Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This addresses issues with anyconnect clients which send back the descriptive labels.
Resolves#267
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
This test verifies that the server will continue to operate
even if the up script will block indefinitely.
Resolves: #241
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
This removes a trailing comma from the end of the listing, and
adds a missing one.
Resolves: #220
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
tests (radius-otp): add a check radcli version (atleast 1.2.7), since debian uses version
1.2.6, which does not support Access-Challenge server response.
tests: show debug messages only in VERBOSE mode
tests (radius-otp): replace test for option max_challenge to macro MAX_CHALLENGE
Signed-off-by: Alexey Dotsenko <lex@rwx.su>
This avoids a crash when no DTLS ciphersuite is selected and adds a
test case for negotiation without DTLS.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This enables support for AES-256 for anyconnect clients which
do not support AES-GCM. Also prioritized the 256-bit ciphers
higher than the 128-bit ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This checks whether connecting to different virtual hosts
with different authentication methods works.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is the similar to the test case (test-pass-opt-cert) of pass or cert,
but in that case the certificate method is set as primary.
Relates #108
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This allows running the root tests under CI, even if the
docker tests (which cannot be run) are not.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
