This checks the functionality of idle-timeout and
session-timeout as well as whether the cookies are
invalidated after the user is disconnected.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Each cookie is valid for its IP address and when reconnected it must
reach the same sec-mod that contains the corresponding session
information.
This reverts commit 4ec99609ca.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
We have been checking the return value of rc_avpair_add() in all cases,
except the PW_NAS_IP_ADDRESS/PW_NAS_IPV6_ADDRESS cases.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
When the proxy protocol is used ensure that authentication failure
will credit the right number of points to the actual client IP
address.
Resolves: #529
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Also measure whether ban points are credited to the right
address for failed attempts.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
* `TX` key is present twice in `occtl --json show users` output, the first
key turns out to be the Limit TX configured.
Signed-off-by: Florian Domain <f.domain@criteo.com>
This does the release of the tarballs, the git tagging and
the release of gitlab.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
iperf3 is consistently included in all distributions we
are testing at, in contrast with nuttcp.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
It is not necessary to specify the device config directive on
each virtual host configuration. Ensure that we don't require it
by mistake. This also introduces a traffic test when operating
with virtual hosts.
Resolves: #480
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The clavister oneconnect VPN client for android issues an
incorrect URL for the connection. Accept it.
Resolves: #485
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
These macros were part of the gnulib, and they are not available
by default on system. They become available pretty randomly as they
get installed by arbitrary software (e.g., gettext-devel on my system).
We now make them available unconditionally ensuring we can compile
ocserv on a freshly installed system.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This also moves any static analyzers checks early in the testing
phases ti catch basic errors faster.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work-around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
