Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

ocserv-1.1.3-1.1 RPM for armv7hl

From OpenSuSE Ports Tumbleweed for armv7hl

Name: ocserv Distribution: openSUSE Tumbleweed
Version: 1.1.3 Vendor: openSUSE
Release: 1.1 Build date: Wed Jun 23 21:52:22 2021
Group: Productivity/Networking/Security Build host: armbuild21
Size: 690785 Source RPM: ocserv-1.1.3-1.1.src.rpm
Summary: OpenConnect VPN Server
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to
be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. The server
is implemented primarily for the GNU/Linux platform but its code
is designed to be portable to other UNIX variants as well.

Ocserv's main features are security through privilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP. Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process.
A management interface allows for viewing and querying logged-in users.






* Sat Jun 05 2021 Martin Hauke <>
  - Update to version 1.1.3
    * No longer close stdin and stdout on worker processes as they
      are already closed in main process.
    * Advertise X-CSTP-Session-Timeout.
    * No longer recommend building with system's libpcl but rather
      the bundled as it is not a very common shared library.
    * Corrected busyloop on failed DTLS handshakes.
    * Emit OWASP best practice headers for HTTP.
* Mon Dec 07 2020 Martin Hauke <>
  - Update to version 1.1.2
    * Allow setup of new DTLS session concurrent with old session.
    * Fixed an infinite loop on sec-mod crash when server-drain-ms
      is set.
    * Don't apply BanIP checks to clients on the same subnet.
    * Don't attempt TLS if the client closes the connection with
      zero data sent.
    * Increased the maximum configuration line; this allows banner
      messages longer than 200 characters.
    * Removed the listen-clear-file config option. This option was
      incompatible with several clients, and thus is unusable for a
      generic server.
* Mon Sep 21 2020 Martin Hauke <>
  - Update to version 1.1.1:
    * Improved rate-limit-ms and made it dependent on secmod backlog.
      This makes the server more resilient (and prevents connection
      failures) on multiple concurrent connections
    - Added namespace support for listen address by introducing the
      listen-netns option.
    - Disable TLS1.3 when cisco client compatibility is enabled. New
      anyconnect clients seem to supporting TLS1.3 but are unable to
      handle a client with an RSA key.
    - Enable a race free user disconnection via occtl.
    - Added the config option of a pre-login-banner.
    - Ocserv siwtched to using multiple ocserv-sm processes to
      improve scale, with the number of ocserv-sm process dependent
      on maximum clients and number of CPUs. Configuration option
      sec-mod-scale can be used to override the heuristics.
    - Fixed issue with group selection on radius servers sending
      multiple group class attribute.
  - Update patch:
    * ocserv-enable-systemd.patch
    * ocserv.config.patch
* Wed Aug 19 2020 Callum Farmer <>
  - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
* Fri Jul 03 2020 Michael Du <>
  - Update to version 1.1.0:
    * Switch from fork to fork/exec model to achieve better scaling
      and ASLR protection. This introduces an ocserv-worker application
      which should be installed at the same path as ocserv (#285).
    * When Linux OOM takes control kill ocserv workers before
      ocserv-main or ocserv-secmod (#283).
    * Disable TCP queuing on the TLS port.
    * Fix leak of GnuTLS session when DTLS connection is
      re-established (#293).
  - Verify source with keyring before build.
* Tue Apr 21 2020 Martin Hauke <>
  - Add signature and keyring for source verification
  - Build with support for maxminddb
  - Build with support for OATH
  - Update to version 1.0.1
    * Prevent clients that use broken versions of gnutls from
      connecting using DTLS.
    * occtl: added machine-readable fields in json output.
    * occtl: IPs in ban list value is now reflecting the actual
      banned IPs rather than the database size.
  - Update to version 1.0.0
    * Avoid crash on invalid configuration values.
    * Updated manpage generation to work with newer versions of ronn.
    * Ensure scripts have all the information on all disconnection
    * Several updates to further restrict the control that worker
      processes have on the main process.
    * Add support for RFC6750 bearer tokens. This adds the "auth=oidc"
      config option. See doc/ for more information.
      variables when connect/disconnect scripts execute.
    * Corrected issue with DTLS-PSK negotiation which prevented it
      from being enabled.
    * Improved IPv6 handling of AnyConnect client for Apple ios.
    * Fixed issue with Radius accounting.
  - Update to version 0.12.6
    * Improved IPv6 support for anyconnect clients.
    * The 'split-dns' configuration directive can be used per-user.
    * The max-same-clients=1 configuration option no longer refuses
      the reconnection of an already connected user.
    * Added openat() to the accepted list of seccomp calls. This
      allows ocserv to run under certain libcs.
  - Update to version 0.12.5
    * Added configuration option udp-listen-host. This option
      supports different listen addresses for tcp and udp such as
      haproxy for tcp, but support dtls at the same time.
    * occtl: fixed json output of show status command. Introduced
      tests for checking its json output using yajl.
    * occtl: use maxminddb when available.
  - Update to version 0.12.4
    * Added support for radius access-challenge (multifactor)
    * Fixed race condition when connect-script and disconnect-script
      are set, which could potentially cause a crash.
    * Perform quicker cleanup of sessions which their user explicitly
* Thu Dec 19 2019 Dominique Leuenberger <>
  - BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
    Allow OBS to shortcut through the -mini flavors.
* Wed Jul 24 2019
  - removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
    firewalld, see [1].
* Tue Apr 23 2019 Michael Du <>
  - Update to version 0.12.3:
    * Fixed crash when no DTLS ciphersuite is negotiated.
    * Fixed crash happening arbitrarily depending on handled string
      sizes (#197).
    * Fixed compatibility issue with GnuTLS 3.3.x (#201).
    * occtl: print the TLS session information, even if the DTLS
      channel is not established.
* Fri Jan 25 2019 Michael Du <>
  - Update to version 0.12.2:
    * Added support for AES256-SHA legacy cipher. This allows the
      anyconnect clients to use AES256.
    * Added support for the DTLS1.2 protocol hack used by new
      Anyconnect clients.
* Thu May 17 2018
  - Update to version 0.12.1:
    * Fixed crash on initialization when server was running on background
    * Work around issues with GnuTLS 3.4.x on ubuntu 16.04, at the cost of a memory leak on key reload
* Fri May 11 2018
  - Update to version 0.12.0
    * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
    * Increased possibilities of allowed combinations of authentication methods.
    * Corrected regression since 0.11.8 with OTP authentication.
    * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
    * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
    * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
    * Corrected crash on certain cases when proxy protocol is in use.
  - Update ocserv.config.patch due to upstream changes
* Tue Feb 27 2018
  - add firewalld service
* Sat Feb 24 2018
  - update version 0.11.10
    * see NEWS
  - drop boo1021353-ocserv-doc-racing-in-parallel-build.patch
    * upstreamed
  - add ocserv-LZ4_compress_default.patch
    * leap doesn't have LZ4_compress_default



Generated by rpm2html 1.8.1

Fabrice Bellet, Fri Nov 19 23:17:08 2021