From db60acc38ae4acbb284edd651fba652f9f24b661 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 23 Sep 2016 11:25:36 +0200
Subject: [PATCH] updated to 0.11.5

---
 .gitignore | 2 ++
 ocserv.conf | 30 +++++++++++++++++++++++++-----
 ocserv.spec | 5 ++++-
 sources | 4 ++--
 4 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index faf3d74..7c992c4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,5 @@
 /ocserv-0.11.4.tar.xz
 /ocserv-0.11.4.tar.xz.sig
 /gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-0.11.5.tar.xz
+/ocserv-0.11.5.tar.xz.sig
diff --git a/ocserv.conf b/ocserv.conf
index 43cc196..9530d82 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -255,6 +255,14 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
 # on the main channel.
 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 
+# That option requires the established DTLS channel to use the same
+# cipher as the primary TLS channel. This cannot be combined with
+# listen-clear-file since the ciphersuite information is not available
+# in that configuration. Note also, that this option implies that
+# dtls-legacy option is false; this option cannot be enforced
+# in the legacy/compat protocol.
+#match-tls-dtls-ciphers = true
+
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth-timeout = 240
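Review bot: The comment on `match-tls-dtls-ciphers` is hard to act on: it says the option "implies that dtls-legacy option is false", yet the second ocserv.conf hunk of this same patch ships an explicit `dtls-legacy = true`, so an admin who only uncomments this line ends up with two settings that the comment itself declares incompatible. I would reword the opening to `# This option requires the established DTLS channel to use the same` and the cross-reference to `# in that configuration. Note also that enabling it implies dtls-legacy = false, so the` followed by `# explicit dtls-legacy = true setting further down must be changed too; it cannot be enforced`. Whether ocserv rejects the conflicting pair or silently overrides one of them is not visible in this diff, so the wording should be checked against the 0.11.5 manual before committing to it.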
@@ -545,13 +553,25 @@ ping-leases = false
 # The following options are for (experimental) AnyConnect client
 # compatibility.
 
-# This option must be set to true to support legacy CISCO clients.
-# A side effect of this option is that it will no longer be required
-# for clients to present their certificate on every connection.
-# That is they may resume a cookie without presenting a certificate
-# (when certificate authentication is used).
+# This option will enable the pre-draft-DTLS version of DTLS, and
+# will not require clients to present their certificate on every TLS
+# connection. It must be set to true to support legacy CISCO clients
+# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
 cisco-client-compat = true
 
+# This option allows to disable the DTLS-PSK negotiation (enabled by default).
+# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
+# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
+# DTLS channel to negotiate its ciphers and the DTLS protocol version.
+#dtls-psk = false
+
+# This option allows to disable the legacy DTLS negotiation (enabled by default,
+# but that may change in the future).
+# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
+# from AnyConnect protocol. It has several limitations, that are addressed
+# by the dtls-psk protocol supported by openconnect 7.08+.
+dtls-legacy = true
+
 # Client profile xml. A sample file exists in doc/profile.xml.
 # It is required by some of the CISCO clients.
 # This file must be accessible from inside the worker's chroot.
diff --git a/ocserv.spec b/ocserv.spec
index 336a826..0a71b54 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,7 +1,7 @@
 %global _hardened_build 1
 
 Name: ocserv
-Version: 0.11.4
+Version: 0.11.5
 Release: 1%{?dist}
 Summary: OpenConnect SSL VPN server
 
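Review bot: The added `dtls-legacy = true` is an active setting, unlike the `#dtls-psk = false` example just above it, so the packaged default pins the pre-draft DTLS negotiation on independently of `cisco-client-compat`. By the hunk's own text that mode is already implied while `cisco-client-compat = true`, "has several limitations", and (per the earlier ocserv.conf hunk) cannot be combined with `match-tls-dtls-ciphers`, so the explicit line only changes behaviour for admins who later turn cisco-client-compat off, and for them it silently keeps the legacy protocol enabled. I would either ship it as `#dtls-legacy = true` so the effective value follows cisco-client-compat and the upstream default, or keep it active with a reason on the line above, e.g. `# Kept on for AnyConnect and openconnect < 7.08 clients; set to false once only dtls-psk clients remain.` While here, `# from AnyConnect protocol.` reads better as `# inherited from the AnyConnect protocol.`. Whether upstream's sample config also sets this key explicitly is not visible in this diff.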
@@ -160,6 +160,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Fri Sep 23 2016 Nikos Mavrogiannopoulos - 0.11.5-1
+- New upstream release
+
 * Fri Aug 5 2016 Nikos Mavrogiannopoulos - 0.11.4-1
 - New upstream release
 
diff --git a/sources b/sources
index 44d23cb..197a6c2 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 310168e221d6e810022b270e32bf9662 gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 c144d7522377a701cb9e63a20098e122 gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
-645b8f26d2aa40bfe4c32c8de7c8c87e ocserv-0.11.4.tar.xz
-a036652f70660c5041adbea14aabf934 ocserv-0.11.4.tar.xz.sig
+fbda999ce0b528d001bb46b3db6f5d49 ocserv-0.11.5.tar.xz
+f008f957a95feb8ef675ff1af09e3b53 ocserv-0.11.5.tar.xz.sig