Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>

This permits the validation of OpenID Connect auth tokens. OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server), intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>

This option supports different listen addresses for TCP and UDP, such
as using haproxy for TCP but supporting DTLS at the same time (haproxy
does not support UDP at the moment).

This provides virtualized server configurations which take
effect after a client connects, when the client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

This allows advertising the XML configuration file for the
client to download, in recent openconnect clients. In addition,
support for the client XML file was made unconditional (no longer
depending on the anyconnect client compatibility flag).

That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.

When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fall back
to the legacy protocol in that case.

That is, when enabled, it will prevent any DTLS negotiation other than
DTLS-PSK, and will ensure that the cipher/MAC combination matches on
the TLS and DTLS connections. The cisco-client-compat config option,
when disabled, will disable the pre-draft DTLS negotiation.

This option will set a script to be called once the user is
connected and provides a hostname to be used with his IP. That
script can be used to update a DNS server or similar.
Relates #39

This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.

That is, to allow referencing these values from proc_st
without fear of them being invalidated on a config reload. We
perform a cleanup of these values on the server's periodic check.

This option is intended to allow restricting users to accessing
specific ports once they enter the VPN. The rules set using this
option will be enforced by the ocserv-fw script.

That option allows specifying the IPv6 subnet prefix to be given
to clients. That is, it allows providing the clients networks larger
than /128. Set the option to 128 to simulate the previous behavior
of ocserv.