Accepting request 894668 from network:vpn

Would be good to have the update to version 1.1.2 in Factory OBS-URL: https://build.opensuse.org/request/show/894668 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ocserv?expand=0&rev=16
2021-06-09 19:51:54 +00:00 · 2021-06-09 19:51:54 +00:00 · 1c6b53f1e7
commit 1c6b53f1e7
parent a3ebb9897d 08902fbc93
8 changed files with 76 additions and 37 deletions
--- a/ocserv-1.1.0.tar.xz
+++ b/ocserv-1.1.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a3fafe847b08bdec5a9acd72e698dfd77ce9799cb19146677526e6794b94a779
-size 806964
--- a/ocserv-1.1.0.tar.xz.sig
+++ b/ocserv-1.1.0.tar.xz.sig
--- a/ocserv-1.1.2.tar.xz
+++ b/ocserv-1.1.2.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd
+size 824924
--- a/ocserv-1.1.2.tar.xz.sig
+++ b/ocserv-1.1.2.tar.xz.sig
--- a/ocserv-enable-systemd.patch
+++ b/ocserv-enable-systemd.patch
@ -1,8 +1,8 @@
-Index: ocserv-0.10.5/configure.ac
-===================================================================
--- ocserv-0.10.5.orig/configure.ac
-+++ ocserv-0.10.5/configure.ac
-@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd,
+diff --git a/configure.ac b/configure.ac
+index 2e4a0e8..81ac3bd 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -423,11 +423,7 @@ AC_ARG_ENABLE(systemd,
 
 if [ test "$systemd_enabled" = "yes" ];then
 AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], [sd_listen_fds(0);])
@ -13,4 +13,4 @@ Index: ocserv-0.10.5/configure.ac
 - fi
 fi
 
- AC_ARG_ENABLE(anyconnect-compat,
+ AC_ARG_ENABLE(namespaces,
--- a/ocserv.changes
+++ b/ocserv.changes
@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Mon Dec  7 15:32:12 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.1.2
+  * Allow setup of new DTLS session concurrent with old session.
+  * Fixed an infinite loop on sec-mod crash when server-drain-ms
+    is set.
+  * Don't apply BanIP checks to clients on the same subnet.
+  * Don't attempt TLS if the client closes the connection with
+    zero data sent.
+  * Increased the maximum configuration line; this allows banner
+    messages longer than 200 characters.
+  * Removed the listen-clear-file config option. This option was
+    incompatible with several clients, and thus is unusable for a
+    generic server.
+
+-------------------------------------------------------------------
+Mon Sep 21 15:27:14 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.1.1:
+  * Improved rate-limit-ms and made it dependent on secmod backlog.
+    This makes the server more resilient (and prevents connection
+    failures) on multiple concurrent connections
+  - Added namespace support for listen address by introducing the
+    listen-netns option.
+  - Disable TLS1.3 when cisco client compatibility is enabled. New
+    anyconnect clients seem to supporting TLS1.3 but are unable to
+     handle a client with an RSA key.
+  - Enable a race free user disconnection via occtl.
+  - Added the config option of a pre-login-banner.
+  - Ocserv siwtched to using multiple ocserv-sm processes to
+    improve scale, with the number of ocserv-sm process dependent
+    on maximum clients and number of CPUs. Configuration option
+    sec-mod-scale can be used to override the heuristics.
+  - Fixed issue with group selection on radius servers sending
+    multiple group class attribute.
+- Update patch:
+  * ocserv-enable-systemd.patch
+  * ocserv.config.patch
+
 -------------------------------------------------------------------
 Wed Aug 19 10:46:22 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>

--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@ -1,7 +1,7 @@
-Index: ocserv-0.12.0/doc/sample.config
-===================================================================
--- ocserv-0.12.0.orig/doc/sample.config
-+++ ocserv-0.12.0/doc/sample.config
+diff --git a/doc/sample.config b/doc/sample.config
+index 6a677c9..1cd1d96 100644
+--- a/doc/sample.config
+++ b/doc/sample.config
@@ -48,7 +48,7 @@
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
@ -11,8 +11,8 @@ Index: ocserv-0.12.0/doc/sample.config
 #auth = "certificate"
 #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
-@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
- #listen-host-is-dyndns = true
+@@ -90,8 +90,8 @@ auth = "plain[passwd=./sample.passwd]"
+ # listen-netns = "foo"
 
 # TCP and UDP port number
 -tcp-port = 443
@ -20,9 +20,9 @@ Index: ocserv-0.12.0/doc/sample.config
 +tcp-port = 9000
 +udp-port = 9001
 
