Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: ocserv | Distribution: SUSE Linux Enterprise 15 SP6 |
Version: 1.2.2 | Vendor: openSUSE |
Release: bp156.1.6 | Build date: Mon May 13 19:45:16 2024 |
Group: Productivity/Networking/Security | Build host: obs-power9-16 |
Size: 1390092 | Source RPM: ocserv-1.2.2-bp156.1.6.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: https://ocserv.gitlab.io/www/ | |
Summary: OpenConnect VPN Server |
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well. Ocserv's main features are security through privilege separation and sandboxing, accounting, and resilience due to a combined use of TCP and UDP. Authentication occurs in an isolated security module process, and each user is assigned an unprivileged worker process, and a networking (tun) device. That not only eases the control of the resources of each user or group of users, but also prevents data leak (e.g., heartbleed-style attacks), and privilege escalation due to any bug on the VPN handling (worker) process. A management interface allows for viewing and querying logged-in users.
GPL-2.0-only
* Mon Sep 25 2023 Martin Hauke <mardnh@gmx.de> - Update to version 1.2.2 * Fix session and accounting data tracking of ocserv. This reverts fix for #444 (#541) * No longer account ICMP and IGMP data for idle session detection - Update URL * Tue Aug 29 2023 Martin Hauke <mardnh@gmx.de> - Update to version 1.2.1 * Accept the Clavister OneConnect VPN Android client. * No longer require to set device name per vhost. * Account the correct number of points when proxyproto is in use * nuttcp tests were replaced with iperf3 that is available in more environments * occtl: fix duplicate key in `occtl --json show users` output - Update to version 1.2.0 * Add support for Cisco Enterprise phones to authenticate via the /svc endpoint and the 'cisco-svc-client-compat' config option. * Enhanced radius group support to enable radius servers send multiple group class attributes See doc/README-radius.md for more information. * Enhanced the seccomp filters to open files related to FIPS compliance on SuSe. * Added "Camouflage" functionality that makes ocserv look like a web server to unauthorized parties. * Avoid login failure when the end point of server URI contains a query string. * Make sure we print proper JSON with `occtl --debug --json` * Eliminated the need for using the gnulib portability library. - Update to version 1.1.7 * Emit a LOG_ERR error message with plain authentication fails * The bundled inih was updated to r56. * The bundled protobuf-c was updated to 1.4.1. * Enhanced the seccomp filters for ARMv7 compatibility and musl libc * HTTP headers always capitalised as in RFC 9110 * Wed Jan 18 2023 Matthias Gerstner <matthias.gerstner@suse.com> - add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly installed into /etc by a more tailored mechanism. Enabling IP routing globally and permanently, just because the package is installed is quite invasive. This new script will be invoked before and after the ocserv service to switch on and off forwarding, if necessary (bsc#1174722). * Sun Aug 14 2022 Michael Du <duyizhaozj321@yahoo.com> - Update to version 1.1.6 * Fixed compatibility with clients on Windows ARM64. * Added futex() to the accepted list of seccomp. It is required by Fedora 36’s libc. * Work around change of returned error code in GnuTLS 3.7.3 for gnutls_privkey_import_x509_raw(). - Changes in version 1.1.5 * Fixed manpage output. - Changes in version 1.1.4 * Added newfstatat() and epoll_pwait() to the accepted list of seccomp calls. This improves compatibility with certain libcs and aarch64. * Do not allow assigning the same IPv6 as tun device address and to the client. This allows using /127 as prefix (#430). * Mon Jun 20 2022 Dominique Leuenberger <dimstar@opensuse.org> - explicitly buildignore libevent-devel, which is pulled in by ubound. We use libev here and can get away with this. * Sat Jun 05 2021 Martin Hauke <mardnh@gmx.de> - Update to version 1.1.3 * No longer close stdin and stdout on worker processes as they are already closed in main process. * Advertise X-CSTP-Session-Timeout. * No longer recommend building with system's libpcl but rather the bundled as it is not a very common shared library. * Corrected busyloop on failed DTLS handshakes. * Emit OWASP best practice headers for HTTP. * Mon Dec 07 2020 Martin Hauke <mardnh@gmx.de> - Update to version 1.1.2 * Allow setup of new DTLS session concurrent with old session. * Fixed an infinite loop on sec-mod crash when server-drain-ms is set. * Don't apply BanIP checks to clients on the same subnet. * Don't attempt TLS if the client closes the connection with zero data sent. * Increased the maximum configuration line; this allows banner messages longer than 200 characters. * Removed the listen-clear-file config option. This option was incompatible with several clients, and thus is unusable for a generic server. * Mon Sep 21 2020 Martin Hauke <mardnh@gmx.de> - Update to version 1.1.1: * Improved rate-limit-ms and made it dependent on secmod backlog. This makes the server more resilient (and prevents connection failures) on multiple concurrent connections - Added namespace support for listen address by introducing the listen-netns option. - Disable TLS1.3 when cisco client compatibility is enabled. New anyconnect clients seem to supporting TLS1.3 but are unable to handle a client with an RSA key. - Enable a race free user disconnection via occtl. - Added the config option of a pre-login-banner. - Ocserv siwtched to using multiple ocserv-sm processes to improve scale, with the number of ocserv-sm process dependent on maximum clients and number of CPUs. Configuration option sec-mod-scale can be used to override the heuristics. - Fixed issue with group selection on radius servers sending multiple group class attribute. - Update patch: * ocserv-enable-systemd.patch * ocserv.config.patch * Wed Aug 19 2020 Callum Farmer <callumjfarmer13@gmail.com> - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) * Fri Jul 03 2020 Michael Du <duyizhaozj321@yahoo.com> - Update to version 1.1.0: * Switch from fork to fork/exec model to achieve better scaling and ASLR protection. This introduces an ocserv-worker application which should be installed at the same path as ocserv (#285). * When Linux OOM takes control kill ocserv workers before ocserv-main or ocserv-secmod (#283). * Disable TCP queuing on the TLS port. * Fix leak of GnuTLS session when DTLS connection is re-established (#293). - Verify source with keyring before build. * Tue Apr 21 2020 Martin Hauke <mardnh@gmx.de> - Add signature and keyring for source verification - Build with support for maxminddb - Build with support for OATH - Update to version 1.0.1 * Prevent clients that use broken versions of gnutls from connecting using DTLS. * occtl: added machine-readable fields in json output. * occtl: IPs in ban list value is now reflecting the actual banned IPs rather than the database size. - Update to version 1.0.0 * Avoid crash on invalid configuration values. * Updated manpage generation to work with newer versions of ronn. * Ensure scripts have all the information on all disconnection types. * Several updates to further restrict the control that worker processes have on the main process. * Add support for RFC6750 bearer tokens. This adds the "auth=oidc" config option. See doc/README-oidc.md for more information. * Add USER_AGENT, DEVICE_TYPE and DEVICE_PLATFORM environment variables when connect/disconnect scripts execute. * Corrected issue with DTLS-PSK negotiation which prevented it from being enabled. * Improved IPv6 handling of AnyConnect client for Apple ios. * Fixed issue with Radius accounting. - Update to version 0.12.6 * Improved IPv6 support for anyconnect clients. * The 'split-dns' configuration directive can be used per-user. * The max-same-clients=1 configuration option no longer refuses the reconnection of an already connected user. * Added openat() to the accepted list of seccomp calls. This allows ocserv to run under certain libcs. - Update to version 0.12.5 * Added configuration option udp-listen-host. This option supports different listen addresses for tcp and udp such as haproxy for tcp, but support dtls at the same time. * occtl: fixed json output of show status command. Introduced tests for checking its json output using yajl. * occtl: use maxminddb when available. - Update to version 0.12.4 * Added support for radius access-challenge (multifactor) authentication. * Fixed race condition when connect-script and disconnect-script are set, which could potentially cause a crash. * Perform quicker cleanup of sessions which their user explicitly disconnected. * Thu Dec 19 2019 Dominique Leuenberger <dimstar@opensuse.org> - BuildRequire pkgconfig(libsystemd) instead of systemd-devel: Allow OBS to shortcut through the -mini flavors. * Wed Jul 24 2019 matthias.gerstner@suse.com - removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld, see [1]. [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html * Tue Apr 23 2019 Michael Du <duyizhaozj321@yahoo.com> - Update to version 0.12.3: * Fixed crash when no DTLS ciphersuite is negotiated. * Fixed crash happening arbitrarily depending on handled string sizes (#197). * Fixed compatibility issue with GnuTLS 3.3.x (#201). * occtl: print the TLS session information, even if the DTLS channel is not established. * Fri Jan 25 2019 Michael Du <duyizhaozj321@yahoo.com> - Update to version 0.12.2: * Added support for AES256-SHA legacy cipher. This allows the anyconnect clients to use AES256. * Added support for the DTLS1.2 protocol hack used by new Anyconnect clients. * Thu May 17 2018 duyizhaozj321@yahoo.com - Update to version 0.12.1: * Fixed crash on initialization when server was running on background * Work around issues with GnuTLS 3.4.x on ubuntu 16.04, at the cost of a memory leak on key reload * Fri May 11 2018 duyizhaozj321@yahoo.com - Update to version 0.12.0 * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP. * Increased possibilities of allowed combinations of authentication methods. * Corrected regression since 0.11.8 with OTP authentication. * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port. * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl. * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use. * Corrected crash on certain cases when proxy protocol is in use. - Update ocserv.config.patch due to upstream changes * Tue Feb 27 2018 i@marguerite.su - add firewalld service * Sat Feb 24 2018 i@marguerite.su - update version 0.11.10 * see NEWS - drop boo1021353-ocserv-doc-racing-in-parallel-build.patch * upstreamed - add ocserv-LZ4_compress_default.patch * leap doesn't have LZ4_compress_default * Thu May 11 2017 dimstar@opensuse.org - Use readline (current) instead of readline5: + Replace readline5-devel BuildRequires with readline-devel. * Mon Jan 23 2017 i@marguerite.su - fix boo#1021353: ocserv randomly misbuilds man pages - add patch: boo1021353-ocserv-doc-racing-in-parallel-build.patch * occtl and ocpasswd are both built from args.def, which will cause a racing problem in parallel builds that autogen write contents randomly. fixed by adding a prefix to make them different in filename. * Wed Dec 21 2016 i@marguerite.su - update version 0.11.6 * cserv: Improved detection of mobile clients * ocserv: Update the worker's ID on Radius accounting messages. That is, even if we initially advertize the ID of the worker handling the client as NAS-Port, the client may eventually end-up being served by another process with different ID. In that case we make sure that the radius server is notified on the next accounting message. If you are using radius see doc/README.radius.md about NAS-Port, since that behavior may cause issues in freeradius installations. * ocserv: Added config option 'switch-to-tcp-timeout'. That allows an automatic switch to TCP in case of no received UDP traffic for certain time * ocserv: Pre-load the OCSP response file; that way worker processes can serve it, even if they have no access to it. * ocserv: When compiled with GnuTLS 3.5.6 automatically set DH parameters from the known set. * Fri Feb 12 2016 i@marguerite.su - update version 0.10.11 * Corrected the reporting of keepalive to occtl. * Handle clients which send the first request to /VPN * Prevent a crash in per-user config dir is not available if expose-iroutes is set to true. - update license: GPL-2.0 - open ports using ocserv.SuSEfirewall - enable ip forwarding using ocserv.sysctl * Thu Jan 07 2016 i@marguerite.su - update version 0.10.10 * Increase the number of log messages logged in the default level. That is added messages that could be of use to administrators. * Introduced ipv6-subnet-prefix config option. That option allows to specify the IPv6 subnet prefix to be given to client. That is, allow providing the clients networks larger than /128. The default setting is 128 to keep backwards compatibility. * Introduced the expose-iroutes config option. That option allows the server to advertise routes offered by some clients to all of them. This requires the config-per-user option. * When a client has assigned iroutes which cannot be applied, he will be denied access. * Added restrict-user-to-routes configuration option which will execute ocserv-fw script on user connection. The script will set firewall rules which deny the user access to any other networks than the routes set for the user. This is added as a tech preview; details of this option may change on later releases. * When banning IPv6 addresses treat a /64 network as a single address. * Fixed conflict with isolate-workers and user-profile. * occtl: Allow disabling the pager functionality on compile time using --with-pager="". * Wed Oct 21 2015 i@marguerite.su - update version 0.10.9 * When compiled with GnuTLS 3.4 automatically sort the certificate list to be imported * Reload the CRL during periodic maintaince if its modification time changes * Address issue with duplicate check failing on IPv6 addresses * Added the ability to specify a UsersFile in plain auth for using an OTP This allows to use an OTP 2nd factor authentication without having to rely on PAM. This change, also enables the usage of an empty password field in the password file if an OTP file is present * Allow loading DER-encoded CRLs * Re-added the PAM accounting method. That accounting method can be combined with any authentication method, and can be used to check for a valid system account - changes in 0.10.8 * Pass the proxy protocol information at earlier stage to main process, to allow the correct information to be passed at the connect script and occtl * Added the IP_REAL_LOCAL environment variable to scripts. This passes the local IP the client connected to * The PAM accounting method was dropped as there was no practical usage of it, the way it was implemented * When assigning IPv6 addresses use the