It's been over a year since the last release, and a few fixes have accumulated. Most notably, some improvements to Pulse compatibility as the servers have changed. Also some cleanups to the SSO support, especially external browser handling for Cisco AnyConnect.
On Windows, update the Wintun driver and make it the default instead of the old OpenVPN tap-windows driver. Increase the default queue length to 32 (which turns vhost support on by default), which is seen to improve real world performance quite a lot. It's not entirely clear *why*, since there are large queues both before and after OpenConnect doing its own packet processing, but empirically it's clearly needed.

https://www.infradead.org/openconnect/download/openconnect-9.10.tar.gz
https://www.infradead.org/openconnect/download/openconnect-9.10.tar.gz.asc

Alex Samorukov (1):
      Add MacOS support to the hipreport

Andy Teijelo (1):
      Use the timeout command in csd-wrapper.sh

Daniel Lenski (101):
      Bugfix fake-gp-server.py: <saml-request> uses the 'standard' base64 alphabet, not the 'URL-safe' one
      OpenConnect has too many slightly-varying and undocumented interfaces for external scripts with similar functions
      Clearer error message when GlobalProtect portal configuration contains no gateways at all
      Clearer error for list-system-keys on Unix-like platforms
      Cleanup GP auth tests (don't need to disable IPv6 here)
      Rework GP fake server to have a persistent configuration
      Add a fake SAML handler/form to fake-gp-server.py
      Factor out some of the most repetitive elements of gp-auth-and-config
      Explain why explicit proxying usually doesn't work in MITM docs
      Clarify purpose/scope of --authgroup option
      Clarify purpose/scope of --usergroup option
      Log more details of unknown Pulse packets
      Merge branch 'man' into 'master'
      Support [,;] as separators for multiple search domains with all protocols
      Expand comment about potentially-useful information in GP portal configuration
      Don't set xmlReadMemory's URL argument to "noname.xml"
      Distinguish XML and non-XML error paths in gpst_xml_or_error
      Parse GlobalProtect XML more leniently
      Java: remove idleTimeoutSec from IPInfo class
      Don't set xmlReadMemory's URL argument to "noname.xml" (fixup)
      Treat empty redirect_url as a no-op
      Add missing 'goto bad_config' in Pulse error path
      More trace-level logging around Pulse config packets
      Future-proof unknown attr_flag values in Pulse main config packet
      Merge branch 'pulse-9.1R16' into 'master'
      Make Fortinet's invalid credential response more human-readable
      Add anchors to HTML manual, so any option can be the target of a link
      Fix logging of ESP-magic "gateway" address in GP config parsing
      Avoid warnings about unused ESP-related functions/variables in oncp.c and gpst.c
      Prevent crash on unexpected response for GlobalProtect portal prelogin XML
      Allow --form-entry to override hidden fields' values or mark them as text fields
      Don't treat forms containing only hidden fields as non-empty
      Ensure that even hidden form fields have labels
      Basic 2FA token handling for F5
      Add f5-auth-and-config tests of hidden form followed by 2FA form
      Merge branch 'upstream/hidden_form_field_override' into 'master'
      GlobalProtect can send the challenge-based 2FA form in an even stupider way
      List an unhandled Pulse flag related to hostname-based split tunnelling
      Add --sni option to the CLI, for domain fronting
      If --sni is specified, expect peer certificate to match value sent in SNI, rather than hostname
      Prioritize IPv6 for GlobalProtect ESP "magic ping"
      Merge branch 'add_sni_option_for_domain_fronting' into 'master'
      Combine Legacy IP and IPv6 cases in GP config XML parsing
      Merge branch 'GP_consolidate_legacy_IP_and_IPv6_ESP_config_handling' into 'master'
      Save GlobalProtect version reported by portal and parrot it back as client version
      Sending --long-options to HIP script was a mistake; use environment variables instead
      HOSTID → HOST_ID in hipreport.sh/hipreport-android.sh
      Merge branch 'parrot_GP_server_software_version_back_as_client_software_version' into 'master'
      Update changelog
      Merge branch 'android' into 'master'
      Update .gitlab-ci.yml to be multi-stage and conserve CI runner usage
      Fix TNCC links in docs
      Simulate condition leading to segfault in fake-fortinet-server.py
      Update changelog
      Merge branch 'manudroid19-master-patch-20475' into 'master'
      Merge branch 'tap' into 'master'
      Update .mailmap
      Simplify port list in csd-post.sh
      Mention newer/non-PPP-based wire protocol in the Fortinet docs
      Bugfix tests/fake-gp-server.py
      GlobalProtect JavaScript challenge fields can contain literal newlines
      Parse GlobalProtect JavaScript challenge 'respMsg' as JSON string
      Merge branch 'parse_GP_javascript_better' into 'master'
      Persistent configuration for fake Fortinet server
      Persistent configuration for fake Juniper server
      Give more details about unexpected Pulse configuration packets
      Expand examples of '--useragent' in manual page
      Merge branch 'FAIL_obsolete-server-crypto' into 'master'
      Add 'except' clause for Gitlab-CI Android builds
      Parse JSON login forms for F5
      Update changelog
      Merge branch 'parse_JSON_login_forms_F5' into 'master'
      Make xmlnode_bool_or_int_value() a global, internal function
      Persist Windows installer artifacts (openconnect-installer.exe) for tagged commits/releases
      Unique names for each variant openconnect-installer.exe
      Update changelog and README
      Merge branch 'persist-windows-builds' into 'master'
      Junos/Pulse → Junos/Ivanti Pulse
      Ignore blank labels sent in GlobalProtect prelogin
      GnuTLS: Print more relevant information in the case of a fatal TLS alert
      Fortinet: send dual_stack parameter to support IPv6 and Legacy IP simultaneously
      Add a more modern LIMITATIONS section to man page
      GnuTLS: Add UNSAFE_RENEGOTIATION to allow-insecure-crypto
      Remove TAP-Windows driver from installer, and update docs to reference Wintun's default inclusion
      Bundled Cisco CSD wrapper script only works on GNU/Linux on Intel x86/x86_64 processors
      Merge branch 'tap_wintun' into 'master'
      Update .mailmap
      Add FTM-push token mode for Fortinet
      Newer Pulse servers can disable their ESP protocol layering malpractice
      Pulse needs an 'official' version string in IF/T-T establishment to support IPv6
      Document the potential need for an EAP-TLS-within-EAP-TTLS workaround for Pulse
      Merge branch 'Pulse_unstupid_ESP' into 'master'
      Small additions to changelog before release
      Update docs related to vpnc-script, platform, Trojans
      Tell Apple users not to use '-i tunX', but '-i utunX' instead.
      Bugfix Y2038 for F5 authentication timestamp
      Fix mixed line endings
      Add --no-external-auth option, and follow it for Cisco protocol
      More specific error message with proposed workaround for Pulse EAP-TLS requests
      Update changelog
      Merge branch 'hipreport' into 'master'

