Accepting request 853618 from home:mnhauke:network

- Update to version 1.1.2
  * Allow setup of new DTLS session concurrent with old session.
  * Fixed an infinite loop on sec-mod crash when server-drain-ms
    is set.
  * Don't apply BanIP checks to clients on the same subnet.
  * Don't attempt TLS if the client closes the connection with
    zero data sent.
  * Increased the maximum configuration line; this allows banner
    messages longer than 200 characters.
  * Removed the listen-clear-file config option. This option was
    incompatible with several clients, and thus is unusable for a
    generic server.

- Update to version 1.1.1:
  * Improved rate-limit-ms and made it dependent on secmod backlog.
    This makes the server more resilient (and prevents connection
    failures) on multiple concurrent connections
  - Added namespace support for listen address by introducing the
    listen-netns option.
  - Disable TLS1.3 when cisco client compatibility is enabled. New
    anyconnect clients seem to supporting TLS1.3 but are unable to
     handle a client with an RSA key.
  - Enable a race free user disconnection via occtl.
  - Added the config option of a pre-login-banner.
  - Ocserv siwtched to using multiple ocserv-sm processes to
    improve scale, with the number of ocserv-sm process dependent
    on maximum clients and number of CPUs. Configuration option
    sec-mod-scale can be used to override the heuristics.
  - Fixed issue with group selection on radius servers sending
    multiple group class attribute.

OBS-URL: https://build.opensuse.org/request/show/853618
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=37

ocserv-1.1.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a3fafe847b08bdec5a9acd72e698dfd77ce9799cb19146677526e6794b94a779
-size 806964

ocserv-1.1.2.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd
+size 824924

ocserv-enable-systemd.patch

@@ -1,8 +1,8 @@
-Index: ocserv-0.10.5/configure.ac
+diff --git a/configure.ac b/configure.ac
-===================================================================
+index 2e4a0e8..81ac3bd 100644
---- ocserv-0.10.5.orig/configure.ac
+--- a/configure.ac
-+++ ocserv-0.10.5/configure.ac
++++ b/configure.ac
-@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd,
+@@ -423,11 +423,7 @@ AC_ARG_ENABLE(systemd,
  
  if [ test "$systemd_enabled" = "yes" ];then
  AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], [sd_listen_fds(0);])
@@ -13,4 +13,4 @@ Index: ocserv-0.10.5/configure.ac
 - fi
  fi
  
- AC_ARG_ENABLE(anyconnect-compat,
+ AC_ARG_ENABLE(namespaces,

ocserv.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Mon Dec  7 15:32:12 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.1.2
+  * Allow setup of new DTLS session concurrent with old session.
+  * Fixed an infinite loop on sec-mod crash when server-drain-ms
+    is set.
+  * Don't apply BanIP checks to clients on the same subnet.
+  * Don't attempt TLS if the client closes the connection with
+    zero data sent.
+  * Increased the maximum configuration line; this allows banner
+    messages longer than 200 characters.
+  * Removed the listen-clear-file config option. This option was
+    incompatible with several clients, and thus is unusable for a
+    generic server.
+
+-------------------------------------------------------------------
+Mon Sep 21 15:27:14 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.1.1:
+  * Improved rate-limit-ms and made it dependent on secmod backlog.
+    This makes the server more resilient (and prevents connection
+    failures) on multiple concurrent connections
+  - Added namespace support for listen address by introducing the
+    listen-netns option.
+  - Disable TLS1.3 when cisco client compatibility is enabled. New
+    anyconnect clients seem to supporting TLS1.3 but are unable to
+     handle a client with an RSA key.
+  - Enable a race free user disconnection via occtl.
+  - Added the config option of a pre-login-banner.
+  - Ocserv siwtched to using multiple ocserv-sm processes to
+    improve scale, with the number of ocserv-sm process dependent
+    on maximum clients and number of CPUs. Configuration option
+    sec-mod-scale can be used to override the heuristics.
+  - Fixed issue with group selection on radius servers sending
+    multiple group class attribute.
+- Update patch:
+  * ocserv-enable-systemd.patch
+  * ocserv.config.patch
+
 -------------------------------------------------------------------
 Wed Aug 19 10:46:22 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
 

ocserv.config.patch

@@ -1,7 +1,7 @@
-Index: ocserv-0.12.0/doc/sample.config
+diff --git a/doc/sample.config b/doc/sample.config
-===================================================================
+index 6a677c9..1cd1d96 100644
---- ocserv-0.12.0.orig/doc/sample.config
+--- a/doc/sample.config
-+++ ocserv-0.12.0/doc/sample.config
++++ b/doc/sample.config
 @@ -48,7 +48,7 @@
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
@@ -11,8 +11,8 @@ Index: ocserv-0.12.0/doc/sample.config
  #auth = "certificate"
  #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
  
