Timo Förster
8f7a416aa4
Change documentation url for UsersFile. Fixes #163
...
Signed-off-by: Timo Förster <tfoerster@webfoersterei.de>
2018-08-07 10:35:31 +02:00
Nikos Mavrogiannopoulos
2c460034a3
ocserv.8: link to openconnect(8)
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-06-26 02:24:34 +02:00
Nikos Mavrogiannopoulos
20f7ea1355
README-radius.md: mention groupconfig=true relevance for Class attribute [ci skip]
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-05-13 08:37:54 +02:00
Nikos Mavrogiannopoulos
bbc7958490
doc: fail safe when ronn is not available
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-04-23 22:07:10 +02:00
Nikos Mavrogiannopoulos
d989b925c4
doc: corrected typo in manpage generation
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-04-23 21:57:16 +02:00
Nikos Mavrogiannopoulos
3a74ea81ea
doc: dist_man_MANS are defined unconditionally
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2018-04-23 11:16:56 +02:00
Nikos Mavrogiannopoulos
601ce35a89
doc: added missing file
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-04-22 10:54:58 +02:00
Nikos Mavrogiannopoulos
2ae4c2b2ed
sample.config: the example paths reflect real system paths
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-04-15 17:25:27 +02:00
Nikos Mavrogiannopoulos
8245843166
updated URI
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-03-10 08:05:07 +01:00
Nikos Mavrogiannopoulos
ecf9132495
doc update
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-03-06 20:42:33 +01:00
Nikos Mavrogiannopoulos
ba6921ed9a
Introduced the notion of virtual hosts
...
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-03-06 20:42:31 +01:00
Nikos Mavrogiannopoulos
b7a14f1c4a
doc update
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-02-19 20:18:38 +01:00
Nikos Mavrogiannopoulos
a157fc7068
doc: clarify auth and enable-auth
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2018-02-19 15:41:36 +01:00
Nikos Mavrogiannopoulos
760199a33c
doc: man-pages are modified to be generated using ronn
...
That eliminates the need for autogen and also combines
doc/sample.config and manpage contents. Now the doc/sample.config
is the primary config documentation location.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-01-23 21:07:18 +01:00
Nikos Mavrogiannopoulos
bdb5ae4516
sample.config: added session-timeout parameter
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-12-11 08:26:48 +01:00
Nikos Mavrogiannopoulos
6ac543e3a0
document that not all methods can be combined
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-05-31 09:34:23 +02:00
Nikos Mavrogiannopoulos
0d8ee5e6a9
config: increased the default max-ban-score to 8 wrong password attempts
...
This still prevents abuse, while allowing a few more attempts than 5, which
are typically easily reached through software which remembers passwords.
At the same time increase the default ban time to 20 minutes.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-04-23 19:09:39 +02:00
Nikos Mavrogiannopoulos
e8b19309f1
sample.config: added server-stats-reset-time
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-04-14 16:39:00 +03:00
Nikos Mavrogiannopoulos
b2e199577d
doc update
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-04-14 11:36:42 +03:00
Nikos Mavrogiannopoulos
18fa25fea2
doc update
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-28 08:08:49 +02:00
Nikos Mavrogiannopoulos
fa3dad2e37
doc: document limitations of listen-clear-file
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-25 19:55:46 +01:00
Nikos Mavrogiannopoulos
3033591343
doc update [ci skip]
2017-01-29 15:29:51 +01:00
Johannes Sjøkvist
ae2fd78580
Add support for oid 2.5.29.17 RFC822Name
...
This is needed to be able to retrieve email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-28 15:04:20 +01:00
Nikos Mavrogiannopoulos
3d940695d8
Added contribution guide and require DCO
...
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-01-10 16:52:18 +01:00
Nikos Mavrogiannopoulos
0b47b305de
improved documentation of user-profile option
2017-01-04 16:20:57 +01:00
Mike Miller
34fd11d3a8
Fix typos in man pages, config files, and comments
...
Signed-off-by: Mike Miller <mtmiller@debian.org>
2016-12-13 18:01:23 -08:00
Nikos Mavrogiannopoulos
1b7e00ed02
Use unique names for autogen files
...
This addresses an issue in parallel builds caused by autogen
using the same temporary files for both occtl and ocpasswd
files.
