This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
When a dictionary misses an element, we would previously bail
out and not send any following value pairs. With that change
we ensure that we send as many value-pairs as are available
in the dictionary.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
HTTP/1.x allows sending any arbitrary reason we would like
after the error code. We now do that.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This was providing virtually no information since more specific
errors are typically printed prior to it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That is if 0xFFFFFFFF or 0xFFFFFFFE are given ignore the value
and ensure they are allocated from our pool.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
After adding port-specific rules to FORWARD and creating SEC_FORWARD_CHAIN
with route-specific rules, send any remaining FORWARD traffic to
SEC_FORWARD_CHAIN.
ocserv-fw only creates SEC_FORWARD_CHAIN if ports are being blocked. This
leads to an error if restrict-user-to-routes is used without any port
blocking.
Since ocserv-fw is only called if restrict-user-to-routes or -ports is set,
remove the conditional check for creating the chain.
This allows the connect-script to run for more time than
the default socket timeout, and be limited by the configured
authentication timeout ("auth-timeout").
This allows to advertise the XML configuration file for the
client to download, in recent openconnect clients. In addition
made support for the client XML file unconditional (no longer
depending on the anyconnect client compatibility flag).
Allow $OPENCONNECT in the caller's environment to override the default
openconnect system installation.
Signed-off-by: Mike Miller <mtmiller@debian.org>
fix test-sighup-key-change for current OpenConnect
OpenConnect 7.08 removed the option `--no-cert-check`. Pass the actual id of the newly generated server key. Fall back to the key fingerprint on CentOS 6 with an older version of GnuTLS certtool.
Resolves#81
See merge request !22
OpenConnect 7.08 removed the option `--no-cert-check`. Pass the actual
id of the newly generated server key. On systems with older versions of
GnuTLS, pass the server key fingerprint instead.
Resolves#81
Signed-off-by: Mike Miller <mtmiller@debian.org>
tests: make test-pass-script pass with new openconnect
The new versions (7.07+) do not automatically send a bogus hostname,
they require the --local-hostname parameter to be passed.
Resolves#80
See merge request !25
Some unit tests share the same ocserv config file. Ensure that the file
written and used by each test script has a unique name.
Resolves#83
Signed-off-by: Mike Miller <mtmiller@debian.org>
Autogen seems to output on the creates files gradually, something that
makes 'make' believe that the command is complete prior to the output
file being fully populated. The current approach uses stamp files to
ensure that no incomplete files are used for compilation.
