occtl: add terminate commands for session cookie invalidation

Add 'terminate user', 'terminate id' and 'terminate session' commands
to occtl that disconnect users and invalidate their session cookies,
preventing reconnection with cached credentials.

Short session IDs are resolved to full safe_id by fetching the cookie
list from sec-mod via CTL_CMD_LIST_COOKIES with prefix matching and
ambiguity detection. Active sessions trigger a warning before
invalidation.

Add integration tests for all three terminate commands.

Signed-off-by: Ivan Verbin <verbinivan@gmail.com>
Ivan Verbin
2026-03-15 17:03:11 +03:00
parent a309ecead0
commit a8730a6997
16 changed files with 963 additions and 3 deletions

5
NEWS

@@ -1,9 +1,12 @@
* Version 1.4.2 (unreleased)
- The bundled llhttp was updated to 9.3.1.
- occtl: Added 'terminate user', 'terminate id', and 'terminate session'
commands that disconnect users and invalidate their session cookies,
preventing automatic reconnection (#689)
* Version 1.4.1 (released 2026-02-28)
- [SECURITY] Fixed authentication bypass (medium severity) when combined
- [SECURITY] Fixed authentication bypass (medium severity) when combined
password with certificate authentication with cert-user-oid set to SAN(rfc822name):
a client presenting a valid CA-signed certificate without the expected
RFC822 SAN field could authenticate using password credentials alone,
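Review bot: The 1.4.1 "[SECURITY] Fixed authentication bypass (medium severity) when combined" line appears twice in this hunk with identical visible text, which reads as a remove/add pair that changes only whitespace in an already released entry. That is unrelated to the terminate commands, so drop it from this commit or send it as a separate cleanup so the released security entry is not touched here. On the new 1.4.2 entry, consider noting that 'terminate session' accepts a short session ID and how an ambiguous prefix is handled, since the commit message describes prefix matching with ambiguity detection and an operator reading NEWS would want to know that before terminating by a partial ID.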