GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 00:37:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'tmp-remove-todo' into 'master'

Browse Source 
Removed TODO file; it is out-of-date

See merge request openconnect/ocserv!220
This commit is contained in:
Nikos Mavrogiannopoulos
2020-09-30 19:06:06 +00:00
parent 71e36ccae4 333bbd536c
commit 7c0c6ec1ad
1 changed files with 0 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
TODO
View File

@@ -1,42 +0,0 @@
Short term items:
* Modify the test suite to be able to run without root privileges. That
could be done by using virt-builder for the tests instead of docker.
* When a user (IP) gets into the BAN list multiple times, disable it for
longer time (or should we drop this functionality altogether and rely
on PAM handling that?)
* Add support for memcached, to allow sharing server state.
* Give each worker a limited number of accesses to the security module.
* Allow overriding client hostnames via group or user configuration.
* We only send the right profile hash to client, only the a single profile
is specified in the global configuration file. When sending profile.xml
(user-profile) with the per-user configuration file, we do not send the
right profile hash to client, we do send the global configuration file only.
Long term items:
* radius: Consider supporting rfc5176.
* Think how the DTLS part can use better negotiation of algorithms and DTLS
is negotiated properly. Using PSK ciphersuites seem to be like a solution,
but that would require a new protocol to be implemented in openconnect
client and ocserv.
* Certificate authentication to the security module. Possibly that is just
wishful thinking. To verify the TLS client certificate verify signature
one needs in addition to the signature, the contents of all the handshake
messages, and knowledge of the negotiated TLS version, as well as being
able to select the server hello random. That could be done sanely only if
gnutls provided facilities to set the server hello random, and override the
client signature verification at an early stage before data are hashed
(to verify that the set random value was present in the handshake).
However, the complexity required to implement that may in fact reduce
security rather than increase it.
* Allow for a non-root mode where all networking is handled using something
like slirp (e.g., https://github.com/SPICE/slirp)