Commit Graph

244 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
f0f25dde00 doc: point to README-radius.md for radius configuration attributes 2016-10-09 17:39:37 +02:00
Nikos Mavrogiannopoulos
7f1297959b doc: mention about NAS-Port in radius README file 2016-09-27 15:41:48 +02:00
Nikos Mavrogiannopoulos
5fce6c8c86 Use the X-AnyConnect-Identifier-Platform header to identify mobile clients
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
2016-09-25 15:44:43 +02:00
Nikos Mavrogiannopoulos
445b9070a6 untied the cisco-client-compat option from the DTLS-LEGACY protocol
Introduced instead the 'dtls-legacy' config option which can be used
to explicitly disable the legacy DTLS protocol.
2016-09-22 15:43:50 +02:00
Nikos Mavrogiannopoulos
bd87c7607e renamed match-tls-and-dtls-ciphers to match-tls-dtls-ciphers 2016-09-22 15:26:02 +02:00
Nikos Mavrogiannopoulos
4c85fa97f0 Added configuration option 'dtls-psk'
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fall back
to the legacy protocol in that case.
2016-09-22 15:20:35 +02:00
Nikos Mavrogiannopoulos
555d2cb03e Added the match-tls-and-dtls-ciphers config option
When enabled, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option,
when disabled, will disable the pre-draft-DTLS negotiation.
2016-09-13 13:25:35 +02:00
Nikos Mavrogiannopoulos
982348df88 Reworked MTU discovery
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size to be equal to the current
data MTU.
2016-08-04 07:57:37 +02:00
Nikos Mavrogiannopoulos
53a54b0e39 doc: documented about krb5-k5tls plugin
This plugin is required in Debian and Ubuntu based distributions
for kinit to be able to use KKDCP servers. Suggested by Jochen Hein.
2016-07-13 09:08:46 +02:00
Nikos Mavrogiannopoulos
7254f3b2e7 document how a certificate may hold multiple groups 2016-07-04 10:50:40 +02:00
Nikos Mavrogiannopoulos
0c093ad8f3 ocserv: allow overriding hostname on the per-user configuration
This allows for the administrator to set specific hostnames, or even
empty hostname for specific users.
2016-06-18 11:08:53 +02:00
Nikos Mavrogiannopoulos
f2bef25cdc sample.config: use new paths 2016-06-17 11:54:07 +02:00
Nikos Mavrogiannopoulos
3eb5dd360e doc update 2016-04-17 10:45:26 +02:00
Nikos Mavrogiannopoulos
ade786a0f1 radius: replace experimental Group-Name with Class attribute
The current format allows to handle multiple groups and is used
by several radius servers.

Suggested by Yick Xie.
2016-04-01 15:33:11 +02:00
Nikos Mavrogiannopoulos
0b4333d7ee ocserv: warn when conflicting supplemental config options are specified
That is, do not allow radius' groupconfig=true option to be combined
with config-per-user/group. This reduces frustration since these options
are incompatible.
2016-04-01 15:32:27 +02:00
Nikos Mavrogiannopoulos
435c78fa3d doc: eliminated references to HOSTNAME
It was never available in the up/down scripts.
2016-03-05 16:45:39 +01:00
Nikos Mavrogiannopoulos
63d3b98cad use more consistent naming in internal messages 2016-03-05 14:00:50 +01:00
Nikos Mavrogiannopoulos
010257c6a2 Simplified cookie handling
This change set eliminates the need for cryptographically authenticated
cookies and relies on sec-module providing accurate information on
the SID provided by the client.
2016-02-23 15:31:17 +01:00
Nikos Mavrogiannopoulos
aa6bd829d4 increased the default cookie rekey time to 3 days 2016-02-21 12:43:20 +01:00
Nikos Mavrogiannopoulos
b130bd9214 config: increased the default auth-timeout value to 4mins
This provides slow users more time to enter their username,
password.
2016-02-13 14:49:08 +01:00
Nikos Mavrogiannopoulos
89f02bad02 config: put kkdcp options into brackets
That is not necessary for the existing examples, but may be
in future ones, as they may contain characters that libopts doesn't
like.
2016-02-08 19:27:39 +01:00
Nikos Mavrogiannopoulos
b6df22c8c3 Reload the certificates and private keys on SIGHUP
Until now this part of the configuration was static, but
there is the need to reload certificates and keys, e.g., on
renewal.
