From 96a7f042374474f45ad7616a3d51bfc8a7a2157e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 23 May 2013 16:06:20 +0200
Subject: [PATCH] doc update
---
 NEWS | 1 +
 doc/sample.config | 45 ++++++++++++++++++++++++++++++++++++---------
 src/ocserv-args.c | 10 +++++-----
 src/ocserv-args.def | 7 ++++---
 src/ocserv-args.h | 6 +++---
 5 files changed, 49 insertions(+), 20 deletions(-)
diff --git a/NEWS b/NEWS
index cc9a271b..a97205c4 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@
 - Updated HTTP header parsing to correct issues seen with openconnect 3.20.
 - seccomp will no longer force an exit if system calls cannot be disabled. Patch by Faidon Liambiotis.
+- Added support for Salsa20 + UMAC ciphers.
 * Version 0.1.2 (released 2013-05-07)
diff --git a/doc/sample.config b/doc/sample.config
index 7aab0c40..1807985d 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -15,6 +15,10 @@ auth = "plain[./sample.passwd]"
 #max-clients = 1024
 max-clients = 16
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
 # Limit the number of identical clients (i.e., users connecting multiple times)
 # Unset or set to zero for unlimited.
 max-same-clients = 2
@@ -36,6 +40,9 @@ try-mtu-discovery = false
 # The key may be a file, or any URL supported by GnuTLS (e.g.,
 # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
 # or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
 server-cert = ../test-cert.pem
 server-key = ../test-key.pem
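Review bot: The new `rate-limit-ms` comment does not say whether the "one connection every X milliseconds" limit applies per client address or to the server as a whole, and an operator needs that to size it: a global throttle also caps legitimate reconnect bursts (for example after a network blip), while a per-address one does not. I cannot tell the scope from this hunk, so the comment should state it explicitly; if it is global, something like `# This limit is global, so a low value also delays legitimate reconnects.` would make the trade-off visible.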
@@ -43,7 +50,16 @@ server-key = ../test-key.pem
 # for the DHE ciphersuites (by default this server supports ECDHE).
 # Can be generated using:
 # certtool --generate-dh-params --outfile /path/to/dh.pem
-#dh-params = dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
 # In case PKCS #11 or TPM keys are used the PINs should be available
 # in files. The srk-pin-file is applicable to TPM keys only (It's the storage
@@ -72,18 +88,16 @@ server-key = ../test-key.pem
 #crl = /path/to/crl.pem
 # GnuTLS priority string
-tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
-
-# The default server directory
-#chroot-dir = /path/to/chroot
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+#tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT:+ESTREAM-SALSA20-256:+SALSA20-256:+UMAC-96"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth-timeout = 40
-# The time (in seconds) that a client is not allowed to reconnect after a failed
-# authentication attempt.
-min-reauth-time = 10
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
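Review bot: The sample stops enforcing a post-failure lockout in the @@ -72 hunk: `min-reauth-time = 10` is replaced by the commented-out `#min-reauth-time = 2`, so the interval that slows online password guessing falls from 10 s to whatever the server's built-in default is (presumably 2 s, following the `#max-clients = 1024` convention used earlier in this file, but the hunk does not show it). If relying on the default is intended, the comment should say so and name the trade-off, e.g. `# Unset, the built-in default applies; a larger value slows down online password guessing.` The added `%COMPAT` in `tls-priorities` is likewise undocumented; a short comment on why the compatibility modifier is needed, and that the second, commented-out string enables the Salsa20/UMAC ciphersuites mentioned in NEWS, would let an operator decide whether to keep it. src/ocserv-args.def makes the same `tls-priorities` change in its @@ -166 hunk.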
@@ -99,7 +113,8 @@ cookie-validity = 172800
 # Parameters are passed on the environment.
 # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P-t-P connect), IP_REMOTE (the VPN IP of the client).
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
 #connect-script = /usr/bin/myscript
 #disconnect-script = /usr/bin/myscript
@@ -109,10 +124,15 @@ use-utmp = true
 # PID file
 pid-file = /var/run/ocserv.pid
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
 # socket file used for IPC, will be appended with .PID
 # It must be accessible within the chroot environment (if any)
 socket-file = /var/run/ocserv-socket
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
 run-as-user = nobody
 run-as-group = nogroup
@@ -129,10 +149,17 @@ ipv4-netmask = 255.255.255.0
 # ipv4-dns = 192.168.2.1
 ipv4-dns = local
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
 #ipv6-address =
 #ipv6-mask =
 #ipv6-dns =
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
 # Leave empty to assign the default MTU of the device
 # mtu =
diff --git a/src/ocserv-args.c b/src/ocserv-args.c
index f79888ca..c9b27c53 100644
--- a/src/ocserv-args.c
+++ b/src/ocserv-args.c
@@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (ocserv-args.c) * - * It has been AutoGen-ed May 6, 2013 at 10:55:54 AM by AutoGen 5.17.3 + * It has been AutoGen-ed May 23, 2013 at 04:06:00 PM by AutoGen 5.17.3 * From the definitions ocserv-args.def * and the template file options *
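Review bot: In the @@ -109 hunk the new comment above `run-as-user` tells the operator the worker account should be unique, yet the sample keeps `run-as-user = nobody` and `run-as-group = nogroup`, which on most distributions are shared with other unprivileged daemons, so the example contradicts its own advice. Either switch the sample to a dedicated account (constructed example: `run-as-user = ocserv`) or extend the comment, e.g. `# 'nobody' is only an example; create a dedicated account for production use.` The added `# The default server directory. Does not require any devices present.` is also unclear as a description of `chroot-dir`; saying that it is the directory the workers are confined to would help, though I cannot tell from this hunk what the server expects to find inside it. The same `run-as-user` wording is added in src/ocserv-args.def at its @@ -208 hunk.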
@@ -63,7 +63,7 @@ extern FILE * option_usage_fp; * static const strings for ocserv options */ static char const ocserv_opt_strs[1795] = -/* 0 */ "ocserv 0.1.1\n" +/* 0 */ "ocserv 0.1.2\n" "Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the GNU General Public License,\n"
@@ -107,7 +107,7 @@ static char const ocserv_opt_strs[1795] = "authentication. Authenticated users are assigned an unprivileged worker\n" "process and obtain a networking (tun) device and IP from a configurable\n" "pool of addresses.\n\0" -/* 1707 */ "ocserv 0.1.1\0" +/* 1707 */ "ocserv 0.1.2\0" /* 1720 */ "Usage: ocserv [options] -c [config]\n" "ocserv --help for usage instructions.\n";
@@ -562,7 +562,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via ocservOptions.pzCopyright */ - puts(_("ocserv 0.1.1\n\ + puts(_("ocserv 0.1.2\n\ Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the GNU General Public License,\n\
@@ -617,7 +617,7 @@ process and obtain a networking (tun) device and IP from a configurable\n\ pool of addresses.\n")); /* referenced via ocservOptions.pzFullVersion */ - puts(_("ocserv 0.1.1")); + puts(_("ocserv 0.1.2")); /* referenced via ocservOptions.pzFullUsage */ puts(_("<<>>"));
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index af3be60c..4b25b24a 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -166,7 +166,7 @@ server-key = /path/to/key.pem
 #crl = /path/to/crl.pem
 # GnuTLS priority string
-tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
@@ -180,7 +180,7 @@ auth-timeout = 40
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime
 # of that cookie.
-cookie-validity = 43200
+cookie-validity = 172800
 # A cookie database. If not set cookies are stored in memory and
 # server restarts won't preserve them.
@@ -208,7 +208,8 @@ pid-file = /var/run/ocserv.pid
 # It must be accessible within the chroot environment (if any)
 socket-file = /var/run/ocserv-socket
-# The user the worker processes will be run as.
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
 run-as-user = nobody
 run-as-group = nogroup
diff --git a/src/ocserv-args.h b/src/ocserv-args.h
index 8a92dd75..428826fa 100644
--- a/src/ocserv-args.h
+++ b/src/ocserv-args.h
@@ -2,7 +2,7 @@ * * DO NOT EDIT THIS FILE (ocserv-args.h) * - * It has been AutoGen-ed May 6, 2013 at 10:55:54 AM by AutoGen 5.17.3 + * It has been AutoGen-ed May 23, 2013 at 04:06:00 PM by AutoGen 5.17.3 * From the definitions ocserv-args.def * and the template file options *
@@ -77,9 +77,9 @@ typedef enum { /** count of all options for ocserv */ #define OPTION_CT 7 /** ocserv version */ -#define OCSERV_VERSION "0.1.1" +#define OCSERV_VERSION "0.1.2" /** Full ocserv version text */ -#define OCSERV_FULL_VERSION "ocserv 0.1.1" +#define OCSERV_FULL_VERSION "ocserv 0.1.2" /** * Interface defines for all options. Replace "n" with the UPPER_CASED
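Review bot: In the @@ -180 hunk `cookie-validity` is raised from 43200 to 172800 (12 h to 48 h) without the comment naming the trade-off: the surrounding text says the cookie lets a client reconnect without authenticating again, so this value also bounds how long a captured or leaked cookie remains usable. Suggest extending the comment with `# A longer lifetime also extends how long a stolen cookie can be replayed.` The same value already appears as context in doc/sample.config, so the .def text and the sample appear to be kept in sync by hand; a one-line comment in one file pointing at the other would make the next edit less likely to drift.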