From 74a3d776b371b5be7e762aa7b691f0a3a4854da975e539ff2fdc4a75141863ba Mon Sep 17 00:00:00 2001
From: Marguerite Su
Date: Sun, 13 May 2018 01:22:59 +0000
Subject: [PATCH] Accepting request 606481 from home:stawidy:branches:network:vpn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update to version 0.12.0
  * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
  * Increased possibilities of allowed combinations of authentication methods.
  * Corrected regression since 0.11.8 with OTP authentication.
  * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
  * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
  * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
  * Corrected crash on certain cases when proxy protocol is in use.
- Update ocserv.config.patch due to upstream changes

OBS-URL: https://build.opensuse.org/request/show/606481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=18
---
 ocserv-0.11.10.tar.xz | 3 --
 ocserv-0.12.0.tar.xz | 3 ++
 ocserv.changes | 13 ++++++++
 ocserv.config.patch | 70 ++++++++++++++++++++++++++++++-------------
 ocserv.spec | 6 ++--
 5 files changed, 68 insertions(+), 27 deletions(-)
 delete mode 100644 ocserv-0.11.10.tar.xz
 create mode 100644 ocserv-0.12.0.tar.xz

diff --git a/ocserv-0.11.10.tar.xz b/ocserv-0.11.10.tar.xz
deleted file mode 100644
index cb949f9..0000000
--- a/ocserv-0.11.10.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:52c821dcd234a8f0d61f440ce3c80d0b23051d7fbd74c6d47dc2b884ae25966a
-size 784420
diff --git a/ocserv-0.12.0.tar.xz b/ocserv-0.12.0.tar.xz
new file mode 100644
index 0000000..e72574e
--- /dev/null
+++ b/ocserv-0.12.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fdbb7241013341975640bb9851b14ed16c786029466e81b79cdfbce21f7dc89f
+size 679420
diff --git a/ocserv.changes b/ocserv.changes
index 483621c..eceecf3 100644
--- a/ocserv.changes
+++ b/ocserv.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri May 11 08:08:54 UTC 2018 - duyizhaozj321@yahoo.com
+
+- Update to version 0.12.0
+  * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
+  * Increased possibilities of allowed combinations of authentication methods.
+  * Corrected regression since 0.11.8 with OTP authentication.
+  * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
+  * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
+  * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
+  * Corrected crash on certain cases when proxy protocol is in use.
+- Update ocserv.config.patch due to upstream changes
+
 -------------------------------------------------------------------
 Tue Feb 27 02:50:33 UTC 2018 - i@marguerite.su
diff --git a/ocserv.config.patch b/ocserv.config.patch
index 11526f8..bd8b552 100644
--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@@ -1,8 +1,8 @@
-Index: ocserv-0.11.10/doc/sample.config
+Index: ocserv-0.12.0/doc/sample.config
 ===================================================================
---- ocserv-0.11.10.orig/doc/sample.config
-+++ ocserv-0.11.10/doc/sample.config
-@@ -47,7 +47,7 @@
+--- ocserv-0.12.0.orig/doc/sample.config
++++ ocserv-0.12.0/doc/sample.config
+@@ -48,7 +48,7 @@
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
  #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
@@ -11,7 +11,7 @@ Index: ocserv-0.11.10/doc/sample.config
  #auth = "certificate"
  #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
-@@ -80,8 +80,8 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
  #listen-host-is-dyndns = true
  # TCP and UDP port number
@@ -22,27 +22,27 @@ Index: ocserv-0.11.10/doc/sample.config
  # Accept connections using a socket file. It accepts HTTP
  # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -124,8 +124,8 @@ socket-file = /var/run/ocserv-socket
- #
- # There may be multiple server-cert and server-key directives,
- # but each key should correspond to the preceding certificate.
+@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
+ 
+ #server-cert = /etc/ocserv/server-cert.pem
+ #server-key = /etc/ocserv/server-key.pem
 -server-cert = ../tests/certs/server-cert.pem
 -server-key = ../tests/certs/server-key.pem
 +server-cert = /etc/ocserv/certificates/server-cert.pem
 +server-key = /etc/ocserv/certificates/server-key.pem
- # Diffie-Hellman parameters. Only needed if you require support
- # for the DHE ciphersuites (by default this server supports ECDHE).
-@@ -151,7 +151,7 @@ server-key = ../tests/certs/server-key.p
- # The Certificate Authority that will be used to verify
+ # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
+ # versions of GnuTLS for supporting DHE ciphersuites.
+@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
  # client certificates (public keys) if certificate authentication
  # is set.
+ #ca-cert = /etc/ocserv/ca.pem
 -ca-cert = ../tests/certs/ca.pem
 +ca-cert = /etc/ocserv/certificates/ca-cert.pem
  ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -171,7 +171,7 @@ ca-cert = ../tests/certs/ca.pem
+@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
  # the isolation was tested at. If you get random failures on worker processes, try
  # disabling that option and report the failures you, along with system and debugging
  # information at: https://gitlab.com/ocserv/ocserv/issues
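Review bot: The new inner hunk `+@@ -132,8 +132,8 @@` leaves upstream's commented defaults `#server-cert = /etc/ocserv/server-cert.pem` and `#server-key = /etc/ocserv/server-key.pem` directly above the packaged values `server-cert = /etc/ocserv/certificates/server-cert.pem` and `server-key = /etc/ocserv/certificates/server-key.pem`, and the `+@@ -160,7 +160,7 @@` hunk does the same with `#ca-cert = /etc/ocserv/ca.pem` above `ca-cert = /etc/ocserv/certificates/ca-cert.pem`. Two path conventions for the same key material side by side invite an administrator to install certificates where the shipped configuration does not read them, which presumably shows up only as a failed service start. Since the patch already edits these lines, add one full-line comment in the patch above `server-cert`, e.g. `# Packaged default: certificates and keys are read from /etc/ocserv/certificates/`, so the divergence from the upstream paths is explicit in the installed file. Whether the spec creates and permissions `/etc/ocserv/certificates` is not visible in this diff.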
@@ -51,7 +51,7 @@ Index: ocserv-0.11.10/doc/sample.config
  # A banner to be displayed on clients
  #banner = "Welcome"
-@@ -234,7 +234,7 @@ mobile-dpd = 1800
+@@ -243,7 +243,7 @@ mobile-dpd = 1800
  switch-to-tcp-timeout = 25
  # MTU discovery (DPD must be enabled)
@@ -60,7 +60,7 @@ Index: ocserv-0.11.10/doc/sample.config
  # If you have a certificate from a CA that provides an OCSP
  # service you may provide a fresh OCSP status response within
-@@ -398,8 +398,8 @@ rekey-method = ssl
+@@ -407,8 +407,8 @@ rekey-method = ssl
  # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
  # output from the tun device, and the duration of the session in seconds.
@@ -71,7 +71,7 @@ Index: ocserv-0.11.10/doc/sample.config
  # UTMP
  # Register the connected clients to utmp. This will allow viewing
-@@ -469,7 +469,8 @@ ipv4-netmask = 255.255.255.0
+@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
  # The advertized DNS server. Use multiple lines for
  # multiple servers.
  # dns = fc00::4be0
@@ -81,7 +81,7 @@ Index: ocserv-0.11.10/doc/sample.config
  # The NBNS server (if any)
  #nbns = 192.168.1.3
-@@ -508,8 +509,8 @@ ping-leases = false
+@@ -517,8 +518,8 @@ ping-leases = false
  # comment out all routes from the server, or use the special keyword
  # 'default'.
@@ -92,10 +92,38 @@ Index: ocserv-0.11.10/doc/sample.config
  #route = fef4:db8:1000:1001::/64
  #route = default
-Index: ocserv-0.11.10/doc/systemd/socket-activated/ocserv.socket
+@@ -682,18 +683,18 @@ dtls-legacy = true
+ # An example virtual host with different authentication methods serviced
+ # by this server.
+ 
+-[vhost:www.example.com]
+-auth = "certificate"
++#[vhost:www.example.com]
++#auth = "certificate"
+ 
+-ca-cert = ../tests/certs/ca.pem
++#ca-cert = ../tests/certs/ca.pem
+ 
+ # The certificate set here must include a 'dns_name' corresponding to
+ # the virtual host name.
+ 
+-server-cert = ../tests/certs/server-cert-secp521r1.pem
+-server-key = ../tests/certs/server-key-secp521r1.pem
++#server-cert = ../tests/certs/server-cert-secp521r1.pem
++#server-key = ../tests/certs/server-key-secp521r1.pem
+ 
+-ipv4-network = 192.168.2.0
+-ipv4-netmask = 255.255.255.0
++#ipv4-network = 192.168.2.0
++#ipv4-netmask = 255.255.255.0
+ 
+-cert-user-oid = 0.9.2342.19200300.100.1.1
++#cert-user-oid = 0.9.2342.19200300.100.1.1
+ 
+Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
  ===================================================================
---- ocserv-0.11.10.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.11.10/doc/systemd/socket-activated/ocserv.socket
+--- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
++++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
 @@ -2,8 +2,8 @@
  Description=OpenConnect SSL VPN server Socket
diff --git a/ocserv.spec b/ocserv.spec
index 45cf16f..9f0972b 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -17,10 +17,10 @@
 Name: ocserv
-Version: 0.11.10
+Version: 0.12.0
 Release: 0
 Summary: OpenConnect VPN Server
-License: GPL-2.0
+License: GPL-2.0-only
 Group: Productivity/Networking/Security
 Url: http://www.infradead.org/ocserv
 #Source: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
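Review bot: In the added `+@@ -682,18 +683,18 @@` hunk the example vhost is commented out, which keeps an active `[vhost:www.example.com]` section out of the shipped file, but the commented lines retain the upstream test-tree values `#ca-cert = ../tests/certs/ca.pem`, `#server-cert = ../tests/certs/server-cert-secp521r1.pem` and `#server-key = ../tests/certs/server-key-secp521r1.pem`, while the main section of this same patch was rewritten to `/etc/ocserv/certificates/`. An administrator who uncomments the example to enable SNI virtual hosts then gets relative paths, presumably resolved against the daemon's working directory rather than the packaged certificate directory. Either rewrite those three commented values to the `/etc/ocserv/certificates/` convention or add one comment line above `#[vhost:www.example.com]`, e.g. `# Replace the ../tests/certs paths below with real certificate files before enabling this vhost`. The same review applies to the ocserv.socket part of this hunk only in that its `+---`/`++++` lines are a pure path retarget and need nothing further.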
@@ -59,6 +59,7 @@ BuildRequires: pam-devel
 BuildRequires: pkgconfig
 BuildRequires: protobuf-c
 BuildRequires: readline-devel
+BuildRequires: ruby2.5-rubygem-ronn
 BuildRequires: systemd-devel
 # /usr/bin/certtool for generating certificates
 Requires: gnutls >= 3.1.10
@@ -93,7 +94,6 @@ A management interface allows for viewing and querying logged-in users.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-sed -i "s/\@AUTOGEN\@/autogen/" doc/Makefile.am
 autoreconf -fiv
 %build
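Review bot: The new `BuildRequires: ruby2.5-rubygem-ronn` pins the build dependency to one Ruby-versioned package name, so the spec needs another edit whenever the distribution's default Ruby moves, and neither the spec nor the commit message says what ronn is now needed for. If the build target exports an unversioned capability for the gem (on openSUSE this is normally spelled `rubygem(ronn)`), prefer `BuildRequires: rubygem(ronn)`, following the comment style the file already uses for certtool two lines below. Add a comment above it naming the reason, e.g. `# ronn renders the man pages` if that is what the 0.12.0 build uses it for. The removal of the `sed` on doc/Makefile.am in the `@@ -93,7 +94,6 @@` hunk is consistent with that switch and needs nothing further.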