mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
enabling cisco-client-compat allows 'stealing' of processes.
This change puts a proc_st whose client has terminated into a "zombie" state. That state will allow a client that connects later using the same TLS session ID to reclaim it. That way clients that try to authenticate by sending their credentials in different sessions can still authenticate with ocserv. That, however, puts more trust in worker processes (as the main process has no way of telling whether a TLS session is certainly resumed).
@@ -228,5 +228,5 @@ route-del-cmd = "ip route delete %R dev %D"
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false
cisco-client-compat = true
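Review bot: the `cisco-client-compat = true` line at the end of this hunk has no comment of its own; the comment lines above it describe always-require-cert. The commit message says that enabling this option lets a client connecting later with the same TLS session ID reclaim a zombie proc_st, and that the main process cannot tell whether the TLS session was really resumed, so it has to trust the worker. That trade-off should be stated in the sample config directly above the option. It is also worth considering whether the sample should leave the option commented out, as it does for always-require-cert, so that operators without legacy Cisco clients do not take on the extra trust in worker processes just by copying the file.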