- Update to version 1.2.1
* Accept the Clavister OneConnect VPN Android client.
* No longer require to set device name per vhost.
* Account the correct number of points when proxyproto is in use
* nuttcp tests were replaced with iperf3 that is available
in more environments
* occtl: fix duplicate key in `occtl --json show users` output
- Update to version 1.2.0
* Add support for Cisco Enterprise phones to authenticate via
the /svc endpoint and the 'cisco-svc-client-compat' config
option.
* Enhanced radius group support to enable radius servers send
multiple group class attributes
See doc/README-radius.md for more information.
* Enhanced the seccomp filters to open files related to FIPS
compliance on SuSe.
* Added "Camouflage" functionality that makes ocserv look like a
web server to unauthorized parties.
* Avoid login failure when the end point of server URI
contains a query string.
* Make sure we print proper JSON with `occtl --debug --json`
* Eliminated the need for using the gnulib portability library.
- Update to version 1.1.7
* Emit a LOG_ERR error message with plain authentication fails
* The bundled inih was updated to r56.
* The bundled protobuf-c was updated to 1.4.1.
* Enhanced the seccomp filters for ARMv7 compatibility and musl
libc
* HTTP headers always capitalised as in RFC 9110
OBS-URL: https://build.opensuse.org/request/show/1107938
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=47
- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
installed into /etc by a more tailored mechanism. Enabling IP routing
globally and permanently, just because the package is installed is quite
invasive. This new script will be invoked before and after the ocserv
service to switch on and off forwarding, if necessary (bsc#1174722).
OBS-URL: https://build.opensuse.org/request/show/1059390
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=45
- Update to version 1.1.6
* Fixed compatibility with clients on Windows ARM64.
* Added futex() to the accepted list of seccomp.
It is required by Fedora 36’s libc.
* Work around change of returned error code in GnuTLS 3.7.3
for gnutls_privkey_import_x509_raw().
- Changes in version 1.1.5
* Fixed manpage output.
- Changes in version 1.1.4
* Added newfstatat() and epoll_pwait() to the accepted list of
seccomp calls. This improves compatibility with certain libcs
and aarch64.
* Do not allow assigning the same IPv6 as tun device address and
to the client. This allows using /127 as prefix (#430).
OBS-URL: https://build.opensuse.org/request/show/995041
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=43
- Update to version 1.1.3
* No longer close stdin and stdout on worker processes as they
are already closed in main process.
* Advertise X-CSTP-Session-Timeout.
* No longer recommend building with system's libpcl but rather
the bundled as it is not a very common shared library.
* Corrected busyloop on failed DTLS handshakes.
* Emit OWASP best practice headers for HTTP.
OBS-URL: https://build.opensuse.org/request/show/897666
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=39
- Update to version 1.1.2
* Allow setup of new DTLS session concurrent with old session.
* Fixed an infinite loop on sec-mod crash when server-drain-ms
is set.
* Don't apply BanIP checks to clients on the same subnet.
* Don't attempt TLS if the client closes the connection with
zero data sent.
* Increased the maximum configuration line; this allows banner
messages longer than 200 characters.
* Removed the listen-clear-file config option. This option was
incompatible with several clients, and thus is unusable for a
generic server.
- Update to version 1.1.1:
* Improved rate-limit-ms and made it dependent on secmod backlog.
This makes the server more resilient (and prevents connection
failures) on multiple concurrent connections
- Added namespace support for listen address by introducing the
listen-netns option.
- Disable TLS1.3 when cisco client compatibility is enabled. New
anyconnect clients seem to supporting TLS1.3 but are unable to
handle a client with an RSA key.
- Enable a race free user disconnection via occtl.
- Added the config option of a pre-login-banner.
- Ocserv siwtched to using multiple ocserv-sm processes to
improve scale, with the number of ocserv-sm process dependent
on maximum clients and number of CPUs. Configuration option
sec-mod-scale can be used to override the heuristics.
- Fixed issue with group selection on radius servers sending
multiple group class attribute.
OBS-URL: https://build.opensuse.org/request/show/853618
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=37
- Update to version 1.1.0:
* Switch from fork to fork/exec model to achieve better scaling
and ASLR protection. This introduces an ocserv-worker application
which should be installed at the same path as ocserv (#285).
* When Linux OOM takes control kill ocserv workers before
ocserv-main or ocserv-secmod (#283).
* Disable TCP queuing on the TLS port.
* Fix leak of GnuTLS session when DTLS connection is
re-established (#293).
- Verify source with keyring before build.
OBS-URL: https://build.opensuse.org/request/show/818634
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=31
- Add signature and keyring for source verification
- Build with support for maxminddb
- Build with support for OATH
- Update to version 1.0.1
* Prevent clients that use broken versions of gnutls from
connecting using DTLS.
* occtl: added machine-readable fields in json output.
* occtl: IPs in ban list value is now reflecting the actual
banned IPs rather than the database size.
- Update to version 1.0.0
* Avoid crash on invalid configuration values.
* Updated manpage generation to work with newer versions of ronn.
* Ensure scripts have all the information on all disconnection
types.
* Several updates to further restrict the control that worker
processes have on the main process.
* Add support for RFC6750 bearer tokens. This adds the "auth=oidc"
config option. See doc/README-oidc.md for more information.
* Add USER_AGENT, DEVICE_TYPE and DEVICE_PLATFORM environment
variables when connect/disconnect scripts execute.
* Corrected issue with DTLS-PSK negotiation which prevented it
from being enabled.
* Improved IPv6 handling of AnyConnect client for Apple ios.
* Fixed issue with Radius accounting.
- Update to version 0.12.6
* Improved IPv6 support for anyconnect clients.
* The 'split-dns' configuration directive can be used per-user.
* The max-same-clients=1 configuration option no longer refuses
the reconnection of an already connected user.
* Added openat() to the accepted list of seccomp calls. This
OBS-URL: https://build.opensuse.org/request/show/796111
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=30
- Update to version 0.12.0
* Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
* Increased possibilities of allowed combinations of authentication methods.
* Corrected regression since 0.11.8 with OTP authentication.
* Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
* Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
* Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
* Corrected crash on certain cases when proxy protocol is in use.
- Update ocserv.config.patch due to upstream changes
OBS-URL: https://build.opensuse.org/request/show/606481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=18