whole available netmask * occtl: Print the local IP the client connected to, with the client information * occtl: Print the configured for the client split-dns domains - changes in 0.10.7 * Added a fuzzying factor to CPU intensive, or radius communication tasks when initiated by worker process. That avoids a very high load periodically, e.g., when multiple clients connect at the same time * Added support for haproxy's protocol v2 format. That allows to report the correct client IP even on proxied sessions. It introduces the configuration option listen-proxy-proto * occtl: added -n/--no-pager option. That allows to disable pager explicitly * occtl: fixed several cases of invalid JSON output - changes in 0.10.6 * Transmit packets to the last incoming source, allowing faster switch of the communication channel * The worker processes will utilize the UDP socket address (if any), when reporting peer's address if the listen-clear-file option is set * Lifted the limit on the number of configuration options. That allows to add an "unlimited" number of 'route' options * Support encrypted key files. That adds the key-pin and srk-pin configuration options * The dbus communication option has been dropped * Radius: depend on radcli radius library * occtl: added -j/--json option. That allows to output in a JSON format * Mon Jun 08 2015 i@marguerite.su - set isolated-workers to false since we didn't build w/ seccomp yet - change systemd socket ports as well * Sun Jun 07 2015 i@marguerite.su - update version 0.10.5 * Added tgt-freshness-time option for gssapi/Kerberos authentication option. That allows to specify the maximum number of seconds after which a reauthentication with Kerberos is required to login to VPN. * main/sec-mod: impose long timeouts on reads from sec-mod. That would prevent issues when reading in a blocked in authentication sec-mod. * radius: When using radius accounting with certificate authentication, properly notify of user session termination. * radius: On definitely terminated sessions contact the radius server as soon as possible. For sessions that can still be resumed the radius server is contacted periodically after the cookies expire. * radius: consider Acct-Interim-Interval when seen by the server. That will be taken into account if groupconfig=true in radius subconfig. * Added configuration options persistent-cookies and session-timeout. * radius: added support for Route-IPv6-Information, Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address, Session-Timeout. * Corrected desync of main and sec-mod by introducing a synchronous communication socket. Reported by Mani Behrouz. * PAM: forward the actual prompt to worker process, and not only informational messages. - drop ocserv-str_init.patch, upstream fixed. * Fri Feb 13 2015 i@marguerite.su - add user.tmpl, for certificate login - tweak default config more - add README.SUSE as setup instructions * Mon Feb 02 2015 i@marguerite.su - initial version 0.9.0.1 * Added native support for radius. That adds the new auth configuration option "radius", which has as parameters the freeradius-client configuration file and optionally the groupconfig option which instructs to read configuration from radius; the stats-report-time option enables interim-updates. That adds the dependency to freeradius-client (see doc/README.radius). * Reply using the same address that received UDP packets are sent. * Simplify the input of IPv6 network addresses. * Use a separate IPC and PID namespace in Linux systems for worker processes. That effectively puts each worker process in a separate container. This can be enabled at compile time using --enable-linux-namespaces. * Configuration option 'use-seccomp' was replaced by 'isolate-workers', which in addition to seccomp it enables the Linux namespaces restrictions. * Added support for stateless compression using LZ4 and LZS. This is disabled by default. - disable dbus interface because currently it provides less function than unix socket - add patch: ocserv-str_init.patch - add patch: ocserv-enable-systemd.patch - add patch: ocserv.config.patch
/etc/ocserv /etc/ocserv/README.SUSE /etc/ocserv/certificates /etc/ocserv/certificates/ca.tmpl /etc/ocserv/certificates/server.tmpl /etc/ocserv/certificates/user.tmpl /etc/ocserv/ocpasswd /etc/ocserv/ocserv.conf /usr/bin/occtl /usr/bin/ocpasswd /usr/bin/ocserv-fw /usr/bin/ocserv-script /usr/lib/firewalld /usr/lib/firewalld/services /usr/lib/firewalld/services/ocserv.xml /usr/lib/systemd/system/ocserv.service /usr/lib/systemd/system/ocserv.socket /usr/sbin/ocserv /usr/sbin/ocserv-forwarding /usr/sbin/ocserv-worker /usr/share/doc/packages/ocserv /usr/share/doc/packages/ocserv/AUTHORS /usr/share/doc/packages/ocserv/NEWS /usr/share/doc/packages/ocserv/README.md /usr/share/licenses/ocserv /usr/share/licenses/ocserv/COPYING /usr/share/man/man8/occtl.8.gz /usr/share/man/man8/ocpasswd.8.gz /usr/share/man/man8/ocserv.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 19:51:39 2024