- # Accept connections using a socket file. It accepts HTTP
- # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
+ # The user the worker processes will be run as. This should be a dedicated
+ # unprivileged user (e.g., 'ocserv') and no other services should run as this
+@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket
 
 #server-cert = /etc/ocserv/server-cert.pem
 #server-key = /etc/ocserv/server-key.pem
@ -33,7 +33,7 @@ Index: ocserv-0.12.0/doc/sample.config
 
 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
 # versions of GnuTLS for supporting DHE ciphersuites.
-@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
+@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem
 # client certificates (public keys) if certificate authentication
 # is set.
 #ca-cert = /etc/ocserv/ca.pem
@ -42,25 +42,25 @@ Index: ocserv-0.12.0/doc/sample.config
 
 
 ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
+@@ -174,7 +174,7 @@ ca-cert = ../tests/certs/ca.pem
 # the isolation was tested at. If you get random failures on worker processes, try
 # disabling that option and report the failures you, along with system and debugging
 # information at: https://gitlab.com/ocserv/ocserv/issues
 -isolate-workers = true
 +isolate-workers = false
 
- # A banner to be displayed on clients
+ # A banner to be displayed on clients after connection
 #banner = "Welcome"
-@@ -243,7 +243,7 @@ mobile-dpd = 1800
+@@ -242,7 +242,7 @@ mobile-dpd = 1800
 switch-to-tcp-timeout = 25
 
 # MTU discovery (DPD must be enabled)
 -try-mtu-discovery = false
 +try-mtu-discovery = true
 
- # If you have a certificate from a CA that provides an OCSP
- # service you may provide a fresh OCSP status response within
-@@ -407,8 +407,8 @@ rekey-method = ssl
+ # To enable load-balancer connection draining, set server-drain-ms to a value
+ # higher than your load-balancer health probe interval.
+@@ -412,8 +412,8 @@ rekey-method = ssl
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
 # output from the tun device, and the duration of the session in seconds.
 
@ -69,9 +69,9 @@ Index: ocserv-0.12.0/doc/sample.config
 +#connect-script = /usr/bin/ocserv-script
 +#disconnect-script = /usr/bin/ocserv-script
 
- # UTMP
- # Register the connected clients to utmp. This will allow viewing
-@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
+ # This script is to be called when the client's advertised hostname becomes
+ # available. It will contain REASON with "host-update" value and the
+@@ -491,7 +491,8 @@ ipv4-netmask = 255.255.255.0
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
@ -81,7 +81,7 @@ Index: ocserv-0.12.0/doc/sample.config
 
 # The NBNS server (if any)
 #nbns = 192.168.1.3
-@@ -517,8 +518,8 @@ ping-leases = false
+@@ -530,8 +531,8 @@ ping-leases = false
 # comment out all routes from the server, or use the special keyword
 # 'default'.
 
@ -92,7 +92,7 @@ Index: ocserv-0.12.0/doc/sample.config
 #route = fef4:db8:1000:1001::/64
 #route = default
 
-@@ -682,18 +683,18 @@ dtls-legacy = true
+@@ -698,18 +699,18 @@ dtls-legacy = true
 # An example virtual host with different authentication methods serviced
 # by this server.
 
@ -119,11 +119,10 @@ Index: ocserv-0.12.0/doc/sample.config
 
 -cert-user-oid = 0.9.2342.19200300.100.1.1
 +#cert-user-oid = 0.9.2342.19200300.100.1.1
- 
-Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
-===================================================================
--- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
+diff --git a/doc/systemd/socket-activated/ocserv.socket b/doc/systemd/socket-activated/ocserv.socket
+index 9444f19..a0ac362 100644
+--- a/doc/systemd/socket-activated/ocserv.socket
+++ b/doc/systemd/socket-activated/ocserv.socket
@@ -2,8 +2,8 @@
 Description=OpenConnect SSL VPN server Socket
 
--- a/ocserv.spec
+++ b/ocserv.spec
@ -17,7 +17,7 @@


 Name:           ocserv
-Version:        1.1.0
+Version:        1.1.2
 Release:        0
 Summary:        OpenConnect VPN Server
 License:        GPL-2.0-only
@ -144,7 +144,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd

 %files
 %defattr(-,root,root)
-%doc AUTHORS NEWS README.md TODO
+%doc AUTHORS NEWS README.md
 %license COPYING LICENSE
 %config %{_sysconfdir}/ocserv
 %config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf