rpms
/
ocserv
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import ocserv-1.2.0-1.el9

Browse Source
i9ce changed/i9/ocserv-1.2.0-1.el9
Arkady L. Shane 2 years ago
commit d8e3aca7dd
Signed by: tigro
GPG Key ID: 9C7900103E1C4F8B
13 changed files with 1925 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/ocserv-1.2.0.tar.xz

1
.ocserv.metadata
Unescape View File

@ -0,0 +1 @@
3af968b5da51da63e554bb96842b7e66e09d0d43 SOURCES/ocserv-1.2.0.tar.xz

148
SOURCES/PACKAGE-LICENSING
Unescape View File

@ -0,0 +1,148 @@
Note that ocserv contains components under different (but compatible) licenses.
A breakdown of those is given below.
GPL (v2 or later)
-----------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/common.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/config.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/cookies.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/html.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ip-lease.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/log.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-auth.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-config.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-misc.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-resume.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-user.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocpasswd.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/pam.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/plain.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/route-add.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/sec-mod.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/setproctitle.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/system.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tlslib.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tun.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-auth.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-bandwidth.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-extras.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-misc.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-privs.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-resume.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-tun.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-vpn.c
# Note that these files were marked as GPLv3 or later by the gnulib-tool,
# but this is a bug: http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html
GPL (v2 or later)
-----------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/arg-nonnull.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/c++defs.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/warn-on-use.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/build-aux/snippet/_Noreturn.h
BSD (3 clause) and GPL (v2 or later)
--------------------------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/icmp-ping.c
LGPL (v2.1 or later)
--------------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/memchr.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-ctype.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-ctype.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-strcase.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-strcasecmp.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/c-strncasecmp.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/cloexec.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/cloexec.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/close.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/dup2.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/errno.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fcntl.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fcntl.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fd-hook.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fd-hook.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fseek.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fseeko.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/fstat.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getdelim.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getdtablesize.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getline.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getpass.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/getpass.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/lseek.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/malloc.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/memmem.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/minmax.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-inval.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-inval.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-nothrow.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/msvc-nothrow.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/realloc.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdbool.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stddef.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdint.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdio-impl.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdio.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/stdlib.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/str-two-way.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/strdup.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/string.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/sys_stat.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/sys_types.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/time.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/unistd.in.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/common.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/cookies.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/gettime.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/html.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/icmp-ping.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ip-lease.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ipc.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main-auth.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/main.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/pam.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/plain.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/route-add.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/script-list.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/sec-mod.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/setproctitle.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/str.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/str.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/system.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tlslib.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/tun.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/vpn.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker-bandwidth.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/worker.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/htable/htable.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/htable/htable.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/htable/htable_type.h
CC0 (public domain)
--------------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/build_assert/build_assert.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/container_of/container_of.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/check_type/check_type.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/hash/hash.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/hash/hash.h
MIT
--------------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/list/list.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ccan/list/list.h
Auto-generated files
--------------------
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/gl/unistd.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocpasswd-args.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocpasswd-args.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocserv-args.c
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/ocserv-args.h
/var/lib/mock/fedora-rawhide-i386/root/builddir/build/BUILD/ocserv-0.2.1/src/version.inc

BIN
SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
View File

Binary file not shown.

BIN
SOURCES/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
View File

Binary file not shown.

BIN
SOURCES/ocserv-1.2.0.tar.xz.sig
View File

Binary file not shown.

33
SOURCES/ocserv-genkey
Unescape View File

@ -0,0 +1,33 @@
#!/bin/sh
#generate CA certificate/key
if test ! -f /etc/pki/ocserv/private/ca.key;then
mkdir -p /etc/pki/ocserv/private
certtool --generate-privkey --outfile /etc/pki/ocserv/private/ca.key >/dev/null 2>&1
echo "cn=`hostname -f` CA" >/etc/pki/ocserv/ca.tmpl
echo "expiration_days=-1" >>/etc/pki/ocserv/ca.tmpl
echo "serial=1" >>/etc/pki/ocserv/ca.tmpl
echo "ca" >>/etc/pki/ocserv/ca.tmpl
echo "cert_signing_key" >>/etc/pki/ocserv/ca.tmpl
certtool --template /etc/pki/ocserv/ca.tmpl \
--generate-self-signed --load-privkey /etc/pki/ocserv/private/ca.key \
--outfile /etc/pki/ocserv/cacerts/ca.crt >/dev/null 2>&1
#rm -f /etc/pki/ocserv/ca.tmpl
fi
#generate server certificate/key
if test ! -f /etc/pki/ocserv/private/server.key;then
certtool --generate-privkey --outfile /etc/pki/ocserv/private/server.key >/dev/null 2>&1
echo "cn=`hostname -f`" >/etc/pki/ocserv/server.tmpl
echo "serial=2" >>/etc/pki/ocserv/server.tmpl
echo "expiration_days=-1" >>/etc/pki/ocserv/server.tmpl
echo "signing_key" >>/etc/pki/ocserv/server.tmpl
echo "encryption_key" >>/etc/pki/ocserv/server.tmpl
certtool --template /etc/pki/ocserv/server.tmpl \
--generate-certificate --load-privkey /etc/pki/ocserv/private/server.key \
--load-ca-certificate /etc/pki/ocserv/cacerts/ca.crt --load-ca-privkey \
/etc/pki/ocserv/private/ca.key --outfile /etc/pki/ocserv/public/server.crt >/dev/null 2>&1
#rm -f /etc/pki/ocserv/server.tmpl
fi
exit 0

