diff --git a/.gitignore b/.gitignore
index 1435b3a..2113177 100644
--- a/.gitignore
+++ b/.gitignore
@@ -239,3 +239,5 @@
 /ocserv-1.1.6.tar.xz
 /ocserv-1.1.7.tar.xz
 /ocserv-1.1.7.tar.xz.sig
+/ocserv-1.2.0.tar.xz
+/ocserv-1.2.0.tar.xz.sig
diff --git a/expired-certs.patch b/expired-certs.patch
deleted file mode 100644
index 443bd7b..0000000
--- a/expired-certs.patch
+++ /dev/null
@@ -1,2308 +0,0 @@ -diff --git a/tests/Makefile.am b/tests/Makefile.am -index d965eae..ecc417c 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -44,7 +44,8 @@ EXTRA_DIST = certs/ca-key.pem certs/ca.pem ns.sh common.sh certs/server-cert.pem - data/disconnect-user2.config data/ping-leases.config data/haproxy-proxyproto.config \ - data/haproxy-proxyproto.cfg scripts/proxy-connectscript data/haproxy-proxyproto-v1.config \ - data/haproxy-proxyproto-v1.cfg scripts/proxy-connectscript-v1 data/test-multiple-client-ip.config \ -- data/test-client-bypass-protocol.config asan.supp -+ data/test-client-bypass-protocol.config asan.supp certs/ca.tmpl certs/server-cert.tmpl \ -+ certs/user-cert.tmpl - - xfail_scripts = - dist_check_SCRIPTS = ocpasswd-test -@@ -176,6 +177,25 @@ gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS) - gen_oidc_test_data_SOURCES = generate_oidc_test_data.c - gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS) - -+certs/ca.pem: certs/ca-key.pem certs/ca.tmpl -+ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey certs/ca-key.pem --outfile certs/ca.pem -+ -+certs/server-cert-ca.pem: certs/ca.pem certs/server-cert.pem -+ cat certs/server-cert.pem certs/ca.pem > certs/server-cert-ca.pem -+ -+certs/server-cert.pem: certs/server-cert.tmpl certs/ca.pem certs/server-key.pem certs/ca-key.pem -+ certtool --generate-certificate --template certs/server-cert.tmpl --load-privkey certs/server-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/server-cert.pem -+ -+certs/user-cert.pem: certs/user-cert.tmpl certs/ca.pem certs/user-key.pem certs/ca-key.pem -+ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate certs/ca.pem --load-ca-privkey certs/ca-key.pem --outfile certs/user-cert.pem -+ -+# make the user certificate invalid by signing it with another CA -+certs/user-cert-invalid.pem: certs/user-cert.tmpl -+ certtool 
--generate-privkey --outfile ca-key.tmp -+ certtool --generate-self-signed --template certs/ca.tmpl --load-privkey ca-key.tmp --outfile ca.tmp -+ certtool --generate-certificate --template certs/user-cert.tmpl --load-privkey certs/user-key.pem --load-ca-certificate ca.tmp --load-ca-privkey ca-key.tmp --outfile certs/user-cert-invalid.pem -+ rm -f ca-key.tmp ca.tmp -+ - if ENABLE_OIDC_AUTH_TESTS - check_PROGRAMS += gen_oidc_test_data - dist_check_SCRIPTS += test-oidc -diff --git a/tests/apple-ios b/tests/apple-ios -index 897d823..45b0cd3 100755 ---- a/tests/apple-ios -+++ b/tests/apple-ios -@@ -54,11 +54,11 @@ wait_server $PID - sleep 2 - - echo " * Connecting to obtain cookie... " --( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null ) || - fail $PID "Could not receive cookie from server" - - echo " * Re-connect to force script run with platform... " --echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 -+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 - - sleep 5 - -@@ -87,7 +87,7 @@ fi - rm -f ${TMPFILE} - - echo " * Re-connecting to force script run with user agent... 
" --echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1 -+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT --verbose --useragent="Cisco AnyConnect VPN Agent for Apple" localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1 - - sleep 5 - -@@ -114,7 +114,7 @@ fi - sleep 5 - echo " - Check server status" - --( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo " - Killing server" -diff --git a/tests/banner b/tests/banner -index 44954e2..08f8f19 100755 ---- a/tests/banner -+++ b/tests/banner -@@ -50,7 +50,7 @@ wait_server $PID - sleep 3 - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) || - fail $PID "Could not receive cookie from server" - - grep "${BANNER}" ${TMPFILE} >/dev/null -@@ -61,7 +61,7 @@ if test $? != 0;then - fi - - echo "Connecting to obtain cookie with wrong password... 
" --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >${TMPFILE} 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >${TMPFILE} 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - grep "${BANNER}" ${TMPFILE} >/dev/null -diff --git a/tests/certs/ca-key.pem b/tests/certs/ca-key.pem -index 9bd0754..ee5599c 100644 ---- a/tests/certs/ca-key.pem -+++ b/tests/certs/ca-key.pem -@@ -31,25 +31,3 @@ y1hvTfWRAoGZALNT3AbF9EDnJmZlS30MWtBggw83UhszC8XN2tY30AsvsDOS6a0F - UVhyNvBTKo6lPqXqUsVxp16TKeeQKF+DuYuuNZN3pXXsHTiHkRMDCRVEqz7UnZEc - /Bq/Kh2aOkelkX2S27QzTZGL - -----END RSA PRIVATE KEY----- -------BEGIN CERTIFICATE----- --MIIDtDCCAmygAwIBAgIETeC0yjANBgkqhkiG9w0BAQsFADAZMRcwFQYDVQQDEw5H --bnVUTFMgVGVzdCBDQTAeFw0xMTA1MjgwODM5MzlaFw0zODEwMTIwODM5NDBaMC8x --LTArBgNVBAMTJEdudVRMUyBUZXN0IFNlcnZlciAoUlNBIGNlcnRpZmljYXRlKTCC --AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/HsqwfvTYvO1D --hmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJl1U1F/Oh --ckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyWDrJsHDWq --58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuhzSVim5mB --VAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKtc+UZBZ03 --U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b7eujbZ3L --xTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Epn4B5qnUC --AwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAT --BgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBR2 --B1hM6rUp9S2ABoyDSoINCeyT3jAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVVG45T --AQPvzzANBgkqhkiG9w0BAQsFAAOCATEAdNWmTsh5uIfngyhOWwm7pK2+vgUMY8nH --gMoMFHt0yuxuImcUMXu3LRS1dZSoCJACBpTFGi/Dg2U0qvOHQcEmc3OwNqHB90R3 --LG5jUSCtq/bYW7h/6Gd9KeWCgZczaHbQ9IPTjLH1dLswVPt+fXKB6Eh0ggSrGATE --/wRZT/XgDCW8t4C+2+TmJ8ZEzvU87KAPQ9rUBS1+p3EUAR/FfMApApsEig1IZ+ZD 
--5joaGBW7zh1H0B9mEKidRvD7yuRJyzAcvD25nT15NLW0QR3dEeXosLc720xxJl1h --h8NJ7YOvn323mOjR9er4i4D6iJlXmJ8tvN9vakCankWvBzb7plFn2sfMQqICFpRc --w075D8hdQxfpGffL2tEeKSgjyNHXS7x3dFhUpN3IQjUi2x4f2e/ZXg== -------END CERTIFICATE----- -diff --git a/tests/certs/ca.pem b/tests/certs/ca.pem -index c4058ee..02f0b76 100644 ---- a/tests/certs/ca.pem -+++ b/tests/certs/ca.pem -@@ -1,20 +1,20 @@ - -----BEGIN CERTIFICATE----- --MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD --EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw --fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ --l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW --DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh --zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt --c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b --7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep --n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA --MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC --ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT --z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP --g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX --ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk --x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH --yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg --fJbi9Ui2FmXEeKkX34f1ONNj9Q== -+MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC -+Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 -+2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV -+NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y -+bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l 
-+YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl -+GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r -+o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A -+eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G -+A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA -+foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f -+9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL -+ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm -+Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La -+oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG -+f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL -+9xKfQ96Q7wrYOCjmuaCLbw== - -----END CERTIFICATE----- -diff --git a/tests/certs/ca.tmpl b/tests/certs/ca.tmpl -new file mode 100644 -index 0000000..da5cc3f ---- /dev/null -+++ b/tests/certs/ca.tmpl -@@ -0,0 +1,6 @@ -+cn = CA -+ca -+cert_signing_key -+expiration_days = -1 -+activation_date = "2013-02-13 16:32:12" -+serial = 0x51d82ecc -diff --git a/tests/certs/server-cert-ca.pem b/tests/certs/server-cert-ca.pem -index 818101a..8ffaad3 100644 ---- a/tests/certs/server-cert-ca.pem -+++ b/tests/certs/server-cert-ca.pem -@@ -1,42 +1,42 @@ - -----BEGIN CERTIFICATE----- --MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD --Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs --PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 --u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd --YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ --IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 --KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 --7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU --yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL 
--gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg --ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 --UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s --9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 --GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C --zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ --eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF --FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j --LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM --zzJKdNg= -+MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ -+bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U -+sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR -+7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc -+dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb -+pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT -+2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q -+CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ -+3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ -+bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd -+BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ -+MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq -+l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb -+g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE -+x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM -+5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 -+FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps -+g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE -+xs8= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- 
--MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD --EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw --fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ --l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW --DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh --zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt --c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b --7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep --n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA --MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC --ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT --z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP --g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX --ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk --x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH --yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg --fJbi9Ui2FmXEeKkX34f1ONNj9Q== -+MIIDPDCCAfSgAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzAyMTMxNTMyMTJaGA85OTk5MTIzMTIzNTk1OVowDTELMAkGA1UEAxMC -+Q0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7KsH70 -+2LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8WyZdV -+NRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITclg6y -+bBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7oc0l -+YpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLyrXPl -+GQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+G+3r -+o22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjehKZ+A -+eap1AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMB0G -+A1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOCATEA -+foqPGdiyJYHih4J5YHwFPQxmkOzPHSa13K/q8sDvobE+HFTzrlTbAFC8bS38Bv2f 
-+9ZrPME4JvnsGdRGYwxS3LUmNdHHWR8LkvGXBE3u/TZsJfPtOR8JwdulQXpRw7hhL -+ew/mR5IEHZrUZgnnI4dg1kJhE1JPTvmtgqcE1CsikVQ14NvG/ehJbJyPgKTq/Zxm -+Ru4B5N+Jef/LaOqZvK4xK8x2ZaZ/L/ANou+7EY4DoWAkOEEoCU8DQHLAFgf6B7La -+oemLQGNHcBpba81jlS5EXXGJccOvfbw0MJTP3ZvyVIlEYu/X4roC7EJP/UkCZUJG -+f79Nc28q2/2D8tuFOqG7UbP7r2cWSa8OO3cI/V1W1k3iWZ63WltqDwFC0c8iqYFL -+9xKfQ96Q7wrYOCjmuaCLbw== - -----END CERTIFICATE----- -diff --git a/tests/certs/server-cert.pem b/tests/certs/server-cert.pem -index 4acde02..b304b47 100644 ---- a/tests/certs/server-cert.pem -+++ b/tests/certs/server-cert.pem -@@ -1,22 +1,22 @@ - -----BEGIN CERTIFICATE----- --MIIDkTCCAkmgAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTEyOVoYDzIwMjMwNTE1MTQ1MTI5WjAUMRIwEAYDVQQD --Ewlsb2NhbGhvc3QwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQCnOivs --PxSwLBn28W6QHb+OqfbpcIQJh/NQ81/DlFD6LGTWV4BY4Zb87tC9BBV+X3+lM/j8 --u5HvN3nDWtv4Ge0DryLW6Tcs6FPCt4srEfCkh5l54LrMmWbhFgkVlN5fTqoY0lnd --YJx2X8WWldRjeL+8E7nFUcFStWrgi9AzgMFrjsL4pql97YAZRXcMoQXVjbRmzVLZ --IVumQy7c+tl7Eqz8lx/xS/5Fx9tIRunqNS5jEUs8Nn5E6FvraAcy+eI0gXTGk759 --KNPYisSqAuFAmmt/XDTTvvOo6dpAseXqtR2/LjZJWOlXdiZ/yjHg5+RKQ5dt3dk5 --7lAIWER9egIOo/+GAkyek0ZJ5GWU6VxTsFcIl6oy3S7EtB0NCIM7hvhy32QrJ5ZU --yNncTSf6qMVoedgdAgMBAAGjgY0wgYowDAYDVR0TAQH/BAIwADAUBgNVHREEDTAL --gglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweg --ADAdBgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0 --UwqJMThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAK7dBCSwM/OJw+6s --9MJAb7Ygi9xhHSq30Hg3M7DaPC7J9rZB6+IAVb3poOZAtDDtyTqvXH7qY5UMjJC9 --GsFmHPI/OSk2xuJJpG+ZJaP54b7kzTtUD6UCHETsgBk2aNuqNhjXR2fYnR9QME0C --zZWIDV+5DFEBI97ln30N6PcXvIxp7Rsac3qwzvwt3zL+23kTwgM+DoRPoPO0PHr/ --eQ9hvRU5wA2Vc47zhUXIFy1Jmx7Sf//pw0/wq46VUAjDZ5B09EoCpzBNvOD7P+cF --FQQ7SId8h8OQ2uOWxT2baeJX0pVbVv+qwOOB1F0q3sjx0dZa/2rxOUZ3wnHG9j8j --LZSUkZxGpPQffCSpSPma5RhYff8/BncdA8soT0dyEfXIX5V91IXnrlI8XZrADvJM --zzJKdNg= -+MIIDjjCCAkagAwIBAgIEUdgu8DANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD 
-+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJ -+bG9jYWxob3N0MIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEApzor7D8U -+sCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7QvQQVfl9/pTP4/LuR -+7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJFZTeX06qGNJZ3WCc -+dl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3DKEF1Y20Zs1S2SFb -+pkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gHMvniNIF0xpO+fSjT -+2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox4OfkSkOXbd3ZOe5Q -+CFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiDO4b4ct9kKyeWVMjZ -+3E0n+qjFaHnYHQIDAQABo4GMMIGJMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJ -+bG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDAd -+BgNVHQ4EFgQUqCVH9o9E1jUb72ys0de5boT536MwHwYDVR0jBBgwFoAUSCM0UwqJ -+MThKWurKttKm3s4dKxgwDQYJKoZIhvcNAQELBQADggExAGQoUMiZVg6+Ibj8kyfq -+l/vfu4QxlUlqAbm/b9PVdOLrhz+T986HMFhL0b2HUGg5Mb0NZcgHjH4VLkei4AIb -+g/1nGdJ2I6EcLiQOvO4h2F3CoU6HkEGVEUXFaBd19tSDm7aM+2h7oPb3Vs3YT9QE -+x7ejmVeA+Qr9+H9xHyModpA1PkKRW31TOYtjUXHdHObT1uar++C1JLHn49ooKDZM -+5p9a4ExQVYd6WMRXKC83py1V4Ne5kBxC/l+3QkVZnMwByChySP7SEMa9yGv4KFM9 -+FT7XvxQsrkqPi5bCllUyGDrVeyTpyPDrb4BKgAu/Cy4tyDxLzBTZ5TXDH7E1IBps -+g1k5llFIyGdO5vQrX8vF61tqK5DBhgVvwu0k/m2lP9esLfaF7I5oGAbUKGhRr8mE -+xs8= - -----END CERTIFICATE----- -diff --git a/tests/certs/server-cert.tmpl b/tests/certs/server-cert.tmpl -new file mode 100644 -index 0000000..82e34ca ---- /dev/null -+++ b/tests/certs/server-cert.tmpl -@@ -0,0 +1,8 @@ -+cn = localhost -+dns_name = localhost -+tls_www_server -+signing_key -+encryption_key -+expiration_days = -1 -+activation_date = "2013-06-06 14:51:29" -+serial = 0x51d82ef0 -diff --git a/tests/certs/user-cert-invalid.pem b/tests/certs/user-cert-invalid.pem -index 0175bdf..4f5dd96 100644 ---- a/tests/certs/user-cert-invalid.pem -+++ b/tests/certs/user-cert-invalid.pem -@@ -1,107 +1,23 @@ --X.509 Certificate Information: -- Version: 3 -- Serial Number (hex): 51d82f14 -- Issuer: CN=CA -- Validity: -- Not Before: Sat Jul 06 14:52:05 UTC 2013 -- Not After: Mon May 15 
14:52:05 UTC 2023 -- Subject: CN=A user,UID=test -- Subject Public Key Algorithm: RSA -- Algorithm Security Level: Medium (2432 bits) -- Modulus (bits 2432): -- 00:ab:54:98:fc:a9:c6:15:95:9d:a6:c1:94:84:94:91 -- 79:1e:78:db:2d:48:51:99:65:01:02:c0:40:52:49:5d -- eb:70:bc:26:ef:68:39:1e:04:91:e2:db:cb:6f:93:40 -- 45:1e:22:8e:71:5a:58:89:28:79:5e:1a:32:25:3e:8b -- 9d:3b:34:7f:19:f8:d0:2f:37:b7:62:32:b7:53:a5:43 -- 2c:c5:5d:ec:ac:f9:35:fa:14:2b:34:66:f1:d6:a7:a1 -- d0:83:9a:56:f4:19:83:bc:bf:11:74:30:2d:a8:28:5b -- a2:ab:7a:c6:cd:9c:5c:f8:51:e9:a9:0c:48:db:71:bb -- b1:34:77:f7:ee:de:5d:78:c0:48:0a:37:0d:65:1e:3b -- 2b:14:03:89:72:f2:52:ed:5f:00:c5:06:60:ea:80:20 -- d0:43:ec:66:bc:d2:26:db:f0:29:3e:6a:f9:62:20:be -- 58:26:44:ba:d7:8c:6f:76:a6:05:20:e4:98:b7:c4:72 -- 7a:5d:df:4f:0d:23:ec:2e:9c:71:ec:30:f9:14:5f:c8 -- 75:0b:ab:67:f6:7d:fb:4d:76:64:4a:a5:d5:fa:b4:08 -- 50:9d:13:c7:8f:c2:79:b0:b4:3e:2f:89:d3:33:27:4d -- 9f:8b:d3:60:24:07:ab:b2:72:3d:29:a5:c4:4a:ec:3c -- 04:d2:49:3e:26:1b:ec:7a:10:3d:ca:45:5a:80:8b:4d -- 2a:96:63:4f:2d:63:28:0f:3b:47:47:ca:7c:2c:15:41 -- 32:d5:e0:c9:be:a5:55:2c:b3:6b:46:2a:56:b1:1b:ed -- 29 -- Exponent (bits 24): -- 01:00:01 -- Extensions: -- Basic Constraints (critical): -- Certificate Authority (CA): FALSE -- Key Purpose (not critical): -- TLS WWW Client. -- Key Usage (critical): -- Digital signature. -- Key encipherment. 
-- Subject Key Identifier (not critical): -- 8b01094b3b91ece321b91dec8d6b4c5d9e40805e -- Authority Key Identifier (not critical): -- 482334530a8931384a5aeacab6d2a6dece1d2b18 -- Signature Algorithm: RSA-SHA256 -- Signature: -- 6b:bd:e2:90:d7:11:cf:6c:0d:e3:bd:f4:61:cd:57:83 -- 41:be:2a:92:46:dd:fa:44:6c:60:1c:ef:3e:1e:2f:e1 -- e2:5b:45:88:6a:1e:50:2d:8d:96:c4:c7:80:75:59:7b -- 54:6b:fb:86:b0:f1:6d:45:09:db:48:de:20:0a:87:60 -- 30:5e:35:f0:52:c4:55:44:c1:ff:e1:7c:3d:d6:6d:58 -- ca:1c:fd:bf:04:9a:9b:10:35:05:fc:d1:01:3c:af:bb -- 64:31:5e:59:8f:ef:6f:0d:35:e5:c0:07:77:0e:31:20 -- 8e:e3:2e:f1:a6:4d:f1:be:85:5b:df:04:48:9d:8c:c9 -- c9:c1:b8:e3:e2:d2:4b:55:83:e9:d8:7b:71:2f:8e:89 -- fc:4d:a7:f1:b0:bf:47:9b:97:c4:85:dd:c3:3d:38:15 -- 36:08:73:10:87:08:f6:e6:1c:4e:29:a8:a5:f5:24:b8 -- 0d:e9:d9:b8:19:27:1d:73:35:fe:7b:81:1f:4a:81:6a -- 93:cd:a2:71:d7:60:0e:08:ee:ea:c8:2b:44:1b:e4:45 -- 6c:fe:44:68:d6:86:ad:89:4f:7e:9f:f9:1a:2a:97:0f -- 6b:eb:5d:6e:38:b3:5b:13:b9:e3:4a:10:32:5b:dc:a9 -- b4:a1:4e:b3:f9:4f:91:de:bc:cc:36:91:44:ba:e0:34 -- 74:f7:68:b4:7b:0e:db:4e:ec:28:03:01:cf:0a:63:c4 -- 23:75:0b:4b:41:9d:e0:68:b3:cb:bf:b5:5c:3d:52:93 -- 20:ba:ea:b8:f0:8c:f7:a6:ec:cd:a3:aa:4f:2a:ff:20 --Other Information: -- SHA1 fingerprint: -- 5509a76b8738216938cdb3ec25048812737170de -- SHA256 fingerprint: -- c93e38ef35f1a9c485a27b161e708f2d45bf8768eb53a23fec841a8f35d6e478 -- Public Key ID: -- 8b01094b3b91ece321b91dec8d6b4c5d9e40805e -- Public key's random art: -- +--[ RSA 2432]----+ -- | o=o | -- |..oE.. | -- |.+=.o | -- |o.*.... | -- | * B +..S | -- |. * o oo . | -- | o . . . | -- | + | -- | . 
| -- +-----------------+ -- - -----BEGIN CERTIFICATE----- --MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD --EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF --AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw --vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF --Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 --d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm --RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd --E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW --Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB --Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD --VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 --SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveKQ1xHPbA3jvfRhzVeD --Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg --MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg --juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV --NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF --bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 --dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g -+MIID2TCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG -+QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD -+ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm -+72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s -+rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 -+7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 -+14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH -+j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP 
-+LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ -+BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O -+BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFAV+KcZC+G2nf/6V -+sElx119oZKWUMA0GCSqGSIb3DQEBCwUAA4IBgQCTOjwtK5sDPFdbWWlScDX9xfNf -+tnqRL22Id6VIRcAiuu6KVAYRNs3Pdv65H9orSaohrBRfWKEqAi51bhvDQvzhbw7u -+881txF+6s0fauArxAUai3e11eCil3gt0JOQVephmPKw6pVq9mMieho5I2SQ8CXoQ -+pSrselGaOTp8CK1r90pn8RGiJrZ3xJu5Yezb3AWCs3IOHhRT1Rc5mFnvs9VVR64h -+Pvlr9yBOf/pBEuylQr00plhsZdLra/nIspsGnOIiuM4eIliP6bQwE06u1LxlCbgB -+CAGTQ86vbO2xT1i8dZeq8TJ72OatmRboUBncaZNIT3rUTZxZYkYhkNtVTKnv/8qq -+LZI23qtcWLEAsc1O0Xva22wjkg5QE06AiWdcwK3f/Qpvj5yO9+PL7X4lP47n5D6m -+t1S6xisKgjo/IP9Wk3mPNaNDN3hZCaFRYEHn4CYrlXHqjg1w7quCKApYzrh5/L1Y -+b9U/qzwF7SatFovndYtf02bjcrHC/TA53IdiQPA= - -----END CERTIFICATE----- -diff --git a/tests/certs/user-cert.pem b/tests/certs/user-cert.pem -index ef5114c..32ab235 100644 ---- a/tests/certs/user-cert.pem -+++ b/tests/certs/user-cert.pem -@@ -1,21 +1,21 @@ - -----BEGIN CERTIFICATE----- --MIIDjDCCAkSgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD --QTAiGA8yMDEzMDcwNjE0NTIwNVoYDzIwMjMwNTE1MTQ1MjA1WjAnMQ8wDQYDVQQD --EwZBIHVzZXIxFDASBgoJkiaJk/IsZAEBEwR0ZXN0MIIBUjANBgkqhkiG9w0BAQEF --AAOCAT8AMIIBOgKCATEAq1SY/KnGFZWdpsGUhJSReR542y1IUZllAQLAQFJJXetw --vCbvaDkeBJHi28tvk0BFHiKOcVpYiSh5XhoyJT6LnTs0fxn40C83t2Iyt1OlQyzF --Xeys+TX6FCs0ZvHWp6HQg5pW9BmDvL8RdDAtqChboqt6xs2cXPhR6akMSNtxu7E0 --d/fu3l14wEgKNw1lHjsrFAOJcvJS7V8AxQZg6oAg0EPsZrzSJtvwKT5q+WIgvlgm --RLrXjG92pgUg5Ji3xHJ6Xd9PDSPsLpxx7DD5FF/IdQurZ/Z9+012ZEql1fq0CFCd --E8ePwnmwtD4vidMzJ02fi9NgJAersnI9KaXESuw8BNJJPiYb7HoQPcpFWoCLTSqW --Y08tYygPO0dHynwsFUEy1eDJvqVVLLNrRipWsRvtKQIDAQABo3YwdDAMBgNVHRMB --Af8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYD --VR0OBBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4 --SlrqyrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQBrveOQ1xHPbA3jvfRhzVeD --Qb4qkkbd+kRsYBzvPh4v4eJbRYhqHlAtjZbEx4B1WXtUa/uGsPFtRQnbSN4gCodg 
--MF418FLEVUTB/+F8PdZtWMoc/b8EmpsQNQX80QE8r7tkMV5Zj+9vDTXlwAd3DjEg --juMu8aZN8b6FW98ESJ2MycnBuOPi0ktVg+nYe3Evjon8TafxsL9Hm5fEhd3DPTgV --NghzEIcI9uYcTimopfUkuA3p2bgZJx1zNf57gR9KgWqTzaJx12AOCO7qyCtEG+RF --bP5EaNaGrYlPfp/5GiqXD2vrXW44s1sTueNKEDJb3Km0oU6z+U+R3rzMNpFEuuA0 --dPdotHsO207sKAMBzwpjxCN1C0tBneBos8u/tVw9UpMguuq48Iz3puzNo6pPKv8g -+MIIDiTCCAkGgAwIBAgIEUdgvFDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD -+QTAgFw0xMzA2MDYxMjUxMjlaGA85OTk5MTIzMTIzNTk1OVowJzEPMA0GA1UEAxMG -+QSB1c2VyMRQwEgYKCZImiZPyLGQBARMEdGVzdDCCAVIwDQYJKoZIhvcNAQEBBQAD -+ggE/ADCCAToCggExAKtUmPypxhWVnabBlISUkXkeeNstSFGZZQECwEBSSV3rcLwm -+72g5HgSR4tvLb5NARR4ijnFaWIkoeV4aMiU+i507NH8Z+NAvN7diMrdTpUMsxV3s -+rPk1+hQrNGbx1qeh0IOaVvQZg7y/EXQwLagoW6KresbNnFz4UempDEjbcbuxNHf3 -+7t5deMBICjcNZR47KxQDiXLyUu1fAMUGYOqAINBD7Ga80ibb8Ck+avliIL5YJkS6 -+14xvdqYFIOSYt8Ryel3fTw0j7C6cceww+RRfyHULq2f2fftNdmRKpdX6tAhQnRPH -+j8J5sLQ+L4nTMydNn4vTYCQHq7JyPSmlxErsPATSST4mG+x6ED3KRVqAi00qlmNP -+LWMoDztHR8p8LBVBMtXgyb6lVSyza0YqVrEb7SkCAwEAAaN1MHMwDAYDVR0TAQH/ -+BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0O -+BBYEFIsBCUs7kezjIbkd7I1rTF2eQIBeMB8GA1UdIwQYMBaAFEgjNFMKiTE4Slrq -+yrbSpt7OHSsYMA0GCSqGSIb3DQEBCwUAA4IBMQAp51Ks5DDWVlLB6fMM2NJV80sX -+Rx6U1g6ovA7N5BDQiF6FYzVZECMH3d9nyZssHbkzb6qyO1m58P0cNkVurEH27+Z2 -+xdkNw5bbcvNDVhfVSjwa6nyTLfhf7vOTWaIxGGmffP72PIe87N6QmyCCGG0IXIkO -+kcTAE8IgX6k1mEr1Xy2ZtFVgKjPPLxsixIJ7TEktvJR1RqWQfbsOS8f13lvS1Vhh -+vc+UMbIQnz+jl4qNV/AX7GfpEYiBkbrgcjsggl/KMuwcauhEDdvfIQjcyRbQN36p -+KcVEXDpnG54sAfXAs9Z+adbvmu0ONAMCDuxKCT2eG1SGVrtiT5+7kCMso1eKz/5A -+r1XP0RgCKFExIRYb1elFpLc8wmJbN4qof2zisKG8UajFIHzIGateiu53enNn - -----END CERTIFICATE----- -diff --git a/tests/certs/user-cert.tmpl b/tests/certs/user-cert.tmpl -new file mode 100644 -index 0000000..6a60496 ---- /dev/null -+++ b/tests/certs/user-cert.tmpl -@@ -0,0 +1,7 @@ -+dn = "uid=test,cn=A user" -+tls_www_client -+signing_key -+encryption_key -+expiration_days = -1 -+activation_date = "2013-06-06 14:51:29" -+serial = 0x51d82f14 -diff --git 
a/tests/cipher-common.sh b/tests/cipher-common.sh
-index fb9e2ac..07443a0 100755
---- a/tests/cipher-common.sh
-+++ b/tests/cipher-common.sh
-@@ -91,14 +91,14 @@ fi
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
- fi
-
- echo " * Connecting to ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= ${CSTR} -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/disconnect-user b/tests/disconnect-user
-index 67a016e..bf4c7ab 100755
---- a/tests/disconnect-user
-+++ b/tests/disconnect-user
-@@ -77,7 +77,7 @@ sleep 3
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
-@@ -85,7 +85,7 @@ fi
-
- eval $(cat ${TMPFILE})
- echo " * Connecting to ${ADDRESS}:${PORT}..."
--( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
-+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-@@ -105,7 +105,7 @@ if test $? != 0;then
- fi
-
- echo " * Re-connecting to obtain cookie after disconnect... "
--( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
-+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
- if test $? = 0;then
- echo "Succeeded using the cookie to connect"
- exit 1
-diff --git a/tests/disconnect-user2 b/tests/disconnect-user2
-index ef8c3c1..e00cc67 100755
---- a/tests/disconnect-user2
-+++ b/tests/disconnect-user2
-@@ -75,7 +75,7 @@ sleep 3
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${TMPFILE} )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${TMPFILE} )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
-@@ -83,7 +83,7 @@ fi
-
- eval $(cat ${TMPFILE})
- echo " * Connecting to ${ADDRESS}:${PORT}..."
--( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
-+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-@@ -103,7 +103,7 @@ if test $? != 0;then
- fi
-
- echo " * Re-connecting to obtain cookie after disconnect... "
--( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
-+( ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${PORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script -C "${COOKIE}" --pid-file=${CLIPID} -b )
- if test $? = 0;then
- echo "Succeeded using the cookie to connect"
- exit 1
-diff --git a/tests/drain-server b/tests/drain-server
-index be51cd4..808067f 100755
---- a/tests/drain-server
-+++ b/tests/drain-server
-@@ -35,7 +35,7 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
- wait_server $PID
-
- echo "Connecting to obtain cookie... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
- fail $PID "Could not receive cookie from server"
-
- if ! test -f ${PIDFILE};then
-@@ -48,7 +48,7 @@ kill -15 $(cat $PIDFILE)
- sleep 1
-
- echo "Connecting to obtain cookie... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) &&
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) &&
- fail $PID "Server is still listening"
-
- wait
-diff --git a/tests/drain-server-fail b/tests/drain-server-fail
-index d61106e..a2c495d 100755
---- a/tests/drain-server-fail
-+++ b/tests/drain-server-fail
-@@ -48,7 +48,7 @@ launch_simple_sr_server -d 3 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
- wait_server $PID
-
- echo "Connecting to obtain cookie... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
- fail $PID "Could not receive cookie from server"
-
- if ! test -f ${PIDFILE};then
-diff --git a/tests/flowcontrol b/tests/flowcontrol
-index fb60f67..7ef6b70 100755
---- a/tests/flowcontrol
-+++ b/tests/flowcontrol
-@@ -37,39 +37,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
- wait_server $PID
-
- echo "Connecting to obtain cookie... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
- fail $PID "Could not receive cookie from server"
-
- echo "Connecting to obtain cookie with wrong password... "
--( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
-+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
- echo "Connecting to obtain cookie with empty password... "
--( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
-+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
- echo "Connecting to obtain cookie with wrong username... "
--( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
-+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
- # test locked account
-
- echo "Connecting to obtain cookie with locked account... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
- #test special characters
-
- echo "Connecting to obtain cookie with special password... "
--( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
-+( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
- fail $PID "Could not receive cookie from server"
-
- echo "Connecting to obtain cookie with empty password... "
--( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
-+( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) ||
- fail $PID "Could not receive cookie from server"
-
- #echo "Normal connection... "
--#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) ||
-+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) ||
- # fail $PID "Could not connect to server"
-
- if ! test -f ${PIDFILE};then
-diff --git a/tests/haproxy-auth b/tests/haproxy-auth
-index b653714..5261860 100755
---- a/tests/haproxy-auth
-+++ b/tests/haproxy-auth
-@@ -51,7 +51,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT
- wait_server ${HAPID}
-
- echo "Connecting to obtain cookie... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- kill ${HAPID}
- fail ${PID} "Could not receive cookie from server"
-@@ -66,7 +66,7 @@ LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT
- wait_server ${HAPID}
-
- echo "Re-connecting to obtain cookie after haproxy restart... "
--( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | LD_PRELOAD=libsocket_wrapper.so ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- kill ${HAPID}
- fail ${PID} "Could not receive cookie from server"
-diff --git a/tests/haproxy-connect b/tests/haproxy-connect
-index c42b76c..662c08f 100755
---- a/tests/haproxy-connect
-+++ b/tests/haproxy-connect
-@@ -91,14 +91,14 @@ sleep 3
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
- fi
-
- echo " * Connecting to ${ADDRESS}:${HAPORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-@@ -135,7 +135,7 @@ set +e
- sleep 3
-
- echo " * Re-connecting to obtain cookie after haproxy restart... "
--( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not receive cookie from server on reconnection"
- exit 1
-diff --git a/tests/haproxy-proxyproto b/tests/haproxy-proxyproto
-index 70c1390..54e413c 100755
---- a/tests/haproxy-proxyproto
-+++ b/tests/haproxy-proxyproto
-@@ -94,14 +94,14 @@ sleep 3
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
- fi
-
- echo " * Connecting to ${ADDRESS}:${HAPORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/haproxy-proxyproto-v1 b/tests/haproxy-proxyproto-v1
-index d274575..f767581 100755
---- a/tests/haproxy-proxyproto-v1
-+++ b/tests/haproxy-proxyproto-v1
-@@ -94,14 +94,14 @@ sleep 3
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${HAPORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
- fi
-
- echo " * Connecting to ${ADDRESS}:${HAPORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} -q ${ADDRESS}:${HAPORT} -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/ipv6-iface b/tests/ipv6-iface
-index d5262e5..9b78d5e 100755
---- a/tests/ipv6-iface
-+++ b/tests/ipv6-iface
-@@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
- wait_server $PID
-
- echo -n "Connecting to setup interface... "
--echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
-+echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/ipv6-small-net b/tests/ipv6-small-net
-index 4fc7260..c87b429 100755
---- a/tests/ipv6-small-net
-+++ b/tests/ipv6-small-net
-@@ -70,7 +70,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
- wait_server $PID
-
- echo -n "Connecting to setup interface... "
--echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
-+echo "test" | ${CMDNS1} $OPENCONNECT -q $ADDRESS:$PORT -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/json b/tests/json
-index 72dd4bf..24c66d8 100755
---- a/tests/json
-+++ b/tests/json
-@@ -78,7 +78,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
- sleep 4
-
- echo " * Connecting to ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/lz4-compression b/tests/lz4-compression
-index 76478cf..405b2a2 100755
---- a/tests/lz4-compression
-+++ b/tests/lz4-compression
-@@ -81,14 +81,14 @@ sleep 4
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
- fi
-
- echo " * Connecting to ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/lzs-compression b/tests/lzs-compression
-index c485df2..eef55f0 100755
---- a/tests/lzs-compression
-+++ b/tests/lzs-compression
-@@ -81,14 +81,14 @@ sleep 4
-
- # Run clients
- echo " * Getting cookie from ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
- fi
-
- echo " * Connecting to ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/multiple-routes b/tests/multiple-routes
-index b6cc0c5..63c7614 100755
---- a/tests/multiple-routes
-+++ b/tests/multiple-routes
-@@ -39,13 +39,13 @@ PID=$!
- wait_server $PID
-
- echo -n "Connecting to obtain cookie (with certificate)... "
--( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) ||
-+( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) ||
- fail $PID "Could not connect with certificate!"
-
- echo ok
-
- echo -n "Re-connecting to get routes... "
--timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1
-+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1
-
- echo ok
-
-diff --git a/tests/no-route-default b/tests/no-route-default
-index 0c6f4f2..6cc68f0 100755
---- a/tests/no-route-default
-+++ b/tests/no-route-default
-@@ -43,7 +43,7 @@ PID=$!
- wait_server $PID
-
- echo -n "Connecting to get routes... "
--timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1
-+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1
-
- echo ok
-
-@@ -68,7 +68,7 @@ PID=$!
- wait_server $PID
-
- echo -n "Connecting to get routes... "
--timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1
-+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1
-
- echo ok
-
-diff --git a/tests/no-route-group b/tests/no-route-group
-index 59ec2f0..25cfaa6 100755
---- a/tests/no-route-group
-+++ b/tests/no-route-group
-@@ -43,7 +43,7 @@ PID=$!
- wait_server $PID
-
- echo -n "Connecting to get routes... "
--echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
-+echo "test" | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 -u test --passwd-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
-
- echo ok
-
-@@ -68,7 +68,7 @@ PID=$!
- wait_server $PID
-
- echo -n "Connecting to get routes... "
--echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${TMPFILE} 2>&1
-+echo test | timeout 15s $OPENCONNECT -v localhost:$PORT --authgroup group1 --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
-
- echo ok
-
-diff --git a/tests/ping-leases b/tests/ping-leases
-index d97012e..3a43ac5 100755
---- a/tests/ping-leases
-+++ b/tests/ping-leases
-@@ -52,12 +52,12 @@ fi
- echo "Server started with PID $PID..."
-
- echo "Connecting to obtain cookie..."
--( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||
-+( echo "test" | $OPENCONNECT -q localhost:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||
- fail $PID "Could not receive cookie from server"
-
-
- echo "Connecting to ping lease..."
--echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true
-+echo "test" | timeout 10 $OPENCONNECT localhost:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true
-
- if test $? != 124;then
- fail $PID "Could not connect to server"
-diff --git a/tests/radius b/tests/radius
-index 859671d..7bc705a 100755
---- a/tests/radius
-+++ b/tests/radius
-@@ -98,21 +98,21 @@ sleep 4
-
- # Run clients
- echo " * Testing wrong username at ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u xxx --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? = 0;then
- echo "Connected with incorrect username"
- exit 1
- fi
-
- echo " * Testing wrong password at ${ADDRESS}:${PORT}..."
--( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "xxx" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? = 0;then
- echo "Connected with incorrect password"
- exit 1
- fi
-
- echo " * Getting cookie from ${ADDRESS}:${PORT}..."
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly )
- if test $? != 0;then
- echo "Could not get cookie from server"
- exit 1
-@@ -120,7 +120,7 @@ fi
-
- echo " * Connecting to ${ADDRESS}:${PORT} with special IP..."
- USERNAME=test-arb
--( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-@@ -148,7 +148,7 @@ sleep 3
-
- echo " * Connecting to ${ADDRESS}:${PORT}..."
- USERNAME=test
--( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/radius-config b/tests/radius-config
-index 7285091..af9d3f7 100755
---- a/tests/radius-config
-+++ b/tests/radius-config
-@@ -123,7 +123,7 @@ sleep 4
-
- echo " * Connecting to ${ADDRESS}:${PORT}..."
- USERNAME=testtime
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/radius-group b/tests/radius-group
-index 1f28cda..9b85889 100755
---- a/tests/radius-group
-+++ b/tests/radius-group
-@@ -100,7 +100,7 @@ sleep 4
-
- echo " * Tests the radius group functionality"
- USERNAME=test-class
--( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group2 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-@@ -137,7 +137,7 @@ sleep 4
-
- echo " * Tests the alt radius group functionality"
- USERNAME=test-class
--( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
-+( echo "${USERNAME}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} --authgroup group1 -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
- if test $? != 0;then
- echo "Could not connect to server"
- exit 1
-diff --git a/tests/radius-otp b/tests/radius-otp
-index 11c3907..9b4fecb 100755
---- a/tests/radius-otp
-+++ b/tests/radius-otp
-@@ -111,7 +111,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
- sleep 0.5
- echo "$USERNAME-stage$COUNT"
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b >/dev/null 2>&1)
- if test $? != 0; then
- echo "Could not connect to server"
- exit 1
-@@ -151,7 +151,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
- sleep 0.5
- echo "$USERNAME-stage"
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
- if test $? == 0; then
- echo "Connected with wrong username"
- exit 1
-@@ -173,7 +173,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
- echo "$USERNAME-stage$COUNT"
- fi
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
- if test $? == 0; then
- echo "Connected with wrong OTP"
- exit 1
-@@ -197,7 +197,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
- echo "$USERNAME-stage$COUNT"
- fi
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
- if test $? == 0; then
- echo "Connected with wrong OTP"
- exit 1
-@@ -218,7 +218,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
- echo "$USERNAME-stage$COUNT"
- fi
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
- if test $? == 0; then
- echo "Connected with blank OTP"
- exit 1
-@@ -247,7 +247,7 @@ for (( COUNT=1; COUNT <= 3; COUNT++ )); do
- echo "$USERNAME-stage$COUNT"
- fi
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
- if test $? == 0; then
- echo "Successful connection with the number of OTP retries greater than allowed by the ban system (default 30)."
- ${OCCTL} -s ${OCCTL_SOCKET} show ip ban points
-@@ -265,7 +265,7 @@ for (( COUNT=1; COUNT <= 17; COUNT++ )); do
- sleep 0.5
- echo "$USERNAME-stage$COUNT"
- done
--} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
-+} | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} -b --cookieonly >/dev/null 2>&1)
- if test $? == 0; then
- echo "Connected to server - MAX_CHALLENGES test failed"
- exit 1
-diff --git a/tests/test-append-routes b/tests/test-append-routes
-index be71d22..923d0aa 100755
---- a/tests/test-append-routes
-+++ b/tests/test-append-routes
-@@ -41,7 +41,7 @@ wait_server $PID
-
- echo "Checking if routes are appended... "
-
--timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1
-+timeout 15s $OPENCONNECT localhost:$PORT -v --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1
-
- echo "cat"
- cat ${TMPFILE1}
-diff --git a/tests/test-ban b/tests/test-ban
-index eb6a874..be4695a 100755
---- a/tests/test-ban
-+++ b/tests/test-ban
-@@ -59,15 +59,15 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
- sleep 4
-
- echo "Connecting with wrong password 5 times... "
--echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
--echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
--echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
--echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
--echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3
-+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
-+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
-+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
-+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
-+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=
-
- echo ""
- echo "Connecting with correct password... "
--eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
-+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
-
- if [ -n "$COOKIE" ];then
- fail $PID "Obtained cookie although should have been banned"
-@@ -90,7 +90,7 @@ sleep 25
- echo ""
-
- echo "Connecting with correct password after ban time... "
--eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3`
-+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=`
-
- if [ -z "$COOKIE" ];then
- fail $PID "Could not obtain cookie even though ban should be lifted"
-@@ -99,16 +99,16 @@ fi
- echo ""
- echo "Checking ban reset time... 
" - --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - sleep 11 --echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - echo "" - echo "Connecting with correct password after ban reset time... 
" --eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | ${CMDNS1} ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie even though ban should be lifted" -diff --git a/tests/test-ban-local b/tests/test-ban-local -index d2a4397..fbe0eb2 100755 ---- a/tests/test-ban-local -+++ b/tests/test-ban-local -@@ -60,15 +60,15 @@ ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$! - sleep 4 - - echo "Connecting with wrong password 5 times... " --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | 
${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -+echo "notest" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - echo "" - echo "Connecting with correct password... " --eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | ${OPENCONNECT} --passwd-on-stdin -q ${ADDRESS}:${PORT} -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie even though client should be exempt" -diff --git a/tests/test-cert b/tests/test-cert -index 41362aa..7967193 100755 ---- a/tests/test-cert -+++ b/tests/test-cert -@@ -49,19 +49,19 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with invalid certificate)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with invalid certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -80,7 +80,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with DER CRL)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -99,13 +99,13 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with revoked certificate)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with revoked certificate!" - - echo "ok (failed as expected)" - - #echo "Normal connection... " --#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - rm -f "${CRLNAME}" "${CRLTMPLNAME}" -diff --git a/tests/test-cert-opt-pass b/tests/test-cert-opt-pass -index 18893d3..0109ef2 100755 ---- a/tests/test-cert-opt-pass -+++ b/tests/test-cert-opt-pass -@@ -34,7 +34,7 @@ opts=$1 - pass=$2 - rm -f ${OUTFILE} - --echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 -+echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 - if test $? != 0;then - cat ${OUTFILE} - return 1 -diff --git a/tests/test-client-bypass-protocol b/tests/test-client-bypass-protocol -index 09f3cb2..14cb5a5 100755 ---- a/tests/test-client-bypass-protocol -+++ b/tests/test-client-bypass-protocol -@@ -43,7 +43,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting... 
" --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 - - echo ok - -@@ -68,7 +68,7 @@ PID=$! - wait_server $PID - - echo -n "Reconnecting..." --timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE} 2>&1 -+timeout 15s $OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE} 2>&1 - - echo ok - -diff --git a/tests/test-config-per-group b/tests/test-config-per-group -index 4a8bd60..6b8929a 100755 ---- a/tests/test-config-per-group -+++ b/tests/test-config-per-group -@@ -81,7 +81,7 @@ ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & - sleep 4 - - echo " * Connecting with user NOT in group..." --( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -129,7 +129,7 @@ sleep 2 - USERNAME=test - PASSWORD=test - echo " * Connecting with user in group to ${ADDRESS}:${PORT}..." 
--( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "${PASSWORD}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/test-cookie-invalidation b/tests/test-cookie-invalidation -index 5f77afa..a6f8cea 100755 ---- a/tests/test-cookie-invalidation -+++ b/tests/test-cookie-invalidation -@@ -35,7 +35,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie" -@@ -44,7 +44,7 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background >/dev/null 2>&1 - - sleep 4 - -@@ -58,9 +58,9 @@ if test $? != 0;then - fi - - echo "Terminating and connecting again with same cookie... 
" --#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - # fail $PID "Could not connect to server" --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 - - sleep 4 - -@@ -82,9 +82,9 @@ rm -f "${PIDFILE2}" - sleep 18 - - echo "Proper termination and connecting again with same (invalidated) cookie... " --#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+#( echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - # fail $PID "Could not connect to server" --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background >/dev/null 2>&1 - - sleep 4 - -diff --git a/tests/test-cookie-timeout b/tests/test-cookie-timeout -index 08081b2..b8b4dda 100755 ---- a/tests/test-cookie-timeout -+++ b/tests/test-cookie-timeout -@@ -34,7 +34,7 @@ launch_server -d 1 -f -c 
${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie" -@@ -44,7 +44,7 @@ fi - sleep 16 - echo "" - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -59,7 +59,7 @@ rm -f "${PIDFILE}" - sleep 16 - echo "" - echo "Connecting again with cookie... " --echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -74,7 +74,7 @@ rm -f "${PIDFILE}" - sleep 16 - echo "" - echo "Connecting after forced kill with cookie... 
" --echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -90,7 +90,7 @@ rm -f "${PIDFILE}" - sleep 45 - echo "" - echo "Connecting with cookie after expiration... " --echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE}" --background -+echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE}" --background - - sleep 4 - -@@ -104,7 +104,7 @@ fi - # test cookie verification after cookie verification failure. That is to verify whether - # the channel between main and sec-mod is in consistent state. - echo "Connecting (again) to obtain cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= - - if test $? != 0;then - fail $PID "Could not obtain cookie" -diff --git a/tests/test-cookie-timeout-2 b/tests/test-cookie-timeout-2 -index fbeba81..4161eb6 100755 ---- a/tests/test-cookie-timeout-2 -+++ b/tests/test-cookie-timeout-2 -@@ -33,7 +33,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - fail $PID "Could not obtain cookie" -@@ -43,7 +43,7 @@ fi - sleep 10 - echo "" - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background -+echo "test" | $OPENCONNECT -q -b localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid.$$ --background - - sleep 4 - -@@ -58,7 +58,7 @@ rm -f "${srcdir}/pid2.$$" - sleep 30 - echo "" - echo "Connecting again with cookie (overriding first session)... " --echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background -+echo "test" | $OPENCONNECT -b -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pid2.$$ --background - - sleep 6 - -diff --git a/tests/test-enc-key b/tests/test-enc-key -index 0ca6249..5d65b62 100755 ---- a/tests/test-enc-key -+++ b/tests/test-enc-key -@@ -33,7 +33,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -@@ -48,7 +48,7 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -diff --git a/tests/test-explicit-ip b/tests/test-explicit-ip -index bfd1a9d..41d4665 100755 ---- a/tests/test-explicit-ip -+++ b/tests/test-explicit-ip -@@ -31,13 +31,13 @@ connect() - opts=$1 - pass=$2 - COOKIE='' --eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate` -+eval `echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate` - if [ -z "$COOKIE" ];then - return 1 - fi - - rm -f $TMPFILE --echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & -+echo "$pass" | $OPENCONNECT -q localhost:$PORT $opts -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file ${srcdir}/pidx >$TMPFILE 2>&1 & - CPID=$! 
- - sleep 3 -diff --git a/tests/test-group-pass b/tests/test-group-pass -index 1530f43..7a78237 100755 ---- a/tests/test-group-pass -+++ b/tests/test-group-pass -@@ -33,19 +33,19 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group1 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group2 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with wrong groupname... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --authgroup group4 --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - cleanup -diff --git a/tests/test-gssapi-opt-cert b/tests/test-gssapi-opt-cert -index 0ef2d55..5cf1105 100755 ---- a/tests/test-gssapi-opt-cert -+++ b/tests/test-gssapi-opt-cert -@@ -29,7 +29,7 @@ opts=$1 - pass=$2 - rm -f ${OUTFILE} - --echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 -+echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 - if test $? != 0;then - cat ${OUTFILE} - return 1 -diff --git a/tests/test-gssapi-opt-pass b/tests/test-gssapi-opt-pass -index 8999d30..b6ebd11 100755 ---- a/tests/test-gssapi-opt-pass -+++ b/tests/test-gssapi-opt-pass -@@ -29,7 +29,7 @@ opts=$1 - pass=$2 - rm -f ${OUTFILE} - --echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --authenticate >${OUTFILE} 2>&1 -+echo "$pass" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --authenticate >${OUTFILE} 2>&1 - if test $? != 0;then - cat ${OUTFILE} - return 1 -diff --git a/tests/test-iroute b/tests/test-iroute -index d7b5f52..caf0a92 100755 ---- a/tests/test-iroute -+++ b/tests/test-iroute -@@ -34,13 +34,13 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! 
- wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -47,7 +47,7 @@ kill -USR2 $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -58,7 +58,7 @@ kill -USR2 $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" 
- - echo ok -diff --git a/tests/test-max-same-1 b/tests/test-max-same-1 -index 5146483..ec19c0d 100755 ---- a/tests/test-max-same-1 -+++ b/tests/test-max-same-1 -@@ -47,7 +47,7 @@ launch_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - echo "Could not obtain cookie" -@@ -57,12 +57,12 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background - - sleep 4 - - echo "Connecting again with same cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background - - sleep 4 - -diff --git a/tests/test-multi-cookie b/tests/test-multi-cookie -index 83c9cb5..7581f9c 100755 ---- a/tests/test-multi-cookie -+++ b/tests/test-multi-cookie -@@ -47,7 +47,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - echo "Could not obtain cookie" -@@ -57,12 +57,12 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE1}" --background - - sleep 4 - - echo "Connecting again with same cookie... " --echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -b -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${PIDFILE2}" --background - - sleep 4 - -diff --git a/tests/test-multiple-client-ip b/tests/test-multiple-client-ip -index 0e799e0..76099fe 100755 ---- a/tests/test-multiple-client-ip -+++ b/tests/test-multiple-client-ip -@@ -84,14 +84,14 @@ sleep 4 - - # Run client 1 - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? 
!= 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -@@ -99,14 +99,14 @@ fi - - # Run client 2 - echo " * Getting cookie from ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS3} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID2} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 -diff --git a/tests/test-namespace-listen b/tests/test-namespace-listen -index 9691b28..81c3e86 100755 ---- a/tests/test-namespace-listen -+++ b/tests/test-namespace-listen -@@ -77,7 +77,7 @@ if test $? 
!= 0; then - fi - - echo " connecting to server" --(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --pid-file=${CLIPID} -b) || -+(echo "test" | ${CMDNS3} $OPENCONNECT $ADDRESS:$PORT -u "test" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --pid-file=${CLIPID} -b) || - fail $PID "could not connect to server" - sleep 5 - -diff --git a/tests/test-otp b/tests/test-otp -index 5209b0a..ed1fe94 100755 ---- a/tests/test-otp -+++ b/tests/test-otp -@@ -45,27 +45,27 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting with wrong username... " --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u falsetest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected with wrong username!" - echo ok - - echo -n "Connecting with wrong OTP... " --( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n999482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should not have connected with wrong OTP!" - echo ok - - echo -n "Connecting with correct password and OTP... 
" --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with OTP!" - echo ok - - echo -n "Connecting with empty password and wrong OTP... " --( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "999999\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should have not connected with wrong OTP!" - echo ok - - echo -n "Connecting with empty password and OTP... " --( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with OTP-only!" - echo ok - -diff --git a/tests/test-otp-cert b/tests/test-otp-cert -index c8dc12c..61a71db 100755 ---- a/tests/test-otp-cert -+++ b/tests/test-otp-cert -@@ -45,22 +45,22 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... 
" --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - echo ok - - echo -n "Connecting to obtain cookie (with incorrect certificate)... " --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should not have connected with wrong certificate!" - echo ok - - echo -n "Connecting to obtain cookie (with certificate)... " --( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "test\n328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - echo ok - - echo -n "Connecting to obtain cookie (with no pass and certificate)... 
" --( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo -e "328482\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - echo ok - -diff --git a/tests/test-pam b/tests/test-pam -index 8ec787a..561a140 100755 ---- a/tests/test-pam -+++ b/tests/test-pam -@@ -37,22 +37,22 @@ wait_server $PID - - echo "" - echo "Connecting with wrong password... " --( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "testuser\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with wrong cred" - - echo "" - echo "Connecting with empty password... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with wrong cred" - - echo "" - echo "Connecting with wrong username... 
" --( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with wrong cred" - - echo "" - echo "Connecting with correct password... " --( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) || -+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -v $ADDRESS:$PORT --authgroup group2 -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -diff --git a/tests/test-pam-noauth b/tests/test-pam-noauth -index dc8dd3d..1f67371 100755 ---- a/tests/test-pam-noauth -+++ b/tests/test-pam-noauth -@@ -35,19 +35,19 @@ launch_sr_pam_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting with correct password but no PAM user... " --( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u xtest --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with non existing user" - - echo "Connecting with incorrect password (correct in PAM) and existing user... 
" --( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "testuser123\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with non existing user" - - echo "Connecting with empty password (correct in PAM) and existing user... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie with non existing user" - - echo "Connecting with correct password and existing user... " --( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) ||#>/dev/null 2>&1 ) || -+( echo -e "test\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u testuser --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) ||#>/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - cleanup -diff --git a/tests/test-pass b/tests/test-pass -index 9d5484a..5aaaf48 100755 ---- a/tests/test-pass -+++ b/tests/test-pass -@@ -34,39 +34,39 @@ launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with wrong password... " --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - echo "Connecting to obtain cookie with empty password... " --( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo -e "\n" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - echo "Connecting to obtain cookie with wrong username... " --( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - # test locked account - - echo "Connecting to obtain cookie with locked account... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u locked --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - #test special characters - - echo "Connecting to obtain cookie with special password... " --( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting to obtain cookie with empty password... " --( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u "empty" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - #echo "Normal connection... " --#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - if ! 
test -f ${PIDFILE};then -diff --git a/tests/test-pass-cert b/tests/test-pass-cert -index 8050788..8d284b8 100755 ---- a/tests/test-pass-cert -+++ b/tests/test-pass-cert -@@ -34,26 +34,26 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo ok - - echo -n "Connecting to obtain cookie (with certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie (with incorrect certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-wrong.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Should not have connected with wrong certificate!" - - echo ok - - - #echo "Normal connection... " --#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true ) || -+#( echo "test" | $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true ) || - # fail $PID "Could not connect to server" - - cleanup -diff --git a/tests/test-pass-group-cert b/tests/test-pass-group-cert -index ff64993..e559ac6 100755 ---- a/tests/test-pass-group-cert -+++ b/tests/test-pass-group-cert -@@ -33,37 +33,37 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group1 (with certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - DEFAULT (with certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup DEFAULT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group2 (with certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group4 (with certificate)... 
" --( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group4 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Got cookie when it shouldn't!" - - echo ok -diff --git a/tests/test-pass-group-cert-no-pass b/tests/test-pass-group-cert-no-pass -index bc39b45..401b24f 100755 ---- a/tests/test-pass-group-cert-no-pass -+++ b/tests/test-pass-group-cert-no-pass -@@ -33,25 +33,25 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 && -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 && - fail $PID "Connected without certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group1 (with certificate)... 
" --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group1 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group2 (with certificate)... " --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group2 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Connecting to obtain cookie - group3 (hidden) (with certificate)... " --LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 || -+LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --authgroup group3 -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-group-key.pem -c ${srcdir}/certs/user-group-cert.pem -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 || - fail $PID "Could not connect with certificate!" 
- - echo ok -diff --git a/tests/test-pass-opt-cert b/tests/test-pass-opt-cert -index ac9adc1..1836538 100755 ---- a/tests/test-pass-opt-cert -+++ b/tests/test-pass-opt-cert -@@ -38,7 +38,7 @@ connect() - { - opts=$1 - pass=$2 --echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --passwd-on-stdin --authenticate >${TMPFILE} -+echo ${pass} | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT $opts --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --passwd-on-stdin --authenticate >${TMPFILE} - if test $? != 0;then - cat ${TMPFILE} - return 1 -diff --git a/tests/test-pass-script b/tests/test-pass-script -index 89a4094..0f18551 100755 ---- a/tests/test-pass-script -+++ b/tests/test-pass-script -@@ -67,7 +67,7 @@ launch_server -d 1 -f -c "${CONFIG}" & PID=$! - wait_server $PID - - echo " * Connecting to obtain cookie with wrong username... " --( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) && -+( echo "tost" | $OPENCONNECT -q localhost:$PORT -u tost --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) && - fail $PID "Received cookie when we shouldn't" - - rm -f ${builddir}/connect.ok -@@ -76,11 +76,11 @@ rm -f ${builddir}/host-update.ok - #test special characters - - echo " * Connecting to obtain cookie... " --( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo " * Re-connecting to force script run... 
" --echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true -+echo "!@#$%^&*()<>" | timeout 7 $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true - - TIMEOUT=5 - while ! test -f ${builddir}/disconnect.ok; do -@@ -112,7 +112,7 @@ rm -f ${builddir}/disconnect.ok - rm -f ${builddir}/host-update.ok - - echo " * Re-connecting to get cookie... " --echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >${PARAMSFILE} -+echo "test2" | $OPENCONNECT -q localhost:$PORT -u "test2" --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${PARAMSFILE} - if test $? != 0;then - echo "Could not connect" - cat ${PARAMSFILE} -@@ -127,7 +127,7 @@ fi - - echo " * Re-connecting to force session stealing... " - eval "$(grep COOKIE ${PARAMSFILE})" --echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE} -b -+echo ${COOKIE}| $OPENCONNECT --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE} -b - - echo " - Pausing client" - TIMEOUT=4 -@@ -156,7 +156,7 @@ rm -f ${builddir}/connect.ok - rm -f ${builddir}/disconnect.ok - - echo " * Re-connecting to steal previous IP address... 
" --echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true --pid-file=${OPIDFILE2} -b -+echo ${COOKIE} | $OPENCONNECT -q --local-hostname='mylocalname' localhost:$PORT -u "test2" --reconnect-timeout 0 --cookie-on-stdin --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true --pid-file=${OPIDFILE2} -b - - echo " - Resuming (disconnected) client" - kill -s CONT $(cat ${OPIDFILE}) -@@ -205,7 +205,7 @@ done - sleep 5 - echo " - Check server status" - --( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "!@#$%^&*()<>" | $OPENCONNECT --local-hostname='mylocalname' -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo " - Killing server" -diff --git a/tests/test-replay b/tests/test-replay -index b8aa848..0533893 100755 ---- a/tests/test-replay -+++ b/tests/test-replay -@@ -60,7 +60,7 @@ launch_server -d 9999 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to obtain cookie... " --eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3` -+eval `echo "test" | $OPENCONNECT -q localhost:$PORT -u test --authenticate --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=` - - if [ -z "$COOKIE" ];then - echo "Could not obtain cookie" -@@ -70,7 +70,7 @@ fi - #echo "Cookie: $COOKIE" - - echo "Connecting with cookie... 
" --echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --verbose --pid-file "${PIDFILE1}" --background -+echo "test" | $OPENCONNECT -q localhost:$PORT -u test -C "$COOKIE" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --verbose --pid-file "${PIDFILE1}" --background - - sleep 4 - -diff --git a/tests/test-san-cert b/tests/test-san-cert -index a5040ae..a41c331 100755 ---- a/tests/test-san-cert -+++ b/tests/test-san-cert -@@ -49,25 +49,25 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (without certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected without certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with invalid certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-invalid.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with invalid certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with certificate - no SAN)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Connected with invalid certificate!" - - echo "ok (failed as expected)" - - echo -n "Connecting to obtain cookie (with certificate - SAN)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-san-cert.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Failed to connect with certificate!" - - echo ok -diff --git a/tests/test-script-multi-user b/tests/test-script-multi-user -index 6327a26..c0bfa3d 100755 ---- a/tests/test-script-multi-user -+++ b/tests/test-script-multi-user -@@ -47,16 +47,16 @@ launch_sr_server -d 1 -f -c ${CONFIG} & PID=$! - wait_server $PID - - echo "Connecting to force script block... " --echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true & -+echo "!@#$%^&*()<>" | timeout 60 $OPENCONNECT -q localhost:$PORT -u "sp@c/al" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true & - - sleep 3 - - echo "Connecting to obtain cookie... 
" --( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) || -+( echo "${USERNAME}" | $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly >/dev/null 2>&1 ) || - fail $PID "Could not receive cookie from server" - - echo "Connecting in background... " --( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --background >/dev/null 2>&1 ) || -+( echo "${USERNAME}" | timeout 15 $OPENCONNECT -q localhost:$PORT -u "${USERNAME}" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --background >/dev/null 2>&1 ) || - fail $PID "Could not connect to server; probably blocked" - - sleep 3 -diff --git a/tests/test-sighup b/tests/test-sighup -index add538f..dd424e5 100755 ---- a/tests/test-sighup -+++ b/tests/test-sighup -@@ -34,7 +34,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -44,7 +44,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... 
" --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) || -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) || - fail $PID "Could not connect with certificate!" - - echo ok -@@ -57,7 +57,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Connecting to obtain cookie (with certificate)... " --( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null 2>&1 ) && -+( LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null 2>&1 ) && - fail $PID "Could not connect with certificate!" - - echo ok -diff --git a/tests/test-stress b/tests/test-stress -index 3816604..a2db96e 100755 ---- a/tests/test-stress -+++ b/tests/test-stress -@@ -33,7 +33,7 @@ run_client() { - PASS=$1; - shift; - -- ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true >/dev/null 2>&1 ) || -+ ( echo $PASS | $OPENCONNECT -q $HOST -u $USER --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >/dev/null 2>&1 ) || - echo "$USER: Could not connect to server" - } - -diff --git a/tests/test-udp-listen-host b/tests/test-udp-listen-host -index f3e6623..956938b 100755 ---- a/tests/test-udp-listen-host -+++ b/tests/test-udp-listen-host -@@ -111,7 +111,7 @@ ${CMDNS2} ${HAPROXY} -f ${HACONFIG} -d & HAPID=$! - sleep 3 - - echo " * Connecting to haproxy and using dtls ... 
" --echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID}" --background -+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID}" --background - - wait_file "${CLIPID}" 11 - -@@ -134,7 +134,7 @@ echo "restart ocsev with udp-listen-host set to 127.0.0.1" - ${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG_UDP_LISTEN_LOCAL} ${DEBUG} & PID=$! - - echo " * Connecting to haproxy and using dtls again ... " --echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --script=/bin/true --verbose --pid-file "${CLIPID2}" --background -+echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${HAPORT} --user test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --script=/bin/true --verbose --pid-file "${CLIPID2}" --background - - wait_file "${CLIPID2}" 11 - -diff --git a/tests/test-user-config b/tests/test-user-config -index 1c7f518..f8573ce 100755 ---- a/tests/test-user-config -+++ b/tests/test-user-config -@@ -42,20 +42,20 @@ PID=$! - wait_server $PID - - echo -n "Connecting to obtain cookie (with certificate)... " --( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly /dev/null ) || -+( $OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly /dev/null ) || - fail $PID "Could not connect with certificate!" - - echo ok - - echo -n "Re-connecting to force script run... 
" --$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true /dev/null & -+$OPENCONNECT -q localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true /dev/null & - kpid1=$! - echo ok - - sleep 2 - - echo -n "Re-connecting to check the iroutes... " --$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 & -+$OPENCONNECT -v localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 & - kpid2=$! - - echo ok -@@ -63,7 +63,7 @@ sleep 3 - - echo -n "Checking if max-same-clients is considered... " - --timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE2} 2>&1 -+timeout 15s $OPENCONNECT localhost:$PORT --sslkey ${srcdir}/certs/user-key.pem -c ${srcdir}/certs/user-cert-testuser.pem --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE2} 2>&1 - if test $? = 124;then - fail $PID "Max-same-clients directive was ignored" - fi -@@ -155,7 +155,7 @@ rm -f ${TMPFILE1} - rm -f ${TMPFILE2} - - echo -n "Re-connecting to check the ipv4-network... " --$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$! 
-+$OPENCONNECT -v localhost:$PORT --sslkey "${srcdir}/certs/user-key.pem" -c "${srcdir}/certs/user-cert-testipnet.pem" --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true ${TMPFILE1} 2>&1 & kpid3=$! - - echo ok - sleep 3 -diff --git a/tests/test-vhost b/tests/test-vhost -index 902f011..1a57e60 100755 ---- a/tests/test-vhost -+++ b/tests/test-vhost -@@ -62,7 +62,7 @@ PID=$! - wait_server $PID - - echo -n "Connecting to default host to obtain cookie (user without certificate)... " --connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3" -+connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" - if test $? != 0;then - fail $PID "Failed to connect with user without certificate!" - fi -@@ -111,7 +111,7 @@ fi - echo ok - - echo -n "Connecting to default host to obtain cookie (with certificate)... " --connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "d66b507ae074d03b02eafca40d35f87dd81049d3" -+connect "default.example.com" "-u test --sslkey ./certs/user-key.pem -c ./certs/user-cert.pem" "" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" - if test $? = 0;then - fail $PID "Connected to wrong host with certificate!" - fi -@@ -136,7 +136,7 @@ kill -HUP $PID - sleep 5 - - echo -n "Sanity check to default host..." --connect "default.example.com" "-u test" "test" "d66b507ae074d03b02eafca40d35f87dd81049d3" -+connect "default.example.com" "-u test" "test" "pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8=" - if test $? != 0;then - fail $PID "Failed to connect with user without certificate!" - fi -diff --git a/tests/traffic b/tests/traffic -index 3ea962f..1f0fcaf 100755 ---- a/tests/traffic -+++ b/tests/traffic -@@ -79,14 +79,14 @@ sleep 4 - - # Run clients - echo " * Getting cookie from ${ADDRESS}:${PORT}..." 
--( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) - if test $? != 0;then - echo "Could not get cookie from server" - exit 1 - fi - - echo " * Connecting to ${ADDRESS}:${PORT}..." --( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) -+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b ) - if test $? != 0;then - echo "Could not connect to server" - exit 1 diff --git a/ocserv.conf b/ocserv.conf index d5e0814..0ecd600 100644 --- a/ocserv.conf +++ b/ocserv.conf @@ -34,7 +34,7 @@ # and all configuration will be read from radius. That also includes the # Acct-Interim-Interval, and Session-Timeout values. # -# See doc/README-radius.md for the supported radius configuration atributes. +# See doc/README-radius.md for the supported radius configuration attributes. # # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # The gssapi option allows one to use authentication methods supported by GSSAPI, 
@@ -72,25 +72,29 @@ auth = "pam" # Only one accounting method can be specified. #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" -# Use listen-host to limit to specific IPs or to the IPs of a provided +# Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. #listen-host = [IP|HOSTNAME] +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. #listen-host-is-dyndns = true -# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided -# hostname. if not set, listen-host will be used -#udp-listen-host = [IP|HOSTNAME] +# move the listen socket within the specified network namespace +# listen-netns = "foo" # TCP and UDP port number tcp-port = 443 udp-port = 443 -# The user the worker processes will be run as. It should be -# unique (no other services run as this user). +# The user the worker processes will be run as. This should be a dedicated +# unprivileged user (e.g., 'ocserv') and no other services should run as this +# user. run-as-user = ocserv run-as-group = ocserv @@ -148,7 +152,10 @@ server-key = /etc/pki/ocserv/private/server.key # is set. #ca-cert = /etc/ocserv/ca.pem - +# The number of sub-processes to use for the security module (authentication) +# processes. Typically this should not be set as the number of processes +# is determined automatically by the initially set maximum number of clients. +#sec-mod-scale = 4 ### All configuration options below this line are reloaded on a SIGHUP. 
@@ -167,7 +174,7 @@ server-key = /etc/pki/ocserv/private/server.key # Note however, that process isolation is restricted to the specific libc versions # the isolation was tested at. If you get random failures on worker processes, try # disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues +# information at: https://gitlab.com/openconnect/ocserv/issues isolate-workers = true # A banner to be displayed on clients after connection @@ -176,7 +183,8 @@ isolate-workers = true # A banner to be displayed on clients before connection #pre-login-banner = "Welcome" -# Limit the number of clients. Unset or set to zero for unlimited. +# Limit the number of clients. Unset or set to zero if unknown. In +# that case the maximum value is ~8k clients. #max-clients = 1024 max-clients = 16 @@ -238,6 +246,10 @@ switch-to-tcp-timeout = 25 # MTU discovery (DPD must be enabled) try-mtu-discovery = false +# To enable load-balancer connection draining, set server-drain-ms to a value +# higher than your load-balancer health probe interval. +#server-drain-ms = 15000 + # If you have a certificate from a CA that provides an OCSP # service you may provide a fresh OCSP status response within # the TLS handshake. That will prevent the client from connecting 
@@ -294,11 +306,8 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 tls-priorities = "NORMAL:%SERVER_PRECEDENCE" # That option requires the established DTLS channel to use the same -# cipher as the primary TLS channel. This cannot be combined with -# listen-clear-file since the ciphersuite information is not available -# in that configuration. Note also, that this option implies that -# dtls-legacy option is false; this option cannot be enforced -# in the legacy/compat protocol. +# cipher as the primary TLS channel.Note also, that this option implies +# that the dtls-legacy option is false; this option cannot be enforced #match-tls-dtls-ciphers = true # The time (in seconds) that a client is allowed to stay connected prior @@ -327,11 +336,9 @@ min-reauth-time = 300 # that get a score over that configured number are banned for # min-reauth-time seconds. By default a wrong password attempt is 10 points, # a KKDCP POST is 1 point, and a connection is 1 point. Note that -# due to difference processes being involved the count of points -# will not be real-time precise. -# -# Score banning cannot be reliably used when receiving proxied connections -# locally from an HTTP server (i.e., when listen-clear-file is used). +# due to different processes being involved the count of points +# will not be real-time precise. Local subnet IPs are exempt to allow +# services that check for process health. # # Set to zero to disable. max-ban-score = 80 
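Review bot: The rewritten `match-tls-dtls-ciphers` comment now ends mid-sentence: "this option cannot be enforced" has lost its object (the removed text continued "in the legacy/compat protocol"), and "channel.Note" is missing a space. Since this is the comment an operator reads before enabling a cipher-pinning option, the trailing clause matters; suggested replacement for the two added lines: `# cipher as the primary TLS channel. Note also, that this option implies` / `# that the dtls-legacy option is false; it cannot be enforced in the legacy/compat protocol.`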
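Review bot: The new `max-ban-score` text "Local subnet IPs are exempt to allow services that check for process health" introduces a blanket exemption from score banning without saying how "local subnet" is determined, which is a question an operator running ocserv behind a same-subnet load balancer or proxy will need answered (whether the exemption keys on the peer address or on a proxied real address is not stated here, so this is an inference to confirm against the server). A one-line addition such as `# Verify which address the exemption applies to when connections arrive via a proxy or load balancer on the local network.` would make the trade-off visible where it is configured.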
@@ -381,7 +388,8 @@ rekey-method = ssl # Script to call when a client connects and obtains an IP. # The following parameters are passed on the environment. # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), -# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL +# REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL +# (the local interface IP the client connected), IP_LOCAL # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and @@ -400,6 +408,12 @@ rekey-method = ssl #connect-script = /usr/bin/ocserv-script #disconnect-script = /usr/bin/ocserv-script +# This script is to be called when the client's advertised hostname becomes +# available. It will contain REASON with "host-update" value and the +# variable REMOTE_HOSTNAME in addition to the connect variables. + +#host-update-script = /usr/bin/myhostnamescript + # UTMP # Register the connected clients to utmp. This will allow viewing # the connected clients using the command 'who'. @@ -412,6 +426,20 @@ use-occtl = true # PID file. It can be overridden in the command line. pid-file = /var/run/ocserv.pid +# Log Level. Ocserv sends the logging messages to standard error +# as well as the system log. The log level can be overridden in the +# command line with the -d option. All messages at the configured +# level and lower will be displayed. +# Supported levels (default 0): +# 0 default (Same as basic) +# 1 basic +# 2 info +# 3 debug +# 4 http +# 8 sensitive +# 9 TLS +log-level = 1 + # Set the protocol-defined priority (SO_PRIORITY) for packets to # be sent. That is a number from 0 to 6 with 0 being the lowest # priority. Alternatively this can be used to set the IP Type- 
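Review bot: The new `log-level` table lists `8 sensitive` and `9 TLS` without a word on what makes them sensitive or where the output goes, while the same comment says messages are sent to both stderr and the system log. If, as the label suggests, those levels emit authentication or session material, that ends up in syslog for anyone with log access; suggest a line after the table such as `# Levels 8 and above may record credentials or session data in the system log; use only for short-lived troubleshooting.` The shipped `log-level = 1` itself is fine.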
@@ -434,7 +462,8 @@ device = vpns # same for the same user when possible. predictable-ips = true -# The default domain to be advertised +# The default domain to be advertised. Multiple domains (functional on +# openconnect clients) can be provided in a space separated list. default-domain = example.com # The pool of addresses that leases will be given from. If the leases @@ -561,10 +590,10 @@ no-route = 192.168.5.0/255.255.255.0 # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, -# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, -# restrict-user-to-routes, user-profile, cgroup, stats-report-time, +# restrict-user-to-routes, cgroup, stats-report-time, # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, # split-dns and session-timeout. # @@ -628,10 +657,13 @@ no-route = 192.168.5.0/255.255.255.0 # # # Other fields may be used by some of the CISCO clients. -# This file must be accessible from inside the worker's chroot. -# Note that enabling this option is not recommended as it will allow -# the worker processes to open arbitrary files (when isolate-workers is -# set to true). +# This file must be accessible from inside the worker's chroot. +# Note that: +# (1) enabling this option is not recommended as it will allow the +# worker processes to open arbitrary files (when isolate-workers is +# set to true). +# (2) This option cannot be set per-user or per-group; only the global +# version is being sent to client. #user-profile = profile.xml # 
@@ -657,6 +689,35 @@ cisco-client-compat = true # by the dtls-psk protocol supported by openconnect 7.08+. dtls-legacy = true +# This option will enable the settings needed for Cisco SVC IPPhone clients +# to connect. It implies dtls-legacy = true and tls-priorities is changed to +# only the ciphers the device supports. +cisco-svc-client-compat = false + +# This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default). +# If the server has not configured an IPv6 or IPv4 address pool, enabling this option +# will instruct the client to bypass the server for that IP protocol. The option is +# currently only understood by Anyconnect clients. +client-bypass-protocol = false + +# The following options are related to server camouflage (hidden service) + +# This option allows you to enable the camouflage feature of ocserv that makes it look +# like a web server to unauthorized parties. +# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific +# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey", +# otherwise the server will return HTTP error for all requests. +camouflage = false + +# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check, +# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey". +camouflage_secret = "mysecretkey" + +# Defines the realm (browser prompt) for HTTP authentication. +# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized. +# Better change it from the default value to avoid fingerprinting. +camouflage_realm = "Restricted Content" + #Advanced options # Option to allow sending arbitrary custom headers to the client after 
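Review bot: `camouflage_secret = "mysecretkey"` is shipped as an active assignment whose value is the example string from the comment two lines above, so an operator who only sets `camouflage = true` gets a "hidden" service whose URL suffix is documented in the default config. The line is inert while `camouflage = false`, but the safer packaging default is to leave it commented (`#camouflage_secret = "mysecretkey"`) so that enabling camouflage forces an explicit choice, or at least to add `# Replace this value before enabling camouflage; it is the documented example.` The `camouflage_realm` comment already asks users to change its default, and the same wording fits here. Note also that these three keys use underscores where every other option in the file is hyphenated; that is upstream's naming, but a comment saying so would save operators a typo hunt.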
@@ -669,8 +730,8 @@ dtls-legacy = true -## An example virtual host with different authentication methods serviced -## by this server. +# An example virtual host with different authentication methods serviced +# by this server. #[vhost:www.example.com] #auth = "certificate" @@ -687,3 +748,18 @@ dtls-legacy = true #ipv4-netmask = 255.255.255.0 #cert-user-oid = 0.9.2342.19200300.100.1.1 + +# HTTP headers +included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains +included-http-headers = X-Frame-Options: deny +included-http-headers = X-Content-Type-Options: nosniff +included-http-headers = Content-Security-Policy: default-src 'none' +included-http-headers = X-Permitted-Cross-Domain-Policies: none +included-http-headers = Referrer-Policy: no-referrer +included-http-headers = Clear-Site-Data: "cache","cookies","storage" +included-http-headers = Cross-Origin-Embedder-Policy: require-corp +included-http-headers = Cross-Origin-Opener-Policy: same-origin +included-http-headers = Cross-Origin-Resource-Policy: same-origin +included-http-headers = X-XSS-Protection: 0 +included-http-headers = Pragma: no-cache +included-http-headers = Cache-control: no-store, no-cache diff --git a/ocserv.spec b/ocserv.spec index 8f2b22b..1a72762 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,4 +1,4 @@ -Version: 1.1.7 +Version: 1.2.0 Release: %autorelease %global _hardened_build 1 @@ -38,8 +38,6 @@ Source8: ocserv-genkey Source9: ocserv-script Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source11: ocserv.init -# When removed remove the autoreconf step -Patch0: expired-certs.patch # Taken from upstream: # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 
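Review bot: The `included-http-headers` block is appended after the `#[vhost:www.example.com]` example, so if the file is sectioned the way the example implies, uncommenting that vhost would scope these headers to the vhost instead of the default host. This is inferred from the layout rather than from anything in the hunk, so it is worth confirming against the parser; if it holds, the block should move above the vhost example or carry a note such as `# Global options: keep these above any [vhost:...] section.` The header set itself (HSTS, CSP `default-src 'none'`, `Cache-control: no-store`, `X-XSS-Protection: 0`) is a sound baseline for an endpoint that serves no web content.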
@@ -141,8 +139,6 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %endif %autosetup -p1 -# temporarily needed to apply patches -autoreconf -fvi rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h %if (0%{?use_local_protobuf} == 0) @@ -152,9 +148,6 @@ touch src/*.proto rm -rf src/ccan/talloc sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config -# GPLv3 in headers is a gnulib bug: -# http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html -sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/* %if 0%{?rhel} && 0%{?rhel} <= 6 echo "int main() { return 77; }" > tests/valid-hostname.c @@ -199,7 +192,8 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private mkdir -p %{_sysconfdir}/pki/ocserv/cacerts %check -make check %{?_smp_mflags} VERBOSE=1 +# The 1.2.0 release has a missing file +make check %{?_smp_mflags} VERBOSE=1 XFAIL_TESTS="test-group-cert" %if %{use_systemd} %post @@ -254,7 +248,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name} %config(noreplace) %{_sysconfdir}/pam.d/ocserv %config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml -%doc AUTHORS ChangeLog NEWS COPYING COPYING README.md PACKAGE-LICENSING +%doc AUTHORS ChangeLog NEWS COPYING README.md PACKAGE-LICENSING doc/README-radius.md %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %{_mandir}/man8/ocserv.8* diff --git a/sources b/sources index 30fa688..bd969b3 100644 --- a/sources +++ b/sources 
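Review bot: `XFAIL_TESTS="test-group-cert"` in `%check` marks the test as expected to fail for any reason, so a genuine regression in group-certificate handling would pass unnoticed as long as the test keeps failing, and under automake an unexpected pass is itself a failure, so the build will break in the opposite direction once the missing file ships. The one-line comment "The 1.2.0 release has a missing file" should record what is missing and when to drop the override, e.g. `# test-group-cert fails in 1.2.0 because a test data file is absent from the tarball; remove XFAIL_TESTS when upstream ships it (see <upstream issue URL>)`. If the missing file can be identified, adding it as a Source and copying it into place before `make check` would keep the test live instead of silenced.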
@@ -1,2 +1,2 @@
-SHA512 (ocserv-1.1.7.tar.xz) = 5b6182b98c0406a27dae7121ec0d8771b158e0d8ce2056bd35451c8ed087a8b7f7d40035f9db5c19aa9a9a3b2c6b07be8f0bad4b6b96569584815a5358202ba4
-SHA512 (ocserv-1.1.7.tar.xz.sig) = 96d2562fdf918f2b6ea829d747330a3be2e015ab25897e01bd0d387cb69ef3592aacabbeec9612e95eca1fbce6178a176dbf76d553b7626c09d453d216ddd63d
+SHA512 (ocserv-1.2.0.tar.xz) = 23edd48313cb4988cea1e2493ab65784c7a39a062798e1ffd380b6de5629e69bd71ded863eb7a0c9fe1bac3cc2db23014cdedbd5d15801e2a66d5ef4e3f28ffb
+SHA512 (ocserv-1.2.0.tar.xz.sig) = 1d8ac24c97c6495adc070f7b24553715ff27e6a9937a020522904559f4c48f3e18ca712b80762d55c285ce8f99eb4cd9a84b2875a351eb1df1ef6c705c5d3199