- Update to version 1.1.3
* No longer close stdin and stdout on worker processes as they
are already closed in main process.
* Advertise X-CSTP-Session-Timeout.
* No longer recommend building with system's libpcl but rather
the bundled one, as it is not a very common shared library.
* Corrected busyloop on failed DTLS handshakes.
* Emit OWASP best practice headers for HTTP.
OBS-URL: https://build.opensuse.org/request/show/897666
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=39
- Update to version 1.1.2
* Allow setup of new DTLS session concurrent with old session.
* Fixed an infinite loop on sec-mod crash when server-drain-ms
is set.
* Don't apply BanIP checks to clients on the same subnet.
* Don't attempt TLS if the client closes the connection with
zero data sent.
* Increased the maximum configuration line; this allows banner
messages longer than 200 characters.
* Removed the listen-clear-file config option. This option was
incompatible with several clients, and thus is unusable for a
generic server.
- Update to version 1.1.1:
* Improved rate-limit-ms and made it dependent on secmod backlog.
This makes the server more resilient (and prevents connection
failures) on multiple concurrent connections
- Added namespace support for listen address by introducing the
listen-netns option.
- Disable TLS1.3 when cisco client compatibility is enabled. New
anyconnect clients seem to support TLS1.3 but are unable to
handle a client with an RSA key.
- Enable a race free user disconnection via occtl.
- Added the config option of a pre-login-banner.
- Ocserv switched to using multiple ocserv-sm processes to
improve scale, with the number of ocserv-sm processes dependent
on maximum clients and number of CPUs. Configuration option
sec-mod-scale can be used to override the heuristics.
- Fixed issue with group selection on radius servers sending
multiple group class attributes.
OBS-URL: https://build.opensuse.org/request/show/853618
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=37
- Update to version 1.1.0:
* Switch from fork to fork/exec model to achieve better scaling
and ASLR protection. This introduces an ocserv-worker application
which should be installed at the same path as ocserv (#285).
* When Linux OOM takes control kill ocserv workers before
ocserv-main or ocserv-secmod (#283).
* Disable TCP queuing on the TLS port.
* Fix leak of GnuTLS session when DTLS connection is
re-established (#293).
- Verify source with keyring before build.
OBS-URL: https://build.opensuse.org/request/show/818634
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=31
- Add signature and keyring for source verification
- Build with support for maxminddb
- Build with support for OATH
- Update to version 1.0.1
* Prevent clients that use broken versions of gnutls from
connecting using DTLS.
* occtl: added machine-readable fields in json output.
* occtl: IPs in ban list value is now reflecting the actual
banned IPs rather than the database size.
- Update to version 1.0.0
* Avoid crash on invalid configuration values.
* Updated manpage generation to work with newer versions of ronn.
* Ensure scripts have all the information on all disconnection
types.
* Several updates to further restrict the control that worker
processes have on the main process.
* Add support for RFC6750 bearer tokens. This adds the "auth=oidc"
config option. See doc/README-oidc.md for more information.
* Add USER_AGENT, DEVICE_TYPE and DEVICE_PLATFORM environment
variables when connect/disconnect scripts execute.
* Corrected issue with DTLS-PSK negotiation which prevented it
from being enabled.
* Improved IPv6 handling of AnyConnect client for Apple iOS.
* Fixed issue with Radius accounting.
- Update to version 0.12.6
* Improved IPv6 support for anyconnect clients.
* The 'split-dns' configuration directive can be used per-user.
* The max-same-clients=1 configuration option no longer refuses
the reconnection of an already connected user.
* Added openat() to the accepted list of seccomp calls. This
OBS-URL: https://build.opensuse.org/request/show/796111
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=30
- Update to version 0.12.0
* Allow DTLS stream to come from a different IP than the TLS stream. There are situations where internet providers send the UDP stream from a different IP.
* Increased possibilities of allowed combinations of authentication methods.
* Corrected regression since 0.11.8 with OTP authentication.
* Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
* Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
* Correctly handle proxy-protocol's health commands. That eliminates a few connection drops when proxy protocol is in use.
* Corrected crash on certain cases when proxy protocol is in use.
- Update ocserv.config.patch due to upstream changes
OBS-URL: https://build.opensuse.org/request/show/606481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=18