5
SOURCES/ocserv-pamd.conf
Unescape View File

@ -0,0 +1,5 @@
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
session include password-auth

10
SOURCES/ocserv-script
Unescape View File

@ -0,0 +1,10 @@
#!/bin/sh
if [ "$REASON" = "connect" ];then
# add the user's interface into the internal zone
firewall-cmd --zone=internal --add-interface=$DEVICE
else
firewall-cmd --zone=internal --remove-interface=$DEVICE
fi
exit 0

765
SOURCES/ocserv.conf
Unescape View File

@ -0,0 +1,765 @@
### The following directives do not change with server reload.
# User authentication method. To require multiple methods to be
# used for the user to login, add multiple auth directives. The values
# in the 'auth' directive are AND composed (if multiple all must
# succeed).
# Available options: certificate, plain, pam, radius, gssapi.
# Note that authentication methods utilizing passwords cannot be
# combined (e.g., the plain, pam or radius methods).
# certificate:
# This indicates that all connecting users must present a certificate.
# The username and user group will be then extracted from it (see
# cert-user-oid and cert-group-oid). The certificate to be accepted
# it must be signed by the CA certificate as specified in 'ca-cert' and
# it must not be listed in the CRL, as specified by the 'crl' option.
#
# pam[gid-min=1000]:
# This enabled PAM authentication of the user. The gid-min option is used
# by auto-select-group option, in order to select the minimum valid group ID.
#
# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows one to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overridden,
# and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius configuration attributes.
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
# The gssapi option allows one to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for require-local-user-map
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
# to have been issued within the provided number of seconds. That option is used to
# restrict logins even if the KDC provides long time TGT tickets.
auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login, irrespective of the main 'auth' entries.
# When multiple options are present, they are OR composed (any of them
# succeeding allows login).
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
# radius accounting to available users (see also stats-report-time).
#
# pam: can be combined with any authentication method, it provides
# a validation of the connecting user's name using PAM. It is
# superfluous to use this method when authentication is already
# PAM.
#
# Only one accounting method can be specified.
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
# hostname. if not set, listen-host will be used
#udp-listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
#listen-host-is-dyndns = true
# move the listen socket within the specified network namespace
# listen-netns = "foo"
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
run-as-user = ocserv
run-as-group = ocserv
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
socket-file = ocserv.sock
# The default server directory. Does not require any devices present.
chroot-dir = /var/lib/ocserv
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
# The certificate files will be reloaded when changed allowing for in-place
# certificate renewal (they are checked and reloaded periodically;
# a SIGHUP signal to main server will force reload).
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
# Can be generated using:
# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
#dh-params = /etc/ocserv/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /etc/ocserv/pin.txt
#srk-pin-file = /etc/ocserv/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem
# The number of sub-processes to use for the security module (authentication)
# processes. Typically this should not be set as the number of processes
# is determined automatically by the initially set maximum number of clients.
#sec-mod-scale = 4
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the
### server-cert, server-key, dh-params and ca-cert options will be reloaded
### if the provided file changes, on server reload. That allows certificate
### rotation, but requires the server key to remain the same for seamless
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
# Note however, that process isolation is restricted to the specific libc versions
# the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/openconnect/ocserv/issues
isolate-workers = true
# A banner to be displayed on clients after connection
#banner = "Welcome"
# A banner to be displayed on clients before connection
#pre-login-banner = "Welcome"
# Limit the number of clients. Unset or set to zero if unknown. In
# that case the maximum value is ~8k clients.
#max-clients = 1024
max-clients = 16
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol would then be expected in
# the TCP or UNIX socket (not the UDP one). Although both v1
# and v2 versions of proxy protocol are supported, the v2 version
# is recommended as it is more efficient in parsing.
#listen-proxy-proto = true
# Rate limit the number of incoming connections to one every X milliseconds
# (X is the provided value), as the secmod backlog grows. This
# makes the server more resilient (and prevents connection failures) on
# multiple concurrent connections. Set to zero for no limit.
rate-limit-ms = 100
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# Stats reset time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by cmd
# 'occtl show stats'. For daily: 86400, weekly: 604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 90
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 1800
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 25
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# To enable load-balancer connection draining, set server-drain-ms to a value
# higher than your load-balancer health probe interval.
#server-drain-ms = 15000
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /etc/ocserv/ocsp.der
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name)
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. If the user may belong to multiple groups, then use multiple such fields
# in the certificate's DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /etc/ocserv/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
#no-compress-limit = 256
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment are the ones
# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
# in addition require no padding, thus taking full advantage of the MTU.
# For that to be taken advantage of, the openconnect client must be
# used, and the server must be compiled against GnuTLS 3.2.7 or later.
# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
