On Mon, Aug 14, 2017 at 2:36 PM, David Woodhouse wrote:
> I actually had a fix for that lying around in my tree for a while; have
> finally pushed it now. Thanks!
>
> I note that the auth-nonascii test still fails on Ubuntu 16.04, as even
> in the trivial case of the default UTF-8 (in my case en_G
On Mon, Aug 14, 2017 at 3:36 PM, Nikos Mavrogiannopoulos
wrote:
> On Mon, Aug 14, 2017 at 2:36 PM, David Woodhouse wrote:
>> I actually had a fix for that lying around in my tree for a while; have
>> finally pushed it now. Thanks!
>>
>> I note that the auth-nonascii
On Fri, Sep 8, 2017 at 11:11 AM, Michael Haubenwallner
wrote:
> Same problem here when using GnuTLS 3.5.13,
> but there is no problem with GnuTLS 3.3.26.
Could you share its IP? Otherwise I'd recommend using "gnutls-cli
IP -d 6" and trying git-bisect on gnutls master to see which commit broke
t
On Fri, 2017-09-08 at 14:58 +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, Sep 8, 2017 at 11:11 AM, Michael Haubenwallner
> wrote:
>
> > Same problem here when using GnuTLS 3.5.13,
> > but there is no problem with GnuTLS 3.3.26.
>
> Could you share its IP? Otherw
On Fri, 2017-09-08 at 21:44 +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2017-09-08 at 14:58 +0200, Nikos Mavrogiannopoulos wrote:
> > On Fri, Sep 8, 2017 at 11:11 AM, Michael Haubenwallner
> > wrote:
> >
> > > Same problem here when using GnuTLS 3.5.13,
>
On Tue, 2017-09-12 at 15:11 +, Magnusson Peter wrote:
> We are running Openconnect on rhel7 against Cisco ASA (with hostscan
> enabled). After a recent upgrade of hostscan to version 4.3.0538 we are
> having problems connecting.
>
> It seems to be due to a bugfix that cisco p
On Mon, Sep 18, 2017 at 1:24 AM, Miguel Cruz wrote:
> Hi,
>
> I'm trying to connect to some Cisco Anyconnect server I do not control
> but the connection apparently fails during the SSL negotiation.
>
> I have investigated the issue using openssl and found that the server
> only supports TLSv1 wit
On Tue, Sep 19, 2017 at 9:42 PM, David Raison wrote:
> On 19/09/17 10:02, David Raison wrote:
>> If this is the way to do it, then I have to sort out this Segmentation
>> fault, maybe try it on fedora instead of debian, as you initially suggested:
>>
>>> LD_PRELOAD=/usr/lib/x86_64-linux-gnu/pkcs11
September 20, 2017 12:20:13 PM GMT+02:00, David Raison
wrote:
>Hi Nikos,
>
>
>On 20/09/17 12:08, Nikos Mavrogiannopoulos wrote:
>>> Which means I'm stuck again. I have the same "SSL connection
>failure:
>>> PKCS #11 error" on debian and fedora
On Fri, Sep 22, 2017 at 4:01 PM, Noel Dieschburg wrote:
> Hi David,
>
> First thank you for your quick answer ;)
>
> Do you know if there is a way to do such things (disable RSA-512 signing
> algo) without recompiling the gnu-tls library? I found nothing for the
> moment.
I believe you have to rec
Hello,
I've released ocserv 0.11.9. This is a minor feature update in the
0.11.x branch.
* Version 0.11.9 (released 2017-10-09)
- Fixed bug which caused the acceptance of invalid IPv4 address as valid (#112).
- Fixed compatibility with gnutls 3.3.8 (used in debian jessie) by avoiding the
use o
Do you use the rhel7.4 version of centos7? That seems like a
regression from the epel to the rhel protobuf-c libraries.
Does the new build over that version address that?
