Rekey time is now configurable and can be disabled.

This commit is contained in:
Nikos Mavrogiannopoulos
2014-02-11 15:47:20 +01:00
parent fa4b24ddac
commit c92925e727
4 changed files with 21 additions and 7 deletions


@@ -88,6 +88,7 @@ static struct cfg_options available_options[] = {
{ .name = "net-priority", .type = OPTION_STRING, .mandatory = 0 },
{ .name = "output-buffer", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "cookie-validity", .type = OPTION_NUMERIC, .mandatory = 1 },
{ .name = "rekey-time", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "auth-timeout", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "max-clients", .type = OPTION_NUMERIC, .mandatory = 0 },
{ .name = "min-reauth-time", .type = OPTION_NUMERIC, .mandatory = 0 },
@@ -376,6 +377,7 @@ unsigned force_cert_auth;
config->tx_per_sec /= 1000;
READ_NUMERIC("cookie-validity", config->cookie_validity);
READ_NUMERIC("rekey-time", config->rekey_time);
READ_NUMERIC("auth-timeout", config->auth_timeout);
READ_NUMERIC("max-clients", config->max_clients);
READ_NUMERIC("min-reauth-time", config->min_reauth_time);
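Review bot: The new `rekey-time` option is declared with `.mandatory = 0`, but nothing in the hunk establishes what `config->rekey_time` holds when the option is absent; if `READ_NUMERIC` leaves the field untouched, the "disabled" semantics depend on the config struct having been zeroed elsewhere. An explicit default before the read, e.g. `config->rekey_time = 0; /* 0 = rekeying disabled */`, would make the intended behaviour self-evident at the point of use. The value is later cast to `unsigned` when sent to the client, so a range check here (reject negative values, cap at what fits an `unsigned`) would also keep a misconfigured value from being advertised incorrectly. The enclosing option-parsing function starts and ends outside the hunk.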


@@ -195,7 +195,12 @@ auth-timeout = 40
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 172800
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
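Review bot: The sample changes the `cookie-validity` default from 172800 to 86400 alongside adding `rekey-time`, but the commit title only mentions rekeying; a reader of the history would not expect the cookie lifetime to change here. Either the commit message should mention the new cookie default, or the sample's comment should explain it. The new `rekey-time` comment could also state its unit explicitly in the parameter line, e.g. `rekey-time = 172800   # 48 hours; 0 disables`, matching the `# in seconds` style used for the struct field.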


@@ -189,6 +189,7 @@ struct cfg_st {
char* socket_file_prefix;
time_t cookie_validity; /* in seconds */
time_t rekey_time; /* in seconds */
time_t min_reauth_time; /* after a failed auth, how soon one can reauthenticate -> in seconds */
unsigned auth_timeout; /* timeout of HTTP auth */
unsigned keepalive;


@@ -1216,12 +1216,18 @@ static int connect_handler(worker_st * ws)
"X-CSTP-Smartcard-Removal-Disconnect: true\r\n");
SEND_ERR(ret);
ret =
tls_printf(ws->session, "X-CSTP-Rekey-Time: %u\r\n",
(unsigned)(2 * ws->config->cookie_validity) / 3);
SEND_ERR(ret);
ret = tls_puts(ws->session, "X-CSTP-Rekey-Method: new-tunnel\r\n");
SEND_ERR(ret);
if (ws->config->rekey_time > 0) {
ret =
tls_printf(ws->session, "X-CSTP-Rekey-Time: %u\r\n",
(unsigned)(ws->config->rekey_time));
SEND_ERR(ret);
ret = tls_puts(ws->session, "X-CSTP-Rekey-Method: ssl\r\n");
SEND_ERR(ret);
} else {
ret = tls_puts(ws->session, "X-CSTP-Rekey-Method: none\r\n");
SEND_ERR(ret);
}
ret = tls_puts(ws->session, "X-CSTP-Session-Timeout: none\r\n"
"X-CSTP-Idle-Timeout: none\r\n"
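Review bot: The cast `(unsigned)(ws->config->rekey_time)` on the new `X-CSTP-Rekey-Time` line silently truncates a `time_t`, so an administrator who sets a large value would have a wrapped (possibly tiny) rekey interval advertised to the client with no error. The `> 0` guard also treats a negative `rekey-time` as "disabled" without any diagnostic. Both are better caught once at config load than at every connect; a comment on the guard such as `/* rekey_time <= 0 disables rekeying; value was range-checked at config load */` would document the contract once that check exists. The new code also switches the advertised `X-CSTP-Rekey-Method` from `new-tunnel` to `ssl`, which the commit title does not mention; a sentence in the commit message would help. connect_handler starts and ends outside the hunk.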