Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

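The race described above (a cookie that stays valid for a few seconds after an administrative disconnect, so a reconnect with it still succeeds) is easy to model. The following is an added example, not ocserv code: a toy session store with a fake clock, exposing the old grace-period check and the fixed immediate-revocation check side by side. The class names, the grace period and the cookie length are all assumptions made for the illustration.

```python
"""Constructed illustration: cookie revocation on administrative disconnect.

Added example, not code from the ocserv project. Models a session store
whose cookies previously remained valid for a short grace period after a
disconnect, and the fixed behaviour where a disconnected session's cookie
is refused immediately, so the user can safely be removed afterwards.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


class FakeClock:
    """Deterministic stand-in for time.monotonic() (hypothetical helper)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    user: str
    cookie: bytes
    expires_at: float                      # absolute clock value
    disconnected_at: Optional[float] = None


class SessionStore:
    def __init__(self, lifetime: float, grace: float, clock=time.monotonic) -> None:
        self.lifetime = lifetime
        self.grace = grace                 # seconds the old code kept a cookie usable after disconnect
        self.clock = clock
        self._by_cookie: Dict[bytes, Session] = {}

    def connect(self, user: str) -> bytes:
        """Create a session and hand back a fresh random cookie (assumed 32 bytes)."""
        cookie = secrets.token_bytes(32)
        self._by_cookie[cookie] = Session(user, cookie, self.clock() + self.lifetime)
        return cookie

    def disconnect(self, cookie: bytes) -> None:
        """Administrative disconnect (what occtl would trigger): record the time."""
        self._by_cookie[cookie].disconnected_at = self.clock()

    def reconnect_old(self, cookie: bytes) -> bool:
        """Old behaviour: after a disconnect the cookie is honoured until grace expires."""
        s = self._by_cookie.get(cookie)
        now = self.clock()
        if s is None or now >= s.expires_at:
            return False
        if s.disconnected_at is not None and now >= s.disconnected_at + self.grace:
            return False
        return True

    def reconnect_fixed(self, cookie: bytes) -> bool:
        """Fixed behaviour: a disconnected session's cookie is never honoured again."""
        s = self._by_cookie.get(cookie)
        return s is not None and s.disconnected_at is None and self.clock() < s.expires_at

    def remove_user(self, user: str) -> int:
        """Drop every session of a user; returns how many entries were removed.

        Safe only with the fixed check: with the old one, a still-valid cookie
        could resurrect a session that the database no longer knows about.
        """
        doomed = [c for c, s in self._by_cookie.items() if s.user == user]
        for c in doomed:
            del self._by_cookie[c]
        return len(doomed)


def demonstrate_window() -> dict:
    """Run the scenario once and return what each check decided."""
    clock = FakeClock()
    store = SessionStore(lifetime=3600, grace=5, clock=clock)
    cookie = store.connect("alice")
    store.disconnect(cookie)
    right_after = (store.reconnect_old(cookie), store.reconnect_fixed(cookie))
    clock.advance(6)
    after_grace = (store.reconnect_old(cookie), store.reconnect_fixed(cookie))
    return {"right_after": right_after, "after_grace": after_grace,
            "removed": store.remove_user("alice")}


if __name__ == "__main__":
    print(demonstrate_window())
```

The `right_after` tuple is the window the commit closes: the old check still accepts the cookie, the fixed check does not; once the session is revoked the user's entries can be removed from the store without any cookie being able to bring them back.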
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into its own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett <alanjo@microsoft.com>

Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>

That adds support for GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS which is
necessary for RSA-PSS private keys.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

That is, do not print expiration time in sessions that are in use
(they don't expire during that time), and print whether a session
is in use.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

That is, enhance the security module to accept and understand
more elaborate signing commands.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

That is, store:
* number of timed out sessions
* number of sessions timed out due to being idle
* number of errored sessions
* total number of sessions handled (closed)
* total number of kbytes sent
* total number of kbytes received
* minimum MTU seen
* maximum MTU seen
* total authentication failures
* average/max authentication time (in secs)
* average/max session time (in minutes)
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

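A running accumulator for the counters listed above, as an added example that is not ocserv's own implementation. It keeps the average/max figures incrementally (sum and count) rather than storing every session, which is how a long-running daemon would do it. Assumptions: an idle timeout is counted both as a timed-out session and in the idle counter, failed authentications still contribute to the authentication-time average, and the method and field names are invented for the illustration.

```python
"""Constructed illustration of the server statistics listed in the commit.

Added example, not code from the ocserv project. Tracks closed-session
counters, traffic totals, MTU extremes, authentication failures and the
average/max authentication and session times using running sums.
"""
from enum import Enum
from typing import Optional


class CloseReason(Enum):
    NORMAL = "normal"
    TIMEOUT = "timeout"            # session lifetime exceeded
    IDLE_TIMEOUT = "idle-timeout"  # no traffic for too long (assumed to also count as timed out)
    ERROR = "error"


class ServerStats:
    def __init__(self) -> None:
        self.sessions_closed = 0
        self.sessions_timed_out = 0
        self.sessions_timed_out_idle = 0
        self.sessions_errored = 0
        self.kbytes_sent = 0
        self.kbytes_received = 0
        self.min_mtu: Optional[int] = None
        self.max_mtu: Optional[int] = None
        self.auth_failures = 0
        self.max_auth_secs = 0.0
        self.max_session_min = 0.0
        self._auth_count = 0          # running sum/count for the averages
        self._auth_total_secs = 0.0
        self._session_total_min = 0.0

    def record_auth(self, ok: bool, secs: float) -> None:
        """Record one authentication attempt and how long it took."""
        if not ok:
            self.auth_failures += 1
        self._auth_count += 1
        self._auth_total_secs += secs
        self.max_auth_secs = max(self.max_auth_secs, secs)

    def record_session_close(self, reason: CloseReason, minutes: float,
                             kb_sent: int, kb_received: int, mtu: int) -> None:
        """Record a session that has just been closed, whatever the reason."""
        self.sessions_closed += 1
        if reason in (CloseReason.TIMEOUT, CloseReason.IDLE_TIMEOUT):
            self.sessions_timed_out += 1
        if reason is CloseReason.IDLE_TIMEOUT:
            self.sessions_timed_out_idle += 1
        if reason is CloseReason.ERROR:
            self.sessions_errored += 1
        self.kbytes_sent += kb_sent
        self.kbytes_received += kb_received
        self.min_mtu = mtu if self.min_mtu is None else min(self.min_mtu, mtu)
        self.max_mtu = mtu if self.max_mtu is None else max(self.max_mtu, mtu)
        self._session_total_min += minutes
        self.max_session_min = max(self.max_session_min, minutes)

    def avg_auth_secs(self) -> float:
        return self._auth_total_secs / self._auth_count if self._auth_count else 0.0

    def avg_session_min(self) -> float:
        return self._session_total_min / self.sessions_closed if self.sessions_closed else 0.0

    def snapshot(self) -> dict:
        """Flat view of the counters, in the shape a status tool would print."""
        return {
            "sessions_closed": self.sessions_closed,
            "sessions_timed_out": self.sessions_timed_out,
            "sessions_timed_out_idle": self.sessions_timed_out_idle,
            "sessions_errored": self.sessions_errored,
            "kbytes_sent": self.kbytes_sent,
            "kbytes_received": self.kbytes_received,
            "min_mtu": self.min_mtu,
            "max_mtu": self.max_mtu,
            "auth_failures": self.auth_failures,
            "avg_auth_secs": self.avg_auth_secs(),
            "max_auth_secs": self.max_auth_secs,
            "avg_session_min": self.avg_session_min(),
            "max_session_min": self.max_session_min,
        }


if __name__ == "__main__":
    # Constructed sample events, not real server data.
    s = ServerStats()
    s.record_auth(True, 0.5)
    s.record_auth(False, 2.0)
    s.record_session_close(CloseReason.NORMAL, 30, 100, 200, 1400)
    s.record_session_close(CloseReason.IDLE_TIMEOUT, 10, 5, 5, 1200)
    print(s.snapshot())
```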
Use instead a value derived from it, so that access to the debugging
log files, or to the RADIUS result, cannot be used to gain access to the server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.

That checks whether the first packet received in the new session is valid
and if true, accept the new fd. This avoids the mess with validity detection
based on timeouts.

This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.

This option is intended to allow restricting users to accessing
specific ports once they enter the VPN. The rules set using this
option will be enforced by the ocserv-fw script.

We now use a common structure in SESSION_REPLY and AUTH_REP
messages. That structure is generated by sec-mod and forwarded
by main to worker, thus eliminating the need to create passing
code for each new user-config variable being added.

That option allows specifying the IPv6 subnet prefix to be given
to the client. That is, it allows providing clients with networks larger
than /128. Set the option to 128 to simulate the previous behavior
of ocserv.

That allows passing TLS information early, but more importantly
passing information on the IP of the client (and our listen IP)
to main, which will be provided in turn to the up and down scripts,
as well as occtl.