updated to 0.11.5

.gitignore

@@ -48,3 +48,5 @@
 /ocserv-0.11.4.tar.xz
 /ocserv-0.11.4.tar.xz.sig
 /gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-0.11.5.tar.xz
+/ocserv-0.11.5.tar.xz.sig

ocserv-0.11.4-getrandom.patch

@@ -1,24 +0,0 @@
-From cc1dbf1c246375c175b4392e3c6ca2139b0c355a Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Wed, 14 Sep 2016 10:20:41 +0200
-Subject: [PATCH] seccomp: added getrandom() to the accepted list of calls
-
----
- src/worker-privs.c | 1 +
- 1 file changed, 1 insertion(+), 0 deletions(-)
-
-diff --git a/src/worker-privs.c b/src/worker-privs.c
-index 1557c59..33dc46c 100644
---- a/src/worker-privs.c
-+++ b/src/worker-privs.c
-@@ -61,6 +61,7 @@ int disable_system_calls(struct worker_st *ws)
- 	ADD_SYSCALL(alarm, 0);
- 	ADD_SYSCALL(getpid, 0);
- 	ADD_SYSCALL(brk, 0);
-+	ADD_SYSCALL(getrandom, 0); /* used by gnutls 3.5.x */
- 
- 	ADD_SYSCALL(recvmsg, 0);
- 	ADD_SYSCALL(sendmsg, 0);
---
-libgit2 0.24.0
-

ocserv.conf

@@ -256,6 +256,14 @@ tls-priorities = "@SYSTEM"
 # on the main channel.
 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 
+# That option requires the established DTLS channel to use the same
+# cipher as the primary TLS channel. This cannot be combined with
+# listen-clear-file since the ciphersuite information is not available
+# in that configuration. Note also, that this option implies that
+# dtls-legacy option is false; this option cannot be enforced
+# in the legacy/compat protocol.
+#match-tls-dtls-ciphers = true
+
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth-timeout = 240
@@ -546,13 +554,25 @@ ping-leases = false
 # The following options are for (experimental) AnyConnect client 
 # compatibility. 
 
-# This option must be set to true to support legacy CISCO clients.
-# A side effect of this option is that it will no longer be required 
-# for clients to present their certificate on every connection.
-# That is they may resume a cookie without presenting a certificate
-# (when certificate authentication is used).
+# This option will enable the pre-draft-DTLS version of DTLS, and
+# will not require clients to present their certificate on every TLS
+# connection. It must be set to true to support legacy CISCO clients
+# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
 cisco-client-compat = true
 
+# This option allows to disable the DTLS-PSK negotiation (enabled by default).
+# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
+# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
+# DTLS channel to negotiate its ciphers and the DTLS protocol version.
+#dtls-psk = false
+
+# This option allows to disable the legacy DTLS negotiation (enabled by default,
+# but that may change in the future).
+# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
+# from AnyConnect protocol. It has several limitations, that are addressed
+# by the dtls-psk protocol supported by openconnect 7.08+.
+dtls-legacy = true
+
 # Client profile xml. A sample file exists in doc/profile.xml.
 # It is required by some of the CISCO clients.
 # This file must be accessible from inside the worker's chroot. 

ocserv.spec

@@ -1,8 +1,8 @@
 %global _hardened_build 1
 
 Name:		ocserv
-Version:	0.11.4
-Release:	3%{?dist}
+Version:	0.11.5
+Release:	1%{?dist}
 Summary:	OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING 
@@ -19,7 +19,6 @@ Source6:	PACKAGE-LICENSING
 Source8:	ocserv-genkey
 Source9:	ocserv-script
 Source10:	gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
-Patch0:		ocserv-0.11.4-getrandom.patch
 
 # Taken from upstream:
 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -79,8 +78,6 @@ to provide the secure VPN service.
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
 %setup -q
 
-%patch0 -p1 -b .getrandom
-
 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
 rm -rf src/protobuf/protobuf-c/
 rm -rf src/ccan/talloc

sources

@@ -1,4 +1,4 @@
 310168e221d6e810022b270e32bf9662  gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 c144d7522377a701cb9e63a20098e122  gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
-645b8f26d2aa40bfe4c32c8de7c8c87e  ocserv-0.11.4.tar.xz
-a036652f70660c5041adbea14aabf934  ocserv-0.11.4.tar.xz.sig
+fbda999ce0b528d001bb46b3db6f5d49  ocserv-0.11.5.tar.xz
+f008f957a95feb8ef675ff1af09e3b53  ocserv-0.11.5.tar.xz.sig