Accepting request 606702 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/606702 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ocserv?expand=0&rev=7
2018-05-16 09:39:41 +00:00 · 2018-05-16 09:39:41 +00:00 · 183a4ad899
commit 183a4ad899
parent e1fbbbb5a0 74a3d776b3
5 changed files with 68 additions and 27 deletions
--- a/ocserv-0.11.10.tar.xz
+++ b/ocserv-0.11.10.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:52c821dcd234a8f0d61f440ce3c80d0b23051d7fbd74c6d47dc2b884ae25966a
-size 784420
--- a/ocserv-0.12.0.tar.xz
+++ b/ocserv-0.12.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fdbb7241013341975640bb9851b14ed16c786029466e81b79cdfbce21f7dc89f
+size 679420
--- a/ocserv.changes
+++ b/ocserv.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri May 11 08:08:54 UTC 2018 - duyizhaozj321@yahoo.com
+
+- Update to version 0.12.0
+  * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
+  * Increased possibilities of allowed combinations of authentication methods.
+  * Corrected regression since 0.11.8 with OTP authentication.
+  * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
+  * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
+  * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
+  * Corrected crash on certain cases when proxy protocol is in use.
+- Update ocserv.config.patch due to upstream changes
+
 -------------------------------------------------------------------
 Tue Feb 27 02:50:33 UTC 2018 - i@marguerite.su

--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@ -1,8 +1,8 @@
-Index: ocserv-0.11.10/doc/sample.config
+Index: ocserv-0.12.0/doc/sample.config
 ===================================================================
--- ocserv-0.11.10.orig/doc/sample.config
-+++ ocserv-0.11.10/doc/sample.config
-@@ -47,7 +47,7 @@
+--- ocserv-0.12.0.orig/doc/sample.config
+++ ocserv-0.12.0/doc/sample.config
+@@ -48,7 +48,7 @@
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
 #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
@ -11,7 +11,7 @@ Index: ocserv-0.11.10/doc/sample.config
 #auth = "certificate"
 #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
-@@ -80,8 +80,8 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
 #listen-host-is-dyndns = true
 
 # TCP and UDP port number
@ -22,27 +22,27 @@ Index: ocserv-0.11.10/doc/sample.config
 
 # Accept connections using a socket file. It accepts HTTP
 # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -124,8 +124,8 @@ socket-file = /var/run/ocserv-socket
- #
- # There may be multiple server-cert and server-key directives,
- # but each key should correspond to the preceding certificate.
+@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
+ 
+ #server-cert = /etc/ocserv/server-cert.pem
+ #server-key = /etc/ocserv/server-key.pem
 -server-cert = ../tests/certs/server-cert.pem
 -server-key = ../tests/certs/server-key.pem
 +server-cert = /etc/ocserv/certificates/server-cert.pem
 +server-key = /etc/ocserv/certificates/server-key.pem
 
- # Diffie-Hellman parameters. Only needed if you require support
- # for the DHE ciphersuites (by default this server supports ECDHE).
-@@ -151,7 +151,7 @@ server-key = ../tests/certs/server-key.p
- # The Certificate Authority that will be used to verify
+ # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
+ # versions of GnuTLS for supporting DHE ciphersuites.
+@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
 # client certificates (public keys) if certificate authentication
 # is set.
+ #ca-cert = /etc/ocserv/ca.pem
 -ca-cert = ../tests/certs/ca.pem
 +ca-cert = /etc/ocserv/certificates/ca-cert.pem
 
 
 ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -171,7 +171,7 @@ ca-cert = ../tests/certs/ca.pem
+@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
 # the isolation was tested at. If you get random failures on worker processes, try
 # disabling that option and report the failures you, along with system and debugging
 # information at: https://gitlab.com/ocserv/ocserv/issues
@ -51,7 +51,7 @@ Index: ocserv-0.11.10/doc/sample.config
 
 # A banner to be displayed on clients
 #banner = "Welcome"
-@@ -234,7 +234,7 @@ mobile-dpd = 1800
+@@ -243,7 +243,7 @@ mobile-dpd = 1800
 switch-to-tcp-timeout = 25
 
 # MTU discovery (DPD must be enabled)
@ -60,7 +60,7 @@ Index: ocserv-0.11.10/doc/sample.config
 
 # If you have a certificate from a CA that provides an OCSP
 # service you may provide a fresh OCSP status response within
-@@ -398,8 +398,8 @@ rekey-method = ssl
+@@ -407,8 +407,8 @@ rekey-method = ssl
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
 # output from the tun device, and the duration of the session in seconds.
 
@ -71,7 +71,7 @@ Index: ocserv-0.11.10/doc/sample.config
 
 # UTMP
 # Register the connected clients to utmp. This will allow viewing
-@@ -469,7 +469,8 @@ ipv4-netmask = 255.255.255.0
+@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
@ -81,7 +81,7 @@ Index: ocserv-0.11.10/doc/sample.config
 
 # The NBNS server (if any)
 #nbns = 192.168.1.3
-@@ -508,8 +509,8 @@ ping-leases = false
+@@ -517,8 +518,8 @@ ping-leases = false
 # comment out all routes from the server, or use the special keyword
 # 'default'.
 
@ -92,10 +92,38 @@ Index: ocserv-0.11.10/doc/sample.config
 #route = fef4:db8:1000:1001::/64
 #route = default
 
-Index: ocserv-0.11.10/doc/systemd/socket-activated/ocserv.socket
+@@ -682,18 +683,18 @@ dtls-legacy = true
+ # An example virtual host with different authentication methods serviced
+ # by this server.
+ 
+-[vhost:www.example.com]
+-auth = "certificate"
+#[vhost:www.example.com]
+#auth = "certificate"
+ 
+-ca-cert = ../tests/certs/ca.pem
+#ca-cert = ../tests/certs/ca.pem
+ 
+ # The certificate set here must include a 'dns_name' corresponding to
+ # the virtual host name.
+ 
+-server-cert = ../tests/certs/server-cert-secp521r1.pem
+-server-key = ../tests/certs/server-key-secp521r1.pem
+#server-cert = ../tests/certs/server-cert-secp521r1.pem
+#server-key = ../tests/certs/server-key-secp521r1.pem
+ 
+-ipv4-network = 192.168.2.0
+-ipv4-netmask = 255.255.255.0
+#ipv4-network = 192.168.2.0
+#ipv4-netmask = 255.255.255.0
+ 
+-cert-user-oid = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+ 
+Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
 ===================================================================
--- ocserv-0.11.10.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.11.10/doc/systemd/socket-activated/ocserv.socket
+--- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
+++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
@@ -2,8 +2,8 @@
 Description=OpenConnect SSL VPN server Socket
 
--- a/ocserv.spec
+++ b/ocserv.spec
@ -17,10 +17,10 @@


 Name:           ocserv
-Version:        0.11.10
+Version:        0.12.0
 Release:        0
 Summary:        OpenConnect VPN Server
-License:        GPL-2.0
+License:        GPL-2.0-only
 Group:          Productivity/Networking/Security
 Url:            http://www.infradead.org/ocserv
 #Source:         ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
@ -59,6 +59,7 @@ BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  protobuf-c
 BuildRequires:  readline-devel
+BuildRequires:  ruby2.5-rubygem-ronn
 BuildRequires:  systemd-devel
 # /usr/bin/certtool for generating certificates
 Requires:       gnutls >= 3.1.10
@ -93,7 +94,6 @@ A management interface allows for viewing and querying logged-in users.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-sed -i "s/\@AUTOGEN\@/autogen/" doc/Makefile.am
 autoreconf -fiv

 %build