-@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -90,8 +90,8 @@ auth = "plain[passwd=./sample.passwd]"
- #listen-host-is-dyndns = true
+ # listen-netns = "foo"
  
  # TCP and UDP port number
 -tcp-port = 443
@@ -20,9 +20,9 @@ Index: ocserv-0.12.0/doc/sample.config
 +tcp-port = 9000
 +udp-port = 9001
  
- # Accept connections using a socket file. It accepts HTTP
+ # The user the worker processes will be run as. This should be a dedicated
- # connections (i.e., without SSL/TLS unlike its TCP counterpart),
+ # unprivileged user (e.g., 'ocserv') and no other services should run as this
-@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
+@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket
  
  #server-cert = /etc/ocserv/server-cert.pem
  #server-key = /etc/ocserv/server-key.pem
@@ -33,7 +33,7 @@ Index: ocserv-0.12.0/doc/sample.config
  
  # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
  # versions of GnuTLS for supporting DHE ciphersuites.
-@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
+@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem
  # client certificates (public keys) if certificate authentication
  # is set.
  #ca-cert = /etc/ocserv/ca.pem
@@ -42,25 +42,25 @@ Index: ocserv-0.12.0/doc/sample.config
  
  
  ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
+@@ -174,7 +174,7 @@ ca-cert = ../tests/certs/ca.pem
  # the isolation was tested at. If you get random failures on worker processes, try
  # disabling that option and report the failures you, along with system and debugging
  # information at: https://gitlab.com/ocserv/ocserv/issues
 -isolate-workers = true
 +isolate-workers = false
  
- # A banner to be displayed on clients
+ # A banner to be displayed on clients after connection
  #banner = "Welcome"
-@@ -243,7 +243,7 @@ mobile-dpd = 1800
+@@ -242,7 +242,7 @@ mobile-dpd = 1800
  switch-to-tcp-timeout = 25
  
  # MTU discovery (DPD must be enabled)
 -try-mtu-discovery = false
 +try-mtu-discovery = true
  
- # If you have a certificate from a CA that provides an OCSP
+ # To enable load-balancer connection draining, set server-drain-ms to a value
- # service you may provide a fresh OCSP status response within
+ # higher than your load-balancer health probe interval.
-@@ -407,8 +407,8 @@ rekey-method = ssl
+@@ -412,8 +412,8 @@ rekey-method = ssl
  # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
  # output from the tun device, and the duration of the session in seconds.
  
@@ -69,9 +69,9 @@ Index: ocserv-0.12.0/doc/sample.config
 +#connect-script = /usr/bin/ocserv-script
 +#disconnect-script = /usr/bin/ocserv-script
  
- # UTMP
+ # This script is to be called when the client's advertised hostname becomes
- # Register the connected clients to utmp. This will allow viewing
+ # available. It will contain REASON with "host-update" value and the
-@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
+@@ -491,7 +491,8 @@ ipv4-netmask = 255.255.255.0
  # The advertized DNS server. Use multiple lines for
  # multiple servers.
  # dns = fc00::4be0
@@ -81,7 +81,7 @@ Index: ocserv-0.12.0/doc/sample.config
  
  # The NBNS server (if any)
  #nbns = 192.168.1.3
-@@ -517,8 +518,8 @@ ping-leases = false
+@@ -530,8 +531,8 @@ ping-leases = false
  # comment out all routes from the server, or use the special keyword
  # 'default'.
  
@@ -92,7 +92,7 @@ Index: ocserv-0.12.0/doc/sample.config
  #route = fef4:db8:1000:1001::/64
  #route = default
  
-@@ -682,18 +683,18 @@ dtls-legacy = true
+@@ -698,18 +699,18 @@ dtls-legacy = true
  # An example virtual host with different authentication methods serviced
  # by this server.
  
@@ -119,11 +119,10 @@ Index: ocserv-0.12.0/doc/sample.config
  
 -cert-user-oid = 0.9.2342.19200300.100.1.1
 +#cert-user-oid = 0.9.2342.19200300.100.1.1
- 
+diff --git a/doc/systemd/socket-activated/ocserv.socket b/doc/systemd/socket-activated/ocserv.socket
-Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
+index 9444f19..a0ac362 100644
-===================================================================
+--- a/doc/systemd/socket-activated/ocserv.socket
---- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
++++ b/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
 @@ -2,8 +2,8 @@
  Description=OpenConnect SSL VPN server Socket
  

ocserv.spec

@@ -17,7 +17,7 @@
 
 
 Name:           ocserv
-Version:        1.1.0
+Version:        1.1.2
 Release:        0
 Summary:        OpenConnect VPN Server
 License:        GPL-2.0-only
@@ -144,7 +144,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 
 %files
 %defattr(-,root,root)
-%doc AUTHORS NEWS README.md TODO
+%doc AUTHORS NEWS README.md
 %license COPYING LICENSE
 %config %{_sysconfdir}/ocserv
 %config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf