- 24 Feb, 2021 1 commit
-
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 20 Feb, 2021 2 commits
-
-
Daniel Lenski authored
We don't need the artifacts from any builds, and add a dedicated Makefile target to update the '/public' directory.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
Based on the example at https://gitlab.com/pages/plain-html, and ocserv's configuration (https://gitlab.com/openconnect/ocserv/blob/master/.gitlab-ci.yml)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 18 Feb, 2021 1 commit
-
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 11 Feb, 2021 2 commits
-
-
Daniel Lenski authored
CSD XML tag and nostub are entirely protocol-specific and used in only one place

See merge request openconnect/openconnect!159
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 05 Feb, 2021 3 commits
-
-
Daniel Lenski authored
Allow specification of multiple certificate fingerprints on command-line via --servercert

See merge request openconnect/openconnect!162
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
Server certificates will be accepted if they match *any* of the provided fingerprints.

Behavior with `--servercert` is otherwise unchanged; it still disables system trust stores, meaning that _only_ certificates matching the provided fingerprints will be accepted if it is specified one or more times.

This will allow the use of `--servercert` to non-interactively connect to a server which has a non-trusted certificate and redirects to one or more other servers with non-trusted certificates. (See #25 for a real case.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 03 Feb, 2021 1 commit
-
-
Daniel Lenski authored
Pulse: one more known failcode (0x0e = client cert required)

See merge request openconnect/openconnect!163
-
- 25 Jan, 2021 1 commit
-
-
Daniel Lenski authored
Verified by connecting to a Pulse server which requires a client cert, without providing one via -c/-k.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 23 Jan, 2021 5 commits
-
-
Daniel Lenski authored
With --allow-insecure-crypto, set OpenSSL 1.1.0+ "security level" to 0, and attempt to disable system minimum crypto requirements

See merge request openconnect/openconnect!158
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
in tests/obsolete-server-crypto, do not override GNUTLS_SYSTEM_PRIORITY_FILE when invoking OpenConnect

This will allow us to test OpenConnect's ability to disable the system-wide crypto policy by itself.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings

Because openconnect_set_allow_insecure_crypto() now does more than just attempt to reenable 3DES and ARC4, its failure to enable those ciphers should not be treated as fatal, but merely a warning.

Setting the appropriate environment variable (GNUTLS_SYSTEM_PRIORITY_FILE or OPENSSL_CONF) to `/dev/null` *before* crypto library initialization should ensure that a systemwide crypto configuration file doesn't set a minimum crypto requirement which would override the user choice.

See https://gitlab.com/openconnect/openconnect/-/issues/211#note_482161646 for discussion of GnuTLS settings, and https://www.openssl.org/docs/man1.1.1/man5/config.html for OpenSSL.

FIXME: OpenSSL implementation needs library reinitialization.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
Based on:

* POSIX-compatible `setenv` implementation for Windows: https://stackoverflow.com/a/23616164
* Enabling Windows "secure API" getenv_s and _putenv_s functions in MinGW:
  * Using -DMINGW_HAS_SECURE_API: https://stackoverflow.com/a/51977723
  * By manually defining their prototypes: https://stackoverflow.com/a/51977723
  * Apparently, only newer versions of MinGW follow the MINGW_HAS_SECURE_API flag, and autodetecting them is quite hard.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
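The two commits above (pointing GnuTLS/OpenSSL at an empty system-wide policy file via GNUTLS_SYSTEM_PRIORITY_FILE / OPENSSL_CONF before the library initializes, and a POSIX-style setenv for Windows) as a stand-alone C example added here. It is not OpenConnect's own code: the names oc_setenv(), disable_system_crypto_policy() and env_equals() are this example's, and the MinGW MINGW_HAS_SECURE_API behaviour is assumed from the commit message rather than verified.

```c
/* Added example, not OpenConnect's code: a portable setenv() wrapper with POSIX
 * overwrite semantics, used to neutralize a system-wide crypto policy file
 * before GnuTLS/OpenSSL read it during initialization. */
#ifdef _WIN32
/* MinGW only exposes _putenv_s()/getenv_s() if this is defined before <stdlib.h>;
 * newer MinGW honours it, older ones may not (assumption from the commit message). */
#ifndef MINGW_HAS_SECURE_API
#define MINGW_HAS_SECURE_API 1
#endif
#endif
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
/* Windows has no setenv(). _putenv_s() always overwrites, and a zero-length
 * value deletes the variable instead of setting it to "", so both POSIX
 * behaviours have to be emulated on top of it. */
int oc_setenv(const char *name, const char *value, int overwrite)
{
    if (!name || !*name || strchr(name, '=') || !value) {
        errno = EINVAL;                 /* POSIX: invalid name/value */
        return -1;
    }
    if (!overwrite && getenv(name))
        return 0;                       /* POSIX: keep the existing value */
    if (!*value) {
        errno = EINVAL;                 /* would delete rather than set; refuse */
        return -1;
    }
    return _putenv_s(name, value) == 0 ? 0 : -1;
}
#else
int oc_setenv(const char *name, const char *value, int overwrite)
{
    return setenv(name, value, overwrite);
}
#endif

/* Variables each TLS library consults for its system-wide configuration,
 * and the empty file the commit message points them at. */
#define GNUTLS_POLICY_VAR  "GNUTLS_SYSTEM_PRIORITY_FILE"
#define OPENSSL_POLICY_VAR "OPENSSL_CONF"
#define NULL_POLICY_FILE   "/dev/null"

/* Must be called before the first call into GnuTLS or OpenSSL (the policy file
 * is read during library initialization; an already-initialized OpenSSL would
 * need re-initialization, as the commit's FIXME notes). Overwrites any value
 * already present, since the point is to override the system policy.
 * Returns the number of variables successfully set: 2 on success. */
int disable_system_crypto_policy(void)
{
    int ok = 0;
    ok += oc_setenv(GNUTLS_POLICY_VAR, NULL_POLICY_FILE, 1) == 0;
    ok += oc_setenv(OPENSSL_POLICY_VAR, NULL_POLICY_FILE, 1) == 0;
    return ok;
}

/* Does the variable currently hold exactly `expected`? (1 = yes, 0 = no/unset) */
int env_equals(const char *name, const char *expected)
{
    const char *v = getenv(name);
    return v != NULL && strcmp(v, expected) == 0;
}

int main(void)
{
    oc_setenv("OC_DEMO", "first", 1);
    oc_setenv("OC_DEMO", "second", 0);          /* overwrite=0: "first" is kept */
    printf("OC_DEMO=%s\n", getenv("OC_DEMO"));
    printf("policy vars set: %d\n", disable_system_crypto_policy());
    printf("%s=%s\n", OPENSSL_POLICY_VAR, getenv(OPENSSL_POLICY_VAR));
    return 0;
}
```

The order matters more than the wrapper: the environment has to be changed before the first library call, because both libraries read their configuration file once, at initialization, and a later change has no effect.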
-
- 22 Jan, 2021 1 commit
-
-
Daniel Lenski authored
See discussions on https://gitlab.com/openconnect/openconnect/-/issues/211 for rationale.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 20 Jan, 2021 1 commit
-
-
Daniel Lenski authored
Use separate counters for inner and outer loop.

See merge request openconnect/openconnect!161
-
- 16 Jan, 2021 1 commit
-
-
Tom Carroll authored
The inner and outer loop share a counter. The inner loop resets the counter to zero when entering the loop. I don't believe this is the intention from an examination of the code. Have inner and outer loops use separate counters.

Signed-off-by: Tom Carroll <incentivedesign@gmail.com>
-
- 08 Jan, 2021 2 commits
-
-
Daniel Lenski authored
Small memory leak in gnutls.c:assign_privkey

See merge request openconnect/openconnect!160
-
Tom Carroll authored
Ensure the array pcerts is freed for both success/fail paths.

The function gnutls_certificate_set_key() is odd as it takes ownership of the contents of pcerts, but not the pcerts array itself.

See: gnutls-3.6.15/lib/cert-cred.c:gnutls_certificate_set_key()

    ...
    new_pcert_list = gnutls_malloc(sizeof(gnutls_pcert_st) * pcert_list_size);
    if (new_pcert_list == NULL) {
        return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
    }
    memcpy(new_pcert_list, pcert_list, sizeof(gnutls_pcert_st) * pcert_list_size);

Signed-off-by: Tom Carroll <incentivedesign@gmail.com>
-
- 05 Jan, 2021 6 commits
-
-
Elias Norberg authored
In version 1.1.0 of OpenSSL, a security level was introduced that enforces specific settings for certificates etc. This PR sets the security level to 0, to retain the functionality that previous versions of openssl had, and prevent errors like:

    140088222534656:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310

See https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html for more information about security levels.

Signed-off-by: Elias Norberg <elias@aisle.se>
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
add SIGUSR1 as trigger to print detailed connection information and stats

See merge request openconnect/openconnect!154
-
Daniel Lenski authored
tncc-emulate.py: add TNCC_USER_AGENT override variable

See merge request openconnect/openconnect!157
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
This way, initial connection information and background PID will be usefully printed to the console, as will errors which prevent the tunnel from being started (and thus cause OpenConnect to abort as soon as it's established a connection to the server).

This is a further refinement of 557ac6cf (!117).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 14 Dec, 2020 3 commits
-
-
Daniel Lenski authored
add auth_expiration (AnyConnect, GP, Pulse) and openconnect_get_auth_expiration() API function

See merge request openconnect/openconnect!156
-
Daniel Lenski authored
We have many examples of this field (AVP 0x583/0xd5c) being multiples of 60 or 3600, strongly suggesting that it's the remaining auth lifetime:

- https://gitlab.com/openconnect/openconnect/-/issues/98: `AVP 0x583/0xd5c: 00 01 fa 40` (0x1fa40 seconds = 36 hours)
- private communication: `AVP 0x583/0xd5c: 00 00 a9 ec` (0xa9ec seconds = 12 hours)
- private communication: `AVP 0x583/0xd5c: 00 00 0a 70` (0xa70 seconds = 44 minutes)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
This allows protocols to save the moment when a session's authentication (`vpninfo->cookie`) is expected to expire and no longer be useful for reconnection. The motivation is to eventually allow front-ends to know whether reauthentication is needed, or whether they should try using a cached cookie.

Current state:

- AnyConnect protocol: expiration is determined from the CONNECT response header `X-CSTP-Session-Timeout-Remaining` (with `X-CSTP-Session-Timeout` or `X-CSTP-Lease-Duration` as upper bounds in its absence)
- GlobalProtect protocol: expiration is determined from the `<lifetime>` tag of the XML config.
- Juniper Network Connect protocol: no currently known way to determine expiration. The `DSID` cookie is a standard HTTP cookie, so perhaps its expiration timestamp is intended for this purpose; however, I can find no real-world case where it has an expiration timestamp set.
- None of the currently-supported protocols provide the expiration timestamp until the connection phase, so it can't be obtained for export by the `--authenticate` option.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
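As an added illustration (not OpenConnect code) of the expiration sources listed in the two commits above: the AnyConnect CONNECT headers, the Pulse AVP 0x583/0xd5c payload and the GlobalProtect `<lifetime>` tag, each reduced to an absolute expiry that a front-end can compare against a cached cookie. Assumed here, not stated by the project: header and tag values are integer seconds, the AVP payload is a 4-byte big-endian second count, and when `X-CSTP-Session-Timeout-Remaining` is absent the smaller of the two fallback headers is taken as the bound. All function names and sample inputs are constructed for this example.

```python
"""Added example (not OpenConnect code): derive an absolute auth-expiration
instant from the per-protocol artefacts named in the commit messages above.

Assumptions (this example's, not the project's): header/tag values are integer
seconds; the Pulse AVP payload is a 4-byte big-endian second count; when
X-CSTP-Session-Timeout-Remaining is absent, the smaller of the two fallback
headers bounds the remaining lifetime.
"""
import struct
import xml.etree.ElementTree as ET
from typing import Mapping, Optional


def _int_header(headers: Mapping[str, str], name: str) -> Optional[int]:
    """Case-insensitive lookup of a non-negative integer header value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            try:
                secs = int(value.strip())
            except ValueError:
                return None
            return secs if secs >= 0 else None
    return None


def anyconnect_auth_expiration(headers: Mapping[str, str], now: int) -> Optional[int]:
    """AnyConnect: prefer X-CSTP-Session-Timeout-Remaining; otherwise the tighter
    of X-CSTP-Session-Timeout / X-CSTP-Lease-Duration; None if nothing usable."""
    remaining = _int_header(headers, "X-CSTP-Session-Timeout-Remaining")
    if remaining is None:
        bounds = [b for b in (_int_header(headers, "X-CSTP-Session-Timeout"),
                              _int_header(headers, "X-CSTP-Lease-Duration"))
                  if b is not None]
        if not bounds:
            return None
        remaining = min(bounds)
    return now + remaining


def pulse_auth_expiration(avp_value: bytes, now: int) -> Optional[int]:
    """Pulse: AVP 0x583/0xd5c carries the remaining lifetime as a big-endian
    uint32 of seconds (e.g. 00 01 fa 40 -> 129600 s = 36 h). Reject other sizes."""
    if len(avp_value) != 4:
        return None
    (secs,) = struct.unpack(">I", avp_value)
    return now + secs


def gp_auth_expiration(config_xml: str, now: int) -> Optional[int]:
    """GlobalProtect: the <lifetime> element of the XML config, in seconds."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    node = root.find(".//lifetime")
    if node is None or node.text is None:
        return None
    try:
        secs = int(node.text.strip())
    except ValueError:
        return None
    return now + secs if secs >= 0 else None


def needs_reauth(expiration: Optional[int], now: int, margin: int = 60) -> bool:
    """Front-end policy: only reuse a cached cookie if it is known to outlive the
    reconnect by at least `margin` seconds. Unknown expiry means re-authenticate."""
    return expiration is None or expiration - now <= margin


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed "current time" (epoch seconds)
    # Constructed sample inputs shaped like the artefacts the commits describe.
    cstp = {"X-CSTP-Session-Timeout": "86400", "X-CSTP-Lease-Duration": "1200"}
    avp = bytes.fromhex("0001fa40")
    gp = "<response><lifetime>7200</lifetime></response>"
    for label, exp in (("anyconnect", anyconnect_auth_expiration(cstp, NOW)),
                       ("pulse", pulse_auth_expiration(avp, NOW)),
                       ("globalprotect", gp_auth_expiration(gp, NOW))):
        print(f"{label}: expires at {exp}, reauth needed: {needs_reauth(exp, NOW)}")
```

Every path returns None rather than a guess when the input is malformed or absent, and `needs_reauth` treats None as "re-authenticate": for a cookie-reuse decision, an unknown expiry is the unsafe case, so it must not be mistaken for "still valid".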
-
- 13 Dec, 2020 1 commit
-
-
Daniel Lenski authored
See https://gitlab.com/openconnect/openconnect/-/issues/207#note_465454559 for use case and discussion

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 10 Dec, 2020 1 commit
-
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 09 Dec, 2020 3 commits
-
-
Daniel Lenski authored
GP: ESP debug messages and more IPv6 baby steps

See merge request openconnect/openconnect!155
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
I'm tired of OpenConnect getting blamed for lack of ESP connectivity when in fact literally every example that has been investigated since 2017 turned out to be due to a missing server configuration, broken server configuration, or network UDP blockage.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 08 Dec, 2020 2 commits
-
-
Daniel Lenski authored
This patch replaces them with inline functions (modeled after gpst_os_name), instead of storing them in the global `struct openconnect_info` object.

TODO: further clarify, separate, and consolidate protocol-specific data in `struct openconnect_info`.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
Process <dns-v6>, <access-routes-v6>, and <exclude-access-routes-v6> tags, and only show the long-winded "please report" message once.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 03 Dec, 2020 1 commit
-
-
Daniel Lenski authored
more logging around Trojan script invocation (CSD/HIP/TNCC)

See merge request openconnect/openconnect!152
-
- 01 Dec, 2020 2 commits
-
-
Daniel Lenski authored
See #203 for a recent example of where it wasn't clear that a problem was caused by a CSD script being invoked and never returning, due to the lack of logging.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
Daniel Lenski authored
bugfix for !143

See merge request openconnect/openconnect!153
-