David Woodhouse (40):
      Merge branch 'obs' into 'master'
      Merge branch 'CentOS6' into 'master'
      Merge branch 'rhel5' into 'master'
      Merge branch 'autoconf' into 'master'
      Revert "Use more idiomatic super().__init__() in html.py"
      BuildRequire glibc-langpack-cs on EPEL9 for auth-nonascii test
      Import translations from GNOME
      Remove stray debug message on Pulse ESP rekey
      Fix ESP recv() error handling for Windows
      Use OpenSSL_version() not deprecated SSLeay_version()
      Add list-system-keys tool
      Fix COPR builds
      Clean up NSIS installation a bit
      Don't install list-system-keys
      Attempt to handle multiple IP packets in an Array TLS frame
      Update changelog, improve Windows certificate store documentation
      Default 'Getting Started' top-level menu to connecting.html
      Looks like Array *does* split packets across TLS records
      Detect Array session timeout and exit cleanly
      Import translations from GNOME
      Fix Solaris build
      Update translations from GNOME
      Bump default queue length to 32
      Update translations from GNOME
      Fix missing TX stats on vhost
      Update docs on running as non-root
      Redirect stdout to stderr when spawning external browser
      Fix F5 build with json-parser 1.1.0
      Revert "html.py is a Python 3 script"
      Fix installer suffix handling
      Resync translations with sources
      Set SOCK_CLOEXEC on listening socket for Cisco external browser support
      Fix --server vs. positional argument handling
      Report unexpected Pulse EAP requests more explicitly
      Fix EINTR handling for select() on cmd_fd
      Attempt to handle Legacy IP frames in the middle of oNCP config
      Rework ESP probe retries
      Resync translations with sources
      Fix use-after-free in realloc_inplace()
      Tag version 9.10

Dimitri Papadopoulos (40):
      Stop CentOS6 CI job
      AC_PREREQ expects a single version argument
      No need to support RHEL 5
      Fix signedness of character buffers in HKDF/HPKE-related functions
      Fix constness of character buffers in HKDF/HPKE-related functions
      Fix constness again in HKDF/HPKE-related functions
      Merge branch 'const' into 'master'
      Man page: fix list of supported protocols
      Man page: remove spurious space before )
      Man page: use bold for option names
      Clarify certificate verification in Cisco CSD/trojan scripts
      Fix broken links in documentation
      Python: indentation contains mixed spaces and tabs
      Python invalid syntax
      Fix NULL pointer dereference resulting in non-functional Android builds since v8.20
      Wintun 0.13 (2021-08-02) → 0.14.1 (2021-10-17)
      Wintun driver registered as "Wintun" instead of "wintun"
      Revert 59d3e370
      Update the changelog: support for Wintun 0.14.1
      Case-insensitive TAP component ID
      Support TAP driver bundled with OpenVPN
      Merge branch 'wintun-0.14.1' into 'master'
      Free vpninfo->urlpath before re-assigning
      obsolete-server-crypto test is no longer XFAIL in Fedora/GnuTLS
      Remove deprecated option cookie-validity from ocserv test configurations
      Replace deprecated libtasn1 macros
      obsolete-server-crypto test is no longer XFAIL in Fedora/GnuTLS/*
      obsolete-server-crypto and auth-certificate tests are now XFAIL in Fedora/OpenSSL CI test
      html.py is a Python 3 script
      Remove support for OpenSSL 0.9.8
      Verbatim LGPLv2.1, to the byte
      Remove support for LibreSSL
      Latest version of lzo.c and lzo.h
      Apply local changes to lzo.c and lzo.h
      Merge branch 'lzo' into 'master'
      Deprecate option --juniper, suggest --protocol=nc instead
      Remove obsolete LIMITATIONS from man page
      Make it clearer that the preferred driver is Wintun
      Cherry-pick several one-line cleanup MRs
      pulsesecure.net → ivanti.com

Elias Norberg (1):
      Add support for Pulse region choice

Hossein Khojany (1):
      Add openconnect_set_sni API function and Java setSNI() wrapper

Luca Boccassi (1):
      obs: remove libtss2-dev from debian dependency, to allow build for 18.04 to succeed

Manuel de Prada (1):
      Fortinet: fix bug causing segfault when SVPNCOOKIE is set repeatedly

Mike Gilbert (1):
      jsondump.c: include <inttypes.h> for PRId64

Rahul Rameshbabu (1):
      Do not add 'single-sign-on' to the capabilities list for AnyConnect auth requests

Timothee 'TTimo' Besset (1):
      Fix pulse 9.1R16 connection
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel