The previously used HOSTNAME variable is being overriden by bash and
thus was not a reliable one. We switch to setting REMOTE_HOSTNAME,
but keep the HOSTNAME for compatibility.
This also changes 'test-pass-script' to check for the new variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This still prevents abuse, while allowing few more attempts than 5, which
are typically easily reached through software which remembers passwords.
At the same time increase the default ban time to 20 minutes.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fallback
to the legacy protocol in that case.
That when enable, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option
when disabled, it will disable the pre-draft-DTLS negotiation.
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size to equal to the current
data MTU.
That is, do not allow radius' groupconfig=true option to be combined
with config-per-user/group. This reduces frustration since these options
are incompatible.
This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.
