/
index.xml
50 lines (40 loc) · 2.45 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
<PAGE>
<INCLUDE file="inc/header.tmpl" />
<VAR match="VAR_SEL_INDEX" replace="selected" />
<VAR match="VAR_SEL_ABOUT" replace="selected" />
<PARSE file="menu1.xml" />
<PARSE file="menu2.xml" />
<INCLUDE file="inc/content.tmpl" />
<h1>OpenConnect</h1>
<p>OpenConnect is an SSL VPN client initially created to support Cisco's <a href="http://www.cisco.com/go/asm">AnyConnect SSL VPN</a>.
It has since been ported to support the Juniper SSL VPN (which is now known as <a href="https://www.pulsesecure.net/products/connect-secure/">Pulse Connect Secure</a>),
and the <a href="https://www.paloaltonetworks.com/features/vpn">Palo Alto Networks GlobalProtect SSL VPN</a>.</p>
<p>An openconnect VPN server (<a href="https://www.infradead.org/ocserv">ocserv</a>), which implements an improved version of the Cisco AnyConnect protocol,
has also been written.</p>
<p>OpenConnect is released under the <a href="licence.html">GNU Lesser Public License, version 2.1</a>.</p>
<p>Like <a href="http://www.unix-ag.uni-kl.de/~massar/vpnc/">vpnc</a>,
OpenConnect is not officially supported by, or associated in any way
with, Cisco Systems, Juniper Networks, Pulse Secure, or Palo Alto Networks.
It just happens to interoperate with their equipment.
</p>
<h2>Motivation</h2>
<p>Development of OpenConnect was started after a trial of the Cisco
client under Linux found it to have many deficiencies:</p>
<ul>
<li>Inability to use SSL certificates from a <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">TPM</a> or
<a href="http://en.wikipedia.org/wiki/PKCS11">PKCS#11</a> smartcard, or even use a passphrase.</li>
<li>Lack of support for Linux platforms other than i386.</li>
<li>Lack of integration with NetworkManager on the Linux desktop.</li>
<li>Lack of proper (RPM/DEB) packaging for Linux distributions.</li>
<li>"Stealth" use of libraries with <tt>dlopen()</tt>, even using
the development-only symlinks such as <tt>libz.so</tt> —
making it hard to properly discover the dependencies which
proper packaging would have expressed</li>
<li>Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.</li>
<li>Unable to run as an unprivileged user, which would have reduced the severity of the above bug.</li>
<li>Inability to audit the source code for further such "Security 101" bugs.</li>
</ul>
<p>Naturally, OpenConnect addresses all of the above issues, and more.
</p>
<INCLUDE file="inc/footer.tmpl" />
</PAGE>