c4052e0aeb
- actually verify tarballs - use as many pkgconfig and rubygem names OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=57
515 lines
24 KiB
Plaintext
515 lines
24 KiB
Plaintext
-------------------------------------------------------------------
|
||
Sat Nov 30 00:19:36 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
|
||
|
||
- use https for downloading sources (over ftp)
|
||
- actually verify tarballs
|
||
- use as many pkgconfig and rubygem names
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Aug 23 15:09:09 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- BuildRequire /usr/bin/ronn instead of rubygem(ronn): there are
|
||
alternatives around and the build does not care wich one is used.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed May 15 12:58:13 UTC 2024 - Андрей Кувшинов <m407@mail.ru>
|
||
|
||
- Update to version 1.3.0
|
||
* Switch to https://github.com/nodejs/llhttp from http-parser.
|
||
http-parser was a liability as an unmaintained project (#598)
|
||
* Bump the number of groups per account from 128 to 512 (#219)
|
||
* Allow connecting users to select an authgroup by appending the
|
||
group name to the URL, as in https://vpn.example.com/groupname;
|
||
this introduces the select-group-by-url config option (#597).
|
||
* Informational messages due to configuration loading are not printed
|
||
during worker initialization.
|
||
- Update to version 1.2.4
|
||
* Get connection speed limits (traffic shaping) from RADIUS (#554)
|
||
* Fix logging to stderr: add missing newline.
|
||
* Fixed compatibility with AnyConnect clients on Linux (#544)
|
||
* Detect the new AnyConnect-compatible identifier of OpenConnect clients
|
||
* occtl: Print bit rates as kb/s.
|
||
- Update to version 1.2.3
|
||
* Treat unknown clients as capable of IPv6 routes and DNS servers
|
||
* Introduced new ocserv options --log-stderr and --syslog that redirect
|
||
logging to stderr or syslog explicitly. The stderr option allows for better
|
||
integration with logging on containers or under systemd. The default remains
|
||
syslog.
|
||
* Warn when more than 2 DNS server IPv6 addresses are sent by Radius.
|
||
* Improved server shutdown (#563)
|
||
* Modified Camouflage functionality to allow AnyConnect clients (#544)
|
||
* ocserv-fw: Move under libexec.
|
||
* ocserv-fw: Fixed clean_all_rules logic on multiple similar devices (!384)
|
||
* occtl: added machine-readable raw_connected_at field for user stats
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 26 12:40:44 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- Use %autosetup macro. Allows to eliminate the usage of deprecated
|
||
PatchN.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 25 08:41:26 UTC 2023 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Update to version 1.2.2
|
||
* Fix session and accounting data tracking of ocserv. This
|
||
reverts fix for #444 (#541)
|
||
* No longer account ICMP and IGMP data for idle session detection
|
||
- Update URL
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Aug 29 12:37:56 UTC 2023 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Update to version 1.2.1
|
||
* Accept the Clavister OneConnect VPN Android client.
|
||
* No longer require to set device name per vhost.
|
||
* Account the correct number of points when proxyproto is in use
|
||
* nuttcp tests were replaced with iperf3 that is available
|
||
in more environments
|
||
* occtl: fix duplicate key in `occtl --json show users` output
|
||
- Update to version 1.2.0
|
||
* Add support for Cisco Enterprise phones to authenticate via
|
||
the /svc endpoint and the 'cisco-svc-client-compat' config
|
||
option.
|
||
* Enhanced radius group support to enable radius servers send
|
||
multiple group class attributes
|
||
See doc/README-radius.md for more information.
|
||
* Enhanced the seccomp filters to open files related to FIPS
|
||
compliance on SuSe.
|
||
* Added "Camouflage" functionality that makes ocserv look like a
|
||
web server to unauthorized parties.
|
||
* Avoid login failure when the end point of server URI
|
||
contains a query string.
|
||
* Make sure we print proper JSON with `occtl --debug --json`
|
||
* Eliminated the need for using the gnulib portability library.
|
||
- Update to version 1.1.7
|
||
* Emit a LOG_ERR error message with plain authentication fails
|
||
* The bundled inih was updated to r56.
|
||
* The bundled protobuf-c was updated to 1.4.1.
|
||
* Enhanced the seccomp filters for ARMv7 compatibility and musl
|
||
libc
|
||
* HTTP headers always capitalised as in RFC 9110
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||
|
||
- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
|
||
installed into /etc by a more tailored mechanism. Enabling IP routing
|
||
globally and permanently, just because the package is installed is quite
|
||
invasive. This new script will be invoked before and after the ocserv
|
||
service to switch on and off forwarding, if necessary (bsc#1174722).
