This option was almost impossible to use in general and worked with
very few clients only (not including openconnect). That also meant that
it could not be tested. Removed to reduce maintenance to parameters
that are used in practice.
Resolves: #376
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This also removes the stop on first error directive
which was set but not used for a very long time.
Resolves: #364
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This ignores any items following the first group class attribute.
Resolves: #332
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously, when we were disconnecting a user, there were a few seconds
during which the cookie was still valid, so a reconnect by the same
user would succeed. This change ensures that a user disconnected (via
occtl) cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
There are certain anyconnect clients which seem to fail connecting using
TLS1.3.
Resolves: #318
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Capture all the required worker process state in a protobuf and
pass it to the worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into its own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
This fixes the ban entries listing so that instead of printing all the
items in the database, it prints all the items that are actually banned
from connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That prevents clients that send an all-zero DTLS client hello from being
able to establish a connection.
That also introduces the OCSERV_ALLOW_BROKEN_CLIENTS environment variable
which, when set to 1, allows broken clients to connect. This is used
mainly to allow test cases to pass against existing vulnerable systems in our
CI.
Resolves: #277
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
We were previously asking rc_aaa() to include the NAS-Port pair in
the request, which has undesirable results.
Resolves: #269
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When IPv6 is requested by an iPhone, we provide a special route that is
necessary for these clients to use IPv6.
Resolves: #254
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes a regression which prevented DTLS-PSK (or PSK-NEGOTIATE)
from being negotiated.
Resolves: #262
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
When a client re-uses a cookie and takes over a previous connection,
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
in this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
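The two cookie-related fixes above (#59: an occtl disconnect must invalidate the cookie; #223: max-same-clients must count only sessions not yet disconnected) are illustrated here with a small session-list model. This is an added example written for this page, not ocserv's own code; the class and method names (SessionStore, check_multiple_users as modelled here, connection_lost, admin_disconnect) are hypothetical, and the two constructor flags switch between the behaviour before and after each fix.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    cookie: bytes
    connected: bool = True     # worker process still serving the client
    cookie_valid: bool = True  # cookie may still be presented for a reconnect


class SessionStore:
    """Hypothetical model of the main process's session list (not ocserv code)."""

    def __init__(self, max_same_clients, kill_cookie_on_disconnect, count_only_valid):
        self.max_same_clients = max_same_clients
        self.kill_cookie_on_disconnect = kill_cookie_on_disconnect  # True = after #59
        self.count_only_valid = count_only_valid                    # True = after #223
        self.sessions = []

    def _find(self, cookie):
        # Only a still-valid cookie can be matched to a session.
        return next((s for s in self.sessions
                     if s.cookie == cookie and s.cookie_valid), None)

    def check_multiple_users(self, user):
        """True if `user` may open one more session under max-same-clients."""
        n = sum(1 for s in self.sessions if s.user == user
                and (s.connected or not self.count_only_valid))
        return n < self.max_same_clients

    def login(self, user, cookie):
        if not self.check_multiple_users(user):
            return None
        s = Session(user, cookie)
        self.sessions.append(s)
        return s

    def connection_lost(self, cookie):
        """Network drop: the worker exits but the cookie stays valid for a reconnect."""
        self._find(cookie).connected = False

    def admin_disconnect(self, cookie):
        """occtl disconnect: the worker exits; after #59 the cookie dies with it."""
        s = self._find(cookie)
        s.connected = False
        s.cookie_valid = not self.kill_cookie_on_disconnect

    def reconnect(self, cookie):
        old = self._find(cookie)
        if old is None:  # unknown cookie, or one invalidated by occtl (#59)
            return None
        old.connected = old.cookie_valid = False  # take-over: the old entry goes stale
        # Before #223 the stale entry still counted and blocked this login.
        return self.login(old.user, cookie)
```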
This removes a trailing comma from the end of the listing, and
adds a missing one.
Resolves: #220
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>