- Update to release 9.10:
* Fix external browser authentication with KDE plasma-nm < 5.26.
* Always redirect stdout to stderr when spawning external browser.
* Increase default queue length to 32 packets.
* Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array.
* Handle idiosyncratic variation in search domain separators for all protocols
* Support region selection field for Pulse authentication
* Support modified configuration packet from Pulse 9.1R16 servers
* Allow hidden form fields to be populated or converted to text fields on the command line
* Support yet another strange way of encoding challenge-based 2FA for GlobalProtect
* Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments
* Parrot a GlobalProtect server's software version, if present, as the client version (!333)
* Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
* Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
* Support F5 VPNs which encode authentication forms only in JSON, not in HTML.
* Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet .
* Support "FTM-push" token mode for Fortinet VPNs .
* Send IPv6-compatible version string in Pulse IF/T session establishment
* Add --no-external-auth option to not advertise external-browser authentication
* Many small improvements in server response parsing, and better logging messages and documentation.
* Suppo split-exclude routes for Fortinet
OBS-URL: https://build.opensuse.org/request/show/1085378
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=95
- Fix CVE-2020-12105 (boo#1170452)
- Introduce subpackage for bash-completion
- Update to 8.0.9:
* Add bash completion support.
* Give more helpful error in case of Pulse servers asking for
TNCC.
* Sanitize non-canonical Legacy IP network addresses.
* Fix OpenSSL validation for trusted but invalid certificates
(CVE-2020-12105).
* Convert tncc-wrapper.py to Python 3, and include modernized
tncc-emulate.py as well. (!91)
* Disable Nagle's algorithm for TLS sockets, to improve
interactivity when tunnel runs over TCP rather than UDP.
* GlobalProtect: more resilient handling of periodic HIP check
and login arguments, and predictable naming of challenge forms.
* Work around PKCS#11 tokens which forget to set
CKF_LOGIN_REQUIRED.
- Update to 8.0.8:
* Fix check of pin-sha256: public key hashes to be case sensitive
* Don't give non-functioning stderr to CSD trojan scripts.
* Fix crash with uninitialised OIDC token.
- Update to 8.0.7:
* Don't abort Pulse connection when server-provided certificate
MD5 doesn't match.
* Fix off-by-one in check for bad GnuTLS versions, and add build
and run time checks.
* Don't abort connection if CSD wrapper script returns non-zero
(for now).
* Make --passtos work for protocols that use ESP, in addition
to DTLS.
OBS-URL: https://build.opensuse.org/request/show/799557
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=83
- Update to 8.01:
* Clear form submissions (which may include passwords) before freeing (CVE-2018-20319).
* Allow form responses to be provided on command line.
* Add support for SSL keys stored in TPM2.
* Fix ESP rekey when replay protection is disabled.
* Drop support for GnuTLS older than 3.2.10.
* Fix --passwd-on-stdin for Windows to not forcibly open console.
* Fix portability of shell scripts in test suite.
* Add Google Authenticator TOTP support for Juniper.
* Add RFC7469 key PIN support for cert hashes.
* Add protocol method to securely log out the Juniper session.
* Relax requirements for Juniper hostname packet response to support old gateways.
* Add API functions to query the supported protocols.
* Verify ESP sequence numbers and warn even if replay protection is disabled.
* Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
* Reorganize listing of command-line options, and include information on supported protocols.
* SIGTERM cleans up the session similarly to SIGINT.
* Fix memset_s() arguments.
* Fix OpenBSD build.
- Explicitely enable all the features as needed to stop build if
something is missing
- Run tests
- Folow the library packaging guidelines
OBS-URL: https://build.opensuse.org/request/show/664649
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=72
- Add explicit python2-base and python2-xml BuildRequires: the
buildsystem checks for python2 and disables building the
documentation if not found. Buildinf the documentation in plus
depends on the xml modules.
So far we relied on other packages pulling in python2 for us.
The package that pulled in python2/python2-xml so far used to be gtk2-devel. But no more.
OBS-URL: https://build.opensuse.org/request/show/555267
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=64
* Fix alignment issue which broke LZS compression on ARM etc.
* Support HTTP authentication to servers, not just proxies.
* Add SHA256/SHA512 support for OATH.
* Remove liboath dependency.
* Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2.
* Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711).
* Fix build with OpenSSL HEAD (OpenSSL 1.1.x).
* Preliminary support for Juniper SSL VPN.
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=51
* Change default behaviour to enable only stateless compression.
* Add --compression argument and openconnect_set_compression_mode().
* Add support for LZS compression
* Add support for LZ4 compression
- Add liblz4-devel dependency for LZ4 compression support.
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=48
* Add support for GnuTLS 3.4 system: keys including Windows certificate store.
* Add support for HOTP/TOTP keys from Yubikey NEO devices.
* Add ---no-system-trust option to disable default certificate authorities.
* Improve libiconv and libintl detection.
* Stop calling setenv() from library functions.
* Support utun driver on OS X.
* Change library API so string ownership is never transferred.
* Support new NDIS6 TAP-Windows driver shipped with OpenVPN 2.3.4.
* Support using PSKC (RFC6030) token files for HOTP/TOTP tokens.
* Support for updating HOTP token storage when token is used.
* Support for reading OTP token data from a file.
* Add full character set handling for legacy non-UTF8 systems (including Windows).
* Fix legacy (i.e. not XML POST) submission of non-ASCII form entries (even in UTF-8 locales).
* Avoid retrying without XML POST, when we failed to even reach the server.
* Fix off-by-one in parameter substitution in error messages.
* Improve reporting when GSSAPI auth requested but not compiled in.
* Fix parsing of split include routes on Windows.
* Fix crash on invocation with --token-mode but no --token-secret.
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=42
* Support SOCKS proxy authentication (password, GSSAPI).
* Support HTTP proxy authentication (Basic, Digest, NTLM and GSSAPI).
* Download XML profile in XML POST mode.
* Fix a couple of bugs involving DTLS rekeying.
* Fix problems seen when building or connecting without DTLS enabled.
* Fix tun error handling on Windows hosts.
* Skip password prompts when using PKCS#8 and PKCS#12 certificates with
empty passwords.
* Fix several minor memory leaks and error paths.
* Update several Android dependencies, and make the download process more
robust.
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=38
- Update to Version 5.99
* Add RFC4226 HOTP token support.
* Tolerate servers closing connection uncleanly after HTTP/1.0 response
(Ubuntu #1225276).
* Add support for IPv6 split tunnel configuration.
* Add Windows support with MinGW (tested with both IPv6 and Legacy IP with
latest vpnc-script-win.js)
* Change library API to support updating the auth form when the authgroup
is changed (Ubuntu #1229195).
* Change --os mac to --os mac-intel, to match the identifier used by Cisco
clients.
* Add new API functions to support invoking the VPN mainloop directly from
an application.
* Add JNI interface and sample Java application.
* Fix junk in --cookieonly output when CSD is enabled.
* Enable TOTP, stoken, and JNI support in the Android builds.
* Add --pfs option to enforce perfect forward secrecy.
* Enable elliptic curves with GnuTLS 3.2.9+, where there is a workaround for
certain firewalls that fail with client hellos between 256 and 512 bytes.
* Add padding when sending password, to avoid leakage of password and
username length.
* Add support for DTLS 1.2 and AES-GCM when connecting to ocserv.
* Add support for server name indication when compiled with GnuTLS 3.2.9+.
OBS-URL: https://build.opensuse.org/request/show/224743
OBS-URL: https://build.opensuse.org/package/show/network/openconnect?expand=0&rev=36