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Aug 14 14:11:34 UTC 2022 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 1.1.6
|
||
* Fixed compatibility with clients on Windows ARM64.
|
||
* Added futex() to the accepted list of seccomp.
|
||
It is required by Fedora 36’s libc.
|
||
* Work around change of returned error code in GnuTLS 3.7.3
|
||
for gnutls_privkey_import_x509_raw().
|
||
|
||
- Changes in version 1.1.5
|
||
* Fixed manpage output.
|
||
|
||
- Changes in version 1.1.4
|
||
* Added newfstatat() and epoll_pwait() to the accepted list of
|
||
seccomp calls. This improves compatibility with certain libcs
|
||
and aarch64.
|
||
* Do not allow assigning the same IPv6 as tun device address and
|
||
to the client. This allows using /127 as prefix (#430).
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 20 07:49:38 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- explicitly buildignore libevent-devel, which is pulled in by
|
||
ubound. We use libev here and can get away with this.
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Jun 5 10:37:15 UTC 2021 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Update to version 1.1.3
|
||
* No longer close stdin and stdout on worker processes as they
|
||
are already closed in main process.
|
||
* Advertise X-CSTP-Session-Timeout.
|
||
* No longer recommend building with system's libpcl but rather
|
||
the bundled as it is not a very common shared library.
|
||
* Corrected busyloop on failed DTLS handshakes.
|
||
* Emit OWASP best practice headers for HTTP.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Dec 7 15:32:12 UTC 2020 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Update to version 1.1.2
|
||
* Allow setup of new DTLS session concurrent with old session.
|
||
* Fixed an infinite loop on sec-mod crash when server-drain-ms
|
||
is set.
|
||
* Don't apply BanIP checks to clients on the same subnet.
|
||
* Don't attempt TLS if the client closes the connection with
|
||
zero data sent.
|
||
* Increased the maximum configuration line; this allows banner
|
||
messages longer than 200 characters.
|
||
* Removed the listen-clear-file config option. This option was
|
||
incompatible with several clients, and thus is unusable for a
|
||
generic server.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Sep 21 15:27:14 UTC 2020 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Update to version 1.1.1:
|
||
* Improved rate-limit-ms and made it dependent on secmod backlog.
|
||
This makes the server more resilient (and prevents connection
|
||
failures) on multiple concurrent connections
|
||
- Added namespace support for listen address by introducing the
|
||
listen-netns option.
|
||
- Disable TLS1.3 when cisco client compatibility is enabled. New
|
||
anyconnect clients seem to supporting TLS1.3 but are unable to
|
||
handle a client with an RSA key.
|
||
- Enable a race free user disconnection via occtl.
|
||
- Added the config option of a pre-login-banner.
|
||
- Ocserv siwtched to using multiple ocserv-sm processes to
|
||
improve scale, with the number of ocserv-sm process dependent
|
||
on maximum clients and number of CPUs. Configuration option
|
||
sec-mod-scale can be used to override the heuristics.
|
||
- Fixed issue with group selection on radius servers sending
|
||
multiple group class attribute.
|
||
- Update patch:
|
||
* ocserv-enable-systemd.patch
|
||
* ocserv.config.patch
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Aug 19 10:46:22 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
|
||
|
||
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jul 3 17:34:58 UTC 2020 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 1.1.0:
|
||
* Switch from fork to fork/exec model to achieve better scaling
|
||
and ASLR protection. This introduces an ocserv-worker application
|
||
which should be installed at the same path as ocserv (#285).
|
||
* When Linux OOM takes control kill ocserv workers before
|
||
ocserv-main or ocserv-secmod (#283).
|
||
* Disable TCP queuing on the TLS port.
|
||
* Fix leak of GnuTLS session when DTLS connection is
|
||
re-established (#293).
|
||
- Verify source with keyring before build.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 21 17:20:49 UTC 2020 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Add signature and keyring for source verification
|
||
- Build with support for maxminddb
|
||
- Build with support for OATH
|
||
- Update to version 1.0.1
|
||
* Prevent clients that use broken versions of gnutls from
|
||
connecting using DTLS.
|
||
* occtl: added machine-readable fields in json output.
|
||
* occtl: IPs in ban list value is now reflecting the actual
|
||
banned IPs rather than the database size.
