forked from pool/ocserv
c9af49cb23
- Update to version 1.1.0: * Switch from fork to fork/exec model to achieve better scaling and ASLR protection. This introduces an ocserv-worker application which should be installed at the same path as ocserv (#285). * When Linux OOM takes control kill ocserv workers before ocserv-main or ocserv-secmod (#283). * Disable TCP queuing on the TLS port. * Fix leak of GnuTLS session when DTLS connection is re-established (#293). - Verify source with keyring before build. OBS-URL: https://build.opensuse.org/request/show/818634 OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=31
331 lines
15 KiB
Plaintext
331 lines
15 KiB
Plaintext
-------------------------------------------------------------------
|
||
Fri Jul 3 17:34:58 UTC 2020 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 1.1.0:
|
||
* Switch from fork to fork/exec model to achieve better scaling
|
||
and ASLR protection. This introduces an ocserv-worker application
|
||
which should be installed at the same path as ocserv (#285).
|
||
* When Linux OOM takes control kill ocserv workers before
|
||
ocserv-main or ocserv-secmod (#283).
|
||
* Disable TCP queuing on the TLS port.
|
||
* Fix leak of GnuTLS session when DTLS connection is
|
||
re-established (#293).
|
||
- Verify source with keyring before build.
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 21 17:20:49 UTC 2020 - Martin Hauke <mardnh@gmx.de>
|
||
|
||
- Add signature and keyring for source verification
|
||
- Build with support for maxminddb
|
||
- Build with support for OATH
|
||
- Update to version 1.0.1
|
||
* Prevent clients that use broken versions of gnutls from
|
||
connecting using DTLS.
|
||
* occtl: added machine-readable fields in json output.
|
||
* occtl: IPs in ban list value is now reflecting the actual
|
||
banned IPs rather than the database size.
|
||
- Update to version 1.0.0
|
||
* Avoid crash on invalid configuration values.
|
||
* Updated manpage generation to work with newer versions of ronn.
|
||
* Ensure scripts have all the information on all disconnection
|
||
types.
|
||
* Several updates to further restrict the control that worker
|
||
processes have on the main process.
|
||
* Add support for RFC6750 bearer tokens. This adds the "auth=oidc"
|
||
config option. See doc/README-oidc.md for more information.
|
||
* Add USER_AGENT, DEVICE_TYPE and DEVICE_PLATFORM environment
|
||
variables when connect/disconnect scripts execute.
|
||
* Corrected issue with DTLS-PSK negotiation which prevented it
|
||
from being enabled.
|
||
* Improved IPv6 handling of AnyConnect client for Apple ios.
|
||
* Fixed issue with Radius accounting.
|
||
- Update to version 0.12.6
|
||
* Improved IPv6 support for anyconnect clients.
|
||
* The 'split-dns' configuration directive can be used per-user.
|
||
* The max-same-clients=1 configuration option no longer refuses
|
||
the reconnection of an already connected user.
|
||
* Added openat() to the accepted list of seccomp calls. This
|
||
allows ocserv to run under certain libcs.
|
||
- Update to version 0.12.5
|
||
* Added configuration option udp-listen-host. This option
|
||
supports different listen addresses for tcp and udp such as
|
||
haproxy for tcp, but support dtls at the same time.
|
||
* occtl: fixed json output of show status command. Introduced
|
||
tests for checking its json output using yajl.
|
||
* occtl: use maxminddb when available.
|
||
- Update to version 0.12.4
|
||
* Added support for radius access-challenge (multifactor)
|
||
authentication.
|
||
* Fixed race condition when connect-script and disconnect-script
|
||
are set, which could potentially cause a crash.
|
||
* Perform quicker cleanup of sessions which their user explicitly
|
||
disconnected.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Dec 19 14:56:10 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
|
||
|
||
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
|
||
Allow OBS to shortcut through the -mini flavors.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Jul 24 13:28:00 UTC 2019 - matthias.gerstner@suse.com
|
||
|
||
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
|
||
firewalld, see [1].