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-35c633c003
On Tue, Nov 21, 2017 at 8:35 AM, ping gao 高平(0) wrote:
>
On Wed, Nov 29, 2017 at 2:26 AM, Choon Hoe Chua wrote:
> Hi All
>
> I have Openconnect server up and running and clients can connect fine. But
> the connection protocol is always TLSv1.2. It does not seem to use DTLS, no
> matter which client I use (Cisco Anyconnect on MacOS, iOS and Android and
On Thu, Nov 30, 2017 at 1:21 AM, Choon Hoe Chua wrote:
> “occtl show users” show dtls-cipher as (no-dtls)
>
> I kind of got DTLS working by doing this:
>
> sudo systemctl stop ocserv.socket
> sudo ocserv -c /etc/ocserv/ocserv.conf
>
> So it seems if I stop ocserv.socket and start ocserv manually t
On Sat, Dec 2, 2017 at 2:38 AM, Choon Hoe Chua wrote:
> Here is the output from syslog
>
> Thanks & best regards
>
> - chua
>
> Dec 1 03:16:28 ubuntu ocserv[3528]: main[chchua]:
> [:::113.210.110.153]:16524 main.c:877: connect UDP socket from
> [:::113.210.110.153]:56182: Network is unrea
On Wed, Jan 3, 2018 at 2:07 PM, Remco Kranenburg wrote:
> Hi all,
>
> For some reason, every VPN user keeps spamming the logs about a failed
> UDP bind to port 443. I've attached an anonymized part of the log. The
> messages keep coming even when I disable UFW.
>
> Output of ocserv --version:
>
>
On Wed, Jan 3, 2018 at 3:29 PM, Remco Kranenburg wrote:
> On Wed, 2018-01-03 at 14:55 +0100, Nikos Mavrogiannopoulos wrote:
>> On Wed, Jan 3, 2018 at 2:07 PM, Remco Kranenburg wrote:
>> > Output of ocserv --version:
>> >
>> > ocserv 0.10.11
>&g
On Thu, Jan 4, 2018 at 12:09 AM, Chaskiel Grundman wrote:
> I am running:
> OpenConnect version v7.08
> Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP
> software token, TOTP software token, Yubikey OATH, System keys, DTLS
>
> on ubuntu artful. I'm not sure when this started, but
sible to either party. For that,
allow larger than MTU packets to be received.
Signed-off-by: Nikos Mavrogiannopoulos
---
cstp.c | 9 +
dtls.c | 3 ++-
openconnect-internal.h | 4
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/cstp.c b
On Sat, Jan 6, 2018 at 4:01 PM, Chaskiel Grundman wrote:
> I did not test your patch, though I assume it would work, because I
> did not want to reinforce the idea that the VPN gateway is doing
> something wrong. Instead, I continued my own investigation.
>
> It turns out that in gnutls 3.5.8, gnu
Hello,
I've released ocserv 0.11.10. This is a minor feature update in the
0.11.x branch.
* Version 0.11.10 (released 2018-01-07)
- Increased the DTLS handshake timeout to 60 seconds and decreased
retransmission time to 400ms.
- Improved compatibility with certain anyconnect clients which
di
On Mon, Jan 8, 2018 at 5:51 AM, Chaskiel Grundman wrote:
>> Could you be more specific which code path you are referring to? As
>>far as I see openconnect seems to call gnutls_dtls_set_mtu(), as well
>> as gnutls_dtls_set_data_mtu() on different code paths.
>
> in the non-PSK-NEGOTIATE case, openc
Hi,
I was thinking of options to allow supporting virtual servers under a
single server with different configuration / authentication methods,
and it seems that the simplicity of autogen's configuration parsing is
prohibiting anything like that from coming in a natural way (e.g., via
sections [0]). Given
Nikos
From f4753d8923b801416e42dfa7ac911c19aae2024e Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 17 Jan 2018 09:36:27 +0100
Subject: [PATCH] When an IPv6 address is found set INTERNAL_IP6_DNS
Signed-off-by: Nikos Mavrogiannopoulos
---
script.c | 21 +
1 file changed, 13 insertions(+), 8
On Wed, Jan 17, 2018 at 9:46 AM, David Woodhouse wrote:
> On Wed, 2018-01-17 at 09:41 +0100, Nikos Mavrogiannopoulos wrote:
>> Hi,
>> I got a report in ocserv that openconnect would not see an IPv6 DNS
>> address. Checking it further it seems that openconnect cli
Thank you. Committed in upstream master and 0.11.x branch.
On Mon, Jan 29, 2018 at 8:14 AM, Kevin Cernekee wrote:
> These use a slightly different User-Agent string. If they are not
> detected correctly, then IPv6-only VPNs will not work.
>
> Since the Android bindings did not exist until 6.00,
On Mon, Feb 12, 2018 at 1:57 PM, Andrey Markovskiy
wrote:
> Hi, All!
>
> We've installed ocserv with pam auth and when a user sends a wrong password,
> the client gets:
> "Server 'xxx.xxx.xxx.xxx' requested Basic authentication which is disabled
> by default"
> We can set methods from client by command line
erver.
