Accepting request 1108560 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/1108560 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ocserv?expand=0&rev=21
2023-09-02 20:07:48 +00:00 · 2023-09-02 20:07:48 +00:00 · 7e76745268
commit 7e76745268
parent eaff1c7bee 2a734b5edd
7 changed files with 44 additions and 93 deletions
--- a/ocserv-1.1.6.tar.xz
+++ b/ocserv-1.1.6.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6a6cbe92212e32280426a51c634adc3d4803579dd049cfdb7e014714cc82c693
-size 839744
--- a/ocserv-1.1.6.tar.xz.sig
+++ b/ocserv-1.1.6.tar.xz.sig
--- a/ocserv-1.2.1.tar.xz
+++ b/ocserv-1.2.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de54473ba68d42a8469e434f541ae6b3cf3d98f0936ad0eadfa2c2484810d994
+size 749592
--- a/ocserv-1.2.1.tar.xz.sig
+++ b/ocserv-1.2.1.tar.xz.sig
--- a/ocserv.changes
+++ b/ocserv.changes
@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Tue Aug 29 12:37:56 UTC 2023 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 1.2.1
+  * Accept the Clavister OneConnect VPN Android client.
+  * No longer require to set device name per vhost.
+  * Account the correct number of points when proxyproto is in use
+  * nuttcp tests were replaced with iperf3 that is available
+    in more environments
+  * occtl: fix duplicate key in `occtl --json show users` output
+- Update to version 1.2.0
+  * Add support for Cisco Enterprise phones to authenticate via
+    the /svc endpoint and the 'cisco-svc-client-compat' config
+    option.
+  * Enhanced radius group support to enable radius servers send
+    multiple group class attributes
+    See doc/README-radius.md for more information.
+  * Enhanced the seccomp filters to open files related to FIPS
+    compliance on SuSe.
+  * Added "Camouflage" functionality that makes ocserv look like a
+    web server to unauthorized parties.
+  * Avoid login failure when the end point of server URI
+    contains a query string.
+  * Make sure we print proper JSON with `occtl --debug --json`
+  * Eliminated the need for using the gnulib portability library.
+- Update to version 1.1.7
+  * Emit a LOG_ERR error message with plain authentication fails
+  * The bundled inih was updated to r56.
+  * The bundled protobuf-c was updated to 1.4.1.
+  * Enhanced the seccomp filters for ARMv7 compatibility and musl
+    libc
+  * HTTP headers always capitalised as in RFC 9110
+
 -------------------------------------------------------------------
 Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>

--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@ -1,5 +1,5 @@
 diff --git a/doc/sample.config b/doc/sample.config
-index 0e33484f..60ab3e93 100644
+index 4c8c8c6..7a4697f 100644
 --- a/doc/sample.config
 +++ b/doc/sample.config
@@ -48,7 +48,7 @@
@ -22,18 +22,19 @@ index 0e33484f..60ab3e93 100644
 
 # The user the worker processes will be run as. This should be a dedicated
 # unprivileged user (e.g., 'ocserv') and no other services should run as this
-@@ -126,8 +126,8 @@ socket-file = /var/run/ocserv-socket
+@@ -126,9 +126,8 @@ socket-file = /var/run/ocserv-socket
 
 #server-cert = /etc/ocserv/server-cert.pem
 #server-key = /etc/ocserv/server-key.pem
 -server-cert = ../tests/certs/server-cert.pem
 -server-key = ../tests/certs/server-key.pem
+-
 +server-cert = /etc/ocserv/certificates/server-cert.pem
 +server-key = /etc/ocserv/certificates/server-key.pem
- 
 # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
 # versions of GnuTLS for supporting DHE ciphersuites.
-@@ -154,7 +154,7 @@ server-key = ../tests/certs/server-key.pem
+ # Can be generated using:
+@@ -154,7 +153,7 @@ server-key = ../tests/certs/server-key.pem
 # client certificates (public keys) if certificate authentication
 # is set.
 #ca-cert = /etc/ocserv/ca.pem
@ -42,16 +43,7 @@ index 0e33484f..60ab3e93 100644
 