|
||
|
||
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Apr 23 09:08:03 UTC 2019 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 0.12.3:
|
||
* Fixed crash when no DTLS ciphersuite is negotiated.
|
||
* Fixed crash happening arbitrarily depending on handled string
|
||
sizes (#197).
|
||
* Fixed compatibility issue with GnuTLS 3.3.x (#201).
|
||
* occtl: print the TLS session information, even if the DTLS
|
||
channel is not established.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Jan 25 14:54:35 UTC 2019 - Michael Du <duyizhaozj321@yahoo.com>
|
||
|
||
- Update to version 0.12.2:
|
||
* Added support for AES256-SHA legacy cipher. This allows the
|
||
anyconnect clients to use AES256.
|
||
* Added support for the DTLS1.2 protocol hack used by new
|
||
Anyconnect clients.
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 17 10:48:43 UTC 2018 - duyizhaozj321@yahoo.com
|
||
|
||
- Update to version 0.12.1:
|
||
* Fixed crash on initialization when server was running on background
|
||
* Work around issues with GnuTLS 3.4.x on ubuntu 16.04, at the cost of a memory leak on key reload
|
||
|
||
-------------------------------------------------------------------
|
||
Fri May 11 08:08:54 UTC 2018 - duyizhaozj321@yahoo.com
|
||
|
||
- Update to version 0.12.0
|
||
* Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
|
||
* Increased possibilities of allowed combinations of authentication methods.
|
||
* Corrected regression since 0.11.8 with OTP authentication.
|
||
* Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
|
||
* Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
|
||
* Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
|
||
* Corrected crash on certain cases when proxy protocol is in use.
|
||
- Update ocserv.config.patch due to upstream changes
|
||
|
||
-------------------------------------------------------------------
|
||
Tue Feb 27 02:50:33 UTC 2018 - i@marguerite.su
|
||
|
||
- add firewalld service
|
||
|
||
-------------------------------------------------------------------
|
||
Sat Feb 24 05:43:55 UTC 2018 - i@marguerite.su
|
||
|
||
- update version 0.11.10
|
||
* see NEWS
|
||
- drop boo1021353-ocserv-doc-racing-in-parallel-build.patch
|
||
* upstreamed
|
||
- add ocserv-LZ4_compress_default.patch
|
||
* leap doesn't have LZ4_compress_default
|
||
|
||
-------------------------------------------------------------------
|
||
Thu May 11 08:35:51 UTC 2017 - dimstar@opensuse.org
|
||
|
||
- Use readline (current) instead of readline5:
|
||
+ Replace readline5-devel BuildRequires with readline-devel.
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jan 23 16:35:52 UTC 2017 - i@marguerite.su
|
||
|
||
- fix boo#1021353: ocserv randomly misbuilds man pages
|
||
- add patch: boo1021353-ocserv-doc-racing-in-parallel-build.patch
|
||
* occtl and ocpasswd are both built from args.def, which
|
||
will cause a racing problem in parallel builds that autogen
|
||
write contents randomly. fixed by adding a prefix to make
|
||
them different in filename.
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Dec 21 10:59:26 UTC 2016 - i@marguerite.su
|
||
|
||
- update version 0.11.6
|
||
* cserv: Improved detection of mobile clients
|
||
* ocserv: Update the worker's ID on Radius accounting messages.
|
||
That is, even if we initially advertize the ID of the worker
|
||
handling the client as NAS-Port, the client may eventually end-up
|
||
being served by another process with different ID. In that case we make
|
||
sure that the radius server is notified on the next accounting message.
|
||
If you are using radius see doc/README.radius.md about NAS-Port, since
|
||
that behavior may cause issues in freeradius installations.
|
||
* ocserv: Added config option 'switch-to-tcp-timeout'. That allows an
|
||
automatic switch to TCP in case of no received UDP traffic for
|
||
certain time
|
||
* ocserv: Pre-load the OCSP response file; that way worker processes can
|
||
serve it, even if they have no access to it.
