Commit Graph

2633 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
068548e83f doc update 2016-08-05 09:08:58 +02:00
Nikos Mavrogiannopoulos
b5f5f2a0c0 Enhanced the openconnect protocol DTLS negotiation
If the client's X-DTLS-CipherSuite contains the PSK keyword,
the server will reply with "X-DTLS-CipherSuite: PSK" and will enable
DTLS-PSK negotiation on the DTLS channel. The ciphersuite set
in the DTLS channel must match the one set in the TLS one. That
makes the protocol consistent in security properties (DTLS and TLS channel
will match cipher/mac combinations), and allows the protocol to use
any new DTLS versions, as well as new DTLS ciphersuites without
any code changes.

That change still requires the client to pretend it is resuming
by setting in the DTLS client hello the session ID provided by
X-DTLS-Session-ID.
2016-08-05 09:07:11 +02:00
Nikos Mavrogiannopoulos
5825a2cd3e NEWS: corrected typo 2016-08-04 14:13:23 +02:00
Nikos Mavrogiannopoulos
c2ae0f6cc2 bumped version 2016-08-04 08:11:22 +02:00
Nikos Mavrogiannopoulos
5a0c6caf65 improved config macro CHECK_TRUE 2016-08-04 08:05:37 +02:00
Nikos Mavrogiannopoulos
982348df88 Reworked MTU discovery
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size equal to the current
data MTU.
2016-08-04 07:57:37 +02:00
Nikos Mavrogiannopoulos
22d285949c update the IP and the proc table hashes when updating the proxy protocol IP
This prevents stray pointers to the replaced IP being present in the
proc hash table.
2016-08-01 12:01:42 +02:00
Nikos Mavrogiannopoulos
8163e5c486 tests: use fedora24 2016-07-28 16:23:46 +02:00
Nikos Mavrogiannopoulos
37a369aec6 ocsignal: memset to zero the new sigaction 2016-07-26 13:32:40 +02:00
Nikos Mavrogiannopoulos
99c9b6749b recv_from_new_fd: changed to unsigned type 2016-07-19 11:35:24 +02:00
Nikos Mavrogiannopoulos
6510ef06cf doc update 2016-07-19 11:30:34 +02:00
Nikos Mavrogiannopoulos
2ffd80509d recv_from_new_fd: update tmsg pointer
This addresses an issue where tmsg was freed by the dtls_pull
function, and freed again by the caller of recv_from_new_fd.
2016-07-19 11:27:19 +02:00
Nikos Mavrogiannopoulos
c346f29860 worker: use the main buffer for receiving commands from main
This avoids large stack allocations.
2016-07-19 11:24:45 +02:00
Nikos Mavrogiannopoulos
53a54b0e39 doc: documented about krb5-k5tls plugin
This plugin is required in Debian and Ubuntu based distributions
for kinit to be able to use KKDCP servers. Suggested by Jochen Hein.
2016-07-13 09:08:46 +02:00
Nikos Mavrogiannopoulos
23558aff31 doc update 2016-07-09 10:57:53 +02:00
Nikos Mavrogiannopoulos
4015a19a29 open_tun() ignore EINVAL error in TUNSETGROUP ioctl()
This allows ocserv to work with kernels prior to 2.6.23.

Relates #60
2016-07-09 10:57:03 +02:00
Nikos Mavrogiannopoulos
5964c31d68 tun: enable multicast mode for FreeBSD systems 2016-07-04 14:00:08 +02:00
Nikos Mavrogiannopoulos
6aafcc0bf5 tun: move bsd-system-specific tun code to bsd_open_tun() 2016-07-04 14:00:08 +02:00
Nikos Mavrogiannopoulos
7254f3b2e7 document how a certificate may hold multiple groups 2016-07-04 10:50:40 +02:00
Nikos Mavrogiannopoulos
b4d04878a6 doc update 2016-07-04 00:20:06 +02:00
Nikos Mavrogiannopoulos
085df882ab tun: corrected tun device group assignment 2016-07-04 00:19:34 +02:00
Nikos Mavrogiannopoulos
e12d2e6818 tests: made pam check independent of builddir 2016-06-29 10:05:00 +02:00
Nikos Mavrogiannopoulos
0eb8aac9bf README.md: mention NSS wrapper 2016-06-29 09:50:41 +02:00
Nikos Mavrogiannopoulos
0d1358edf2 configure: enable pam tests only when liboath is present and PAM compiled in 2016-06-29 09:49:24 +02:00
Nikos Mavrogiannopoulos
a80abeb888 tun: use the same prefix (from the lease) in Linux and *BSD 2016-06-28 09:05:27 +02:00
Nikos Mavrogiannopoulos
ae3c20c3ed tests: pam tests were converted to use pam-wrapper
This allows running the PAM tests without requiring root access
2016-06-25 23:05:18 +02:00
Nikos Mavrogiannopoulos
dcab477d52 radius: corrected the accounting of gigawords for outgoing data
Previously the incoming bytes were accounted instead of the
outgoing bytes.