# in your system.
# Note that in Fedora gnutls follows crypto policies so insecure options
# are disabled within it.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
# That option requires the established DTLS channel to use the same
# cipher as the primary TLS channel.Note also, that this option implies
# that the dtls-legacy option is false; this option cannot be enforced
#match-tls-dtls-ciphers = true
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in seconds) that a client is allowed to stay connected
# Unset to disable. When set a client will be disconnected after being
# continuously connected for this amount of time, and its cookies will
# be invalidated (i.e., re-authentication will be required).
#session-timeout = 86400
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
min-reauth-time = 300
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to different processes being involved the count of points
# will not be real-time precise. Local subnet IPs are exempt to allow
# services that check for process health.
#
# Set to zero to disable.
max-ban-score = 80
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 1200
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and re-establish the channel.
# Use this option only if the connecting clients have issues with the ssl
# option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL
# (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values. The connect script must return zero as exit code, or the
# client connection will be refused.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/ocserv-script
#disconnect-script = /usr/bin/ocserv-script
# This script is to be called when the client's advertised hostname becomes
# available. It will contain REASON with "host-update" value and the
# variable REMOTE_HOSTNAME in addition to the connect variables.
#host-update-script = /usr/bin/myhostnamescript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
#use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It can be overridden in the command line.
pid-file = /var/run/ocserv.pid
# Log Level. Ocserv sends the logging messages to standard error
# as well as the system log. The log level can be overridden in the
# command line with the -d option. All messages at the configured
# level and lower will be displayed.
# Supported levels (default 0):
# 0 default (Same as basic)
# 1 basic
# 2 info
# 3 debug
# 4 http
# 8 sensitive
# 9 TLS
log-level = 1
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised. Multiple domains (functional on
# openconnect clients) can be provided in a space separated list.
default-domain = example.com
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
#ipv4-network = 192.168.1.0
#ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default
# Subsets of the routes above that will not be routed by
# the server.
no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# restrict-user-to-routes, cgroup, stats-report-time,
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
# split-dns and session-timeout.
#
# Note that the 'iroute' option allows one to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows one to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
# EXAMPLE.COM = {
# kdc = https://ocserv.example.com/KdcProxy
# http_anchors = FILE:/etc/ocserv-ca.pem
# }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
# The following option is available in ocserv, when compiled with GSSAPI support.
#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
# Client profile xml. This can be used to advertise alternative servers
# to the client. A minimal file can be:
# <?xml version="1.0" encoding="UTF-8"?>
# <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
# <ServerList>
# <HostEntry>
# <HostName>VPN Server name</HostName>
# <HostAddress>localhost</HostAddress>
# </HostEntry>
# </ServerList>
# </AnyConnectProfile>
#
# Other fields may be used by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot.
# Note that:
# (1) enabling this option is not recommended as it will allow the
# worker processes to open arbitrary files (when isolate-workers is
# set to true).
# (2) This option cannot be set per-user or per-group; only the global
# version is being sent to client.
#user-profile = profile.xml
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS
# connection. It must be set to true to support legacy CISCO clients
# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
cisco-client-compat = true
# This option allows one to disable the DTLS-PSK negotiation (enabled by default).
# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
# DTLS channel to negotiate its ciphers and the DTLS protocol version.
#dtls-psk = false
# This option allows one to disable the legacy DTLS negotiation (enabled by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
# from AnyConnect protocol. It has several limitations, that are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true
# This option will enable the settings needed for Cisco SVC IPPhone clients
# to connect. It implies dtls-legacy = true and tls-priorities is changed to
# only the ciphers the device supports.
cisco-svc-client-compat = false
# This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default).
# If the server has not configured an IPv6 or IPv4 address pool, enabling this option
# will instruct the client to bypass the server for that IP protocol. The option is
# currently only understood by Anyconnect clients.
client-bypass-protocol = false
# The following options are related to server camouflage (hidden service)
# This option allows you to enable the camouflage feature of ocserv that makes it look
# like a web server to unauthorized parties.
# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific
# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey",
# otherwise the server will return HTTP error for all requests.
camouflage = false
# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check,
# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey".
camouflage_secret = "mysecretkey"
# Defines the realm (browser prompt) for HTTP authentication.
# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized.
# Better change it from the default value to avoid fingerprinting.
camouflage_realm = "Restricted Content"
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
# An example virtual host with different authentication methods serviced
# by this server.
#[vhost:www.example.com]
#auth = "certificate"
#ca-cert = /etc/ocserv/ca.pem
# The certificate set here must include a 'dns_name' corresponding to
# the virtual host name.
#server-cert = /etc/pki/ocserv/public/server.crt
#server-key = /etc/pki/ocserv/private/server.key
#ipv4-network = 192.168.2.0
#ipv4-netmask = 255.255.255.0
#cert-user-oid = 0.9.2342.19200300.100.1.1
# HTTP headers
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache

141
SOURCES/ocserv.init
Unescape View File

@ -0,0 +1,141 @@
#!/bin/sh
#
# ocserv This shell script takes care of starting and stopping
# ocserv on RedHat or other chkconfig-based system.
#
# chkconfig: - 24 76
#
# processname: ocserv
# port.
### BEGIN INIT INFO
# Provides: ocserv
# Required-Start: $network
# Required-Stop: $network
# Short-Description: start and stop ocserv
# Description: ocserv is a VPN server
### END INIT INFO
# To install:
# copy this file to /etc/rc.d/init.d/ocserv
# shell> chkconfig --add ocserv
# shell> mkdir /etc/ocserv
# make .conf or .sh files in /etc/ocserv (see below)
# To uninstall:
# run: chkconfig --del ocserv
ocserv=""
ocserv_locations="/usr/sbin/ocserv /usr/local/sbin/ocserv"
for location in $ocserv_locations
do
if [ -f "$location" ]
then
ocserv=$location
fi
done
# PID directory
piddir="/var/run/ocserv"
pidf="$piddir/ocserv.pid"
# Our working directory
work=/etc/ocserv
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
echo "Networking is down"
exit 0
fi
# Check that binary exists
if ! [ -f $ocserv ]
then
echo "ocserv binary not found"
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n $"Starting ocserv: "
/sbin/modprobe tun >/dev/null 2>&1
# From a security perspective, I think it makes
# sense to remove this, and have users who need
# it explictly enable in their --up scripts or
# firewall setups.
#echo 1 > /proc/sys/net/ipv4/ip_forward
# Run startup script, if defined
if [ -x /usr/sbin/ocserv-genkey ]; then
/usr/sbin/ocserv-genkey
fi
if [ ! -d $piddir ]; then
mkdir $piddir
fi
if [ -s $pidf ]; then
kill `cat $pidf` >/dev/null 2>&1
sleep 2
fi
rm -f $pidf
cd $work
# Start every .conf in $work and run .sh if exists
errors=0
$ocserv --pid-file $pidf -c $work/ocserv.conf
errors=$?
if [ $errors != 0 ]; then
failure; echo
else
success; echo
fi
;;
stop)
echo -n $"Shutting down ocserv: "
if [ -s $pidf ]; then
kill `cat $pidf` >/dev/null 2>&1
fi
rm -f $pidf
success; echo
rm -f $lock
;;
restart)
$0 stop
sleep 2
$0 start
;;
reload)
/usr/bin/occtl reload
exit $?
;;
reopen)
;;
condrestart)
$0 stop
sleep 2
$0 start
;;
status)
/usr/bin/occtl show status
;;
*)
echo "Usage: ocserv {start|stop|restart|condrestart|reload|reopen|status}"
exit 1
;;
esac
exit 0

17
SOURCES/ocserv.service
Unescape View File

@ -0,0 +1,17 @@
[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
After=syslog.target
After=network-online.target
After=dbus.service
[Service]
PrivateTmp=true
Type=simple
PIDFile=/var/run/ocserv.pid
ExecStartPre=/usr/sbin/ocserv-genkey
ExecStart=/usr/sbin/ocserv --pid-file /var/run/ocserv.pid --config /etc/ocserv/ocserv.conf -f
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target