|
||
* ocserv: When compiled with GnuTLS 3.5.6 automatically set DH
|
||
parameters from the known set.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 12 14:10:54 UTC 2016 - i@marguerite.su
|
||
|
||
- update version 0.10.11
|
||
* Corrected the reporting of keepalive to occtl.
|
||
* Handle clients which send the first request to /VPN
|
||
* Prevent a crash in per-user config dir is not available if
|
||
expose-iroutes is set to true.
|
||
- update license: GPL-2.0
|
||
- open ports using ocserv.SuSEfirewall
|
||
- enable ip forwarding using ocserv.sysctl
|
||
|
||
-------------------------------------------------------------------
|
||
Thu Jan 7 16:08:58 UTC 2016 - i@marguerite.su
|
||
|
||
- update version 0.10.10
|
||
* Increase the number of log messages logged in the default level.
|
||
That is added messages that could be of use to administrators.
|
||
* Introduced ipv6-subnet-prefix config option. That option allows
|
||
to specify the IPv6 subnet prefix to be given to client. That is,
|
||
allow providing the clients networks larger than /128. The default
|
||
setting is 128 to keep backwards compatibility.
|
||
* Introduced the expose-iroutes config option. That option allows
|
||
the server to advertise routes offered by some clients to all of
|
||
them. This requires the config-per-user option.
|
||
* When a client has assigned iroutes which cannot be applied, he
|
||
will be denied access.
|
||
* Added restrict-user-to-routes configuration option which will
|
||
execute ocserv-fw script on user connection. The script will
|
||
set firewall rules which deny the user access to any other
|
||
networks than the routes set for the user. This is added as a
|
||
tech preview; details of this option may change on later releases.
|
||
* When banning IPv6 addresses treat a /64 network as a single address.
|
||
* Fixed conflict with isolate-workers and user-profile.
|
||
* occtl: Allow disabling the pager functionality on compile time
|
||
using --with-pager="".
|
||
|
||
-------------------------------------------------------------------
|
||
Wed Oct 21 11:34:00 UTC 2015 - i@marguerite.su
|
||
|
||
- update version 0.10.9
|
||
* When compiled with GnuTLS 3.4 automatically sort the certificate
|
||
list to be imported
|
||
* Reload the CRL during periodic maintaince if its modification
|
||
time changes
|
||
* Address issue with duplicate check failing on IPv6 addresses
|
||
* Added the ability to specify a UsersFile in plain auth for using
|
||
an OTP
|
||
This allows to use an OTP 2nd factor authentication without having
|
||
to rely on PAM. This change, also enables the usage of an empty
|
||
password field in the password file if an OTP file is present
|
||
* Allow loading DER-encoded CRLs
|
||
* Re-added the PAM accounting method. That accounting method can
|
||
be combined with any authentication method, and can be used to
|
||
check for a valid system account
|
||
- changes in 0.10.8
|
||
* Pass the proxy protocol information at earlier stage to main
|
||
process, to allow the correct information to be passed at the
|
||
connect script and occtl
|
||
* Added the IP_REAL_LOCAL environment variable to scripts. This
|
||
passes the local IP the client connected to
|
||
* The PAM accounting method was dropped as there was no practical
|
||
usage of it, the way it was implemented
|
||
* When assigning IPv6 addresses use the whole available netmask
|
||
* occtl: Print the local IP the client connected to, with the
|
||
client information
|
||
* occtl: Print the configured for the client split-dns domains
|
||
- changes in 0.10.7
|
||
* Added a fuzzying factor to CPU intensive, or radius communication
|
||
tasks when initiated by worker process. That avoids a very
|
||
high load periodically, e.g., when multiple clients connect
|
||
at the same time
|
||
* Added support for haproxy's protocol v2 format. That allows
|
||
to report the correct client IP even on proxied sessions.