Resolves #76
2016-12-13 09:39:51 +01:00
Nikos Mavrogiannopoulos
b5c39e2edf
sample.config: include switch-to-tcp-timeout directive
2016-11-15 14:57:48 +01:00
Nikos Mavrogiannopoulos
135ee6dd75
doc update
2016-10-20 16:28:49 +02:00
Nikos Mavrogiannopoulos
f0f25dde00
doc: point to README-radius.md for radius configuration attributes
2016-10-09 17:39:37 +02:00
Nikos Mavrogiannopoulos
7f1297959b
doc: mention about NAS-Port in radius README file
2016-09-27 15:41:48 +02:00
Nikos Mavrogiannopoulos
5fce6c8c86
Use the X-AnyConnect-Identifier-Platform header to identify mobile clients
...
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
2016-09-25 15:44:43 +02:00
Nikos Mavrogiannopoulos
445b9070a6
untied the cisco-client-compat option from the DTLS-LEGACY protocol
...
Introduced instead the 'dtls-legacy' config option which can be used
to explicitly disable the legacy DTLS protocol.
2016-09-22 15:43:50 +02:00
Nikos Mavrogiannopoulos
bd87c7607e
renamed match-tls-and-dtls-ciphers to match-tls-dtls-ciphers
2016-09-22 15:26:02 +02:00
Nikos Mavrogiannopoulos
4c85fa97f0
Added configuration option 'dtls-psk'
...
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fall back
to the legacy protocol in that case.
2016-09-22 15:20:35 +02:00
Nikos Mavrogiannopoulos
555d2cb03e
Added the match-tls-and-dtls-ciphers config option
...
When enabled, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option,
when disabled, will disable the pre-draft-DTLS negotiation.
2016-09-13 13:25:35 +02:00
Nikos Mavrogiannopoulos
982348df88
Reworked MTU discovery
...
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size to be equal to the current
data MTU.
2016-08-04 07:57:37 +02:00
Nikos Mavrogiannopoulos
53a54b0e39
doc: documented about krb5-k5tls plugin
...
This plugin is required in Debian and Ubuntu based distributions
for kinit to be able to use KKDCP servers. Suggested by Jochen Hein.
2016-07-13 09:08:46 +02:00
Nikos Mavrogiannopoulos
7254f3b2e7
document how a certificate may hold multiple groups
2016-07-04 10:50:40 +02:00
Nikos Mavrogiannopoulos
0c093ad8f3
ocserv: allow overriding hostname on the per-user configuration
...
This allows for the administrator to set specific hostnames, or even
empty hostname for specific users.
2016-06-18 11:08:53 +02:00
Nikos Mavrogiannopoulos
f2bef25cdc
sample.config: use new paths
2016-06-17 11:54:07 +02:00
Nikos Mavrogiannopoulos
3eb5dd360e
doc update
2016-04-17 10:45:26 +02:00
Nikos Mavrogiannopoulos
ade786a0f1
radius: replace experimental Group-Name with Class attribute
...
The current format allows to handle multiple groups and is used
by several radius servers.
Suggested by Yick Xie.
2016-04-01 15:33:11 +02:00
Nikos Mavrogiannopoulos
0b4333d7ee
ocserv: warn when conflicting supplemental config options are specified
...
That is, do not allow radius' groupconfig=true option to be combined
with config-per-user/group. This reduces frustration since these options
are incompatible.
2016-04-01 15:32:27 +02:00
Nikos Mavrogiannopoulos
435c78fa3d
doc: eliminated references to HOSTNAME
...
It was never available in the up/down scripts.
2016-03-05 16:45:39 +01:00
Nikos Mavrogiannopoulos
63d3b98cad
use more consistent naming in internal messages
2016-03-05 14:00:50 +01:00
Nikos Mavrogiannopoulos
010257c6a2
Simplified cookie handling
...
This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.
2016-02-23 15:31:17 +01:00
Nikos Mavrogiannopoulos
aa6bd829d4
increased the default cookie rekey time to 3 days
2016-02-21 12:43:20 +01:00
Nikos Mavrogiannopoulos
b130bd9214
config: increased the default auth-timeout value to 4mins
...
This provides slow users more time to enter their username,
password.
2016-02-13 14:49:08 +01:00
Nikos Mavrogiannopoulos
89f02bad02
config: put kkdcp options into brackets
...
That is not necessary for the existing examples, but may be
in future ones, as they may contain characters that libopts doesn't
like.
2016-02-08 19:27:39 +01:00