804
SPECS/ocserv.spec
Unescape View File

@ -0,0 +1,804 @@
## START: Set by rpmautospec
## (rpmautospec version 0.3.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 1;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
Version: 1.2.0
Release: %autorelease
%global _hardened_build 1
%if 0%{?fedora} || 0%{?rhel} >= 7
%define use_systemd 1
%define have_gpgv2 1
%else
%define use_systemd 0
%define have_gpgv2 0
%endif
%if 0%{?fedora} >= 28 || 0%{?rhel} > 7
%define use_libwrap 0
%define use_geoip 0
%else
%define use_libwrap 1
%define use_geoip 1
%endif
%define use_local_protobuf 0
Name: ocserv
Summary: OpenConnect SSL VPN server
# For a breakdown of the licensing, see PACKAGE-LICENSING
# To simplify licenses LGPLv2+ files have been promoted to GPLv2+.
License: GPLv2+ and BSD and MIT and CC0
URL: http://www.infradead.org/ocserv/
Source0: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
Source3: ocserv.conf
Source4: ocserv.service
Source5: ocserv-pamd.conf
Source6: PACKAGE-LICENSING
Source8: ocserv-genkey
Source9: ocserv-script
Source10: gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
Source11: ocserv.init
# Taken from upstream:
# http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
BuildRequires: make
BuildRequires: gcc
%if 0%{?rhel} && 0%{?rhel} <= 6
BuildRequires: gnutls30-devel
%else
BuildRequires: gnutls-devel
%endif
BuildRequires: pam-devel
BuildRequires: iproute
BuildRequires: openconnect
BuildRequires: gnutls-utils
%if (0%{?use_local_protobuf} == 0)
BuildRequires: protobuf-c-devel
%endif
BuildRequires: libnl3-devel
BuildRequires: krb5-devel
BuildRequires: libtasn1-devel
BuildRequires: gperf
BuildRequires: libtalloc-devel
BuildRequires: libev-devel
BuildRequires: http-parser-devel
%if %{use_libwrap}
BuildRequires: tcp_wrappers-devel
%endif
BuildRequires: automake, autoconf
BuildRequires: radcli-devel
BuildRequires: lz4-devel
BuildRequires: readline-devel
%if %{use_geoip}
BuildRequires: GeoIP-devel
%else
BuildRequires: libmaxminddb-devel
%endif
%if %{use_systemd}
BuildRequires: systemd
BuildRequires: systemd-devel
BuildRequires: liboath-devel
BuildRequires: uid_wrapper
# Disable socket_wrapper on certain architectures because it
# introduces new syscalls that the worker cannot handle.
%ifnarch aarch64 %{ix86} %{arm}
BuildRequires: socket_wrapper
%endif
BuildRequires: gnupg2
%if 0%{?rhel} && 0%{?rhel} >= 7
%ifarch x86_64 %{ix86}
BuildRequires: libseccomp-devel
%endif
%else
%ifarch x86_64 %{ix86} %{arm} aarch64
BuildRequires: libseccomp-devel
%endif
%endif
%endif
# no rubygem in epel7
%if 0%{?fedora}
BuildRequires: rubygem-ronn-ng
%endif
Recommends: gnutls-utils
Recommends: iproute
Recommends: pam
Requires(pre): shadow-utils
%if %{use_systemd}
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%endif
#gnulib is bundled. See https://fedorahosted.org/fpc/ticket/174
Provides: bundled(gnulib)
#CCAN is bundled. See https://fedorahosted.org/fpc/ticket/364
Provides: bundled(bobjenkins-hash) bundled(ccan-container_of)
Provides: bundled(ccan-htable) bundled(ccan-list)
Provides: bundled(ccan-check_type) bundled(ccan-build_assert)
%description
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a
secure, small, fast and configurable VPN server. It implements the OpenConnect
SSL VPN protocol, and has also (currently experimental) compatibility with
clients using the AnyConnect SSL VPN protocol. The OpenConnect VPN protocol
uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS
to provide the secure VPN service.
%prep
%if %{have_gpgv2}
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
%endif
%autosetup -p1
rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
%if (0%{?use_local_protobuf} == 0)
rm -rf src/protobuf/protobuf-c/
touch src/*.proto
%endif
rm -rf src/ccan/talloc
sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c
sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config
%if 0%{?rhel} && 0%{?rhel} <= 6
echo "int main() { return 77; }" > tests/valid-hostname.c
%endif
%build
%if 0%{?rhel} && 0%{?rhel} <= 6
export PKG_CONFIG_LIBDIR="%{_libdir}/gnutls30/pkgconfig:%{_libdir}/pkgconfig"
export LIBGNUTLS_CFLAGS="-I/usr/include/gnutls30"
export LIBGNUTLS_LIBS="-L%{_libdir}/gnutls30/ -lgnutls"
export CFLAGS="$CFLAGS -I/usr/include/libev -I/usr/include/gnutls30"
sed -i 's/AM_PROG_AR//g' configure.ac
autoreconf -fvi
%endif
%configure \
--without-pcl-lib \
%if %{use_systemd}
--enable-systemd \
%else
--disable-systemd \
%endif
%if %{use_local_protobuf}
--without-protobuf \
%endif
%if %{use_libwrap}
--with-libwrap
%else
--without-libwrap
%endif
make %{?_smp_mflags}
%pre
getent group ocserv &>/dev/null || groupadd -r ocserv
getent passwd ocserv &>/dev/null || \
/usr/sbin/useradd -r -g ocserv -s /sbin/nologin -c ocserv \
-d %{_localstatedir}/lib/ocserv ocserv
mkdir -p %{_sysconfdir}/pki/ocserv/public
mkdir -p -m 700 %{_sysconfdir}/pki/ocserv/private
mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
%check
# The 1.2.0 release has a missing file
make check %{?_smp_mflags} VERBOSE=1 XFAIL_TESTS="test-group-cert"
%if %{use_systemd}
%post
%systemd_post ocserv.service
%preun
%systemd_preun ocserv.service
%postun
%systemd_postun ocserv.service
%endif
%install
rm -rf %{buildroot}
cp -a %{SOURCE6} PACKAGE-LICENSING
mkdir -p %{buildroot}/%{_sysconfdir}/pam.d/
mkdir -p %{buildroot}/%{_sysconfdir}/ocserv/
install -p -m 644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/pam.d/ocserv
install -p -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/ocserv/
mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/
install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/
mkdir -p %{buildroot}/%{_sbindir}
install -p -m 755 %{SOURCE8} %{buildroot}/%{_sbindir}
mkdir -p %{buildroot}/%{_bindir}
install -p -m 755 %{SOURCE9} %{buildroot}/%{_bindir}
%if 0%{?rhel} && 0%{?rhel} <= 7
sed -i 's|expiration_days=-1|expiration_days=9999|' %{buildroot}/%{_sbindir}/ocserv-genkey
sed -i 's|tls-priorities = "@SYSTEM"|tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf
%if 0%{?rhel} <= 6
sed -i 's|isolate-workers = true|isolate-workers = false|' %{buildroot}/%{_sysconfdir}/ocserv/ocserv.conf
%endif
%endif
%if %{use_systemd}
mkdir -p %{buildroot}/%{_unitdir}
install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir}
%else
mkdir -p %{buildroot}/%{_initrddir}
install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name}
%endif
%make_install
%files
%defattr(-,root,root,-)
%dir %{_localstatedir}/lib/ocserv
%dir %{_sysconfdir}/ocserv
%config(noreplace) %{_sysconfdir}/ocserv/ocserv.conf
%config(noreplace) %{_sysconfdir}/pam.d/ocserv
%config(noreplace) %{_localstatedir}/lib/ocserv/profile.xml
%doc AUTHORS ChangeLog NEWS COPYING README.md PACKAGE-LICENSING doc/README-radius.md
%doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT
%{_mandir}/man8/ocserv.8*
%{_mandir}/man8/occtl.8*
%{_mandir}/man8/ocpasswd.8*
%{_bindir}/ocpasswd
%{_bindir}/occtl
%{_bindir}/ocserv-fw
%{_bindir}/ocserv-script
%{_sbindir}/ocserv
%{_sbindir}/ocserv-worker
%{_sbindir}/ocserv-genkey
%{_localstatedir}/lib/ocserv/profile.xml
%if %{use_systemd}
%{_unitdir}/ocserv.service
%else
%{_initrddir}/%{name}
%endif
%changelog
* Thu Aug 03 2023 Arkady L. Shane <ashejn@msvsphere.ru> - 1.2.0-1
- Rebuilt for MSVSphere 9.2
* Tue Jul 11 2023 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.2.0-1
- Updated to 1.2.0
* Tue Jul 11 2023 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.7-3
- use %%autorelease and %%autochangelog
* Thu Jun 22 2023 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.7-2
- Backported fixes for expired certificates
* Sun May 07 2023 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.7-1
- updated to 1.1.7
* Thu Feb 17 2022 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.6-1
- Updated to 1.1.6
* Thu Feb 10 2022 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.4-3
- Fixes for gnutls 3.7.3 and glibc new syscalls
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Nov 13 2021 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.4-1
- update to 1.1.4
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.1.3-5
- Rebuilt for protobuf 3.19.0
* Tue Oct 26 2021 Adrian Reber <adrian@lisas.de> - 1.1.3-4
- Rebuilt for protobuf 3.18.1
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 02 2021 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.3-2
- removed unused file
* Wed Jun 02 2021 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.3-1
- updated to 1.1.3
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Jan 14 2021 Adrian Reber <adrian@lisas.de> - 1.1.2-5
- Rebuilt for protobuf 3.14
* Sat Jan 09 2021 Tom Stellard <tstellar@redhat.com> - 1.1.2-4
- Add BuildRequires: make
* Wed Dec 09 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.2-3
- do not special case rhel8 for http-parser
* Sun Dec 06 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.2-2
- skip patch that needs root
* Sun Dec 06 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.2-1
- Update to upstream 1.1.2 release
* Mon Nov 23 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-15
- Rebuilt for ronn successor
* Thu Nov 12 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.1-14
- rebuilt for new radcli
* Fri Oct 30 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-13
- spec: removed seccomp-trap debugging option
* Fri Oct 30 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-12
- Compile with new glibc
* Thu Oct 29 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-11
- rebuild without pcllib
* Fri Oct 23 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-10
- do not treat TODO as document to install
* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 1.1.1-9
- Rebuilt for protobuf 3.13
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-8
- corrected bogus date
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-7
- disable socket_wrapper on archs where it causes problems
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-6
- make check: be verbose
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-5
- removed xfail tests; they no longer fail
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-4
- ensure gnutls-utils are installed when building
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-3
- added resumption to XFAIL
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-2
- documented crypto policies change
* Mon Sep 21 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.1.1-1
- updated to 1.1.1
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Jun 21 2020 Adrian Reber <adrian@lisas.de> - 1.1.0-2
- Rebuilt for protobuf 3.12
* Tue Jun 16 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.1.0-1
- updated to 1.1.0
* Wed May 06 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.0.1-4
- Requirements turned to recommendations
* Fri May 01 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.0.1-3
- sources: removed unnecessary files
* Wed Apr 15 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 1.0.1-2
- Rebuild for http-parser 2.9.4
* Thu Apr 09 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.0.1-1
- Update to 1.0.1-1
- Update to upstream 1.0.1 release
* Thu Apr 09 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1.0.0-2
- sources: removed unnecessary files
* Fri Mar 20 2020 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 1.0.0-1
- Update to 1.0.0-1
- Update to upstream 1.0.0 release
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 02 2020 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.12.6-3
- updated configuration to mark profile as configuration
* Sat Dec 28 2019 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 0.12.6-2
- ocserv.conf: updated to latest upstream version
* Sat Dec 28 2019 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 0.12.6-1
- Update to 0.12.6-1
- Update to upstream 0.12.6 release
* Wed Oct 16 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.12.5-1
