From d2cb3ed97fa26118ea203109b57485e30ff5b027 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 22 Jan 2015 11:41:49 +0100
Subject: [PATCH] new upstream release
---
 .gitignore | 2 +
 ocserv.conf | 233 ++++++++++++++++++++++++++++++++++------------------
 ocserv.spec | 8 +-
 sources | 4 +-
 4 files changed, 161 insertions(+), 86 deletions(-)
diff --git a/.gitignore b/.gitignore
index 099ada9..0ef6c80 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,5 @@
 /ocserv-0.8.8.tar.xz
 /ocserv-0.8.9.tar.xz.sig
 /ocserv-0.8.9.tar.xz
+/ocserv-0.9.0.tar.xz
+/ocserv-0.9.0.tar.xz.sig
diff --git a/ocserv.conf b/ocserv.conf
index 04e5b0e..aa5dbaf 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,36 +1,47 @@
 # User authentication method. Could be set multiple times and in
 # that case all should succeed. To enable multiple methods use
 # multiple auth directives. Available options: certificate, certificate[optional],
-# plain, pam.
-#auth = "certificate"
-#auth = "plain[./sample.passwd]"
-auth = "pam"
+# plain, pam, radius[configfile,groupconfig].
-# This indicates that a user may present a certificate. When that option
+# certificate:
+# This indicates that all connecting users must present a certificate.
+#
+# certificate[optional]:
+# This indicates that a user may present a certificate. When that option
 # is set, individual users or user groups can be forced to present a valid
-# certificate by using "require-cert=true".
-#auth = "certificate[optional]"
-
-# The gid-min option is used by auto-select-group option, in order to
-# select the minimum group ID.
-#auth = "pam[gid-min=1000]"
-
-# The plain option requires specifying a password file which contains
+# certificate by adding "require-cert=true" in the per-user configuration file.
+#
+# pam[gid-min=1000]:
+# The gid-min option is used by auto-select-group option, in order to
+# select the minimum valid group ID.
+#
+# plain[/etc/ocserv/ocpasswd]
+# The plain option requires specifying a password file which contains
 # entries of the following format.
-# "username:groupname:encoded-password"
-# One entry must be listed per line, and 'ocpasswd' can be used
+# "username:groupname1,groupname2:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' should be used
 # to generate password entries.
-#auth = "plain[/etc/ocserv/ocpasswd]"
+#
+# radius[/etc/radiusclient/radiusclient.conf,groupconfig]:
+# The radius option requires specifying freeradius-client configuration
+# file. If the groupconfig option is set, then config-per-user will be overriden,
+# and all configuration will be read from radius. The supported atributes for
+# radius configuration are:
+# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,
+# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server
-# Whether to enable seccomp worker isolation. That restricts the number of
+#auth = "certificate"
+#auth = "certificate[optional]"
+auth = "pam"
+#auth = "pam[gid-min=1000]"
+#auth = "plain[/etc/ocserv/ocpasswd]"
+#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
+
+# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
 # system calls allowed to a worker process, in order to reduce damage from a
 # bug in the worker process. It is available on Linux systems at a performance cost.
-#use-seccomp = true
-
-# Whether to enable the authentication method's session control (i.e., PAM).
-# That requires more resources on the server, and makes cookies one-time-use;
-# thus don't enable unless you need it.
-#session-control = true
+# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
 isolate-workers = true
 # A banner to be displayed on clients
 #banner = "Welcome"
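Review bot: `isolate-workers = true` is switched on unconditionally at the end of this hunk and the comment above it promises seccomp plus namespace isolation, yet the spec in this same patch only adds libseccomp-devel under `%ifarch %{ix86} x86_64`; on other architectures the shipped default will presumably provide only the namespace part, if the build honours that conditional. The comment should state the dependency, e.g. `# The seccomp filter is only present when ocserv was built with libseccomp; otherwise only the namespace isolation applies.` The new `radius[...,groupconfig]` text also deserves one more sentence: since `Framed-IP-Address`, `Framed-IP-Netmask` and the DNS attributes are then taken from the RADIUS reply, the RADIUS shared secret and transport protect network policy as well as authentication. Minor spelling in the new comment: `atributes`, `overriden`.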
@@ -60,21 +71,34 @@ max-same-clients = 2
 tcp-port = 443
 udp-port = 443
-# Accept connections using a socket file. The connections are
-# forwarded without SSL/TLS.
-listen-clear-file = /var/run/ocserv-conn.socket
+# Accept connections using a socket file. It accepts HTTP
+# connections (i.e., without SSL/TLS unlike its TCP counterpart),
+# and uses it as the primary channel. That option cannot be
+# combined with certificate authentication.
+#listen-clear-file = /var/run/ocserv-conn.socket
+
+# Stats report time. The number of seconds after which each
+# worker process will report its usage statistics (number of
+# bytes transferred etc). This is useful when accounting like
+# radius is in use.
+#stats-report-time = 360
 # Keepalive in seconds
 keepalive = 32400
 # Dead peer detection in seconds.
+# Note that when the client is behind a NAT this value
+# needs to be short enough to prevent the NAT disassociating
+# his UDP session from the port number. Otherwise the client
+# could have his UDP connection stalled, for several minutes.
 dpd = 90
-# Dead peer detection for mobile clients. The needs to
-# be much higher to prevent such clients being awaken too
+# Dead peer detection for mobile clients. That needs to
+# be higher to prevent such clients being awaken too
 # often by the DPD messages, and save battery.
-# (clients that send the X-AnyConnect-Identifier-DeviceType)
-#mobile-dpd = 1800
+# The mobile clients are distinguished from the header
+# 'X-AnyConnect-Identifier-DeviceType'.
+mobile-dpd = 1800
 # MTU discovery (DPD must be enabled)
 try-mtu-discovery = false
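Review bot: The rewritten `listen-clear-file` comment says the socket speaks plain HTTP without TLS but not who may connect to it: any process that can open `/var/run/ocserv-conn.socket` sees usernames, passwords and session cookies in the clear, so the socket's permissions and the TLS-terminating proxy in front of it are part of the security boundary. I would add above the directive `# Only a trusted TLS-terminating proxy on this host should be able to open this socket; restrict its permissions accordingly.` Commenting the directive out, as this hunk does, is the right default compared with the previously active line.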
@@ -84,8 +108,11 @@ try-mtu-discovery = false
 # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
 # or pkcs11:object=my-vpn-key;object-type=private)
 #
-# There may be multiple certificate and key pairs and each key
-# should correspond to the preceding certificate.
+# The server-cert file may contain a single certificate, or
+# a sorted certificate chain.
+#
+# There may be multiple server-cert and server-key directives,
+# but each key should correspond to the preceding certificate.
 server-cert = /etc/pki/ocserv/public/server.crt
 server-key = /etc/pki/ocserv/private/server.key
@@ -128,13 +155,29 @@ ca-cert = /etc/pki/ocserv/cacerts/ca.crt
 #cert-group-oid = 2.5.4.11
 # The revocation list of the certificates issued by the 'ca-cert' above.
+# See the manual to generate an empty CRL initially.
 #crl = /path/to/crl.pem
-# GnuTLS priority string
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
+# Uncomment this to enable compression negotiation (LZS, LZ4).
+#compression = true
+
+# Set the minimum size under which a packet will not be compressed.
+# That is to allow low-latency for VoIP packets. The default size
+# is 256 bytes. Modify it if the clients typically use compression
+# as well of VoIP with codecs that exceed the default value.
+#no-compress-limit = 256
+
+# GnuTLS priority string; note that SSL 3.0 is disabled by default
+# as there are no openconnect (and possibly anyconnect clients) using
+# that protocol. The string below does not enforce perfect forward
+# secrecy, in order to be compatible with legacy clients.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0"
 tls-priorities = "@SYSTEM"
-# To enforce perfect forward secrecy (PFS) on the main channel.
+# More combinations in priority strings are available, check
+# http://gnutls.org/manual/html_node/Priority-Strings.html
+# E.g., the string below enforces perfect forward secrecy (PFS)
+# on the main channel.
 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 # The time (in seconds) that a client is allowed to stay connected prior
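Review bot: The new comment claims the first example string does not enforce perfect forward secrecy, yet `NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0` contains `-RSA`, which in GnuTLS priority syntax removes the static RSA key exchange and leaves only (EC)DHE suites, so it does enforce PFS; the two examples now differ only in `-ARCFOUR-128`. Either drop `-RSA` from the compatibility example (the removed default line had no `-RSA`) or correct the sentence, otherwise readers will copy `-RSA` believing it is needed for legacy clients. The compatibility example also still permits RC4 (`ARCFOUR-128`), which deserves a one-line warning given the known attacks; `tls-priorities = "@SYSTEM"` stays active, so both points are documentation-only. The newly documented `compression = true` could carry a caveat that compressing attacker-influenced plaintext before encryption can leak information about it.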
@@ -181,16 +224,25 @@ rekey-time = 172800
 # option.
 rekey-method = ssl
-# Script to call when a client connects and obtains an IP
-# Parameters are passed on the environment.
+# Script to call when a client connects and obtains an IP.
+# The following parameters are passed on the environment.
 # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
 # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
 # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
+# assigned), IPV6_REMOVE (the IPv6 remote address), and
 # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+
+# The disconnect script will receive the additional values: STATS_BYTES_IN,
+# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
+# output from the tun device, and the duration of the session in seconds.
+
 #connect-script = /usr/bin/ocserv-script
 #disconnect-script = /usr/bin/ocserv-script
 # UTMP
+# Register the connected clients to utmp. This will allow viewing
+# the connected clients using the command 'who'.
 use-utmp = true
 # Whether to enable support for the occtl tool (i.e., either through D-BUS,
@@ -201,14 +253,13 @@ use-occtl = true
 # if you use more than a single servers.
 #occtl-socket-file = /var/run/occtl.socket
-
 # PID file. It can be overriden in the command line.
 #pid-file = /var/run/ocserv.pid
 # The default server directory. Does not require any devices present.
 chroot-dir = /var/lib/ocserv
-# socket file used for IPC, will be appended with .PID
+# socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any)
 socket-file = ocserv.sock
@@ -232,7 +283,7 @@ run-as-group = ocserv
 # Network settings
 #
-# The name of the tun device
+# The name to use for the tun device
 device = vpns
 # Whether the generated IPs will be predictable, i.e., IP stays the
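Review bot: The new environment-variable list names `IPV6_REMOVE (the IPv6 remote address)`, which looks like a typo for `IPV6_REMOTE` by analogy with `IP_REMOTE` two lines above; a script written against the documented name would read an empty variable. Please confirm against the 0.9.0 worker code and change the line to `# assigned), IPV6_REMOTE (the IPv6 remote address), and`. The STATS sentence is also hard to parse, since it says three values "contain a 64-bit counter of the bytes output from the tun device, and the duration"; describe each of `STATS_BYTES_IN`, `STATS_BYTES_OUT` and `STATS_DURATION` separately so the direction of each counter is unambiguous.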
@@ -243,20 +294,22 @@ predictable-ips = true
 default-domain = example.com
 # The pool of addresses that leases will be given from.
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
+#ipv4-network = 192.168.1.0
+#ipv4-netmask = 255.255.255.0
+
+# An alternative way of specifying the network:
+#ipv4-network = 192.168.1.0/24
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
-dns = 192.168.1.2
+#dns = 192.168.1.2
 # The NBNS server (if any)
 #nbns = 192.168.1.3
 # The IPv6 subnet that leases will be given from.
-#ipv6-network = fc00::
-#ipv6-prefix = 16
+#ipv6-network = fda9:4efe:7e3b:03ea::/64
 # The domains over which the provided DNS should be used. Use
 # multiple lines for multiple domains.
@@ -264,10 +317,13 @@ dns = 192.168.1.2
 # Prior to leasing any IP from the pool ping it to verify that
 # it is not in use by another (unrelated to this server) host.
+# Only set to true, if there can be occupied addresses in the
+# IP range for leases.
 ping-leases = false
-# Unset to assign the default MTU of the device
-# mtu =
+# Use this option to enforce an MTU value to the incoming
+# connections. Unset to use the default MTU of the TUN device.
+#mtu = 1420
 # Unset to enable bandwidth restrictions (in bytes/sec). The
 # setting here is global, but can also be set per user or per group.
@@ -284,84 +340,97 @@ ping-leases = false
 # config-per-user/group or even connect and disconnect scripts.
 #
 # To set the server as the default gateway for the client just
-# comment out all routes from the server.
+# comment out all routes from the server, or use the special keyword
+# 'default'.
+
 #route = 192.168.1.0/255.255.255.0
 #route = 192.168.5.0/255.255.255.0
 #route = fef4:db8:1000:1001::/64
+# Groups that a client is allowed to select from.
+# A client may belong in multiple groups, and in certain use-cases
+# it is needed to switch between them. For these cases the client can
+# select prior to authentication. Add multiple entries for multiple groups.
+# The group may be followed by a user-friendly name in brackets.
+#select-group = group1
+#select-group = group2[My special group]
+
+# The name of the (virtual) group that if selected it would assign the user
+# to its default group.
+#default-select-group = DEFAULT
+
+# Instead of specifying manually all the allowed groups, you may instruct
+# ocserv to scan all available groups and include the full list.
+#auto-select-group = true
+
 # Configuration files that will be applied per user connection or
 # per group. Each file name on these directories must match the username
 # or the groupname.
 # The options allowed in the configuration files are dns, nbns,
-# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
-# net-priority and cgroup.
+# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route,
+# net-priority, deny-roaming, no-udp, user-profile, require-cert, and cgroup.
 #
 # Note that the 'iroute' option allows to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
-# by the commands route-add-cmd and route-del-cmd (see below).
+# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
+# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
+# for that specific user or group.
#config-per-user = /etc/ocserv/config-per-user/
 #config-per-group = /etc/ocserv/config-per-group/
 # When config-per-xxx is specified and there is no group or user that
 # matches, then utilize the following configuration.
-
 #default-user-config = /etc/ocserv/defaults/user.conf
 #default-group-config = /etc/ocserv/defaults/group.conf
-# Groups that a client is allowed to select from.
-# A client may belong in multiple groups, and in certain use-cases
-# it is needed to switch between them. For these cases the client can
-# select prior to authentication. Add multiple entries for multiple groups.
-#select-group = group1
-#select-group = group2[My group 2]
-#select-group = tost[The tost group]
-
-# The name of the group that if selected it would allow to use
-# the assigned by default group.
-#default-select-group = DEFAULT
-
-# Instead of specifying manually all the allowed groups, you may instruct
-# ocserv to scan all available groups and include the full list. That
-# option is only functional on plain authentication.
-#auto-select-group = true
+# This option is only valid in a user/group configuration file. If the
+# auth mode is certificate[optional], it requires a certificate for this
+# particular user or group.
+#require-cert = true
 # The system command to use to setup a route. %{R} will be replaced with the
 # route/mask and %{D} with the (tun) device.
 #
-# The following example is from linux systems. %{R} should be something
-# like 192.168.2.0/24
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24 (the argument of iroute).
 route-add-cmd = "ip route add %{R} dev %{D}"
 route-del-cmd = "ip route delete %{R} dev %{D}"
-# This option allows to forward a proxy. The special strings '%{U}'
+# This option allows to forward a proxy. The special keywords '%{U}'
 # and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
-#proxy-url = http://example.com/%{U}/%{G}/hello
+#proxy-url = http://example.com/%{U}/
 #
 # The following options are for (experimental) AnyConnect client
 # compatibility.
+# This option must be set to true to support legacy CISCO clients.
+# A side effect of this option is that it will no longer be required
+# for clients to present their certificate on every connection.
+# That is they may resume a cookie without presenting a certificate
+# (when certificate authentication is used).
+cisco-client-compat = true
+
 # Client profile xml. A sample file exists in doc/profile.xml.
+# It is required by some of the CISCO clients.
 # This file must be accessible from inside the worker's chroot.
-# It is not used by the openconnect client.
 user-profile = profile.xml
 # Binary files that may be downloaded by the CISCO client. Must
-# be within any chroot environment.
+# be within any chroot environment. Normally you don't need
+# to use this option.
 #binary-files = /path/to/binaries
-# Unless set to false it is required for clients to present their
-# certificate even if they are authenticating via a previously granted
-# cookie and complete their authentication in the same TCP connection.
-# Legacy CISCO clients do not do that, and thus this option should be
-# set for them.
-cisco-client-compat = true
-
 #Advanced options
 # Option to allow sending arbitrary custom headers to the client after
-# authentication and prior to VPN tunnel establishment.
+# authentication and prior to VPN tunnel establishment. You shouldn't
+# need to use this option normally; if you do and you think that
+# this may help others, please send your settings and reason to
+# the openconnect mailing list. The special keywords '%{U}'
+# and '%{G}', if present will be replaced by the username and group name.
 #custom-header = "X-My-Header: hi there"
+
diff --git a/ocserv.spec b/ocserv.spec
index 3e8ed6a..6908137 100644
--- a/ocserv.spec
+++ b/ocserv.spec
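Review bot: `cisco-client-compat = true` stays enabled in the shipped default while the rewritten comment now spells out the cost: under certificate authentication a client may resume from its cookie without presenting the certificate again, so possession of the cookie alone is enough to reconnect. For a distribution default that is weaker than necessary; I would ship it as `#cisco-client-compat = true` and add `# Enable only if legacy Cisco AnyConnect clients must connect; it weakens certificate authentication as described above.` Separately, the new line `%R should be something` is inconsistent with the `%{R}` placeholder used both in the preceding sentence and in the `route-add-cmd`/`route-del-cmd` directives; it should read `%{R}`. This hunk starts on an earlier line (the `@@ -284,84 +340,97 @@` header) and only its tail is shown here.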
@@ -1,8 +1,8 @@
 %global _hardened_build 1
 Name: ocserv
-Version: 0.8.9
-Release: 4%{?dist}
+Version: 0.9.0
+Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 # For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -32,6 +32,7 @@ BuildRequires: protobuf-c-devel
 BuildRequires: libnl3-devel
 BuildRequires: readline-devel
 BuildRequires: autogen
+BuildRequires: gperf
 %ifarch %{ix86} x86_64
 BuildRequires: libseccomp-devel
 %endif
@@ -148,6 +149,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Thu Jan 22 2015 Nikos Mavrogiannopoulos - 0.9.0-1
+- new upstream release
+
 * Fri Jan 9 2015 Nikos Mavrogiannopoulos - 0.8.9-4
 - enable PIE
diff --git a/sources b/sources
index 3900854..cb7074e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-5ea9824e39ca125260b67a1379f42036 ocserv-0.8.9.tar.xz.sig
-cd935cc89bffac75c825e66ef71f6a73 ocserv-0.8.9.tar.xz
+50994bf7e40fd6bedda33bb2f99b1f11 ocserv-0.9.0.tar.xz
+62942bdda7e101c0049622c68fd13dd4 ocserv-0.9.0.tar.xz.sig