Resolves #57
2016-06-20 23:23:22 +02:00
Nikos Mavrogiannopoulos
954607e88a When sending auth_id reply to pre-3.x clients use a different auth_id for username and password
That is because some modified v2.x clients require that any response
that asks for information does not have an XML form with auth_id set
to "main".

Resolves #55
2016-06-20 23:02:38 +02:00
Nikos Mavrogiannopoulos
bcef7c58cf worker: always honour the DTLS ciphersuite that matches the TLS ciphersuite
That is, do not consider the ciphersuite priorities at all, but rather
prefer the DTLS ciphersuite that matches the TLS one (if any).
2016-06-18 16:09:10 +02:00
Nikos Mavrogiannopoulos
3d4fb9b3e6 tests: added unit test for valid_hostname() function 2016-06-18 14:27:40 +02:00
Nikos Mavrogiannopoulos
f7e057a6dd tests: check whether the hostname is overridden by per-user conf 2016-06-18 14:21:46 +02:00
Nikos Mavrogiannopoulos
1f809f5e64 ocserv: check the hostname value received by the client for validity 2016-06-18 14:21:41 +02:00
Nikos Mavrogiannopoulos
ed31709e75 ocserv: notify back the client about the hostname accepted (if any)
That is, the server will populate X-CSTP-Hostname and send it
back to the client.
2016-06-18 14:05:29 +02:00
Nikos Mavrogiannopoulos
4124b9c089 doc update 2016-06-18 11:17:02 +02:00
Nikos Mavrogiannopoulos
0c093ad8f3 ocserv: allow overriding hostname on the per-user configuration
This allows for the administrator to set specific hostnames, or even
an empty hostname for specific users.
2016-06-18 11:08:53 +02:00
Nikos Mavrogiannopoulos
a81652a411 doc update 2016-06-18 10:47:08 +02:00
Nikos Mavrogiannopoulos
966206ecea worker: when advertising the IPv6 address/prefix use the subnet prefix
That is, instead of advertising the address with the server's prefix
advertise the IPv6 address with the prefix that is assigned to the client
itself.
2016-06-18 10:45:25 +02:00
Kevin Cernekee
fb1430f95e Zero out the whole sockaddr_in6 struct when parsing explicit-ipv6
This initializes sin6_scope_id to 0, so that $IPV6_REMOTE doesn't
get strings that look like: "2001:db8::1234%932152953"

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
2016-06-18 10:41:32 +02:00
Nikos Mavrogiannopoulos
efafdd9e73 tests: added missing certs 2016-06-17 23:11:21 +02:00
Nikos Mavrogiannopoulos
a0ffa818c0 tests: use the .tmp suffix to pid files 2016-06-17 11:56:43 +02:00
Nikos Mavrogiannopoulos
f2bef25cdc sample.config: use new paths 2016-06-17 11:54:07 +02:00
Nikos Mavrogiannopoulos
cbc4dde44b tests: moved passwd files to data/ 2016-06-17 11:54:05 +02:00
Nikos Mavrogiannopoulos
f3a182dbdf tests: moved config files to data/ 2016-06-17 11:54:03 +02:00
Nikos Mavrogiannopoulos
5c88ee7715 tests: moved all certificates and keys in certs/ 2016-06-17 11:53:50 +02:00
Nikos Mavrogiannopoulos
0810cc0aa7 doc update ocserv_0_11_3 2016-06-16 08:49:52 +02:00
Nikos Mavrogiannopoulos
05badbea7a doc update 2016-06-16 08:28:42 +02:00
Nikos Mavrogiannopoulos
bb1ba34bdc ocserv-fw: updated with Lance LeFlore's version 2016-06-16 08:27:22 +02:00
Nikos Mavrogiannopoulos
c49b395a54 ocserv: better log message on terminating worker processes 2016-06-08 19:37:17 +02:00
Nikos Mavrogiannopoulos
aa27271f3b tests: remove the explicit docker pull commands from docker-common.sh 2016-06-08 17:01:48 +02:00
Nikos Mavrogiannopoulos
7a6a7c707a worker: wait for confirmation on messages sent during disconnect
When disconnecting and sending stats and info to main and sec-mod,
ensure that messages have been processed prior to exiting. That makes
sure that these messages are accounted for and are not lost. This addresses
an issue where the stats on disconnect were not properly reported to
sec-mod.
2016-06-05 11:35:51 +02:00