It is not possible to derive PSK keys when only the TCP CSTP session
is available, without the TLS session.
Relates #22
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This provides a more accurate value than the one obtained using the
TCP MSS value. The latter is affected by many factors (such as tcp
options), to provide a reliable value.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Use instead a value derived from it, to avoid access to the debugging
log files, or radius result to access to the server.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, log it, and forward it to the worker process in order
to deliver it to the user.
Resolves#72
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
When a dictionary misses an element, we would previously bail
out and not send any following value pairs. With that change
we ensure that we send as many value-pairs as are available
in the dictionary.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
HTTP/1.x allows sending any arbitrary reason we would like
after the error code. We now do that.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This was providing virtually no information since more specific
errors are typically printed prior to it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That is if 0xFFFFFFFF or 0xFFFFFFFE are given ignore the value
and ensure they are allocated from our pool.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
After adding port-specific rules to FORWARD and creating SEC_FORWARD_CHAIN
with route-specific rules, send any remaining FORWARD traffic to
SEC_FORWARD_CHAIN.
ocserv-fw only creates SEC_FORWARD_CHAIN if ports are being blocked. This
leads to an error if restrict-user-to-routes is used without any port
blocking.
Since ocserv-fw is only called if restrict-user-to-routes or -ports is set,
remove the conditional check for creating the chain.
This allows the connect-script to run for more time than
the default socket timeout, and be limited by the configured
authentication timeout ("auth-timeout").
This allows to advertise the XML configuration file for the
client to download, in recent openconnect clients. In addition
made support for the client XML file unconditional (no longer
depending on the anyconnect client compatibility flag).
Allow $OPENCONNECT in the caller's environment to override the default
openconnect system installation.
Signed-off-by: Mike Miller <mtmiller@debian.org>
fix test-sighup-key-change for current OpenConnect
OpenConnect 7.08 removed the option `--no-cert-check`. Pass the actual id of the newly generated server key. Fall back to the key fingerprint on CentOS 6 with an older version of GnuTLS certtool.
Resolves#81
See merge request !22