- Update to 0.12.5-1
- Update to upstream 0.12.5 release
* Wed Oct 16 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.12.4-4
- spec: fix missing definition
* Mon Oct 14 2019 Nikos Mavrogiannopoulos <nmav@redhat.com>
- spec: updated for rhel8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jul 03 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.12.4-1
- Update to 0.12.4-1
- Update to upstream 0.12.4 release
* Tue Mar 12 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.12.3-1
- Update to 0.12.3-1
- Update to upstream 0.12.3 release
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.12.2-4
- Rebuild for readline 8.0
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 0.12.2-2
- Rebuilt for libcrypt.so.2 (#1666033)
* Thu Jan 10 2019 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.12.2-1
- Update to 0.12.2-1
- Update to upstream 0.12.2 release
* Tue Jul 24 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.12.1-5
- Added gcc as build-dependency
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 10 2018 Jason Tibbitts <tibbs@math.uh.edu> - 0.12.1-3
- Remove needless use of %%defattr
* Mon Jul 09 2018 Igor Gnatenko <ignatenko@redhat.com> - 0.12.1-2
- add BuildRequires: gcc
* Sat May 12 2018 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.12.1-1
- Update to 0.12.1-1
- Update to upstream 0.12.1 release
* Mon Apr 23 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.12.0-1
- Update to 0.12.0-1
- Update to upstream 0.12.0 release
* Thu Apr 12 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.11-2
- Update to 0.11.11-2
- Update to upstream 0.11.11 release
- include crypt.h to use crypt()
* Mon Mar 05 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.11-1
- Update to 0.11.11-1
- Update to upstream 0.11.11 release
* Wed Feb 14 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.11.10-5
- Remove %%clean section
* Tue Feb 13 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.11.10-4
- Remove BuildRoot definition
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 0.11.10-2
- Rebuilt for switch to libxcrypt
* Mon Jan 08 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.10-1
- Update to 0.11.10-1
- Update to upstream 0.11.10 release
* Tue Nov 21 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.9-3
- Update to 0.11.9-3
- Update to upstream 0.11.9 release
* Thu Nov 16 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.9-2
- do not enable libwrap
* Tue Oct 10 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.9-1
- Update to 0.11.9-1
- Update to upstream 0.11.9 release
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.8-3
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed May 03 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.8-1
- Update to 0.11.8-1
- Update to upstream 0.11.8 release
* Mon Feb 13 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.7-1
- Update to 0.11.7-1
- Update to upstream 0.11.7 release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.11.6-4
- Rebuild for readline 7.x
* Tue Nov 15 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.6-3
- Removed gpg keys from sources
* Tue Nov 15 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.6-2
- ocserv.conf: include switch-to-tcp-timeout
* Tue Nov 15 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.6-1
- updated to 0.11.6
* Fri Sep 23 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.5-1
- updated to 0.11.5
* Wed Sep 14 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.4-3
- Added getrandom to the list of allowed syscalls (#1375851)
* Thu Sep 08 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.4-2
- Rebuild to address http-parser breakage (#1374081)
* Fri Aug 05 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.4-1
- updated to 0.11.4
* Thu Jun 16 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.3-1
- updated to 0.11.3
* Tue Apr 26 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.2-2
- fixed date and removed legacy config options
* Tue Apr 26 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.2-1
- updated to 0.11.2 and added auto sig verification
* Mon Mar 21 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.1-1
- updated to 0.11.1
* Fri Feb 19 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.0-1
- updated to 0.11.0
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Feb 02 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.11-2
- corrected license to apply to the real one
* Mon Jan 11 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.11-1
- updated to 0.10.11
* Mon Nov 30 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.10-1
- updated to 0.10.10
* Thu Oct 08 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.9-1
- updated to 0.10.9
* Thu Sep 17 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.8-2
- compile ocserv using radcli
* Mon Sep 07 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.8-1
- updated to 0.10.8
* Fri Aug 07 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.7-1
- updated to 0.10.7
* Thu Jul 09 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.6-2
- corrected JSON output in occtl
* Thu Jul 02 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.6-1
- updated to 0.10.6
* Wed Jun 17 2015 Dennis Gilmore <dennis@ausil.us> - 0.10.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon May 25 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.5-1
- updated to 0.10.5
* Mon Apr 27 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.4-1
- new upstream release
* Mon Mar 30 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.2-1
- new upstream release
* Mon Mar 16 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.1-1
- updated to 0.10.1
* Wed Mar 11 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.0-2
- updated dependencies and files for 0.10.0
* Wed Mar 11 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.0-1
- updated to 0.10.0
* Wed Feb 18 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9.2-1
