Commit Graph

2690 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
1f940f04c5 Revert "autogen: store and use auto-generated autogen files in git builds"
This reverts commit d0908f2c52.
2016-11-16 22:24:23 +01:00
Nikos Mavrogiannopoulos
b5c39e2edf sample.config: include switch-to-tcp-timeout directive 2016-11-15 14:57:48 +01:00
Nikos Mavrogiannopoulos
fce7610aa5 released 0.11.6 ocserv_0_11_6 2016-11-14 19:17:16 +01:00
Nikos Mavrogiannopoulos
943e2fb597 bumped version 2016-11-14 19:16:50 +01:00
Nikos Mavrogiannopoulos
7606842d99 occtl.8: Added examples of usage 2016-11-14 14:15:50 +01:00
Nikos Mavrogiannopoulos
e7b1636de4 occtl.8: added more info on JSON output 2016-11-14 14:10:49 +01:00
Nikos Mavrogiannopoulos
7b0e84a36e doc update 2016-11-11 18:17:28 +01:00
Nikos Mavrogiannopoulos
c8ea2a9183 .gitlab-ci.yml: added centos6 build 2016-11-11 18:17:28 +01:00
Nikos Mavrogiannopoulos
b7b8c084d0 common.mk: corrected path of generated static libs 2016-11-11 18:17:28 +01:00
Nikos Mavrogiannopoulos
d0908f2c52 autogen: store and use auto-generated autogen files in git builds
That is, if autogen is not present in the build system use the
stored files.
2016-11-11 18:17:22 +01:00
Nikos Mavrogiannopoulos
813a3a2451 configure: require automake 1.11.1
This allows ocserv to compile on Centos 6.
2016-11-11 17:53:21 +01:00
Nikos Mavrogiannopoulos
2c6f73222d when compiled with gnutls 3.5.6 or later use its pre-generated DH parameters 2016-11-11 09:37:12 +01:00
Nikos Mavrogiannopoulos
76ddc60c24 doc update 2016-11-11 09:27:18 +01:00
Nikos Mavrogiannopoulos
41a896fbe1 doc update 2016-11-11 09:24:54 +01:00
Nikos Mavrogiannopoulos
bcb2ec6505 ocserv: pre-load the OCSP response file
That allows the worker processes to serve OCSP responses, even when they
have no access to the actual file.
2016-11-11 09:17:31 +01:00
Nikos Mavrogiannopoulos
e9ea737707 doc update 2016-11-04 10:07:34 +01:00
Andrew Patrikalakis
69261b6aa8 Automatically switch to TCP in case of no received UDP traffic
and enable by default
2016-11-01 19:53:33 -07:00
Nikos Mavrogiannopoulos
135ee6dd75 doc update 2016-10-20 16:28:49 +02:00
Nikos Mavrogiannopoulos
9ca37523c7 doc update 2016-10-20 16:23:17 +02:00
Nikos Mavrogiannopoulos
9462dfd8c3 html: enhanced HTML decoding with decoding of explicit unicode chars 2016-10-16 17:08:49 +02:00
Nikos Mavrogiannopoulos
34caca57b0 tests: added basic checks for HTML escaping/unescaping 2016-10-16 16:58:49 +02:00
Nikos Mavrogiannopoulos
32e9766fe8 tests: added basic checks for URL escaping/unescaping 2016-10-16 15:48:42 +02:00
Nikos Mavrogiannopoulos
d743cf7bdd html: fixed URL escaping 2016-10-16 15:48:17 +02:00
Nikos Mavrogiannopoulos
f0f25dde00 doc: point to README-radius.md for radius configuration attributes 2016-10-09 17:39:37 +02:00
Nikos Mavrogiannopoulos
7f1297959b doc: mention about NAS-Port in radius README file 2016-09-27 15:41:48 +02:00
Nikos Mavrogiannopoulos
e474a15598 radius: update the worker's pid on subsequent updates
That is, even if we initially advertise the PID of the worker
handling the client as NAS-Port, the client may eventually end up
being served by another process. In that case we make sure that
the radius server is notified on the next accounting message.
2016-09-27 09:06:18 +02:00
Nikos Mavrogiannopoulos
2c308e3a86 doc update 2016-09-25 15:46:54 +02:00
Nikos Mavrogiannopoulos
5fce6c8c86 Use the X-AnyConnect-Identifier-Platform header to identify mobile clients
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
2016-09-25 15:44:43 +02:00
Nikos Mavrogiannopoulos
d30c5616af .gitlab-ci.yml: restrict freebsd build on ocserv branches
This runner is not shared and cannot be taken advantage of outside
the ocserv group.
