From 4cfe8c0e027fa9b6d65a0c4ae7e9fa437486c32d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Fri, 23 Sep 2016 10:54:38 +0200 Subject: [PATCH] updated to 0.11.5 --- .gitignore | 2 ++ ocserv-0.11.4-getrandom.patch | 24 ------------------------ ocserv.conf | 30 +++++++++++++++++++++++++----- ocserv.spec | 7 ++----- sources | 4 ++-- 5 files changed, 31 insertions(+), 36 deletions(-) delete mode 100644 ocserv-0.11.4-getrandom.patch diff --git a/.gitignore b/.gitignore index fa6eaeb..30d44e6 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,5 @@ /ocserv-0.11.4.tar.xz /ocserv-0.11.4.tar.xz.sig /gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg +/ocserv-0.11.5.tar.xz +/ocserv-0.11.5.tar.xz.sig diff --git a/ocserv-0.11.4-getrandom.patch b/ocserv-0.11.4-getrandom.patch deleted file mode 100644 index ffe15ea..0000000 --- a/ocserv-0.11.4-getrandom.patch +++ /dev/null @@ -1,24 +0,0 @@ -From cc1dbf1c246375c175b4392e3c6ca2139b0c355a Mon Sep 17 00:00:00 2001 -From: Nikos Mavrogiannopoulos -Date: Wed, 14 Sep 2016 10:20:41 +0200 -Subject: [PATCH] seccomp: added getrandom() to the accepted list of calls - ---- - src/worker-privs.c | 1 + - 1 file changed, 1 insertion(+), 0 deletions(-) - -diff --git a/src/worker-privs.c b/src/worker-privs.c -index 1557c59..33dc46c 100644 ---- a/src/worker-privs.c -+++ b/src/worker-privs.c -@@ -61,6 +61,7 @@ int disable_system_calls(struct worker_st *ws) - ADD_SYSCALL(alarm, 0); - ADD_SYSCALL(getpid, 0); - ADD_SYSCALL(brk, 0); -+ ADD_SYSCALL(getrandom, 0); /* used by gnutls 3.5.x */ - - ADD_SYSCALL(recvmsg, 0); - ADD_SYSCALL(sendmsg, 0); --- -libgit2 0.24.0 - diff --git a/ocserv.conf b/ocserv.conf index c7f9ad1..53c626e 100644 --- a/ocserv.conf +++ b/ocserv.conf 
@@ -256,6 +256,14 @@ tls-priorities = "@SYSTEM" # on the main channel. #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +# That option requires the established DTLS channel to use the same +# cipher as the primary TLS channel. This cannot be combined with +# listen-clear-file since the ciphersuite information is not available +# in that configuration. Note also, that this option implies that +# dtls-legacy option is false; this option cannot be enforced +# in the legacy/compat protocol. +#match-tls-dtls-ciphers = true + # The time (in seconds) that a client is allowed to stay connected prior # to authentication auth-timeout = 240 
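Review bot: The new comment block states that `match-tls-dtls-ciphers` implies `dtls-legacy` is false, but this same commit writes `dtls-legacy = true` as an explicit, uncommented setting further down the file, so an admin who uncomments `#match-tls-dtls-ciphers = true` is left with two directives the comment says cannot coexist and no pointer to the line that has to change. Whether ocserv rejects that combination at startup or silently picks one is not visible here, so the config should say what to do rather than rely on the reader noticing. Suggest a closing line in the block such as `# To enable it, also set dtls-legacy = false below and do not use listen-clear-file.` A small wording point: `That option requires` reads better as `This option requires`, matching the other option comments in the file.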
@@ -546,13 +554,25 @@ ping-leases = false # The following options are for (experimental) AnyConnect client # compatibility. -# This option must be set to true to support legacy CISCO clients. -# A side effect of this option is that it will no longer be required -# for clients to present their certificate on every connection. -# That is they may resume a cookie without presenting a certificate -# (when certificate authentication is used). +# This option will enable the pre-draft-DTLS version of DTLS, and +# will not require clients to present their certificate on every TLS +# connection. It must be set to true to support legacy CISCO clients +# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. cisco-client-compat = true +# This option allows to disable the DTLS-PSK negotiation (enabled by default). +# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate +# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the +# DTLS channel to negotiate its ciphers and the DTLS protocol version. +#dtls-psk = false + +# This option allows to disable the legacy DTLS negotiation (enabled by default, +# but that may change in the future). +# The legacy DTLS uses a pre-draft version of the DTLS protocol and was +# from AnyConnect protocol. It has several limitations, that are addressed +# by the dtls-psk protocol supported by openconnect 7.08+. +dtls-legacy = true + # Client profile xml. A sample file exists in doc/profile.xml. # It is required by some of the CISCO clients. # This file must be accessible from inside the worker's chroot. diff --git a/ocserv.spec b/ocserv.spec index 8bf3700..8640f7e 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ocserv -Version: 0.11.4 -Release: 3%{?dist} +Version: 0.11.5 +Release: 1%{?dist} Summary: OpenConnect SSL VPN server # For a breakdown of the licensing, see PACKAGE-LICENSING 
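Review bot: `dtls-legacy = true` is added as an explicit enabled setting even though the new comment on `cisco-client-compat` says that option (still `true` here) already implies `dtls-legacy = true`, so the line reads as an independent choice when in fact turning legacy DTLS off requires changing both settings. The packaged defaults therefore keep the pre-draft DTLS protocol and the relaxed per-connection certificate presentation active, and the comment that the default "may change in the future" gives an operator no cue for when to switch. Suggest either shipping it as `#dtls-legacy = true` like the neighbouring `#dtls-psk = false`, so the upstream default applies, or adding `# Requires cisco-client-compat = false to take effect; disable once all clients support dtls-psk (openconnect 7.08+).` above the line. Two sentences in the new comments also look garbled and will mislead readers: `was from AnyConnect protocol` is presumably `was inherited from the AnyConnect protocol`, and `several limitations, that are addressed` should drop the comma.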
@@ -19,7 +19,6 @@ Source6: PACKAGE-LICENSING Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg -Patch0: ocserv-0.11.4-getrandom.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 @@ -79,8 +78,6 @@ to provide the secure VPN service. gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} %setup -q -%patch0 -p1 -b .getrandom - rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -rf src/protobuf/protobuf-c/ rm -rf src/ccan/talloc diff --git a/sources b/sources index 44d23cb..197a6c2 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ 310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg c144d7522377a701cb9e63a20098e122 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg -645b8f26d2aa40bfe4c32c8de7c8c87e ocserv-0.11.4.tar.xz -a036652f70660c5041adbea14aabf934 ocserv-0.11.4.tar.xz.sig +fbda999ce0b528d001bb46b3db6f5d49 ocserv-0.11.5.tar.xz +f008f957a95feb8ef675ff1af09e3b53 ocserv-0.11.5.tar.xz.sig
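Review bot: Dropping `Patch0: ocserv-0.11.4-getrandom.patch` here, and its `%patch0 -p1 -b .getrandom` application in the `@@ -79,8 +78,6 @@` hunk, leaves no statement in the spec of why the seccomp allow-list fix for `getrandom` is no longer needed; the diffstat's 7 changed lines in ocserv.spec are fully accounted for by the Version/Release bump and these removals, so no `%changelog` entry accompanies the 0.11.5-1 release either. Presumably the fix is part of the 0.11.5 tarball, but that is an inference, and the deleted patch's own comment says the call is needed by gnutls 3.5.x, so a build against that gnutls without the fix would regress the worker's seccomp filter. Suggest confirming the upstream change is in 0.11.5 and recording it, e.g. `- Updated to 0.11.5; dropped getrandom seccomp patch (merged upstream)`, in a `%changelog` entry for this release.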