GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-03-27 07:18:04 +08:00
Code Issues Packages Projects Releases Wiki Activity
4,044 Commits 19 Branches 89 Tags
master
Commit Graph

359 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
18401eb298 Replaced autoconf with meson build files 
Resolves: #699

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2026-03-20 20:47:27 +01:00
Ivan Verbin
a8730a6997 occtl: add terminate commands for session cookie invalidation 
Add 'terminate user', 'terminate id' and 'terminate session' commands
to occtl that disconnect users and invalidate their session cookies,
preventing reconnection with cached credentials.

Short session IDs are resolved to full safe_id by fetching the cookie
list from sec-mod via CTL_CMD_LIST_COOKIES with prefix matching and
ambiguity detection. Active sessions trigger a warning before
invalidation.

Add integration tests for all three terminate commands.

Signed-off-by: Ivan Verbin <verbinivan@gmail.com>
 2026-03-15 17:05:29 +03:00
Nikos Mavrogiannopoulos
071f1e18ee design.md: moved all diagrams to mermaid 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2026-03-01 20:11:07 +01:00
Nikos Mavrogiannopoulos
4ba99fc18b VPN overview: expanded diagram 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2026-03-01 20:11:04 +01:00
Nikos Mavrogiannopoulos
87cd179117 Removed design.dia in favor of design.md 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2026-03-01 20:10:59 +01:00
Dimitri Papadopoulos
2b178b22ba Small doc improvements 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2026-02-01 18:41:51 +01:00
Grigory Trenin
b080d7dd2b Rename min-reauth-time to ban-time (#676) 
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
 2026-01-23 05:44:05 -05:00
Grigory Trenin
08c321c41a docs: tidy up man pages 
- Updated the SYNOPSIS of ocserv(8), occtl(8), and ocpasswd(8)
  to match their --help output
- Corrected usage syntax (eg: '-c config' is optional for ocserv,
  'username' is required for ocpasswd).
- Removed non-standard ':' trailing from options definitions
- Documented missing command-line options: --log-stderr,  --syslog,
  --no-chdir, --traceable
- Added default configuration file paths:
  /etc/ocserv/ocserv.conf, /etc/ocserv/ocpasswd
- Documented USER_AGENT environment variable
- Fixed typos

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
 2026-01-10 18:05:02 -05:00
Dimitri Papadopoulos
4a4c341b45 Option listen-host expects a single IP address 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2025-03-02 19:07:22 +01:00
Nikos Mavrogiannopoulos
344c717319 README-oidc.md: mention that only the microsoft client supports OIDC [ci skip] 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2024-06-03 21:11:07 +02:00
Nikos Mavrogiannopoulos
dd13e5db65 design.md: added basic mermaid diagram 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2024-05-09 17:33:08 +02:00
Nikos Mavrogiannopoulos
48d7057fb3 config: auto-select-group made global not per vhost 
The group functionality is available globally only and
there is no benefit from this option being per vhost.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2024-04-23 21:35:44 +02:00
Marcin Ochab
3f966ae8ca Allow selecting group by URL or profile 
This introduces the 'select-group-by-url' config option
that allows selecting an authgroup just by connecting to
a dedicated URI.

Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2024-04-23 21:35:00 +02:00
Nikos Mavrogiannopoulos
72b8e19cac updated copyright notices and minor text update 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2024-04-01 12:19:46 +02:00
Dimitri Papadopoulos
ab58d9e9d7 Retrieve connection speed from RADIUS 
Hijack Roaring Penguin's RADIUS attributes for that purpose:
* RP-Upstream-Speed-Limit → rx_per_sec
* RP-Downstream-Speed-Limit → tx_per_sec

While the ocserv configuration options use b/s, ocserv uses kb/s
internally. The radius attributes are already expressed in kb/s,
so we don't need to convert them.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2024-01-20 20:12:34 +01:00
Nikos Mavrogiannopoulos
29dba5cee8 web: updated links to web page 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2024-01-05 16:47:18 +01:00
Dimitri Papadopoulos
b41130163d Reorder man pages 
Follow the conventions for writing Linux man pages:
https://man7.org/linux/man-pages/man7/man-pages.7.html

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-12-30 22:48:02 +01:00
Nikos Mavrogiannopoulos
7c9e9b76a6 doc: mention issue tracker to manpage 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-12-30 18:03:51 +01:00
Dimitri Papadopoulos
715b9b2ea1 Use proper symbol for second, prefix for kilo 
The SI symbol for second is s:
https://www.bipm.org/en/si-base-units/second

The SI prefix for a multiplying factor of 10³ is k:
https://www.bipm.org/en/measurement-units/si-prefixes

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-12-24 10:40:21 +01:00
Dimitri Papadopoulos
311433b4db Minor typo 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-12-22 15:56:47 +01:00
Nikos Mavrogiannopoulos
d504ba832b sample.config: added warning for compression [ci skip] 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-12-19 22:36:33 +01:00
Nikos Mavrogiannopoulos
f0067ae0ea Cleanup of the logging subsystem; allow logging to stderr only 
Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-12-15 13:04:40 +01:00
Nikos Mavrogiannopoulos
86cd25dafb sample.config: further clarify RX and TX meaning [ci skip] 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-12-10 02:11:13 +01:00
Nikos Mavrogiannopoulos
d192340484 sample.config: clarified RX and TX meaning [ci skip] 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-12-07 16:06:14 +01:00
Dimitri Papadopoulos Orfanos
a711aa4a22 Merge branch 'libexec' into 'master' 
bin/ocserv-fw → libexec/ocserv-fw