- new upstream release
* Mon Feb 16 2015 Peter Robinson <pbrobinson@gmail.com> - 0.9.1-3
- aarch64 (and ARMv7) now has seccomp support
* Mon Feb 16 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9.1-2
- depend on freeradius-client
* Mon Feb 16 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9.1-1
- updated to 0.9.1
* Thu Jan 29 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9.0-3
- run make check
* Thu Jan 29 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9.0-2
- Do not enable seccomp in x86. It is broken.
* Thu Jan 22 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9.0-1
- new upstream release
* Tue Jan 13 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-10
- compile without support for smp to prevent issues with autogen
* Fri Jan 09 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-9
- enable PIE
* Tue Jan 06 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-8
- Comply with system-wide crypto policies
* Tue Jan 06 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-7
- enable seccomp on x86 platforms only
* Tue Jan 06 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-6
- mention the enabling of seccomp
* Tue Jan 06 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-5
- disable seccomp on arm
* Tue Jan 06 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-4
- ocserv.service: depend on network-online.target (#1178760)
* Mon Dec 29 2014 Nikos Mavrogiannopoulos <nmav@gnutls.org> - 0.8.9-3
- Added seccomp dependency
* Thu Dec 11 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-2
- updated for bundled script
* Thu Dec 11 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.9-1
- new upstream release
* Wed Nov 26 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.8-1
- new upstream release
* Mon Oct 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.7-2
- corrected bogus date
* Mon Oct 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.7-1
- updated to 0.8.7
* Tue Sep 09 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.4-3
- Ship a default ocserv-script, which will put connecting clients into the
internal firewall zone.
* Thu Aug 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.4-2
- removed unused config file
* Thu Aug 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.4-1
- updated to 0.8.4 and removed unused file
* Sun Aug 17 2014 Peter Robinson <pbrobinson@fedoraproject.org> - 0.8.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Aug 08 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.2-4
- rebuilt
* Tue Aug 05 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.2-3
- rebuilt for new protobuf-c
* Fri Aug 01 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.2-2
- disabled auto-select-group by default
* Mon Jul 28 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.2-1
- new upstream release
* Mon Jun 30 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.1-1
- Updated to 0.8.1
* Fri Jun 06 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-6
- Added ocserv-genkey
* Fri Jun 06 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-5
- corrected date
* Fri Jun 06 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-4
- doc update
* Fri Jun 06 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-3
- corrected chroot path
* Fri Jun 06 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-2
- Generate the certificates and private keys before the first run
* Mon Jun 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0-1
- updated ocserv to 0.8.0
* Tue May 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0pre0-4
- Updated license information
* Mon May 26 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0pre0-3
- depend on systemd-devel
* Mon May 26 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0pre0-2
- depend on talloc
* Mon May 26 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.8.0pre0-1
- new upstream release
* Fri May 09 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.5-1
- new upstream release
* Fri May 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.4-2
- updated default config file
* Fri May 02 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.4-1
- new upstream release
* Thu Apr 10 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.3-1
- new upstream release
* Fri Mar 14 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.2-1
- new upstream release
* Mon Feb 17 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.1-4
- Added missing profile file.
* Mon Feb 17 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.1-3
- more config updates
* Mon Feb 17 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.1-2
- fixes in default config
* Mon Feb 17 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.1-1
- new upstream release
* Wed Jan 29 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.0-6
- bumped version
* Wed Jan 29 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.0-5
- remove expiration date by default
* Mon Jan 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.0-4
- more uniform handling of buildrequires
* Mon Jan 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.0-3
- do not output anything when generating certificates
* Mon Jan 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.0-2
- added changelog entry
* Mon Jan 27 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.3.0-1
- updated to ocserv 0.3.0
* Mon Dec 16 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.2.3-1
- updated to 0.2.3
* Fri Dec 06 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.2.1-4
- use the correct config file
* Fri Dec 06 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.2.1-3
- corrected chroot directory
* Fri Dec 06 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.2.1-2
- compile with any version of libopts
* Fri Dec 06 2013 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.2.1-1
- Initial import (#1027770)
Write Preview
Loading…
Cancel
Save