|
||
- Update to version 1.0.0
|
||
* Avoid crash on invalid configuration values.
|
||
* Updated manpage generation to work with newer versions of ronn.
|
||
* Ensure scripts have all the information on all disconnection
|
||
types.
|
||
* Several updates to further restrict the control that worker
|
||
processes have on the main process.
|
||
* Add support for RFC6750 bearer tokens. This adds the "auth=oidc"
|
||
config option. See doc/README-oidc.md for more information.
|
||
* Add USER_AGENT, DEVICE_TYPE and DEVICE_PLATFORM environment
|
||
variables when connect/disconnect scripts execute.
|
||
* Corrected issue with DTLS-PSK negotiation which prevented it
|
||
from being enabled.
|
||
* Improved IPv6 handling of AnyConnect client for Apple ios.
|
||
* Fixed issue with Radius accounting.
|
||
- Update to version 0.12.6
|
||
* Improved IPv6 support for anyconnect clients.
|
||
* The 'split-dns' configuration directive can be used per-user.
|
||
* The max-same-clients=1 configuration option no longer refuses
|
||
the reconnection of an already connected user.
|
||
* Added openat() to the accepted list of seccomp calls. This
|
||
allows ocserv to run under certain libcs.
|
||
- Update to version 0.12.5
|
||
* Added configuration option udp-listen-host. This option
|
||
supports different listen addresses for tcp and udp such as
|
||
haproxy for tcp, but support dtls at the same time.
|
||
* occtl: fixed json output of show status command. Introduced
|
||
tests for checking its json output using yajl.
|
||
* occtl: use maxminddb when available.
|
||
- Update to version 0.12.4
|
||
* Added support for radius access-challenge (multifactor)
|
||
authentication.
|
||
* Fixed race condition when connect-script and disconnect-script
|
||
are set, which could potentially cause a crash.
|
||
* Perform quicker cleanup of sessions which their user explicitly
|
||
disconnected.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 19 14:56:10 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
|
||
Allow OBS to shortcut through the -mini flavors.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 24 13:28:00 UTC 2019 - matthias.gerstner@suse.com
|
||
|
||
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
|
||
firewalld, see [1].
|
||
|
||
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 23 09:08:03 UTC 2019 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 0.12.3:
|
||
* Fixed crash when no DTLS ciphersuite is negotiated.
|
||
* Fixed crash happening arbitrarily depending on handled string
|
||
sizes (#197).
|
||
* Fixed compatibility issue with GnuTLS 3.3.x (#201).
|
||
* occtl: print the TLS session information, even if the DTLS
|
||
channel is not established.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 25 14:54:35 UTC 2019 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 0.12.2:
|
||
* Added support for AES256-SHA legacy cipher. This allows the
|
||
anyconnect clients to use AES256.
|
||
* Added support for the DTLS1.2 protocol hack used by new
|
||
Anyconnect clients.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 17 10:48:43 UTC 2018 - duyizhaozj321@yahoo.com
|
||
|
||
- Update to version 0.12.1:
|
||
* Fixed crash on initialization when server was running on background
|
||
* Work around issues with GnuTLS 3.4.x on ubuntu 16.04, at the cost of a memory leak on key reload
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 11 08:08:54 UTC 2018 - duyizhaozj321@yahoo.com
|
||
|
||
- Update to version 0.12.0
|
||
* Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
|
||
* Increased possibilities of allowed combinations of authentication methods.
|
||
* Corrected regression since 0.11.8 with OTP authentication.
|
||
* Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
|
||
* Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
|
||
* Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
|
||
* Corrected crash on certain cases when proxy protocol is in use.
|
||
- Update ocserv.config.patch due to upstream changes
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 27 02:50:33 UTC 2018 - i@marguerite.su
|
||
|
||
- add firewalld service
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Feb 24 05:43:55 UTC 2018 - i@marguerite.su
|
||
|
||
- update version 0.11.10
|
||
* see NEWS
|
||
- drop boo1021353-ocserv-doc-racing-in-parallel-build.patch
|
||
* upstreamed
|
||
- add ocserv-LZ4_compress_default.patch
|
||
* leap doesn't have LZ4_compress_default
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 11 08:35:51 UTC 2017 - dimstar@opensuse.org
|
||
|
||
- Use readline (current) instead of readline5:
|
||
+ Replace readline5-devel BuildRequires with readline-devel.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 23 16:35:52 UTC 2017 - i@marguerite.su
|
||
|
||
- fix boo#1021353: ocserv randomly misbuilds man pages
|
||
- add patch: boo1021353-ocserv-doc-racing-in-parallel-build.patch
|
||
* occtl and ocpasswd are both built from args.def, which
|
||
will cause a racing problem in parallel builds that autogen
|
||
write contents randomly. fixed by adding a prefix to make
|
||
them different in filename.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 21 10:59:26 UTC 2016 - i@marguerite.su
|
||
|
||
- update version 0.11.6
|
||
* cserv: Improved detection of mobile clients
|
||
* ocserv: Update the worker's ID on Radius accounting messages.
