mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
26 lines
1.2 KiB
Plaintext
* Add a simple username/password back-end in addition to PAM.

* Fix SIGHUP handling on the main server.

* Keep the TLS key and certificates in the privileged process and use IPC
for operations (this will make the privileged process a bottleneck).

* Add path MTU discovery.

* Think about how the DTLS part can negotiate algorithms and DTLS versions
better than the current openssl string approach (using PSK ciphersuites
seems like a solution, but then we could not use the session ID to forward
the UDP connection to the proper worker).

* Certificate authentication in the main process. Possibly that is just
wishful thinking. To verify the signature in the TLS client's CertificateVerify
message one needs, in addition to the signature itself, the contents of all
the handshake messages and knowledge of the negotiated TLS version, as well as
being able to select the server hello random. That could be done sanely only
if gnutls provided facilities to set the server hello random and to override
the client signature verification. Even in that case the handshake data would
need to be transferred to the main thread.

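The dependency the item above describes, as an added example in Go (not ocserv code, which is C on GnuTLS): a worker hands the privileged process a constructed TLS 1.2 style CertificateVerify signature together with the transcript it covers, and verification fails whenever the reported transcript (for instance the server hello random) differs from what the client actually signed. The type and function names (HandshakeEvidence, privilegedVerify, newClientKey) and the sample handshake messages are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HandshakeEvidence is what a worker must send over IPC: the signature plus the transcript it covers.
type HandshakeEvidence struct {
	Version    string   // negotiated TLS version (constructed label)
	Transcript [][]byte // every handshake message up to CertificateVerify
	Signature  []byte   // the client's CertificateVerify signature
}

// newClientKey stands in for the key behind a client certificate.
func newClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// transcriptHash follows TLS 1.2: the signature covers Hash(handshake_messages).
func transcriptHash(msgs [][]byte) []byte {
	sum := sha256.Sum256(bytes.Join(msgs, nil))
	return sum[:]
}

// clientSign models the client producing CertificateVerify (RSA PKCS#1 v1.5, SHA-256).
func clientSign(key *rsa.PrivateKey, msgs [][]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, transcriptHash(msgs))
}

// privilegedVerify is the check the main process can run once it holds the evidence
// and the client's public key; a misreported ServerHello random fails verification.
func privilegedVerify(pub *rsa.PublicKey, ev HandshakeEvidence) bool {
	if ev.Version != "TLS1.2" {
		return false // other versions sign a different construction
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, transcriptHash(ev.Transcript), ev.Signature) == nil
}

func main() {
	key, _ := newClientKey()
	msgs := [][]byte{[]byte("ClientHello"), []byte("ServerHello random=A"), []byte("Certificate")}
	sig, _ := clientSign(key, msgs)
	ev := HandshakeEvidence{Version: "TLS1.2", Transcript: msgs, Signature: sig}
	fmt.Println("faithful transcript:", privilegedVerify(&key.PublicKey, ev))
	ev.Transcript[1] = []byte("ServerHello random=B") // worker reported a different random
	fmt.Println("altered server random:", privilegedVerify(&key.PublicKey, ev))
}
```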
* Try adding salsa20-12 and UMAC as encryption algorithms for DTLS to reduce
CPU load.