Commit Graph

51 Commits

Author SHA1 Message Date
Alan Jowett
3436705a9c Allow setup of new DTLS session while processing on old session
Resolves: #359

Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
2020-10-19 10:36:03 -06:00
Alan Jowett
ce66485ee6 Uses fork/exec to limit memory footprint of ocserv-worker processes
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into its own executable with minimal dependencies.

Resolves: #285

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-05-25 08:33:16 +02:00
Nikos Mavrogiannopoulos
ba6921ed9a Introduced the notion of virtual hosts
This provides virtualized server configurations which take
effect after client connection when client hello is received.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-03-06 20:42:31 +01:00
Nikos Mavrogiannopoulos
83bea71e38 tests: added unit test for cstp_recv_nb()
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-24 20:07:47 +01:00
Nikos Mavrogiannopoulos
0792d7a135 cstp_recv_nb: improve operation when receiving from a UNIX socket
That is, ensure that all possible packet size combinations are
correctly received.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-03-24 19:07:51 +01:00
Nikos Mavrogiannopoulos
fdea01f4f5 Do not log the internal session ID nor re-use it in radius
Use instead a value derived from it, to avoid access to the debugging
log files, or to the radius result, giving access to the server.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-29 15:48:46 +01:00
Nikos Mavrogiannopoulos
bcb2ec6505 ocserv: pre-load the OCSP response file
That allows the worker processes to serve OCSP responses, even when they
have no access to the actual file.
2016-11-11 09:17:31 +01:00
Nikos Mavrogiannopoulos
b5f5f2a0c0 Enhanced the openconnect protocol DTLS negotiation
If the client's X-DTLS-CipherSuite contains the PSK keyword,
the server will reply with "X-DTLS-CipherSuite: PSK" and will enable
DTLS-PSK negotiation on the DTLS channel. The ciphersuite set
in the DTLS channel must match the one set in the TLS one. That
makes the protocol consistent in security properties (DTLS and TLS channel
will match cipher/mac combinations), and allows the protocol to use
any new DTLS versions, as well as new DTLS ciphersuites without
any code changes.

