mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
36 lines
1.5 KiB
Plaintext
36 lines
1.5 KiB
Plaintext
Short term items:
|
|
|
|
* Add user-profile to the group configured options.
|
|
|
|
* Think for ways for ocserv to co-exist on the same system with
|
|
an HTTPS server (while sharing the same port). A possible way is
|
|
through sniproxy -for low-traffic sites.
|
|
|
|
* When a user (IP) gets into the BAN list multiple times, disable it for
|
|
longer time (or should we drop this functionality altogether and rely
|
|
on PAM handling that?)
|
|
|
|
* Change into hashtables the lists that are used during a client
|
|
connection.
|
|
|
|
* Give each worker a limited number of accesses to the security module.
|
|
|
|
Long term items:
|
|
|
|
* Think how the DTLS part can use better negotiation of algorithms and DTLS
|
|
is negotiated properly. Using PSK ciphersuites seem to be like a solution,
|
|
but that would require a new protocol to be implemented in openconnect
|
|
client and ocserv.
|
|
|
|
* Certificate authentication to the security module. Possibly that is just
|
|
wishful thinking. To verify the TLS client certificate verify signature
|
|
one needs in addition to the signature, the contents of all the handshake
|
|
messages, and knowledge of the negotiated TLS version, as well as being
|
|
able to select the server hello random. That could be done sanely only if
|
|
gnutls provided facilities to set the server hello random, and override the
|
|
client signature verification at an early stage before data are hashed
|
|
(to verify that the set random value was present in the handshake).
|
|
However, the complexity required to implement that may in fact reduce
|
|
security rather than increase it.
|
|
|