2016-09-24 13:20:22 +02:00
Nikos Mavrogiannopoulos
047b70e1bb bumped version ocserv_0_11_5 2016-09-23 09:38:40 +02:00
Nikos Mavrogiannopoulos
17122fe364 bumped version 2016-09-22 17:55:59 +02:00
Nikos Mavrogiannopoulos
8f8ff565af get_session_id: added explicit casts 2016-09-22 15:56:23 +02:00
Nikos Mavrogiannopoulos
c53b97367e config: more consistent printing of startup error and info messages 2016-09-22 15:52:22 +02:00
Nikos Mavrogiannopoulos
445b9070a6 untied the cisco-client-compat option from the DTLS-LEGACY protocol
Introduced instead the 'dtls-legacy' config option which can be used
to explicitly disable the legacy DTLS protocol.
2016-09-22 15:43:50 +02:00
Nikos Mavrogiannopoulos
bd87c7607e renamed match-tls-and-dtls-ciphers to match-tls-dtls-ciphers 2016-09-22 15:26:02 +02:00
Nikos Mavrogiannopoulos
22a01d2981 doc update 2016-09-22 15:21:57 +02:00
Nikos Mavrogiannopoulos
4c85fa97f0 Added configuration option 'dtls-psk'
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fall back
to the legacy protocol in that case.
2016-09-22 15:20:35 +02:00
Nikos Mavrogiannopoulos
33089ab74e Updated the new DTLS protocol negotiation
The server sends the X-DTLS-App-ID header in the new protocol;
the X-DTLS-Session-ID is only used in the legacy protocol. The
server expects the Application identifier to be placed in a TLS
extension.
2016-09-21 08:53:35 +02:00
Nikos Mavrogiannopoulos
a5a80f8236 seccomp: add getrandom syscall to filter only when it is available 2016-09-21 08:53:08 +02:00
Nikos Mavrogiannopoulos
ede5d97be8 worker: increased the wait time for the SEC_AUTH_REPLY message from sec-mod
That is, to allow for authentication methods which require the user input
prior to returning a reply.
2016-09-15 08:38:53 +02:00
Nikos Mavrogiannopoulos
0a4e06b354 Only send the X-DTLS-MTU in the legacy protocol
There the DTLS ciphersuite and DTLS version are negotiated and
we cannot accurately predict the actual tunnel size. In that
case the client must rely on the Base-MTU.
2016-09-14 13:12:05 +02:00
Nikos Mavrogiannopoulos
284af95d79 tests: link valid-hostname with gnulib
It is used by its included file.
2016-09-14 11:35:58 +02:00
Nikos Mavrogiannopoulos
c3c54cd958 ocspasswd: compile with LIBGNUTLS_CFLAGS 2016-09-14 11:29:08 +02:00
Nikos Mavrogiannopoulos
646449743c added defs.h containing definitions from vpn.h
These are the definitions used by common/ library and
a split from vpn.h to reduce the dependencies (in headers)
to common library.
2016-09-14 11:18:35 +02:00
Nikos Mavrogiannopoulos
cc74e66f75 doc update 2016-09-14 10:21:20 +02:00
Nikos Mavrogiannopoulos
cc1dbf1c24 seccomp: added getrandom() to the accepted list of calls 2016-09-14 10:20:44 +02:00
Nikos Mavrogiannopoulos
58b447c413 Use a macro for the DTLS-PSK protocol indicator
Also corrected its usage in worker-http
2016-09-13 14:09:59 +02:00
Nikos Mavrogiannopoulos
b0dcea76ca Modified the X-DTLS-CipherSuite parameter for PSK to PSK-NEGOTIATE
This was changed so that it is explicitly made incompatible with
existing openconnect patch. The new openconnect client patch for
PSK negotiation is incompatible with the protocol as implemented
in 0.11.4 and requires the option match-tls-and-dtls-ciphers for its
openssl variant.
2016-09-13 13:41:46 +02:00
Nikos Mavrogiannopoulos
2022ee4270 doc update 2016-09-13 13:35:14 +02:00
Nikos Mavrogiannopoulos
555d2cb03e Added the match-tls-and-dtls-ciphers config option
That, when enabled, will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option,
when disabled, will disable the pre-draft-DTLS negotiation.
2016-09-13 13:25:35 +02:00