|
||
It introduces the configuration option listen-proxy-proto
|
||
* occtl: added -n/--no-pager option. That allows to disable
|
||
pager explicitly
|
||
* occtl: fixed several cases of invalid JSON output
|
||
- changes in 0.10.6
|
||
* Transmit packets to the last incoming source, allowing faster
|
||
switch of the communication channel
|
||
* The worker processes will utilize the UDP socket address
|
||
(if any), when reporting peer's address if the listen-clear-file
|
||
option is set
|
||
* Lifted the limit on the number of configuration options. That
|
||
allows to add an "unlimited" number of 'route' options
|
||
* Support encrypted key files. That adds the key-pin and srk-pin
|
||
configuration options
|
||
* The dbus communication option has been dropped
|
||
* Radius: depend on radcli radius library
|
||
* occtl: added -j/--json option. That allows to output in a
|
||
JSON format
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Jun 8 13:51:18 UTC 2015 - i@marguerite.su
|
||
|
||
- set isolated-workers to false since we didn't build w/ seccomp yet
|
||
- change systemd socket ports as well
|
||
|
||
-------------------------------------------------------------------
|
||
Sun Jun 7 04:47:47 UTC 2015 - i@marguerite.su
|
||
|
||
- update version 0.10.5
|
||
* Added tgt-freshness-time option for gssapi/Kerberos authentication
|
||
option. That allows to specify the maximum number of seconds after
|
||
which a reauthentication with Kerberos is required to login to VPN.
|
||
* main/sec-mod: impose long timeouts on reads from sec-mod. That
|
||
would prevent issues when reading in a blocked in authentication
|
||
sec-mod.
|
||
* radius: When using radius accounting with certificate
|
||
authentication, properly notify of user session termination.
|
||
* radius: On definitely terminated sessions contact the radius server
|
||
as soon as possible. For sessions that can still be resumed the
|
||
radius server is contacted periodically after the cookies expire.
|
||
* radius: consider Acct-Interim-Interval when seen by the server.
|
||
That will be taken into account if groupconfig=true in radius
|
||
subconfig.
|
||
* Added configuration options persistent-cookies and session-timeout.
|
||
* radius: added support for Route-IPv6-Information,
|
||
Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address,
|
||
Session-Timeout.
|
||
* Corrected desync of main and sec-mod by introducing a synchronous
|
||
communication socket. Reported by Mani Behrouz.
|
||
* PAM: forward the actual prompt to worker process, and not only
|
||
informational messages.
|
||
- drop ocserv-str_init.patch, upstream fixed.
|
||
|
||
-------------------------------------------------------------------
|
||
Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su
|
||
|
||
- add user.tmpl, for certificate login
|
||
- tweak default config more
|
||
- add README.SUSE as setup instructions
|
||
|
||
-------------------------------------------------------------------
|
||
Mon Feb 2 10:04:45 UTC 2015 - i@marguerite.su
|
||
|
||
- initial version 0.9.0.1
|
||
* Added native support for radius. That adds the new auth
|
||
configuration option "radius", which has as parameters
|
||
the freeradius-client configuration file and optionally
|
||
the groupconfig option which instructs to read
|
||
configuration from radius; the stats-report-time option
|
||
enables interim-updates. That adds the dependency to
|
||
freeradius-client (see doc/README.radius).
|
||
* Reply using the same address that received UDP packets
|
||
are sent.
|
||
* Simplify the input of IPv6 network addresses.
|
||
* Use a separate IPC and PID namespace in Linux systems
|
||
for worker processes. That effectively puts each worker
|
||
process in a separate container. This can be enabled at
|
||
compile time using --enable-linux-namespaces.
|
||
* Configuration option 'use-seccomp' was replaced by
|
||
'isolate-workers', which in addition to seccomp it enables
|
||
the Linux namespaces restrictions.
|
||
* Added support for stateless compression using LZ4 and LZS.
|
||
This is disabled by default.
|
||
- disable dbus interface because currently it provides less
|
||
function than unix socket
|
||
- add patch: ocserv-str_init.patch
|
||
- add patch: ocserv-enable-systemd.patch
|
||
- add patch: ocserv.config.patch
|