Closes #78

See merge request openconnect/ocserv!388
 2023-12-06 17:51:37 +00:00
Nikos Mavrogiannopoulos
30cf47ad60 sample.config: set default logging priority to 2 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-12-06 16:47:00 +01:00
Dimitri Papadopoulos
8ada82ff5c bin/ocserv-fw → libexec/ocserv-fw 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-11-28 21:57:02 +01:00
Dimitri Papadopoulos
b29d915699 Fix misspelling newly reported by codespell 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-09-11 19:18:37 +02:00
Nikos Mavrogiannopoulos
6aad62e266 debug: increased default log-level to debug 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-08-28 20:48:02 +02:00
Nikos Mavrogiannopoulos
70ceee36d6 sample.config: corrected documentation [ci skip] 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-07-11 14:54:57 +02:00
Nikos Mavrogiannopoulos
9e457abda8 Merge branch 'cisco-ipphone' into 'master' 
Add support for Cisco IP-Phone Enterprise firmware VPN

See merge request openconnect/ocserv!356
 2023-07-11 12:46:40 +00:00
Gareth Palmer
996d021e1b Add support for Cisco IP-Phone Enterprise firmware VPN client. 
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.

The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.

When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.

A handler that implements this new behaviour has been added
under the '/svc' path.

To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.

New test cases test-pass-svc and test-cert-svc check the above
behaviour.

Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.

To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.

doc/README-cisco-svc.md includes additional information.

Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.

Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
 2023-07-11 22:48:22 +12:00
Nikos Mavrogiannopoulos
52f64c4032 sample.config: added more information on how logging works 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-07-05 18:37:46 +02:00
Nikos Mavrogiannopoulos
1373a11f57 tests: added a test for groups defined over multiple AVPs 
This adds a test for the available multi-group options as
well as documentation for the feature. This tests two options:
 * Separate group names in separate class attributes
 * Separate group names in separate class attributes with the OU= format

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2023-06-17 00:25:55 +02:00
Dimitri Papadopoulos
d2fef9f08f https://gitlab.com/ocserv/ocserv → openconnect/ocserv 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-06-12 17:25:59 +02:00
Kirill Ovchinnikov
85fdf7d2e6 Camouflage functionality 
This adds a "camouflage" functionality (looking and acting like an ordinary web server),
to prevent OCserv installations from being automatically scanned or blocked with active probing techniques.

Signed-off-by: Kirill Ovchinnikov <kirill.ovchinn@gmail.com>
 2023-06-09 15:08:25 +02:00
Dimitri Papadopoulos
c35dda6e2a Improve ocserv man page 
Searching "syslog daemon facility" will fetch more precise suggestions
on how to manage oscerv logs than a mere "daemon facility" which doesn't
mean anything by itself.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-06-03 10:01:31 +02:00
Dimitri Papadopoulos
4cd41e0ccf Full name for message types in sequence diagrams 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-03-03 13:30:08 +01:00
Dimitri Papadopoulos
70ec3f2d01 doc: missing whitespace 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2023-01-28 10:05:19 +01:00
Dimitri Papadopoulos
f28669bf60 Remove spaces 
* Remove trailing spaces at end-of-line
* Remove blank lines at end-of-file

Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
 2022-11-28 11:22:33 +01:00
Nikos Mavrogiannopoulos
15fe120292 ocserv.8: Align example with the default ocserv configuration for certificates 
Relates: #468

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2022-10-23 20:29:44 +02:00
Tara Mallesh
cfe2ea06d9 Allow HTTP headers to be configurable 2022-07-02 04:02:56 +00:00
Nikos Mavrogiannopoulos
44ec3c60ed sample.config: document the local subnet exemption from ban. 
Relates: #441

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2022-02-05 10:20:26 +01:00
Dimitri Papadopoulos
feffac374a Openconnect → OpenConnect 
Spell OpenConnect products consistently.

This will modify the README file, but not the online documentation.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2021-12-27 12:48:20 +01:00
Nikos Mavrogiannopoulos
db505b373c Merge branch 'visual_studio_spell_checker' into 'master' 
Typos found by Visual Studio Code Checker

See merge request openconnect/ocserv!276
 2021-12-22 18:41:17 +00:00
Dimitri Papadopoulos
3a92062b44 Typos found by Visual Studio Code Checker 
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
 2021-12-22 19:21:02 +01:00
Nikos Mavrogiannopoulos
5c79fa24b2 sample.config: removed mentioning of listen-clear-file 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2021-11-20 17:14:35 +01:00
Nikos Mavrogiannopoulos
11fdd9fb04 manpages: fixed output with ronn-ng 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2021-11-17 13:18:55 +01:00
Nikos Mavrogiannopoulos
7f5414bd07 Merge branch 'codespell' into 'master' 
Fix typo found by codespell

See merge request openconnect/ocserv!274
 2021-11-17 08:52:48 +00:00
Nikos Mavrogiannopoulos
a61daf0332 systemd files: updated 
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
 2021-11-14 12:27:44 +01:00