This also removes the stop on first error directive
which was set but not used for very long time.
Resolves: #364
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This ignores any items following the first group class attribute.
Resolves: #332
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
There are certain anyconnect clients which seem to fail connecting using
TLS1.3.
Resolves: #318
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
This fixes the ban entries listing from printing all the items in
the database, to all the items that are actually banned from
connecting.
Resolves: #272
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
That prevents clients that send an all-zero DTLS client hello from being
able to establish a connection.
That also introduces the OCSERV_ALLOW_BROKEN_CLIENTS environment variable
which when set to 1 it allows broken clients to connect. This is used
mainly to allow test cases to pass to existing vulnerable systems in our
CI.
Resolves: #277
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
We were previously asking rc_aaa() to include NAS-Port pair to
the request which has undesirable results.
Resolves: #269
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When IPv6 is requested by iphone we provide a special route that is
necessary by these clients to use IPv6.
Resolves: #254
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This fixes a regression which prevented DTLS-PSK (or PSK-NEGOTIATE)
from being negotiated.
Resolves: #262
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Export more information to the script, including client device platform,
type and user agent.
Resolves: #256
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
When a client re-uses a cookie and takes over a previous connection
previously the disconnect script of the old connection wouldn't receive
the IP information. Ensure that all information is provided to scripts
at this case.
Resolves: #231
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
When max-same-clients is set to 1 and a user re-using a cookie
connects, check_multiple_users() would prevent the user from
reconnecting. This corrects the issue by taking into account
only valid sessions that have not yet been disconnected.
Resolves: #223
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This removes a trailing comma from the end of the listing, and
adds a missing one.
Resolves: #220
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
When a user explicitly disconnects after the session is open,
cleanup its entry immediatelly. That ensures that a radius
server will be notified sooner, while anyconnect clients which
disconnect early (before session is open), remain unaffected.
Resolves: #210
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This ensures that libev will not be notified by already
terminated and handled scripts.
Resolves: #208
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
