This would allow future extensibility, by making clients which
don't support a section to skip it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
The complexity of its command line options didn't require
the use of libopts, and by eliminating that dependency for cmd
parsing, we can chose another parser for config file parsing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
It is not possible to derive PSK keys when only the TCP CSTP session
is available, without the TLS session.
Relates #22
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This allows to advertise the XML configuration file for the
client to download, in recent openconnect clients. In addition
made support for the client XML file unconditional (no longer
depending on the anyconnect client compatibility flag).
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fallback
to the legacy protocol in that case.
That when enable, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option
when disabled, it will disable the pre-draft-DTLS negotiation.
This option will set a script to be called once the user is
connected and provides a hostname to be used with his IP. That
script can be used to update a DNS server or so.
Relates #39
That is, do not allow radius' groupconfig=true option to be combined
with config-per-user/group. This reduces frustration since these options
are incompatible.
This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.
That is, to allow referencing to these values from proc_st
without fearing of them being invalidated on a config reload. We
perform a cleanup of these values on the server periodic check.
This option is intended to allow restricting users to accessing
specific ports once they enter the VPN. The rules set using this
option will be enforced by the ocserv-fw script.
That option allows to specify the IPv6 subnet prefix to be given
to client. That is, allow providing the clients networks larger
than /128. Set the option to 128 to simulate the previous behavior
of ocserv.
