diff --git a/.gitignore b/.gitignore
index 5d57c42..099ada9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,5 @@
 /ocserv-0.8.7.tar.xz
 /ocserv-0.8.8.tar.xz.sig
 /ocserv-0.8.8.tar.xz
+/ocserv-0.8.9.tar.xz.sig
+/ocserv-0.8.9.tar.xz
diff --git a/ocserv.conf b/ocserv.conf
index 6871a25..2d6f6f9 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -22,13 +22,19 @@ auth = "pam"
 # to generate password entries.
 #auth = "plain[/etc/ocserv/ocpasswd]"
+# Whether to enable seccomp worker isolation. That restricts the number of
+# system calls allowed to a worker process, in order to reduce damage from a
+# bug in the worker process. It is available on Linux systems at a performance cost.
+#use-seccomp = true
+
+# Whether to enable the authentication method's session control (i.e., PAM).
+# That requires more resources on the server, and makes cookies one-time-use;
+# thus don't enable unless you need it.
+#session-control = true
+
 # A banner to be displayed on clients
 #banner = "Welcome"
-# Use listen-host to limit to specific IPs or to the IPs of a provided
-# hostname.
-#listen-host = [IP|HOSTNAME]
-
 # Limit the number of clients. Unset or set to zero for unlimited.
 #max-clients = 1024
 max-clients = 16
@@ -41,10 +47,23 @@ max-clients = 16
 # multiple times). Unset or set to zero for unlimited.
 max-same-clients = 2
+# Use listen-host to limit to specific IPs or to the IPs of a provided
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# When the server has a dynamic DNS address (that may change),
+# should set that to true to ask the client to resolve again on
+# reconnects.
+#listen-host-is-dyndns = true
+
 # TCP and UDP port number
 tcp-port = 443
 udp-port = 443
+
+# Accept connections using a socket file. The connections are
+# forwarded without SSL/TLS.
+listen-clear-file = /var/run/ocserv-conn.socket
+
 # Keepalive in seconds
 keepalive = 32400
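Review bot: `#use-seccomp = true` is shipped commented out, so the worker isolation the new comment describes is off in the packaged default even though the comment says it only reduces damage from a worker bug. This is a Linux package (ocserv.spec is in the same commit), so the "available on Linux systems" caveat does not apply here; consider shipping `use-seccomp = true`, or add a line above it stating why it stays off (e.g. the performance cost the comment mentions, or that it is untested with this build), so the next maintainer does not have to guess.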
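Review bot: `listen-clear-file = /var/run/ocserv-conn.socket` is the only new option in this hunk added as an active setting, so every installation will accept connections on that socket without TLS, as the new comment itself states, while `listen-host` and `listen-host-is-dyndns` next to it stay commented. Unless a local front-end that forwards to this socket is part of the package, ship it as `#listen-clear-file = /var/run/ocserv-conn.socket` and extend the comment with a note that only trusted local processes should be able to reach the socket path. The hunk does not show how the socket's ownership or mode is set, so whether the path is adequately protected cannot be judged from here.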
@@ -94,7 +113,6 @@ server-key = /etc/pki/ocserv/private/server.key
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-#ca-cert = /path/to/ca.pem
 ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 # The object identifier that will be used to read the user ID in the client
@@ -113,10 +131,10 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 #crl = /path/to/crl.pem
 # GnuTLS priority string
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
 # To enforce perfect forward secrecy (PFS) on the main channel.
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
@@ -135,7 +153,18 @@ auth-timeout = 40
 #min-reauth-time = 2
 # Cookie timeout (in seconds)
-cookie-timeout = 360
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 300
+
+# Whether roaming is allowed, i.e., if true a cookie is
+# restricted to a single IP address and cannot be re-used
+# from a different IP.
+deny-roaming = false
 # ReKey time (in seconds)
 # ocserv will ask the client to refresh keys periodically once
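Review bot: The comment above `deny-roaming = false` inverts the key's meaning: it opens with `# Whether roaming is allowed, i.e., if true a cookie is` followed by `# restricted to a single IP address`, but a true value of deny-roaming is what restricts the cookie, so the first line should read `# Whether roaming is denied, i.e., if true a cookie is`. In the cookie-timeout comment a few lines earlier, `invalided` should be `invalidated`. It would also help readers to state explicitly that with `false` a cookie remains reusable from any source address, since that is the trade-off the shipped default makes.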
@@ -157,8 +186,8 @@ rekey-method = ssl
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-#connect-script = /usr/bin/ocserv-script
-#disconnect-script = /usr/bin/ocserv-script
+#connect-script = /scripts/ocserv-script
+#disconnect-script = /scripts/ocserv-script
 # UTMP
 use-utmp = true
@@ -171,6 +200,7 @@ use-occtl = true
 # if you use more than a single servers.
 #occtl-socket-file = /var/run/occtl.socket
+
 # PID file. It can be overriden in the command line.
 #pid-file = /var/run/ocserv.pid
@@ -254,7 +284,7 @@ ping-leases = false
 #
 # To set the server as the default gateway for the client just
 # comment out all routes from the server.
-route = 192.168.1.0/255.255.255.0
+#route = 192.168.1.0/255.255.255.0
 #route = 192.168.5.0/255.255.255.0
 #route = fef4:db8:1000:1001::/64
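Review bot: Commenting out `route = 192.168.1.0/255.255.255.0` leaves no active route in this section, which per the comment three lines above turns the server into the clients' default gateway, so the packaged default moves from a split tunnel to a full tunnel that carries all client traffic. That looks deliberate, but neither the hunk nor the ocserv.spec changelog entry in this commit records it; add a line such as `# No active routes: the server is the default gateway for all client traffic.` above the commented examples so the shipped default is visible to anyone editing the file.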
@@ -291,17 +321,23 @@ route = 192.168.1.0/255.255.255.0
 #default-select-group = DEFAULT
 # Instead of specifying manually all the allowed groups, you may instruct
-# ocserv to scan all available groups and include the full list.
+# ocserv to scan all available groups and include the full list. That
+# option is only functional on plain authentication.
 #auto-select-group = true
-# The system command to use to setup a route. %R will be replaced with the
-# route/mask and %D with the (tun) device.
+# The system command to use to setup a route. %{R} will be replaced with the
+# route/mask and %{D} with the (tun) device.
 #
-# The following example is from linux systems. %R should be something
+# The following example is from linux systems. %{R} should be something
 # like 192.168.2.0/24
-route-add-cmd = "ip route add %R dev %D"
-route-del-cmd = "ip route delete %R dev %D"
+route-add-cmd = "ip route add %{R} dev %{D}"
+route-del-cmd = "ip route delete %{R} dev %{D}"
+
+# This option allows to forward a proxy. The special strings '%{U}'
+# and '%{G}', if present will be replaced by the username and group name.
+#proxy-url = http://example.com/
+#proxy-url = http://example.com/%{U}/%{G}/hello
 #
 # The following options are for (experimental) AnyConnect client
diff --git a/ocserv.spec b/ocserv.spec
index e2aa87d..8dc9f4d 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,5 +1,5 @@
 Name: ocserv
-Version: 0.8.8
+Version: 0.8.9
 Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
@@ -142,6 +142,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Thu Dec 11 2014 Nikos Mavrogiannopoulos - 0.8.9-1
+- New upstream release
+
 * Wed Nov 26 2014 Nikos Mavrogiannopoulos - 0.8.8-1
 - New upstream release
diff --git a/sources b/sources
index 63a85e1..3900854 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-de7faa9e1658dfea0f409fcc83fcb7ff ocserv-0.8.8.tar.xz.sig
-d9b12a3fa976dfda3e4c0238173744e6 ocserv-0.8.8.tar.xz
+5ea9824e39ca125260b67a1379f42036 ocserv-0.8.9.tar.xz.sig
+cd935cc89bffac75c825e66ef71f6a73 ocserv-0.8.9.tar.xz