On February 14, 2018 7:03:09 AM UTC, Andrey Markovskiy
wrote:
>
>
>On 13.02.2018 13:04, Nikos Mavrogiannopoulos wrote:
>> On Mon, Feb 12, 2018 at 1:57 PM, Andrey Markovskiy
>> wrote:
>>> Hi, All!
>>>
>>> We've installed ocserv with p
On Tue, Feb 20, 2018 at 12:25 AM, Kevin Cernekee wrote:
> From: Nikos Mavrogiannopoulos
>
> This allows keeping track of clients which have their DTLS
> stream come from a different IP location than their CSTP
> stream.
>
> Relates #61
> ---
> src/main.c| 3 +
On Sat, Feb 24, 2018 at 6:42 PM, Chang John wrote:
> Hi,
>
> I've found a behavior that the reported stats of bytes_out from worker may
> not match the actual reading from tun interface.
>
> A simple example is mentioned below:
> You can find the TX reported from occtl is 17672025 (17.7 MB) whi
On Tue, Feb 27, 2018 at 9:36 AM, David Woodhouse wrote:
> On Thu, 2018-01-11 at 10:44 +, Jerry van Kooten wrote:
>>
>> OpenConnect gives me these messages and then crashes:
>>
>>
>> Unrecognised data packet
>> Unknown KMP message 300 of size 1427:
>> RTNETLINK answers: No such process
>> RTNET
Hello,
I've released ocserv 0.11.10. This is a bug fix update in the
0.11.x branch.
* Version 0.11.11 (released 2018-03-03)
- Enhanced HTML unescaping to
account encodings seen in some
AnyConnect clients. Contributed by
Daniel Lenski.
- Addressed issue which could cause the worker process
ente
On Fri, 2018-03-02 at 14:56 +0100, David Woodhouse wrote:
> On Thu, 2018-03-01 at 12:26 +0100, Muenz, Michael wrote:
> >
> > Thanks for your quick reply! Renaming of interfaces is no problem,
> > I
> > already wrote a plugin for OpenConnect as client.
>
> Ah, want to figure out the underlying io
On Thu, Mar 1, 2018 at 9:35 AM, Muenz, Michael wrote:
> Hi list
>
> I want to build an OCServ plugin for OPNsense Firewall based on FreeBSD.
> In the config there's an option "device" to set the name of the tun device.
>
> It seems to work fine on Linux but it doesn't work for FreeBSD.
> Whenever
On Fri, 2018-03-09 at 14:55 +0100, Muenz, Michael wrote:
> Am 08.03.2018 um 20:47 schrieb Nikos Mavrogiannopoulos:
> > On Thu, Mar 1, 2018 at 9:35 AM, Muenz, Michael wrote:
> > > Hi list
> > >
> > > I want to build an OCServ plugin for OPN
On Wed, 2018-03-07 at 09:22 +0800, Fung wrote:
> http://ocserv.gitlab.io/www/manual.html
> or sample.config
>
>
> 1. line
>
> # Subsets of the routes above that will not be routed by
>
> should be
>
> # Subsets of the routes below that will not be routed by
>
>
> 2. line
>
> # enable pr
On Tue, 2018-03-20 at 13:38 -0700, Vincent Huang wrote:
> doc/design.md indicates that the security module assigns session IDs
> to new user sessions, but I haven't been able to find where this
> happens, only that the SID gets passed around through a bunch of
> protobufs and used as a client sessi
On Tue, Apr 10, 2018 at 5:37 AM, Daniel Lenski wrote:
> On Apr 6, 2018 2:23 PM, "David Woodhouse" wrote:
>>On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
>>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l wrote:
>>> > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN …
>>>
>>> As
Currently the openconnect CI contains many expected failures, making CI
failure the norm. Fix that and mark expected failures as such.
regards,
Nikos
From 53e3f831c3f06023e9d6c60cbc16dd21c54d0de6 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sun, 15 Apr 2018 11:43:51 +0200
Subject
Hello,
I've released ocserv 0.11.12. This is a bug fix update in the
0.11.x branch.
* Version 0.11.12 (released 2018-04-22)
- Corrected crash on certain cases when proxy protocol is in use (#146).
- Corrected use of new features in GnuTLS 3.6.x
- Include crypt.h when necessary for crypt() - new
Hello,
I've just released ocserv 0.12.0. This release has improvements
for openconnect server to support virtual hosts, and
other improvements in the supported authentication methods.
