diff --git a/ocserv-1.1.6.tar.xz b/ocserv-1.1.6.tar.xz deleted file mode 100644 index f886200..0000000 --- a/ocserv-1.1.6.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6a6cbe92212e32280426a51c634adc3d4803579dd049cfdb7e014714cc82c693 -size 839744 diff --git a/ocserv-1.1.6.tar.xz.sig b/ocserv-1.1.6.tar.xz.sig deleted file mode 100644 index c06d1ef..0000000 Binary files a/ocserv-1.1.6.tar.xz.sig and /dev/null differ diff --git a/ocserv-1.2.1.tar.xz b/ocserv-1.2.1.tar.xz new file mode 100644 index 0000000..97f63ce --- /dev/null +++ b/ocserv-1.2.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:de54473ba68d42a8469e434f541ae6b3cf3d98f0936ad0eadfa2c2484810d994 +size 749592 diff --git a/ocserv-1.2.1.tar.xz.sig b/ocserv-1.2.1.tar.xz.sig new file mode 100644 index 0000000..8cac5a3 Binary files /dev/null and b/ocserv-1.2.1.tar.xz.sig differ diff --git a/ocserv.changes b/ocserv.changes index acaadbe..e891146 100644 --- a/ocserv.changes +++ b/ocserv.changes @@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Tue Aug 29 12:37:56 UTC 2023 - Martin Hauke + +- Update to version 1.2.1 + * Accept the Clavister OneConnect VPN Android client. + * No longer require to set device name per vhost. + * Account the correct number of points when proxyproto is in use + * nuttcp tests were replaced with iperf3 that is available + in more environments + * occtl: fix duplicate key in `occtl --json show users` output +- Update to version 1.2.0 + * Add support for Cisco Enterprise phones to authenticate via + the /svc endpoint and the 'cisco-svc-client-compat' config + option. + * Enhanced radius group support to enable radius servers send + multiple group class attributes + See doc/README-radius.md for more information. + * Enhanced the seccomp filters to open files related to FIPS + compliance on SuSe. + * Added "Camouflage" functionality that makes ocserv look like a + web server to unauthorized parties. + * Avoid login failure when the end point of server URI + contains a query string. + * Make sure we print proper JSON with `occtl --debug --json` + * Eliminated the need for using the gnulib portability library. +- Update to version 1.1.7 + * Emit a LOG_ERR error message with plain authentication fails + * The bundled inih was updated to r56. + * The bundled protobuf-c was updated to 1.4.1. + * Enhanced the seccomp filters for ARMv7 compatibility and musl + libc + * HTTP headers always capitalised as in RFC 9110 + ------------------------------------------------------------------- Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner diff --git a/ocserv.config.patch b/ocserv.config.patch index 838b239..ec6c8e8 100644 --- a/ocserv.config.patch +++ b/ocserv.config.patch @@ -1,5 +1,5 @@ diff --git a/doc/sample.config b/doc/sample.config -index 0e33484f..60ab3e93 100644 +index 4c8c8c6..7a4697f 100644 --- a/doc/sample.config +++ b/doc/sample.config @@ -48,7 +48,7 @@ @@ -22,18 +22,19 @@ index 0e33484f..60ab3e93 100644 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this -@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket +@@ -126,9 +126,8 @@ socket-file = /var/run/ocserv-socket #server-cert = /etc/ocserv/server-cert.pem #server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem +- +server-cert = /etc/ocserv/certificates/server-cert.pem +server-key = /etc/ocserv/certificates/server-key.pem - # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 # versions of GnuTLS for supporting DHE ciphersuites. -@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem + # Can be generated using: +@@ -154,7 +153,7 @@ server-key = ../tests/certs/server-key.pem # client certificates (public keys) if certificate authentication # is set. #ca-cert = /etc/ocserv/ca.pem @@ -42,16 +43,7 @@ index 0e33484f..60ab3e93 100644 # The number of