ocserv Changelog

New in ocserv 0.8.4 (Sep 9, 2014)

  • The bundled protobuf-c was updated to 1.0.1.
  • Fixed a crash in the work-around for the infinite loop.

New in ocserv 0.3.1 (Feb 17, 2014)

  • Corrected decoding of cookies. That will prevent issues where the server is unable to parse client cookies.
  • Changed the way X-CSTP-MTU is taken into account, to avoid MTU sizes smaller than intended.
  • Corrected IPv6 address assignment in Linux (the equivalent code for BSD-derivatives is untested).
  • Default configuration file changed to /etc/ocserv/ocserv.conf and default password file for ocpasswd to /etc/ocserv/ocpasswd.
  • Added support for multiple DNS and NBNS servers in ocserv.conf. The 'local' keyword is no longer supported.
  • Added the new config options split-dns and custom-header.
  • When seccomp is being used the forbidden system calls will return error instead of the process being killed.
  • Rekey time can now be configured using the rekey-time option, and can also be disabled when setting it to zero.
  • Rekey method changed to SSL to use rehandshakes instead of new tunnels.
  • Added support for the "new" IPv6 address sending headers. That is enabled if the client sends "X-CSTP-Full-IPv6-Capability: true".
  • occtl: fixed gathering of interface statistics.

New in ocserv 0.3.0 (Jan 27, 2014)

  • Added occtl, a control tool for ocserv that can be used to query the server about the connected users and to perform certain actions, such as reloading the server's configuration, stopping the server or disconnecting a user.
  • Added support for systemd socket-activatable service.
  • Added priorities on the OpenConnect DTLS ciphersuites to ensure the server has a say on the selected one (and prevent clients from negotiating 3DES when AES is supported by both).
  • Better display of IP addresses in log messages.
  • Added the use-dbus configuration option. It can be used to disable the D-BUS service (and thus the usage of the occtl utility).
  • Added (optional) dependency on protocolbuffer-c, allowing a simpler handling and easier extension of the internal IPC protocol.
  • Added the configuration option cisco-client-compat which, if enabled, allows a client to authenticate by sending its credentials in different TLS sessions. A cookie is used to associate the sessions.
  • Updated seccomp rules to allow the system calls used by the worker process.
  • Allow TLS rehandshakes on the TCP channel.

New in ocserv 0.2.3 (Dec 16, 2013)

  • Added X-CSTP-License header to client reply for mobile client compatibility. Patch by Kevin Cernekee.
  • When a new connection presents a cookie of an existing session the previous session of this cookie is disconnected (and its IP is hijacked). If no previous session is active, the server will attempt to assign the previously used IP.
  • If udp-port is unset or set to zero then the server will not listen for UDP sessions.
  • When using PAM allow it to update the username.
  • When always-require-cert is set to false do not require a certificate for cookie authentication.
  • Added the net-priority configuration option.
  • Corrected sending of DPD in the main TLS channel. Report and initial fix by Kevin Cernekee.
  • Added support for cgroups in Linux.

New in ocserv 0.2.2 (Nov 25, 2013)

  • The system http-parser library is used if present, instead of the bundled one.
  • The system libopts library is used if autogen is present.
  • Added --http-debug option to ocserv.
  • Added support for AES-GCM under DTLS 1.2 (requires GnuTLS 3.2.7).
  • More precise MTU calculation (needed for AES-GCM ciphersuites).
  • Do not use an MTU larger than the one initially proposed to openconnect.

New in ocserv 0.2.0 (Nov 1, 2013)

  • Added the configuration directives 'config-per-user' and 'config-per-group'. They allow loading an additional configuration file per user or per group from the setup directory.
  • Added the ipv6-prefix configuration option to replace ipv6-netmask. The new option accepts IPv6 subnet prefixes.
  • Added the 'iroute' configuration directive, applicable only to group or user configuration files. It allows setting routes on the server based on the connected client.
  • Corrected authentication using only certificates.
  • The UDP file descriptor is forwarded from main to workers at most once per minute, to avoid a duplicate DTLS client hello message tearing down the worker's session.
  • Corrected client disconnection issues when connect-script was specified.

New in ocserv 0.1.7 (Oct 28, 2013)

  • Instead of suggesting different DTLS and CSTP MTU values, suggest a single value to the peer. That avoids issues with openconnect which reads one of the suggested values and ignores the other.
  • Added config option "output-buffer" to allow selecting between high throughput or low latency (following similar openconnect change).
  • Enabled config option "mtu".
  • Configuration file parsing was modified to allow detecting misspellings of directives and unknown options.

New in ocserv 0.1.5 (Jul 16, 2013)

  • More robust support for PAM by allowing multi-factor authentication. In practice this allows authentication with more than one password (e.g., a permanent one and a one-time password), as well as changing the password.
  • Cookies are no longer stored on the server side. The server is now stateless. A randomly generated key is used to encrypt and authenticate the cookies sent to the client.
  • Added test suite. It requires "make check" to be run as root (in order to be able to run the server).
  • Bypass the AnyConnect auto-download mechanism. Patch by Kevin Cernekee.
  • Unescape HTML-formatted passwords, or usernames. Reported by P.H. Vos.
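The stateless-cookie design described in the 0.1.5 entry above, as an added illustration that is not ocserv's own code: the server keeps only a random key generated at start-up, stamps each cookie with an expiry, and appends an HMAC-SHA256 tag so that a forged, tampered or expired cookie is rejected without any server-side session table. ocserv also encrypts its cookies; this example (names, key size, TTL and the JSON payload layout are all assumptions made here) shows the authentication half, which is what prevents a client from minting its own cookie.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed for this example: a fresh random key generated when the server
# starts. Restarting the server discards it, which simply invalidates every
# outstanding cookie; that is the trade-off a stateless design accepts.
SERVER_KEY = os.urandom(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_cookie(session, key=SERVER_KEY, now=None, ttl=300):
    """Serialize session data, add an expiry, and append an HMAC-SHA256 tag."""
    if now is None:
        now = time.time()
    payload = dict(session, exp=int(now) + ttl)
    # Canonical JSON so the bytes that are authenticated are unambiguous.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the session dict if the tag is valid and the cookie is unexpired, else None."""
    if now is None:
        now = time.time()
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' on bytes leaks how many leading
    # tag bytes matched, which an attacker can use to forge a tag incrementally.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    return payload


def flip_first_byte(cookie):
    """Simulate a client tampering with the authenticated payload."""
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    # Constructed sample session, as a worker might record after login.
    cookie = issue_cookie({"user": "alice", "ip": "10.0.0.2"}, now=1000, ttl=300)
    print("valid   :", verify_cookie(cookie, now=1200))
    print("expired :", verify_cookie(cookie, now=1400))
    print("tampered:", verify_cookie(flip_first_byte(cookie), now=1200))
    print("bad key :", verify_cookie(cookie, key=b"\x01" * 32, now=1200))
```

The expiry lives inside the authenticated payload, so a client cannot extend its own session by editing it; the server's only state is the key.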

New in ocserv 0.1.2 (May 9, 2013)

  • Several updates to allow compilation in FreeBSD.
  • Allow pinging an IP before leasing it, in order to check whether it is already in use.
  • ocpasswd accepts options to lock and unlock users.
  • Several updates to allow CISCO's anyconnect clients to connect to this server.

New in ocserv 0.1.0 (Mar 23, 2013)

  • Corrected issue with ocsp-response configuration field.
  • Added ability to specify multiple certificate and key pairs.
  • Added support for TLS session tickets.
  • Added the "plain" authentication option, which allows a simple password file format. The ocpasswd tool can be used to generate entries for this file.
  • The private key operations are performed in a separate process, to prevent loss of the private key in case a worker process is compromised.

New in ocserv 0.0.2 (Mar 5, 2013)

  • Updated HTTP protocol handling (fixes issue with openconnect < 4). Reported by Mike Miller.
  • Use TCP wrappers (libwrap) when present.
  • Fixed issue with the 'local' keyword in DNS server.
  • Added configuration options 'user-profile' and 'always-require-cert' to enable non-openconnect clients to connect. They are enabled with the configure option --enable-anyconnect-compat.
  • Allow setting a rate limit on the number of connections.
  • Allow setting a reconnection delay time after a failed authentication attempt (added min-reauth-time option).
  • Eliminated memory leaks.
  • Auto-detect xml content for username and password (fixes interoperability with newer openconnect versions).