There are certain anyconnect clients which seem to fail connecting using
TLS1.3.
Resolves: #318
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That prevents clients that send an all-zero DTLS client hello from being
able to establish a connection.
That also introduces the OCSERV_ALLOW_BROKEN_CLIENTS environment variable
which when set to 1 it allows broken clients to connect. This is used
mainly to allow test cases to pass to existing vulnerable systems in our
CI.
Resolves: #277
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
We were previously asking rc_aaa() to include NAS-Port pair to
the request which has undesirable results.
Resolves: #269
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When IPv6 is requested by iphone we provide a special route that is
necessary by these clients to use IPv6.
Resolves: #254
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes a regression which prevented DTLS-PSK (or PSK-NEGOTIATE)
from being negotiated.
Resolves: #262
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
When a client re-uses a cookie and takes over a previous connection
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
at this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This removes a trailing comma from the end of the listing, and
adds a missing one.
Resolves: #220
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
When a user explicitly disconnects after the session is open,
cleanup its entry immediatelly. That ensures that a radius
server will be notified sooner, while anyconnect clients which
disconnect early (before session is open), remain unaffected.
Resolves: #210
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This ensures that libev will not be notified by already
terminated and handled scripts.
Resolves: #208
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This ensures that the main process receives the TLS channel information
early and does not depend on DTLS channel establishment. Furthermore,
we refactor to make setup_dtls_psk_keys() fail early when no TLS channel
is available.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This avoids a crash when no DTLS ciphersuite is selected and adds a
test case for negotiation without DTLS.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This enables support for AES-256 for anyconnect clients which
do not support AES-GCM. Also prioritized the 256-bit ciphers
higher than the 128-bit ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That addresses the issue of not being able to run under systemd,
or under non-forking mode. Added test case to detect proper
operation.
Resolves#154
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
