updated to 0.11.5

.gitignore

@@ -45,3 +45,5 @@
 /ocserv-0.11.4.tar.xz
 /ocserv-0.11.4.tar.xz.sig
 /gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-0.11.5.tar.xz
+/ocserv-0.11.5.tar.xz.sig

ocserv.conf

@@ -255,6 +255,14 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
 # on the main channel.
 #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 
+# That option requires the established DTLS channel to use the same
+# cipher as the primary TLS channel. This cannot be combined with
+# listen-clear-file since the ciphersuite information is not available
+# in that configuration. Note also, that this option implies that
+# dtls-legacy option is false; this option cannot be enforced
+# in the legacy/compat protocol.
+#match-tls-dtls-ciphers = true
+
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
 auth-timeout = 240
@@ -545,13 +553,25 @@ ping-leases = false
 # The following options are for (experimental) AnyConnect client 
 # compatibility. 
 
-# This option must be set to true to support legacy CISCO clients.
+# This option will enable the pre-draft-DTLS version of DTLS, and
-# A side effect of this option is that it will no longer be required 
+# will not require clients to present their certificate on every TLS
-# for clients to present their certificate on every connection.
+# connection. It must be set to true to support legacy CISCO clients
-# That is they may resume a cookie without presenting a certificate
+# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
-# (when certificate authentication is used).
 cisco-client-compat = true
 
+# This option allows to disable the DTLS-PSK negotiation (enabled by default).
+# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
+# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
+# DTLS channel to negotiate its ciphers and the DTLS protocol version.
+#dtls-psk = false
+
+# This option allows to disable the legacy DTLS negotiation (enabled by default,
+# but that may change in the future).
+# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
+# from AnyConnect protocol. It has several limitations, that are addressed
+# by the dtls-psk protocol supported by openconnect 7.08+.
+dtls-legacy = true
+
 # Client profile xml. A sample file exists in doc/profile.xml.
 # It is required by some of the CISCO clients.
 # This file must be accessible from inside the worker's chroot. 

ocserv.spec

@@ -1,7 +1,7 @@
 %global _hardened_build 1
 
 Name:		ocserv
-Version:	0.11.4
+Version:	0.11.5
 Release:	1%{?dist}
 Summary:	OpenConnect SSL VPN server
 
@@ -160,6 +160,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Fri Sep 23 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.5-1
+- New upstream release
+
 * Fri Aug  5 2016 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.4-1
 - New upstream release
 

sources

@@ -1,4 +1,4 @@
 310168e221d6e810022b270e32bf9662  gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 c144d7522377a701cb9e63a20098e122  gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
-645b8f26d2aa40bfe4c32c8de7c8c87e  ocserv-0.11.4.tar.xz
+fbda999ce0b528d001bb46b3db6f5d49  ocserv-0.11.5.tar.xz
-a036652f70660c5041adbea14aabf934  ocserv-0.11.4.tar.xz.sig
+f008f957a95feb8ef675ff1af09e3b53  ocserv-0.11.5.tar.xz.sig