Today's Topics:
1. [PATCH 7/7] doc: Add new OpenConnect configuration options to VPN config
format
(Jussi Laakkonen)
2. Re: [PATCH 6/7] doc: Add new OpenConnect PKCS#12 parameters to VPN agent
API
(David Woodhouse)
----------------------------------------------------------------------
Date: Wed, 2 Oct 2019 17:16:49 +0300
From: Jussi Laakkonen <[email protected]>
Subject: [PATCH 7/7] doc: Add new OpenConnect configuration options to
VPN config format
To: [email protected]
Message-ID: <[email protected]>
Document the new options implemented for OpenConnect and the possible
choices for authentication.
---
doc/vpn-config-format.txt | 77 +++++++++++++++++++++++++++++++++++++--
1 file changed, 73 insertions(+), 4 deletions(-)
diff --git a/doc/vpn-config-format.txt b/doc/vpn-config-format.txt
index b9d37fa4..5c7524c9 100644
--- a/doc/vpn-config-format.txt
+++ b/doc/vpn-config-format.txt
@@ -54,8 +54,9 @@ OpenConnect VPN supports following options (see
openconnect(8) for details):
OpenConnect.CACert --cafile File containing other Certificate
Authorities in addition to the ones
in the system trust database (O)
- OpenConnect.ClientCert --certificate Client certificate file, if needed
- by web authentication (O)
+ OpenConnect.ClientCert --certificate Client certificate file, needed
+ by web authentication when AuthType
+ is set as "publickey" (O)
VPN.MTU --mtu Request MTU from server as the MTU
of the tunnel (O)
OpenConnect.Cookie --cookie-on-stdin Cookie received as a result of the
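Review bot: the amended ClientCert text says the client certificate is needed "when AuthType is set as "publickey"", but the publickey entry added later in this same patch lists CACert and UserPrivateKey as the required options and never mentions ClientCert; the two statements should agree on which files publickey needs, stated once. Wording: "set as" reads better as "set to".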
@@ -68,8 +69,75 @@ OpenConnect VPN supports following options (see
openconnect(8) for details):
Only usable for extremely simple VPN
configurations and should normally
be set only via the VPN Agent API.
-If OpenConnect.Cookie or OpenConnect.ServerCert are missing, the VPN Agent will
-be contacted to supply the information.
+ OpenConnect.AllowSelfSignedCert none Additional option to define if self
+ signed server certificates are
+ allowed. Boolean string and defaults
+ to false, value "true" enables the
+ option. Affects to the OpenConnect
+ internal function only: --servercert
+ is not added to startup parameters
+ and receiving self signed cert from
+ server terminates the connection if
+ set as false (or omitted) (O)
+ OpenConnect.AuthType Type of authentication used with
+ OpenConnect. Applicable values are
+ "cookie", "cookie_with_userpass",
+ "userpass", "publickey" and
+ "pkcs12". Value "cookie" is basic
+ cookie based authentication. Value
+ "cookie_with_userpass" means that
+ credentials are used to retrieve the
+ connection cookie, which hides the
+ username from commandline. With
+ value "userpass" username and
+ password are used. Value "publickey"
+ requires CACert and UserPrivateKey
+ to be set. Value "pkcs12" uses the
+ PKCS12ClientCert and requests
+ password input. Defaults to "cookie"
+ (O)
+ cookie --cookie-on-stdin Default cookie based authentication
+ cookie_with_userpass Two phased connection, first
+ authentication: --cookieonly authenticate with credentials then
+ --passwd-on-stdin use cookie for connection. Username
+ --user is hidden from commandline during
+ connection: --cookie-on-stdin connection.
+ userpass --passwd-on-stdin Credential based authentication,
+ --user username is visible on commandline.
+ publickey --clientcert Non-encrypted client certificate and
+ --sslkey private key file is used for auth.
+ pkcs12 --cliencert Authenticat with PKCS#12 client
+ certificate.
+ OpenConnect.DisableIPv6 --disable-ipv6 Do not ask for IPv6 connectivity.
+ Boolean string and defaults to
+ false, value "true" enables the
+ option (O)
+ OpenConnect.NoDTLS --no-dtls Disable DTLS and ESP (O)
+ OpenConnect.NoHTTPKeepalive --no-http-keepalive Disable HTTP connection
+ re-use to workaround issues with
+ some servers. Boolean string and
+ defaults to false, value "true"
+ enables the option (O)
+ OpenConnect.PKCS12ClientCert --certificate Certificate and private key in
+ a PKCS#12 structure, protected with
+ a password. Needed when AuthType is
+ "pkcs12" (O)
+ OpenConnect.Usergroup --usergroup Set login usergroup on remote server
+ (O)
+ OpenConnect.UserPrivateKey --sslkey SSL private key file needed by web
+ authentication when AuthType is set
+ as "publickey" (O)
+
+The VPN agent will be contacted to supply the information based on the
+authentication type as follows:
+ Authentication type Information requested Saved with name
+ cookie OpenConnect.Cookie OpenConnect.Cookie
+ cookie_with_userpass Username OpenConnect.Username
+ Password OpenConnect.Password
+ userpass Username OpenConnect.Username
+ Password OpenConnect.Password
+ publickey <none>
+ pkcs12 OpenConnect.PKCS12Password OpenConnect.PKCS12Password
OpenVPN VPN supports following options (see openvpn(8) for details):
Option name OpenVPN option Description
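Review bot: the publickey description ("Value "publickey" requires CACert and UserPrivateKey to be set") conflicts with the command mapping just below it, which passes --clientcert and --sslkey, and with the ClientCert entry amended earlier in the patch; CACert looks like a slip for ClientCert. The removed sentence about OpenConnect.ServerCert being requested from the VPN Agent has no replacement in the new "Information requested" table (only Cookie, Username/Password and PKCS12Password appear), so either state that ServerCert is no longer requested or add it to the table. The AllowSelfSignedCert entry should say in plain terms what accepting a self-signed server certificate means for the connection (the server is no longer authenticated by a trusted CA), since that is what a reader of this table needs in order to weigh the option. Minor: "Affects to the OpenConnect internal function only" should be "Affects only the OpenConnect internal function", "--cliencert" and "Authenticat" are typos, and the mapping table uses --clientcert where the option table above maps ClientCert and PKCS12ClientCert to --certificate; the spelling of the option should be the same in both places.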
@@ -235,6 +303,7 @@ L2TP.User = username
[provider_openconnect]
Type = OpenConnect
+AuthType = pkcs12
Name = Connection to corporate network using Cisco VPN
Host = 7.6.5.4
Domain = corporate.com
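Review bot: the example adds "AuthType = pkcs12", but the option is documented as "OpenConnect.AuthType" in the table added above, and the hunk header shows the prefixed form used elsewhere in this file ("L2TP.User = username"); it should read "OpenConnect.AuthType = pkcs12". Since the table says PKCS12ClientCert is needed when AuthType is "pkcs12", the example should also set OpenConnect.PKCS12ClientCert, otherwise the sample configuration is incomplete as written.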
--
2.20.1
------------------------------
Date: Wed, 02 Oct 2019 20:49:08 +0100
From: David Woodhouse <[email protected]>
Subject: Re: [PATCH 6/7] doc: Add new OpenConnect PKCS#12 parameters
to VPN agent API
To: [email protected], Jussi Laakkonen <[email protected]>
Message-ID: <[email protected]>
Hm, this seems very wrong. Files which happen to be PKCS#12 should be treated absolutely identically to files which happen to be PKCS#1 or PKCS#8.
See http://david.woodhou.se/draft-woodhouse-cert-best-practice.html
On 2 October 2019 15:16:48 BST, Jussi Laakkonen <jussi.laakkonen@jolla.com> wrote:
>Add new OpenConnect VPN agent parameters to the API documentation.
>Following are added:
> Name Requirement OC authentication type
> OpenConnect.PKCS12ClientCert informational pkcs12
> OpenConnect.PKCS12Password mandatory pkcs12
>---
> doc/vpn-agent-api.txt | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>diff --git a/doc/vpn-agent-api=2Etxt b/doc/vpn-agent-api=2Etxt
>index 26c732d1=2E=2Efcb0e9e1 100644
>--- a/doc/vpn-agent-api=2Etxt
>+++ b/doc/vpn-agent-api=2Etxt
>@@ -85,6 +85,15 @@ Fields string Username
> Return the OpenConnect cookie value that is used for
> authenticating the VPN session=2E
>=20
>+ string OpenConnect=2EPKCS12ClientCert
>+
>+ Informational field containing a PKCS#12 URL or a path
>+ name for the PKCS#12 client certificate=2E
>+
>+ string OpenConnect=2EPKCS12Password
>+
>+ Password for decrypting PKCS#12 client certificate=2E
>+
> string OpenConnect=2EServerCert
>=20
> Return the OpenConnect server hash used to identify
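Review bot: the new OpenConnect.PKCS12Password field is tied to one container format, while an encrypted PKCS#1 or PKCS#8 private key referenced through the existing fields gets no corresponding prompt in this API; a format-neutral field (a private-key passphrase that applies whichever container holds the key) would cover both cases with a single agent request and avoid a parallel set of fields per format, which is the concern raised in the reply above. The PKCS12ClientCert description says "a PKCS#12 URL or a path name" without saying which URL forms the agent should expect; if only file paths are accepted, say so.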
>--
>2.20.1
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
------------------------------
End of connman Digest, Vol 48, Issue 4