool ParseP12(P12 *p12, X **x, K **k, char *password);
+bool ParseP12Ex(P12 *p12, X **x, K **k, LIST **cc, char *password);
 bool IsEncryptedP12(P12 *p12);
 P12 *NewP12(X *x, K *k, char *password);
 X *CloneX(X *x);
+LIST *CloneXList(LIST *chain);
 K *CloneK(K *k);
 void FreeCryptLibrary();
 void GetPrintNameFromX(wchar_t *str, UINT size, X *x);
--- a/Show More
+++ b/Show More