2016-01-26 12:51:05 +01:00
Nikos Mavrogiannopoulos
c61e5eb47b doc: document that ocserv-fw requiring options are available in Linux systems only 2016-01-25 11:16:06 +01:00
Nikos Mavrogiannopoulos
d0fc4ce92b doc: added more info on isolate-workers 2016-01-20 13:12:37 +01:00
Nikos Mavrogiannopoulos
c662641768 README.radius: added Connect-Info attribute 2016-01-17 23:13:04 +01:00
Nikos Mavrogiannopoulos
e4cedfb898 README-radius: added more text for Framed-Route format 2016-01-01 23:35:24 +02:00
Nikos Mavrogiannopoulos
3b0342c678 doc update 2015-12-08 14:35:30 +01:00
Nikos Mavrogiannopoulos
14d19b3e9a Enhanced configuration option 'restrict-user-to-ports'
This enhancement allows to negate the rules and allow the user connecting
to all ports except the specified.
2015-12-07 11:15:56 +01:00
Nikos Mavrogiannopoulos
d910c8952b doc: list 'route=default' as an example 2015-12-02 10:41:16 +01:00
Nikos Mavrogiannopoulos
eabfbe8473 Added configuration option 'restrict-user-to-ports'
This option is intended to allow restricting users to accessing
specific ports once they enter the VPN. The rules set using this
option will be enforced by the ocserv-fw script.
2015-12-02 10:38:12 +01:00
Nikos Mavrogiannopoulos
53376c96a2 doc: document the behavior of restrict-user-to-routes in case of defaultroute 2015-11-29 20:24:32 +01:00
Nikos Mavrogiannopoulos
f86fb99b50 doc update 2015-11-24 00:29:31 +01:00
Nikos Mavrogiannopoulos
c7fe48f372 scripts: export the routes,no-routes and dns servers 2015-11-23 10:53:43 +01:00
Nikos Mavrogiannopoulos
8d03519fb2 doc update 2015-11-17 11:02:26 +01:00
Nikos Mavrogiannopoulos
2473633b8d Added cookie key rotation 2015-11-17 08:33:38 +01:00
Nikos Mavrogiannopoulos
8cb807d27d design.md: document a possible optimization in IPC protocol 2015-11-13 12:46:36 +01:00
Nikos Mavrogiannopoulos
65004a55df Added configuration option tunnel-all-dns 2015-11-10 13:50:03 +01:00
Nikos Mavrogiannopoulos
5138a39116 Added a draft design document 2015-11-10 13:49:56 +01:00
Nikos Mavrogiannopoulos
0b8f4beb8b Added user-specific configuration options dpd, mobile-dpd, keepalive, max-same-clients 2015-11-10 13:49:13 +01:00
Nikos Mavrogiannopoulos
d72424b9c0 doc update 2015-10-30 14:40:49 +01:00
Nikos Mavrogiannopoulos
4ae1c3e2ff occtl and ocpasswd were moved into separate directories 2015-10-30 13:51:19 +01:00
Nikos Mavrogiannopoulos
5a10283125 Added the config option expose-iroutes
This allows the server to advertise routes offered by few clients
to all clients except the ones offering them.
2015-10-25 22:43:54 +01:00
Nikos Mavrogiannopoulos
40bd1550c1 ipv6: introduced ipv6-subnet-prefix config option
That option allows to specify the IPv6 subnet prefix to be given
to client. That is, allow providing the clients networks larger
than /128. Set the option to 128 to simulate the previous behavior
of ocserv.
2015-10-24 19:26:48 +02:00
Nikos Mavrogiannopoulos
e5d02eb228 plain auth: support OTP authentication using usersfile
That adds a dependency on liboath.
2015-09-25 15:03:38 +02:00
Nikos Mavrogiannopoulos
568d6fa767 mention the possibility of proxy arp 2015-09-24 09:52:18 +02:00
Nikos Mavrogiannopoulos
a135c90e54 README-radius: use /etc/radcli for paths 2015-09-23 00:07:16 +02:00
Nikos Mavrogiannopoulos
a8ea052bbf doc: converted README.radius to markdown and link it from README.md 2015-09-19 20:43:44 +02:00
Nikos Mavrogiannopoulos
0461787fcc doc update 2015-09-18 16:45:53 +02:00
Nikos Mavrogiannopoulos
1bfa6e7648 Reinstated the PAM accounting method
It can be used to check for a valid PAM account, even when
certificates or another authentication method is in use.
2015-09-18 16:45:32 +02:00
Nikos Mavrogiannopoulos
f2caadbe83 updated documentation for CRL reload 2015-09-14 17:59:58 +02:00