It's been over a year since the last release, and a few fixes have
accumulated. Most notably, some improvements to Pulse compatibility as
the servers have changed. Also some cleanups to the SSO support,
especially external browser handling for Cisco AnyConnect.

On Windows, update the Wintun driver and make it the default instead of
the old OpenVPN tap-windows driver.

Increase the default queue length to 32 (which turns vhost support on
by default), which is seen to improve real-world performance quite a
lot. It's not entirely clear *why*, since there are large queues both
before and after OpenConnect doing its own packet processing, but
empirically it's clearly needed.

https://www.infradead.org/openconnect/download/openconnect-9.10.tar.gz
https://www.infradead.org/openconnect/download/openconnect-9.10.tar.gz.asc

Alex Samorukov (1):
      Add MacOS support to the hipreport

Andy Teijelo (1):
      Use the timeout command in csd-wrapper.sh

Daniel Lenski (101):
      Bugfix fake-gp-server.py: uses the 'standard' base64
         alphabet, not the 'URL-safe' one
      OpenConnect has too many slightly-varying and undocumented interfaces for
         external scripts with similar functions
      Clearer error message when GlobalProtect portal configuration contains no
         gateways at all
      Clearer error for list-system-keys on Unix-like platforms
      Cleanup GP auth tests (don't need to disable IPv6 here)
      Rework GP fake server to have a persistent configuration
      Add a fake SAML handler/form to fake-gp-server.py
      Factor out some of the most repetitive elements of gp-auth-and-config
      Explain why explicit proxying usually doesn't work in MITM docs
      Clarify purpose/scope of --authgroup option
      Clarify purpose/scope of --usergroup option
      Log more details of unknown Pulse packets
      Merge branch 'man' into 'master'
      Support [,;] as separators for multiple search domains with all protocols
      Expand comment about potentially-useful information in GP portal
         configuration
      Don't set xmlReadMemory's URL argument to "noname.xml"
      Distinguish XML and non-XML error paths in gpst_xml_or_error
      Parse GlobalProtect XML more leniently
      Java: remove idleTimeoutSec from IPInfo class
      Don't set xmlReadMemory's URL argument to "noname.xml" (fixup)
      Treat empty redirect_url as a no-op
      Add missing 'goto bad_config' in Pulse error path
      More trace-level logging around Pulse config packets
      Future-proof unknown attr_flag values in Pulse main config packet
      Merge branch 'pulse-9.1R16' into 'master'
      Make Fortinet's invalid credential response more human-readable
      Add anchors to HTML manual, so any option can be the target of a link
      Fix logging of ESP-magic "gateway" address in GP config parsing
      Avoid warnings about unused ESP-related functions/variables in oncp.c and
         gpst.c
      Prevent crash on unexpected response for GlobalProtect portal prelogin XML
      Allow --form-entry to override hidden fields' values or mark them as text
         fields
      Don't treat forms containing only hidden fields as non-empty
      Ensure that even hidden form fields have labels
      Basic 2FA token handling for F5
      Add f5-auth-and-config tests of hidden form followed by 2FA form
      Merge branch 'upstream/hidden_form_field_override' into 'master'
      GlobalProtect can send the challenge-based 2FA form in an even stupider
         way
      List an unhandled Pulse flag related to hostname-based split tunnelling
      Add --sni option to the CLI, for domain fronting
      If --sni is specified, expect peer certificate to match value sent in
         SNI, rather than hostname
      Prioritize IPv6 for GlobalProtect ESP "magic ping"
      Merge branch 'add_sni_option_for_domain_fronting' into 'master'
      Combine Legacy IP and IPv6 cases in GP config XML parsing
      Merge branch 'GP_consolidate_legacy_IP_and_IPv6_ESP_config_handling' into
         'master'
      Save GlobalProtect version reported by portal and parrot it back as
         client version
      Sending --long-options to HIP script was a mistake; use environment
         variables instead
      HOSTID → HOST_ID in hipreport.sh/hipreport-android.sh
      Merge branch
         'parrot_GP_server_software_version_back_as_client_software_version' into
         'master'
      Update changelog
      Merge branch 'android' into 'master'
      Update .gitlab-ci.yml to be multi-stage and conserve CI runner usage
      Fix TNCC links in docs
      Simulate condition leading to segfault in fake-fortinet-server.py
      Update changelog
      Merge branch 'manudroid19-master-patch-20475' into 'master'
      Merge branch 'tap' into 'master'
      Update .mailmap
      Simplify port list in csd-post.sh
      Mention newer/non-PPP-based wire protocol in the Fortinet docs
      Bugfix tests/fake-gp-server.py
      GlobalProtect JavaScript challenge fields can contain literal newlines
      Parse GlobalProtect JavaScript challenge 'respMsg'