That change still requires the client to pretend it is resuming
by setting in the DTLS client hello the session ID provided by
X-DTLS-Session-ID.
2016-08-05 09:07:11 +02:00
Nikos Mavrogiannopoulos
b6df22c8c3 Reload the certificates and private keys on SIGHUP
Until now this part of the configuration was static, but
there is the need to reload certificates and keys, e.g., on
renewal.
2016-01-26 12:51:05 +01:00
Nikos Mavrogiannopoulos
f80f513e4a tlslib: abstracted the recv_packet functions 2016-01-19 14:33:03 +01:00
Nikos Mavrogiannopoulos
f5e5bde862 tls_recv -> cstp_recv 2016-01-19 14:02:21 +01:00
Nikos Mavrogiannopoulos
9b6c4f3a26 cleaned up the fatal error checking in TLS/DTLS sessions 2016-01-19 13:19:57 +01:00
Nikos Mavrogiannopoulos
1955394cfa When receiving from unix socket attempt to reconstruct the CSTP packets
That is because it may happen that the sender sends a complete packet
in multiple chunks. Resolves #22
2016-01-02 00:13:56 +02:00
Nikos Mavrogiannopoulos
090c51cf1f check the CRL periodically and reload it when modified 2015-09-14 17:55:59 +02:00
Nikos Mavrogiannopoulos
a9d562064a tlslib: define DTLS1_2 when needed 2015-03-31 13:37:43 +02:00
Nikos Mavrogiannopoulos
2ab42ed1f2 simplified FATAL_ERR_CMD() 2014-10-05 14:47:21 +02:00
Nikos Mavrogiannopoulos
0390f21db6 added recv_timeout() to replace force_read_timeout() in socket reading 2014-10-05 14:41:45 +02:00
Nikos Mavrogiannopoulos
4ea5a56ace Allow the CSTP layer to operate without TLS
That also introduces a unix domain socket under which connections to the
server can occur.
2014-09-23 16:08:29 +02:00
Nikos Mavrogiannopoulos
aaa06e3157 TLS sessions expire at the cookie timeout. 2014-05-27 16:01:14 +02:00
Nikos Mavrogiannopoulos
0586e4c5fa Simplified the TLS hash table initialization. 2014-05-27 15:00:13 +02:00
Nikos Mavrogiannopoulos
969e684960 Use talloc() for all allocations to reduce the possibility of memory leaks. 2014-05-09 16:13:11 +02:00
Nikos Mavrogiannopoulos
89ddd81c0e Use exit_worker() or gnutls fatal errors instead of plain exit().
That solves an issue with stats not being reported to the main process.
2014-05-04 14:16:47 +02:00
Nikos Mavrogiannopoulos
3f8661a98a renamed function names for clarity. 2014-04-16 11:49:13 +02:00
Nikos Mavrogiannopoulos
ee12a7509d renamed function for consistency 2014-04-06 10:02:16 +02:00
Nikos Mavrogiannopoulos
bd9aaa1228 Revert "Try to read more than a single packet from the TUN device."
This reverts commit 019126abfd.
2014-04-06 09:08:44 +02:00
Nikos Mavrogiannopoulos
019126abfd Try to read more than a single packet from the TUN device. 2014-04-03 13:54:56 +02:00
Nikos Mavrogiannopoulos
d00319faf4 Updates in CRL handling.
Ensure reload on SIGHUP, and do print an appropriate error
when an empty CRL file is encountered.
2014-04-02 12:55:43 +02:00
Nikos Mavrogiannopoulos
4f9e06d16d Do not block in TLS and DTLS reads
This prevents an issue where a client disconnects but the server
is blocked on a DTLS read without being able to detect the
disconnection.
2014-03-09 21:40:07 +01:00
Nikos Mavrogiannopoulos
3d0a69e5f6 Indicate properly the status of TLS authentication when a client has reconnected. 2014-01-12 10:16:10 +01:00
Nikos Mavrogiannopoulos
cdba1ae374 Try to release as much memory as possible to be able to detect real memory leaks. 2014-01-09 17:27:49 +01:00
Nikos Mavrogiannopoulos
85f4db201c updated license information and authors 2013-11-05 19:38:30 +01:00
Nikos Mavrogiannopoulos
009e76cac3 Do not wait for socket to be ready when sending DTLS data. 2013-10-04 09:40:46 +02:00
Nikos Mavrogiannopoulos
e9be6eff7d corrected values returned in X-CSTP-MTU and X-DTLS-MTU 2013-06-10 19:39:19 +02:00
Nikos Mavrogiannopoulos
376fea950f removed session ticket support 2013-03-24 18:53:30 +01:00
Nikos Mavrogiannopoulos
5a4ce846b7 The TLS private keys are kept in a privileged process.
That process is called security-module (sec-mod) and communicates
with the workers using a unix domain socket.
2013-03-15 17:47:38 +01:00
Nikos Mavrogiannopoulos
1eeb33d5d7 enable session tickets. 2013-03-11 19:49:33 +01:00
Nikos Mavrogiannopoulos
a0f1867c58 Allow setting DH parameters. 2013-03-07 09:19:25 +01:00
Nikos Mavrogiannopoulos
41e8d020b5 Several updates to handle URLs requested by the cisco client. 2013-03-01 19:52:10 +01:00
Nikos Mavrogiannopoulos
214bec96f0 Load PINs early. 2013-02-19 07:35:11 +01:00
Nikos Mavrogiannopoulos
334338c73b Enable maintenance when maximum TLS sessions have been reached. Set more sane defaults for max sessions. 2013-02-14 08:11:16 +01:00
Nikos Mavrogiannopoulos
121b2491aa HUP signal reloads configuration 2013-02-12 18:57:05 +01:00
Nikos Mavrogiannopoulos
288766f628 use gnutls cork() and uncork() when available 2013-02-08 18:20:19 +01:00
Nikos Mavrogiannopoulos
bacf821953 cleaned up TLS code which was moved to tlslib 2013-02-08 18:20:17 +01:00
Nikos Mavrogiannopoulos
4370f88001 dropped dependency on gdbm. Cookies are stored in a hash. 2013-02-07 00:57:17 +01:00
Nikos Mavrogiannopoulos
10d9b144be Use CCAN hashes and lists. 2013-02-06 09:20:08 +01:00
Nikos Mavrogiannopoulos
1e0bcc269d reorganized headers 2013-02-05 22:11:38 +01:00
Nikos Mavrogiannopoulos
2e43570fde deinitialize the TLS cache prior to fork 2013-02-05 09:03:58 +01:00
Nikos Mavrogiannopoulos
ceca403691 Added automatic TLS session expiration. 2013-02-04 19:16:04 +01:00
Nikos Mavrogiannopoulos
1fb76ce890 Added session resumption to TLS server. 2013-02-03 21:23:29 +01:00
Nikos Mavrogiannopoulos
04f9a4ae9e tls_print -> tls_puts to distinguish from printf 2013-01-13 13:32:48 +01:00