Updated to 1.2.0

epel9
Nikos Mavrogiannopoulos 1 year ago
parent 025342a309
commit 6894bf2ad7

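--- a/.gitignore
+++ b/.gitignore
@@ -239,3 +239,5 @@
 /ocserv-1.1.6.tar.xz
 /ocserv-1.1.7.tar.xz
 /ocserv-1.1.7.tar.xz.sig
+/ocserv-1.2.0.tar.xz
+/ocserv-1.2.0.tar.xz.sig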


@ -34,7 +34,7 @@
# and all configuration will be read from radius. That also includes the # and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values. # Acct-Interim-Interval, and Session-Timeout values.
# #
# See doc/README-radius.md for the supported radius configuration atributes. # See doc/README-radius.md for the supported radius configuration attributes.
# #
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
# The gssapi option allows one to use authentication methods supported by GSSAPI, # The gssapi option allows one to use authentication methods supported by GSSAPI,
@ -76,21 +76,25 @@ auth = "pam"
# hostname. # hostname.
#listen-host = [IP|HOSTNAME] #listen-host = [IP|HOSTNAME]
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
# hostname. if not set, listen-host will be used
#udp-listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change), # When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on # should set that to true to ask the client to resolve again on
# reconnects. # reconnects.
#listen-host-is-dyndns = true #listen-host-is-dyndns = true
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided # move the listen socket within the specified network namespace
# hostname. if not set, listen-host will be used # listen-netns = "foo"
#udp-listen-host = [IP|HOSTNAME]
# TCP and UDP port number # TCP and UDP port number
tcp-port = 443 tcp-port = 443
udp-port = 443 udp-port = 443
# The user the worker processes will be run as. It should be # The user the worker processes will be run as. This should be a dedicated
# unique (no other services run as this user). # unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
run-as-user = ocserv run-as-user = ocserv
run-as-group = ocserv run-as-group = ocserv
@ -148,7 +152,10 @@ server-key = /etc/pki/ocserv/private/server.key
# is set. # is set.
#ca-cert = /etc/ocserv/ca.pem #ca-cert = /etc/ocserv/ca.pem
# The number of sub-processes to use for the security module (authentication)
# processes. Typically this should not be set as the number of processes
# is determined automatically by the initially set maximum number of clients.
#sec-mod-scale = 4
### All configuration options below this line are reloaded on a SIGHUP. ### All configuration options below this line are reloaded on a SIGHUP.
@ -167,7 +174,7 @@ server-key = /etc/pki/ocserv/private/server.key
# Note however, that process isolation is restricted to the specific libc versions # Note however, that process isolation is restricted to the specific libc versions
# the isolation was tested at. If you get random failures on worker processes, try # the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging # disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/ocserv/ocserv/issues # information at: https://gitlab.com/openconnect/ocserv/issues
isolate-workers = true isolate-workers = true
# A banner to be displayed on clients after connection # A banner to be displayed on clients after connection
@ -176,7 +183,8 @@ isolate-workers = true
# A banner to be displayed on clients before connection # A banner to be displayed on clients before connection
#pre-login-banner = "Welcome" #pre-login-banner = "Welcome"
# Limit the number of clients. Unset or set to zero for unlimited. # Limit the number of clients. Unset or set to zero if unknown. In
# that case the maximum value is ~8k clients.
#max-clients = 1024 #max-clients = 1024
max-clients = 16 max-clients = 16
@ -238,6 +246,10 @@ switch-to-tcp-timeout = 25
# MTU discovery (DPD must be enabled) # MTU discovery (DPD must be enabled)
try-mtu-discovery = false try-mtu-discovery = false
# To enable load-balancer connection draining, set server-drain-ms to a value
# higher than your load-balancer health probe interval.
#server-drain-ms = 15000
# If you have a certificate from a CA that provides an OCSP # If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within # service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting # the TLS handshake. That will prevent the client from connecting
@ -294,11 +306,8 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE" tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
# That option requires the established DTLS channel to use the same # That option requires the established DTLS channel to use the same
# cipher as the primary TLS channel. This cannot be combined with # cipher as the primary TLS channel.Note also, that this option implies
# listen-clear-file since the ciphersuite information is not available # that the dtls-legacy option is false; this option cannot be enforced
# in that configuration. Note also, that this option implies that
# dtls-legacy option is false; this option cannot be enforced
# in the legacy/compat protocol.
#match-tls-dtls-ciphers = true #match-tls-dtls-ciphers = true
# The time (in seconds) that a client is allowed to stay connected prior # The time (in seconds) that a client is allowed to stay connected prior
@ -327,11 +336,9 @@ min-reauth-time = 300
# that get a score over that configured number are banned for # that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points, # min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that # a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points # due to different processes being involved the count of points
# will not be real-time precise. # will not be real-time precise. Local subnet IPs are exempt to allow
# # services that check for process health.
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
# #
# Set to zero to disable. # Set to zero to disable.
max-ban-score = 80 max-ban-score = 80
@ -381,7 +388,8 @@ rekey-method = ssl
# Script to call when a client connects and obtains an IP. # Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment. # The following parameters are passed on the environment.
# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), # REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL # REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL
# (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), # (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
@ -400,6 +408,12 @@ rekey-method = ssl
#connect-script = /usr/bin/ocserv-script #connect-script = /usr/bin/ocserv-script
#disconnect-script = /usr/bin/ocserv-script #disconnect-script = /usr/bin/ocserv-script
# This script is to be called when the client's advertised hostname becomes
# available. It will contain REASON with "host-update" value and the
# variable REMOTE_HOSTNAME in addition to the connect variables.
#host-update-script = /usr/bin/myhostnamescript
# UTMP # UTMP
# Register the connected clients to utmp. This will allow viewing # Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'. # the connected clients using the command 'who'.
@ -412,6 +426,20 @@ use-occtl = true
# PID file. It can be overridden in the command line. # PID file. It can be overridden in the command line.
pid-file = /var/run/ocserv.pid pid-file = /var/run/ocserv.pid
# Log Level. Ocserv sends the logging messages to standard error
# as well as the system log. The log level can be overridden in the
# command line with the -d option. All messages at the configured
# level and lower will be displayed.
# Supported levels (default 0):
# 0 default (Same as basic)
# 1 basic
# 2 info
# 3 debug
# 4 http
# 8 sensitive
# 9 TLS
log-level = 1
# Set the protocol-defined priority (SO_PRIORITY) for packets to # Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest # be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type- # priority. Alternatively this can be used to set the IP Type-
@ -434,7 +462,8 @@ device = vpns
# same for the same user when possible. # same for the same user when possible.
predictable-ips = true predictable-ips = true
# The default domain to be advertised # The default domain to be advertised. Multiple domains (functional on
# openconnect clients) can be provided in a space separated list.
default-domain = example.com default-domain = example.com
# The pool of addresses that leases will be given from. If the leases # The pool of addresses that leases will be given from. If the leases
@ -561,10 +590,10 @@ no-route = 192.168.5.0/255.255.255.0
# per group. Each file name on these directories must match the username # per group. Each file name on these directories must match the username
# or the groupname. # or the groupname.
# The options allowed in the configuration files are dns, nbns, # The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, # ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, user-profile, cgroup, stats-report-time, # restrict-user-to-routes, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
# split-dns and session-timeout. # split-dns and session-timeout.
# #
@ -629,9 +658,12 @@ no-route = 192.168.5.0/255.255.255.0
# #
# Other fields may be used by some of the CISCO clients. # Other fields may be used by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot. # This file must be accessible from inside the worker's chroot.
# Note that enabling this option is not recommended as it will allow # Note that:
# the worker processes to open arbitrary files (when isolate-workers is # (1) enabling this option is not recommended as it will allow the
# worker processes to open arbitrary files (when isolate-workers is
# set to true). # set to true).
# (2) This option cannot be set per-user or per-group; only the global
# version is being sent to client.
#user-profile = profile.xml #user-profile = profile.xml
# #
@ -657,6 +689,35 @@ cisco-client-compat = true
# by the dtls-psk protocol supported by openconnect 7.08+. # by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true dtls-legacy = true
# This option will enable the settings needed for Cisco SVC IPPhone clients
# to connect. It implies dtls-legacy = true and tls-priorities is changed to
# only the ciphers the device supports.
cisco-svc-client-compat = false
# This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default).
# If the server has not configured an IPv6 or IPv4 address pool, enabling this option
# will instruct the client to bypass the server for that IP protocol. The option is
# currently only understood by Anyconnect clients.
client-bypass-protocol = false
# The following options are related to server camouflage (hidden service)
# This option allows you to enable the camouflage feature of ocserv that makes it look
# like a web server to unauthorized parties.
# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific
# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey",
# otherwise the server will return HTTP error for all requests.
camouflage = false
# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check,
# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey".
camouflage_secret = "mysecretkey"
# Defines the realm (browser prompt) for HTTP authentication.
# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized.
# Better change it from the default value to avoid fingerprinting.
camouflage_realm = "Restricted Content"
#Advanced options #Advanced options
# Option to allow sending arbitrary custom headers to the client after # Option to allow sending arbitrary custom headers to the client after
@ -669,8 +730,8 @@ dtls-legacy = true
## An example virtual host with different authentication methods serviced # An example virtual host with different authentication methods serviced
## by this server. # by this server.
#[vhost:www.example.com] #[vhost:www.example.com]
#auth = "certificate" #auth = "certificate"
@ -687,3 +748,18 @@ dtls-legacy = true
#ipv4-netmask = 255.255.255.0 #ipv4-netmask = 255.255.255.0
#cert-user-oid = 0.9.2342.19200300.100.1.1 #cert-user-oid = 0.9.2342.19200300.100.1.1
# HTTP headers
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
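Review bot: The `included-http-headers` value on the Strict-Transport-Security line contains a literal `;` (`max-age=31536000 ; includeSubDomains`), and in many INI-style parsers `;` begins an inline comment, which would silently truncate the header to `max-age=31536000` and drop `includeSubDomains`; confirm how ocserv's config parser treats `;` inside a value and verify the header a client actually receives before relying on it. The `Clear-Site-Data: "cache","cookies","storage"` value carries double quotes that some parsers strip, so the same end-to-end check applies there. Separately, `camouflage_secret = "mysecretkey"` ships as a live setting with a publicly known default; it is inert while `camouflage = false`, but unlike `camouflage_realm` its comment never says it must be changed, so add above it: `# Change this before enabling camouflage; the shipped default is public and gives no protection.`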

@ -1,4 +1,4 @@
Version: 1.1.7 Version: 1.2.0
Release: %autorelease Release: %autorelease
%global _hardened_build 1 %global _hardened_build 1
@ -38,8 +38,6 @@ Source8: ocserv-genkey
Source9: ocserv-script Source9: ocserv-script
Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
Source11: ocserv.init Source11: ocserv.init
# When removed remove the autoreconf step
Patch0: expired-certs.patch
# Taken from upstream: # Taken from upstream:
# http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@ -141,8 +139,6 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10}
%endif %endif
%autosetup -p1 %autosetup -p1
# temporarily needed to apply patches
autoreconf -fvi
rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
%if (0%{?use_local_protobuf} == 0) %if (0%{?use_local_protobuf} == 0)
@ -152,9 +148,6 @@ touch src/*.proto
rm -rf src/ccan/talloc rm -rf src/ccan/talloc
sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c
sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config
# GPLv3 in headers is a gnulib bug:
# http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html
sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
%if 0%{?rhel} && 0%{?rhel} <= 6 %if 0%{?rhel} && 0%{?rhel} <= 6
echo "int main() { return 77; }" > tests/valid-hostname.c echo "int main() { return 77; }" > tests/valid-hostname.c
@ -199,7 +192,8 @@ mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private
mkdir -p %{_sysconfdir}/pki/ocserv/cacerts mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
%check %check
make check %{?_smp_mflags} VERBOSE=1 # The 1.2.0 release has a missing file
make check %{?_smp_mflags} VERBOSE=1 XFAIL_TESTS="test-group-cert"
%if %{use_systemd} %if %{use_systemd}
%post %post
@ -254,7 +248,7 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name}
%config(noreplace) %{_sysconfdir}/pam.d/ocserv %config(noreplace) %{_sysconfdir}/pam.d/ocserv
%config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml %config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml
%doc AUTHORS ChangeLog NEWS COPYING COPYING README.md PACKAGE-LICENSING %doc AUTHORS ChangeLog NEWS COPYING README.md PACKAGE-LICENSING doc/README-radius.md
%doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT
%{_mandir}/man8/ocserv.8* %{_mandir}/man8/ocserv.8*
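Review bot: `XFAIL_TESTS="test-group-cert"` in `%check` hides a failing certificate-group test behind a one-line comment that gives no way to tell when the override can be removed; record the upstream reference and the exit condition, e.g. `# The 1.2.0 tarball lacks a file needed by test-group-cert (upstream: <UPSTREAM_ISSUE_URL>); drop XFAIL_TESTS once a release ships it.` Under automake's harness an expected-fail test that starts passing is reported as XPASS and, by default, fails `make check`, so the build will break as soon as upstream fixes the test — that is the intended moment to remove the override, and the comment should say so rather than leaving the next packager to rediscover it.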

@ -1,2 +1,2 @@
SHA512 (ocserv-1.1.7.tar.xz) = 5b6182b98c0406a27dae7121ec0d8771b158e0d8ce2056bd35451c8ed087a8b7f7d40035f9db5c19aa9a9a3b2c6b07be8f0bad4b6b96569584815a5358202ba4 SHA512 (ocserv-1.2.0.tar.xz) = 23edd48313cb4988cea1e2493ab65784c7a39a062798e1ffd380b6de5629e69bd71ded863eb7a0c9fe1bac3cc2db23014cdedbd5d15801e2a66d5ef4e3f28ffb
SHA512 (ocserv-1.1.7.tar.xz.sig) = 96d2562fdf918f2b6ea829d747330a3be2e015ab25897e01bd0d387cb69ef3592aacabbeec9612e95eca1fbce6178a176dbf76d553b7626c09d453d216ddd63d SHA512 (ocserv-1.2.0.tar.xz.sig) = 1d8ac24c97c6495adc070f7b24553715ff27e6a9937a020522904559f4c48f3e18ca712b80762d55c285ce8f99eb4cd9a84b2875a351eb1df1ef6c705c5d3199
