OpenConnect will interpret these headers once https://gitlab.com/openconnect/openconnect/-/merge_requests/156 is merged

Examples of newly-authenticated sessions from Cisco servers:

- Default value of `Session-Timeout` is 1209600 seconds (14 days) per
  https://www.cisco.com/assets/sol/sb/RV345P_Emulators/RV345P_Emulator_v1-0-01-17/help/help/t_SSL_VPN.html
- https://www.mail-archive.com/openconnect-devel@lists.infradead.org/msg00968.html:
  `Lease-Duration` having the default value, while `Session-Timeout`
  and `Session-Timeout-Remaining` are `none`
- https://gitlab.com/openconnect/openconnect/-/issues/43#note_177677716:
  `Lease-Duration`, `Session-Timeout`, and `Session-Timeout-Remaining` all with
  the same value

My own testing of *reconnected* sessions (on a newer Cisco server supporting
DTLS 1.2) shows that Session-Timeout-Remaining will have a value less than
Session-Timeout, such that the expiration timestamp remains constant from one
reconnection to the next.

Signed-off-by: Daniel Lenski <dlenski@amazon.com>
This commit is contained in:
Daniel Lenski
2020-12-09 16:52:41 -08:00
parent 3257070312
commit dd34f85875


@@ -1871,6 +1871,7 @@ static int connect_handler(worker_st * ws)
unsigned rnd;
unsigned i;
unsigned ip6;
time_t now = time(0);
ret = gnutls_rnd(GNUTLS_RND_NONCE, &rnd, sizeof(rnd));
if (ret < 0) {
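Review bot: `now` is sampled at the top of connect_handler, but its only consumer is the `X-CSTP-Session-Timeout-Remaining` computation several hundred lines further down, after the rest of the CSTP negotiation has run; any time spent in between is silently added to the advertised remaining lifetime. Consider moving the declaration next to its use (`time_t now = time(NULL);` immediately before `time_t expiration = ...`) so the value reflects the moment the header is emitted, and `time(NULL)` rather than `time(0)` matches the usual idiom.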
@@ -2213,8 +2214,22 @@ static int connect_handler(worker_st * ws)
}
}
ret = cstp_puts(ws, "X-CSTP-Session-Timeout: none\r\n"
"X-CSTP-Disconnected-Timeout: none\r\n"
if (!ws->user_config->has_session_timeout_secs) {
ret = cstp_puts(ws, "X-CSTP-Lease-Duration: none\r\n"
"X-CSTP-Session-Timeout: none\r\n");
SEND_ERR(ret);
} else {
time_t expiration = ws->session_start_time + ws->user_config->session_timeout_secs;
ret = cstp_printf(ws, "X-CSTP-Lease-Duration: %u\r\n"
"X-CSTP-Session-Timeout: %u\r\n"
"X-CSTP-Session-Timeout-Remaining: %ld\r\n",
ws->user_config->session_timeout_secs,
ws->user_config->session_timeout_secs,
MAX(expiration - now, 0));
SEND_ERR(ret);
}
ret = cstp_puts(ws, "X-CSTP-Disconnected-Timeout: none\r\n"
"X-CSTP-Keep: true\r\n"
"X-CSTP-TCP-Keepalive: true\r\n"
"X-CSTP-License: accept\r\n");
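Review bot: the `%ld` conversion for `MAX(expiration - now, 0)` assumes `time_t` is `long`, which is not portable (32-bit builds with a 64-bit `time_t` make it `long long`, and the `0` in the `MAX` macro does not change the promoted type), so the header can be misprinted on such targets; cast explicitly, e.g. `(long long)MAX(expiration - now, 0)` with `%lld`, or compute the remaining seconds into an `unsigned` first and print it with `%u` like the other two values. Also, the `none` branch now sends `X-CSTP-Lease-Duration` and `X-CSTP-Session-Timeout` but no `X-CSTP-Session-Timeout-Remaining`, whereas the commit message's second example shows Cisco sending all three as `none`; emitting `X-CSTP-Session-Timeout-Remaining: none` there would keep the two branches symmetric for clients that parse it.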