diff --git a/.gitignore b/.gitignore
index b7c327e..af95b9d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,5 @@
 /ocserv-0.10.10.tar.xz
 /ocserv-0.10.11.tar.xz.sig
 /ocserv-0.10.11.tar.xz
+/ocserv-0.11.0.tar.xz
+/ocserv-0.11.0.tar.xz.sig
diff --git a/ocserv.conf b/ocserv.conf
index 62ea00b..b62dfdb 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -99,12 +99,22 @@ chroot-dir = /var/lib/ocserv
 ### All configuration options below this line are reloaded on a SIGHUP.
-### The options above, will remain unchanged.
+### The options above, will remain unchanged. Note however, that the
+### server-cert, server-key, dh-params and ca-cert options will be reloaded
+### if the provided file changes, on server reload. That allows certificate
+### rotation, but requires the server key to remain the same for seamless
+### operation. If the server key changes on reload, there may be connection
+### failures during the reloading time.
+
 # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
 # system calls allowed to a worker process, in order to reduce damage from a
 # bug in the worker process. It is available on Linux systems at a performance cost.
 # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
+# Note however, that process isolation is restricted to the specific libc versions
+# the isolation was tested at. If you get random failures on worker processes, try
+# disabling that option and report the failures you, along with system and debugging
+# information at: https://gitlab.com/ocserv/ocserv/issues
 isolate-workers = true
 # A banner to be displayed on clients
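Review bot: The new isolate-workers comment drops a word in `# disabling that option and report the failures you, along with system and debugging`; it should read `# disabling that option and report the failures you see, along with system and debugging`. The new `###` paragraph above it is also easy to misread: `if the provided file changes, on server reload` can be taken as a periodic check, whereas the surrounding text only establishes that server-cert, server-key, dh-params and ca-cert are re-read on SIGHUP when the file content differs, so phrasing it as `### will be re-read on SIGHUP when the file has changed` would remove the ambiguity. Since the same paragraph says a changed server key causes connection failures during reload, it would help operators to add that the key must be rotated out of band (new cert, same key) if seamless rotation is wanted, which is what the text already implies.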
@@ -118,11 +128,6 @@ max-clients = 16
 # multiple times). Unset or set to zero for unlimited.
 max-same-clients = 2
-# When the server has a dynamic DNS address (that may change),
-# should set that to true to ask the client to resolve again on
-# reconnects.
-#listen-host-is-dyndns = true
-
 # Limit the number of client connections to one every X milliseconds
 # (X is the provided value). Set to zero for no limit.
 #rate-limit-ms = 100
@@ -214,7 +219,9 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
 #cert-group-oid = 2.5.4.11
 # The revocation list of the certificates issued by the 'ca-cert' above.
-# See the manual to generate an empty CRL initially.
+# See the manual to generate an empty CRL initially. The CRL will be reloaded
+# periodically when ocserv detects a change in the file. To force a reload use
+# SIGHUP.
 #crl = /path/to/crl.pem
 # Uncomment this to enable compression negotiation (LZS, LZ4).
@@ -251,7 +258,7 @@ tls-priorities = "@SYSTEM"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
-auth-timeout = 40
+auth-timeout = 240
 # The time (in seconds) that a client is allowed to stay idle (no traffic)
 # before being disconnected. Unset to disable.
@@ -299,6 +306,13 @@ ban-reset-time = 300
 # between different networks.
 cookie-timeout = 300
+# Cookie rekey time (in seconds)
+# The time after which the key used to encrypt cookies will be
+# refreshed. After this time the previous key will also be valid
+# for verification. It is recommended not to modify the default
+# value.
+cookie-rekey-time = 14400
+
 # If this is enabled (not recommended) the cookies will stay
 # valid even after a user manually disconnects, and until they
 # expire. This may improve roaming with some broken clients.
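Review bot: `auth-timeout = 240` raises the time an unauthenticated connection may stay open sixfold, and the comment above it still only says what the setting is, not why the shipped default changed or what it costs. Every such connection is held before any credential is presented, so the value trades interactive-login tolerance against how many pre-auth sessions the server will keep alive at once; the existing `max-clients = 16` and `#rate-limit-ms = 100` in this file are the knobs that bound that. A comment such as `# Larger values keep unauthenticated connections open longer; balance against max-clients and rate-limit-ms.` would record the trade-off next to the value. If the increase is meant to accommodate slower interactive logins, saying so in the same comment would help.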
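Review bot: The cookie-rekey-time comment says the previous key `will also be valid for verification` after a refresh but not for how long, so a reader cannot tell whether cookies issued under the old key outlive `cookie-timeout = 300` or whether two keys are accepted indefinitely. That window is the security-relevant part of the setting, since it bounds how long a cookie sealed under a retired key is still honoured; I would expect the previous key to be dropped once cookies issued under it have expired, but that is not stated here and should be confirmed against the server before documenting it. Suggested wording, with the window filled in once confirmed: `# After this time the previous key remains accepted for verification for <retention window — confirm> so that existing cookies keep working.`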
@@ -327,11 +341,17 @@ rekey-method = ssl
 # Script to call when a client connects and obtains an IP.
 # The following parameters are passed on the environment.
 # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
-# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local
+# interface IP the client connected), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
 # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
-# assigned), IPV6_REMOVE (the IPv6 remote address), and
+# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+# In addition the following variables OCSERV_ROUTES (the applied routes for this
+# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
+# will contain a space separated list of routes or DNS servers. A version
+# of these variables with the 4 or 6 suffix will contain only the IPv4 or
+# IPv6 values.
 # The disconnect script will receive the additional values: STATS_BYTES_IN,
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
@@ -398,6 +418,10 @@ default-domain = example.com
 #ipv6-subnet-prefix = 128
 #ipv6-subnet-prefix = 64
+# Whether to tunnel all DNS queries via the VPN. This is the default
+# when a default route is set.
+#tunnel-all-dns = true
+
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
diff --git a/ocserv.spec b/ocserv.spec
index 3a3f8e0..316b66c 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,8 +1,8 @@
 %global _hardened_build 1
 Name: ocserv
-Version: 0.10.11
-Release: 2%{?dist}
+Version: 0.11.0
+Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 # For a breakdown of the licensing, see PACKAGE-LICENSING
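Review bot: The added paragraph on the connect-script environment is grammatically broken (`In addition the following variables OCSERV_ROUTES ..., OCSERV_NO_ROUTES, OCSERV_DNS ..., will contain`), and `IPV6_PREFIX` is listed in the same hunk without any description while every neighbouring variable gets one. I would rewrite the three lines as `# In addition, the variables OCSERV_ROUTES (the applied routes for this client),`, `# OCSERV_NO_ROUTES and OCSERV_DNS (the DNS servers for this client) each contain`, `# a space separated list of routes or DNS servers.` and give IPV6_PREFIX a parenthetical like the others (presumably the IPv6 prefix length assigned to the client — confirm). The comment block this hunk edits continues past its last line.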
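Review bot: The new tunnel-all-dns comment gives the effective default only for the case where a default route is set (`This is the default when a default route is set.`), so a reader of the commented-out `#tunnel-all-dns = true` cannot tell what happens on a split-tunnel configuration, which is exactly the case where DNS leaking outside the VPN matters. Stating both cases makes the line self-explanatory, e.g. `# Whether to tunnel all DNS queries via the VPN. Defaults to true when a default route is pushed, and presumably to false otherwise (confirm against the manual).`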
@@ -32,6 +32,7 @@ BuildRequires: protobuf-c-devel
 BuildRequires: libnl3-devel
 BuildRequires: krb5-devel
 BuildRequires: libtasn1-devel
+BuildRequires: liboath-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
 BuildRequires: gperf
@@ -40,6 +41,7 @@ BuildRequires: libseccomp-devel
 %endif
 BuildRequires: pcllib-devel
 BuildRequires: libtalloc-devel
+BuildRequires: libev-devel
 BuildRequires: http-parser-devel
 BuildRequires: tcp_wrappers-devel
 BuildRequires: automake, autoconf
@@ -75,7 +77,7 @@ to provide the secure VPN service.
 %setup -q
 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
-rm -rf src/protobuf/
+rm -rf src/protobuf/protobuf-c/
 rm -rf src/ccan/talloc
 rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h
 rm -f src/pcl/*.c src/pcl/*.h
@@ -158,6 +160,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Fri Feb 19 2016 Nikos Mavrogiannopoulos - 0.11.0-1
+- new upstream release
+
 * Thu Feb 04 2016 Fedora Release Engineering - 0.10.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
diff --git a/sources b/sources
index f10d358..9b1194f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-7be01cd70cf9e8df2210531429a7aa10 ocserv-0.10.11.tar.xz.sig
-7daf9f105b115cd6611a2ac016a29d24 ocserv-0.10.11.tar.xz
+9161b506142232957ccf786c251b5b42 ocserv-0.11.0.tar.xz
+441bb6e47fa642de92e3adfa4a46ae1b ocserv-0.11.0.tar.xz.sig
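Review bot: `rm -rf src/protobuf/protobuf-c/` narrows the previous wholesale removal of `src/protobuf/` to one subdirectory, but nothing in the %setup section says which bundled code that is or why the rest of `src/protobuf/` must now survive the unbundling step. The `BuildRequires: protobuf-c-devel` shown in the hunk header makes the intent recoverable, so a one-line comment above the rm, `# drop the bundled protobuf-c copy; the system protobuf-c-devel is used instead`, would keep the unbundling rationale next to the command. Whether the files left under `src/protobuf/` are generated message sources or a second bundled copy is not visible here and deserves a word in the same comment, since the rest of this section exists precisely to guarantee no vendored library code is compiled in.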