Index: branches/2016Q2/security/openvpn/Makefile
===================================================================
--- branches/2016Q2/security/openvpn/Makefile (revision 415186)
+++ branches/2016Q2/security/openvpn/Makefile (revision 415187)
@@ -1,122 +1,122 @@ # Created by: Matthias Andree # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.3.10 +DISTVERSION= 2.3.11 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* GNU_CONFIGURE= yes USES= cpe libtool pkgconfig shebangfix tar:xz SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl # let OpenVPN's configure script pick up the requisite libraries, # but do not break the plugin build if an older version is installed CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ TUNNELBLICK OPTIONS_DEFAULT= EASYRSA OPENSSL OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL POLARSSL # The following feature is always enabled since 2.3.9 and no longer optional. # PW_SAVE_DESC= Interactive passwords may be read from a file PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package POLARSSL_DESC= SSL/TLS via PolarSSL (mbedTLS) 1.3.8+ (not 2.x) TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username X509ALTUSERNAME_PREVENTS= POLARSSL X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. 
Disable X509ALTUSERNAME, or use OpenSSL instead OPENSSL_USE= openssl=yes OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl # Pin the libmbedtls version because the 2.3.x port can't work with .so.10 or # newer from the security/mbedtls package. Upstream works in progress # for OpenVPN 2.4 to use mbedTLS 2.X. POLARSSL_LIB_DEPENDS= libmbedtls.so.9:security/polarssl13 POLARSSL_CONFIGURE_ON= --with-crypto-library=polarssl USE_RC_SUBR= openvpn USE_LDCONFIG= ${PREFIX}/lib SUB_FILES= pkg-message openvpn-client .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif LIB_DEPENDS+= liblzo2.so:archivers/lzo2 PORTDOCS= * PORTEXAMPLES= * pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile .if !defined(WITHOUT_CHECK) post-build: @# self-tests here @${ECHO} ; ${ECHO} "### Note that you can skip these lengthy selftests with WITHOUT_CHECK=yes ###" ; ${ECHO} cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${_MAKE_JOBS} ${MAKE_ARGS} check .endif post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include 
post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* .include
Index: branches/2016Q2/security/openvpn/distinfo
===================================================================
--- branches/2016Q2/security/openvpn/distinfo (revision 415186)
+++ branches/2016Q2/security/openvpn/distinfo (revision 415187)
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.3.10.tar.xz) = c54dbf91d47b9533fac3b94d2b5719bdbe0d081fe8245184f91ef8a871d22003
-SIZE (openvpn-2.3.10.tar.xz) = 818152
+SHA256 (openvpn-2.3.11.tar.xz) = 0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7
+SIZE (openvpn-2.3.11.tar.xz) = 833496
Index: branches/2016Q2/security/openvpn/files/openvpn.in
===================================================================
--- branches/2016Q2/security/openvpn/files/openvpn.in (revision 415186)
+++ branches/2016Q2/security/openvpn/files/openvpn.in (revision 415187)
@@ -1,125 +1,137 @@ #!/bin/sh # # openvpn.sh - load tun/tap driver and start OpenVPN daemon # # (C) Copyright 2005 - 2008, 2010 by Matthias Andree # based on suggestions by Matthias Grimm and Dirk Gouders # with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev # and Vasil Dimov # softrestart feature suggested by Nick Hibma # # $FreeBSD$ # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more # details. # # You should have received a copy of the GNU General Public License along with # this program; if not, write to the Free Software Foundation, Inc., 51 Franklin # Street, Fifth Floor, Boston, MA 02110-1301, USA. # PROVIDE: openvpn # REQUIRE: DAEMON # KEYWORD: shutdown # ----------------------------------------------------------------------------- # # This script supports running multiple instances of openvpn. # To run additional instances link this script to something like # % ln -s openvpn openvpn_foo # and define additional openvpn_foo_* variables in one of # /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo # # Below NAME should be substituted with the name of this script. By default # it is openvpn, so read as openvpn_enable. If you linked the script to # openvpn_foo, then read as openvpn_foo_enable etc. # # The following variables are supported (defaults are shown). # You can place them in any of # /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME # # NAME_enable="NO" # set to YES to enable openvpn # NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap" # # it is OK to specify the if_ prefix. 
# # # optional: # NAME_flags= # additional command line arguments # NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf" # --config file # NAME_dir="%%PREFIX%%/etc/openvpn" # --cd directory # # You also need to set NAME_configfile and NAME_dir, if the configuration # file and directory where keys and certificates reside differ from the above # settings. # # Note that we deliberately refrain from unloading drivers. # # For further documentation, please see openvpn(8). # . /etc/rc.subr +# service(8) does not create an authentic environment, try to guess, +# and as of 10.3-RELEASE-p0, it will not find the indented name= +# assignments below. So give it a default. +# Trailing semicolon also for service(8)'s benefit: +name="$file" ; + case "$0" in /etc/rc*) # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown), # so get the name of the script from $_file name="$_file" ;; +*/service) + # do not use this as $0 + ;; *) name="$0" ;; esac +# default name to "openvpn" if guessing failed +# Trailing semicolon also for service(8)'s benefit: +name="${name:-openvpn}" ; name="${name##*/}" rcvar=${name}_enable stop_postcmd() { rm -f "$pidfile" || warn "Could not remove $pidfile." } softrestart() { sig_reload=USR1 run_rc_command reload exit $? 
} # reload: support SIGHUP to reparse configuration file # softrestart: support SIGUSR1 to reconnect without superuser privileges extra_commands="reload softrestart" softrestart_cmd="softrestart" # pidfile pidfile="/var/run/${name}.pid" # command and arguments command="%%PREFIX%%/sbin/openvpn" # run this last stop_postcmd="stop_postcmd" load_rc_config ${name} eval ": \${${name}_enable:=\"NO\"}" eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}" eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}" configfile="$(eval echo \${${name}_configfile})" dir="$(eval echo \${${name}_dir})" interfaces="$(eval echo \${${name}_if})" required_modules= for i in $interfaces ; do required_modules="$required_modules${required_modules:+" "}if_${i#if_}" done required_files=${configfile} command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}" run_rc_command "$1" Index: branches/2016Q2/security/openvpn/files/patch-629baad8 =================================================================== --- branches/2016Q2/security/openvpn/files/patch-629baad8 (nonexistent) +++ branches/2016Q2/security/openvpn/files/patch-629baad8 (revision 415187) @@ -0,0 +1,37 @@ +commit 629baad8f89af261445a2ace03694601f8e476f9 +Author: Steffan Karger +Date: Fri May 13 08:54:52 2016 +0200 + + Fix polarssl / mbedtls builds + + Commit 8a399cd3 hardened the OpenSSL default cipher list, + but also introduced a change in shared code that causes + polarssl / mbedtls builds to break when no --tls-cipher is + specified. + + This fix is backported code from the master branch. + + Signed-off-by: Steffan Karger + Acked-by: Gert Doering + Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me> + URL: http://article.gmane.org/gmane.network.openvpn.devel/11647 + 
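Review bot: The new `name="${name:-openvpn}" ;` fallback silently turns a multi-instance link such as `openvpn_foo` into the plain `openvpn` instance whenever the `*/service)` branch is taken and `$file` is empty, so `rcvar=${name}_enable` and the `${name}.conf` default would then point at the wrong instance with no diagnostic; I cannot confirm from this hunk which service(8) versions export `file`, so treat this as a hedged concern. Since the script already relies on rc.subr's `warn` in `stop_postcmd`, one line placed just before the default keeps the behaviour but makes a misdetection visible: `[ -n "$name" ] || warn "Could not determine rc script name from \$file or \$0; assuming openvpn."`. The header comment block that documents the NAME_* variables should also gain a sentence stating that under service(8) the instance name is taken from `$file` rather than `$0`, since that is now the only path where the default can apply.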
Signed-off-by: Gert Doering
+
+diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
+index 1f58369..9263698 100644
+--- ./src/openvpn/ssl_polarssl.c
++++ ./src/openvpn/ssl_polarssl.c
+@@ -176,7 +176,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+ {
+ char *tmp_ciphers, *tmp_ciphers_orig, *token;
+ int i, cipher_count;
+- int ciphers_len = strlen (ciphers);
++ int ciphers_len;
++
++ if (NULL == ciphers)
++ return; /* Nothing to do */
++
++ ciphers_len = strlen (ciphers);
+ 
+ ASSERT (NULL != ctx);
+ ASSERT (0 != ciphers_len);
Property changes on: branches/2016Q2/security/openvpn/files/patch-629baad8
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2016Q2
===================================================================
--- branches/2016Q2 (revision 415186)
+++ branches/2016Q2 (revision 415187)
Property changes on: branches/2016Q2
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r412540-412541,415093,415116