|
||
That is, even if we initially advertize the ID of the worker
|
||
handling the client as NAS-Port, the client may eventually end-up
|
||
being served by another process with different ID. In that case we make
|
||
sure that the radius server is notified on the next accounting message.
|
||
If you are using radius see doc/README.radius.md about NAS-Port, since
|
||
that behavior may cause issues in freeradius installations.
|
||
* ocserv: Added config option 'switch-to-tcp-timeout'. That allows an
|
||
automatic switch to TCP in case of no received UDP traffic for
|
||
certain time
|
||
* ocserv: Pre-load the OCSP response file; that way worker processes can
|
||
serve it, even if they have no access to it.
|
||
* ocserv: When compiled with GnuTLS 3.5.6 automatically set DH
|
||
parameters from the known set.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 12 14:10:54 UTC 2016 - i@marguerite.su
|
||
|
||
- update version 0.10.11
|
||
* Corrected the reporting of keepalive to occtl.
|
||
* Handle clients which send the first request to /VPN
|
||
* Prevent a crash in per-user config dir is not available if
|
||
expose-iroutes is set to true.
|
||
- update license: GPL-2.0
|
||
- open ports using ocserv.SuSEfirewall
|
||
- enable ip forwarding using ocserv.sysctl
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 7 16:08:58 UTC 2016 - i@marguerite.su
|
||
|
||
- update version 0.10.10
|
||
* Increase the number of log messages logged in the default level.
|
||
That is added messages that could be of use to administrators.
|
||
* Introduced ipv6-subnet-prefix config option. That option allows
|
||
to specify the IPv6 subnet prefix to be given to client. That is,
|
||
allow providing the clients networks larger than /128. The default
|
||
setting is 128 to keep backwards compatibility.
|
||
* Introduced the expose-iroutes config option. That option allows
|
||
the server to advertise routes offered by some clients to all of
|
||
them. This requires the config-per-user option.
|
||
* When a client has assigned iroutes which cannot be applied, he
|
||
will be denied access.
|
||
* Added restrict-user-to-routes configuration option which will
|
||
execute ocserv-fw script on user connection. The script will
|
||
set firewall rules which deny the user access to any other
|
||
networks than the routes set for the user. This is added as a
|
||
tech preview; details of this option may change on later releases.
|
||
* When banning IPv6 addresses treat a /64 network as a single address.
|
||
* Fixed conflict with isolate-workers and user-profile.
|
||
* occtl: Allow disabling the pager functionality on compile time
|
||
using --with-pager="".
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 21 11:34:00 UTC 2015 - i@marguerite.su
|
||
|
||
- update version 0.10.9
|
||
* When compiled with GnuTLS 3.4 automatically sort the certificate
|
||
list to be imported
|
||
* Reload the CRL during periodic maintaince if its modification
|
||
time changes
|
||
* Address issue with duplicate check failing on IPv6 addresses
|
||
* Added the ability to specify a UsersFile in plain auth for using
|
||
an OTP
|
||
This allows to use an OTP 2nd factor authentication without having
|
||
to rely on PAM. This change, also enables the usage of an empty
|
||
password field in the password file if an OTP file is present
|
||
* Allow loading DER-encoded CRLs
|
||
* Re-added the PAM accounting method. That accounting method can
|
||
be combined with any authentication method, and can be used to
|
||
check for a valid system account
|
||
- changes in 0.10.8
|
||
* Pass the proxy protocol information at earlier stage to main
|
||
process, to allow the correct information to be passed at the
|
||
connect script and occtl
|
||
* Added the IP_REAL_LOCAL environment variable to scripts. This
|
||
passes the local IP the client connected to
|
||
* The PAM accounting method was dropped as there was no practical
|
||
usage of it, the way it was implemented
|
||
* When assigning IPv6 addresses use the whole available netmask
|
||
* occtl: Print the local IP the client connected to, with the
|
||
client information
|
||
* occtl: Print the configured for the client split-dns domains
|
||
- changes in 0.10.7
|
||
* Added a fuzzying factor to CPU intensive, or radius communication
|
||
tasks when initiated by worker process. That avoids a very
|
||
high load periodically, e.g., when multiple clients connect
|
||
at the same time
|
||
* Added support for haproxy's protocol v2 format. That allows
|
||
to report the correct client IP even on proxied sessions.