sub-processes to use for the security module (authentication) # processes. Typically this should not be set as the number of processes -@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem - # the isolation was tested at. If you get random failures on worker processes, try - # disabling that option and report the failures you, along with system and debugging - # information at: https://gitlab.com/ocserv/ocserv/issues --isolate-workers = true -+isolate-workers = false - - # A banner to be displayed on clients after connection - #banner = "Welcome" -@@ -249,7 +249,7 @@ mobile-dpd = 1800 +@@ -249,7 +248,7 @@ mobile-dpd = 1800 switch-to-tcp-timeout = 25 # MTU discovery (DPD must be enabled) @@ -60,77 +52,3 @@ index 0e33484f..60ab3e93 100644 # To enable load-balancer connection draining, set server-drain-ms to a value # higher than your load-balancer health probe interval. -@@ -415,8 +415,8 @@ rekey-method = ssl - # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes - # output from the tun device, and the duration of the session in seconds. - --#connect-script = /usr/bin/myscript --#disconnect-script = /usr/bin/myscript -+#connect-script = /usr/bin/ocserv-script -+#disconnect-script = /usr/bin/ocserv-script - - # This script is to be called when the client's advertised hostname becomes - # available. It will contain REASON with "host-update" value and the -@@ -506,7 +506,8 @@ ipv4-netmask = 255.255.255.0 - # The advertised DNS server. Use multiple lines for - # multiple servers. - # dns = fc00::4be0 --dns = 192.168.1.2 -+dns = 8.8.8.8 -+dns = 8.8.4.4 - - # The NBNS server (if any) - #nbns = 192.168.1.3 -@@ -545,8 +546,8 @@ ping-leases = false - # comment out all routes from the server, or use the special keyword - # 'default'. - --route = 10.10.10.0/255.255.255.0 --route = 192.168.0.0/255.255.0.0 -+#route = 10.10.10.0/255.255.255.0 -+#route = 192.168.0.0/255.255.0.0 - #route = fef4:db8:1000:1001::/64 - #route = default - -@@ -719,18 +720,18 @@ client-bypass-protocol = false - # An example virtual host with different authentication methods serviced - # by this server. - --[vhost:www.example.com] --auth = "certificate" -+#[vhost:www.example.com] -+#auth = "certificate" - --ca-cert = ../tests/certs/ca.pem -+#ca-cert = ../tests/certs/ca.pem - - # The certificate set here must include a 'dns_name' corresponding to - # the virtual host name. - --server-cert = ../tests/certs/server-cert-secp521r1.pem --server-key = ../tests/certs/server-key-secp521r1.pem -+#server-cert = ../tests/certs/server-cert-secp521r1.pem -+#server-key = ../tests/certs/server-key-secp521r1.pem - --ipv4-network = 192.168.2.0 --ipv4-netmask = 255.255.255.0 -+#ipv4-network = 192.168.2.0 -+#ipv4-netmask = 255.255.255.0 - --cert-user-oid = 0.9.2342.19200300.100.1.1 -+#cert-user-oid = 0.9.2342.19200300.100.1.1 -diff --git a/doc/systemd/socket-activated/ocserv.socket b/doc/systemd/socket-activated/ocserv.socket -index 9444f190..a0ac362a 100644 ---- a/doc/systemd/socket-activated/ocserv.socket -+++ b/doc/systemd/socket-activated/ocserv.socket -@@ -2,8 +2,8 @@ - Description=OpenConnect SSL VPN server Socket - - [Socket] --ListenStream=443 --ListenDatagram=443 -+ListenStream=9000 -+ListenDatagram=9001 - BindIPv6Only=default - Accept=false - ReusePort=true diff --git a/ocserv.spec b/ocserv.spec index bb43c66..73da629 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -17,7 +17,7 @@ Name: ocserv -Version: 1.1.6 +Version: 1.2.1 Release: 0 Summary: OpenConnect VPN Server License: GPL-2.0-only @@ -149,7 +149,7 @@ sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' % %files %defattr(-,root,root) %doc AUTHORS NEWS README.md -%license COPYING LICENSE +%license COPYING %config %{_sysconfdir}/ocserv %if 0%{suse_version} >= 1500 %dir %{_prefix}/lib/firewalld