 # The number of sub-processes to use for the security module (authentication)
 # processes. Typically this should not be set as the number of processes
-@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
- # the isolation was tested at. If you get random failures on worker processes, try
- # disabling that option and report the failures you, along with system and debugging
- # information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-+isolate-workers = false
- 
- # A banner to be displayed on clients after connection
- #banner = "Welcome"
-@@ -249,7 +249,7 @@ mobile-dpd = 1800
+@@ -249,7 +248,7 @@ mobile-dpd = 1800
 switch-to-tcp-timeout = 25
 
 # MTU discovery (DPD must be enabled)
@ -60,77 +52,3 @@ index 0e33484f..60ab3e93 100644
 
 # To enable load-balancer connection draining, set server-drain-ms to a value
 # higher than your load-balancer health probe interval.
-@@ -415,8 +415,8 @@ rekey-method = ssl
- # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
- # output from the tun device, and the duration of the session in seconds.
- 
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
-+#connect-script = /usr/bin/ocserv-script
-+#disconnect-script = /usr/bin/ocserv-script
- 
- # This script is to be called when the client's advertised hostname becomes
- # available. It will contain REASON with "host-update" value and the
-@@ -506,7 +506,8 @@ ipv4-netmask = 255.255.255.0
- # The advertised DNS server. Use multiple lines for
- # multiple servers.
- # dns = fc00::4be0
-dns = 192.168.1.2
-+dns = 8.8.8.8
-+dns = 8.8.4.4
- 
- # The NBNS server (if any)
- #nbns = 192.168.1.3
-@@ -545,8 +546,8 @@ ping-leases = false
- # comment out all routes from the server, or use the special keyword
- # 'default'.
- 
-route = 10.10.10.0/255.255.255.0
-route = 192.168.0.0/255.255.0.0
-+#route = 10.10.10.0/255.255.255.0
-+#route = 192.168.0.0/255.255.0.0
- #route = fef4:db8:1000:1001::/64
- #route = default
- 
-@@ -719,18 +720,18 @@ client-bypass-protocol = false
- # An example virtual host with different authentication methods serviced
- # by this server.
- 
-[vhost:www.example.com]
-auth = "certificate"
-+#[vhost:www.example.com]
-+#auth = "certificate"
- 
-ca-cert = ../tests/certs/ca.pem
-+#ca-cert = ../tests/certs/ca.pem
- 
- # The certificate set here must include a 'dns_name' corresponding to
- # the virtual host name.
- 
-server-cert = ../tests/certs/server-cert-secp521r1.pem
-server-key = ../tests/certs/server-key-secp521r1.pem
-+#server-cert = ../tests/certs/server-cert-secp521r1.pem
-+#server-key = ../tests/certs/server-key-secp521r1.pem
- 
-ipv4-network = 192.168.2.0
-ipv4-netmask = 255.255.255.0
-+#ipv4-network = 192.168.2.0
-+#ipv4-netmask = 255.255.255.0
- 
-cert-user-oid = 0.9.2342.19200300.100.1.1
-+#cert-user-oid = 0.9.2342.19200300.100.1.1
-diff --git a/doc/systemd/socket-activated/ocserv.socket b/doc/systemd/socket-activated/ocserv.socket
-index 9444f190..a0ac362a 100644
--- a/doc/systemd/socket-activated/ocserv.socket
-+++ b/doc/systemd/socket-activated/ocserv.socket
-@@ -2,8 +2,8 @@
- Description=OpenConnect SSL VPN server Socket
- 
- [Socket]
-ListenStream=443
-ListenDatagram=443
-+ListenStream=9000
-+ListenDatagram=9001
- BindIPv6Only=default
- Accept=false
- ReusePort=true
--- a/ocserv.spec
+++ b/ocserv.spec
@ -17,7 +17,7 @@


 Name:           ocserv
-Version:        1.1.6
+Version:        1.2.1
 Release:        0
 Summary:        OpenConnect VPN Server
 License:        GPL-2.0-only
@ -149,7 +149,7 @@ sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' %
 %files
 %defattr(-,root,root)
 %doc AUTHORS NEWS README.md
-%license COPYING LICENSE
+%license COPYING
 %config %{_sysconfdir}/ocserv
 %if 0%{suse_version} >= 1500
 %dir %{_prefix}/lib/firewalld