mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 00:37:00 +08:00
26 lines
1.2 KiB
Plaintext
26 lines
1.2 KiB
Plaintext
* IPv6 support is probably broken or non-optimal. See how it can be
|
|
improved.
|
|
|
|
* Think how the DTLS part can use better negotiation of algorithms and DTLS
|
|
versions than the current openssl string approach (using PSK ciphersuites
|
|
seem to be like a solution, but then we could not use the session ID to
|
|
forward the UDP connection to the proper worker).
|
|
|
|
* Certificate authentication to the main process. Possibly that is just
|
|
wishful thinking. To verify the TLS client certificate verify signature
|
|
packet one needs instead of the signature, the contents of all the handshake
|
|
messages, and knowledge of the negotiated TLS version, in addition to being
|
|
able to select the server hello random. That could be done sanely only if
|
|
gnutls provided facilities to set the server hello random, and override the
|
|
client signature verification at an early stage before data are hashed
|
|
(to verify that the set random value was present in the handshake).
|
|
|
|
* When a TUN device is in use and cannot be assigned mark it as such and
|
|
continue.
|
|
|
|
* When a user (IP) gets into the BAN list multiple times, disable it for
|
|
longer time.
|
|
|
|
* Change into hashtables the lists that are used during a client
|
|
connection.
|