|
||
It introduces the configuration option listen-proxy-proto
|
||
* occtl: added -n/--no-pager option. That allows to disable
|
||
pager explicitly
|
||
* occtl: fixed several cases of invalid JSON output
|
||
- changes in 0.10.6
|
||
* Transmit packets to the last incoming source, allowing faster
|
||
switch of the communication channel
|
||
* The worker processes will utilize the UDP socket address
|
||
(if any), when reporting peer's address if the listen-clear-file
|
||
option is set
|
||
* Lifted the limit on the number of configuration options. That
|
||
allows to add an "unlimited" number of 'route' options
|
||
* Support encrypted key files. That adds the key-pin and srk-pin
|
||
configuration options
|
||
* The dbus communication option has been dropped
|
||
* Radius: depend on radcli radius library
|
||
* occtl: added -j/--json option. That allows to output in a
|
||
JSON format
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 8 13:51:18 UTC 2015 - i@marguerite.su
|
||
|
||
- set isolated-workers to false since we didn't build w/ seccomp yet
|
||
- change systemd socket ports as well
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jun 7 04:47:47 UTC 2015 - i@marguerite.su
|
||
|
||
- update version 0.10.5
|
||
* Added tgt-freshness-time option for gssapi/Kerberos authentication
|
||
option. That allows to specify the maximum number of seconds after
|
||
which a reauthentication with Kerberos is required to login to VPN.
|
||
* main/sec-mod: impose long timeouts on reads from sec-mod. That
|
||
would prevent issues when reading in a blocked in authentication
|
||
sec-mod.
|
||
* radius: When using radius accounting with certificate
|
||
authentication, properly notify of user session termination.
|
||
* radius: On definitely terminated sessions contact the radius server
|
||
as soon as possible. For sessions that can still be resumed the
|
||
radius server is contacted periodically after the cookies expire.
|
||
* radius: consider Acct-Interim-Interval when seen by the server.
|
||
That will be taken into account if groupconfig=true in radius
|
||
subconfig.
|
||
* Added configuration options persistent-cookies and session-timeout.
|
||
* radius: added support for Route-IPv6-Information,
|
||
Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address,
|
||
Session-Timeout.
|
||
* Corrected desync of main and sec-mod by introducing a synchronous
|
||
communication socket. Reported by Mani Behrouz.
|
||
* PAM: forward the actual prompt to worker process, and not only
|
||
informational messages.
|
||
- drop ocserv-str_init.patch, upstream fixed.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su
|
||
|
||
- add user.tmpl, for certificate login
|
||
- tweak default config more
|
||
- add README.SUSE as setup instructions
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 2 10:04:45 UTC 2015 - i@marguerite.su
|
||
|
||
- initial version 0.9.0.1
|
||
* Added native support for radius. That adds the new auth
|
||
configuration option "radius", which has as parameters
|
||
the freeradius-client configuration file and optionally
|
||
the groupconfig option which instructs to read
|
||
configuration from radius; the stats-report-time option
|
||
enables interim-updates. That adds the dependency to
|
||
freeradius-client (see doc/README.radius).
|
||
* Reply using the same address that received UDP packets
|
||
are sent.
|
||
* Simplify the input of IPv6 network addresses.
|
||
* Use a separate IPC and PID namespace in Linux systems
|
||
for worker processes. That effectively puts each worker
|
||
process in a separate container. This can be enabled at
|
||
compile time using --enable-linux-namespaces.
|
||
* Configuration option 'use-seccomp' was replaced by
|
||
'isolate-workers', which in addition to seccomp it enables
|
||
the Linux namespaces restrictions.
|
||
* Added support for stateless compression using LZ4 and LZS.
|
||
This is disabled by default.
|
||
- disable dbus interface because currently it provides less
|
||
function than unix socket
|
||
- add patch: ocserv-str_init.patch
|
||
- add patch: ocserv-enable-systemd.patch
|
||
- add patch: ocserv.config.patch
|