This allows to advertise the XML configuration file for the
client to download, in recent openconnect clients. In addition
made support for the client XML file unconditional (no longer
depending on the anyconnect client compatibility flag).
Autogen seems to output on the creates files gradually, something that
makes 'make' believe that the command is complete prior to the output
file being fully populated. The current approach uses stamp files to
ensure that no incomplete files are used for compilation.
That is, even if we initially advertize the PID of the worker
handling the client as NAS-Port, the client may eventually end-up
being served by another process. In that case we make sure that
the radius server is notified on the next accounting message.
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fallback
to the legacy protocol in that case.
The server sends the X-DTLS-App-ID header in the new protocol;
the X-DTLS-Session-ID is only used in the legacy protocol. The
server expects the Application identifier to be placed in a TLS
extension.
There the DTLS ciphersuite and DTLS version are negotiated and
we cannot accurately predict the actual tunnel size. In that
case the client must rely on the Base-MTU.
This was changed so that it is explicitly made incompatible with
existing openconnect patch. The new openconnect client patch for
PSK negotiation is incompatible with the protocol as implemented
in 0.11.4 and requires the option match-tls-and-dtls-ciphers for its
openssl variant.
That when enable, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option
when disabled, it will disable the pre-draft-DTLS negotiation.
If the client's X-DTLS-CipherSuite contains the PSK keyword,
the server will reply with "X-DTLS-CipherSuite: PSK" and will enable
DTLS-PSK negotiation on the DTLS channel. The ciphersuite set
in the DTLS channel, must match the one set in TLS one. That,
makes the protocol consistent in security properties (DTLS and TLS channel
will match cipher/mac combinations), and allows the protocol to use
any new DTLS versions, as well as new DTLS ciphersuites without
any code changes.
That change still requires to client to pretend it is resuming
by setting in the DTLS client hello the session ID provided by
X-DTLS-Session-ID.
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size to equal to the current
data MTU.