* Version 0.12.0 (released 2018-04-22)
- Allow DTLS stream to come from different IP from TLS stream.
There a
On Thu, May 10, 2018 at 1:26 PM, David Woodhouse wrote:
> On Thu, 2018-05-10 at 01:38 +, Ryan Taylor wrote:
>>
>> If this is correct, using the servercert option is a significant security
>> problem.
>>
>> Perhaps the servercert option is not intended to be used for any sort of
>> security g
On Thu, May 31, 2018 at 1:10 PM, David Woodhouse wrote:
> After a lot of hard work and persistence by Dan, the GlobalProtect
> support is finally merged. Thanks!
>
> I'd like to make an 8.0 release fairly soon. I know I've been a little
> bit neglectful, so now would be a good time to remind me of
On Thu, May 31, 2018 at 1:10 PM, David Woodhouse wrote:
> I'm pondering using Gitlab for managing issues and pull requests to
> make sure they are tracked better. Feel free to file things there;
> we'll treat it as an experiment for now:
> https://gitlab.com/dwmw2/openconnect
ocs
On Wed, 2018-07-04 at 09:07 +0100, David Woodhouse wrote:
>
> > --dtls-ciphers='AES-256-GCM'
> > --dtls-ciphers='AES256-GCM-SHA384'
> >
> > The GCM cipher is the one the server negotiates correctly when not
> > using the --dtls-ciphers option.
> >
> > So could it be that the option does not work
That option works only with older ocserv and openconnect versions. With the
newer ones, the TLS negotiation is the way the cipher is decided.
On July 5, 2018 1:42:51 PM UTC, Daniel Lenski wrote:
>On Wed, Jul 4, 2018 at 1:07 AM, David Woodhouse
>wrote:
>> Some background would be useful to help under
On Thu, Jul 12, 2018 at 5:23 PM, Gareth Williams
wrote:
> Hi,
>
> I've just installed and configured ocserv. I'm using openconnect as a
> client on two Windows 10 laptops. If I attempt from, say, a hotel xDSL
> network, I connect and am able to access my lab environment remotely.
>
> However, if
On Sat, Jul 14, 2018 at 6:49 PM, Gareth Williams
wrote:
> Hi Dan,
>
> On 13/07/2018 22:12, Daniel Lenski wrote:
>>
>> On Fri, Jul 13, 2018 at 2:03 PM, Daniel Lenski wrote:
>>>
>>> Something in between the client and server is injecting an RST,ACK in
>>> both directions.
>>
>> If you tweak the sig
On Sat, Jul 14, 2018 at 9:52 PM, Gareth Williams
wrote:
> Hi Nikos
>
> On 14/07/2018 20:41, Nikos Mavrogiannopoulos wrote:
>>
>> What was the total size of the client hello? There was a particular
>> firewall which would terminate the TLS connection if the client hello
On Sun, Jul 15, 2018 at 4:41 PM, Gareth Williams
wrote:
>
> On 14/07/2018 21:06, Nikos Mavrogiannopoulos wrote:
>>
>> Unfortunately, it is only heuristics you can try here. It could be
>> that the middlebox doesn't understand a particular extension, or some
>>
On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote:
> Hi,
>
> Is there a way to have the latest Cisco AnyConnect 4.6 clients use
> ocserv with a stronger DTLS cipher than the default
> RSA_AES_128_SHA1?
> When the same version of AnyConnect connects to an ASA the DTLS
> cipher
> shows as DHE_R
Thanks. I've created this MR:
https://gitlab.com/openconnect/ocserv/merge_requests/86
On Wed, Jul 18, 2018 at 7:22 PM, Daniel Lenski wrote:
> On Tue, Jul 17, 2018 at 10:45 PM, Nikos Mavrogiannopoulos
> wrote:
>>
>> On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote
On Tue, Jul 24, 2018 at 6:21 PM, Daniel Lenski wrote:
> On Fri, Jul 20, 2018 at 9:54 AM, Dave Hansen wrote:
>> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
>> that blacklist TLS 1.0. Where should this get fixed?
>
> This seems to be a common feature of newer Cisco ser
On Fri, Jul 20, 2018 at 6:54 PM, Dave Hansen wrote:
> TL;DR: openconnect on Ubuntu 14.04 fails to connect to Intel VPN servers
> that blacklist TLS 1.0. Where should this get fixed?
>
> ---
>
> I'm running a rather vintage Ubuntu 14.04 which ships a rather
> unmodified openconnect 5.02 package.
On Tue, Jul 24, 2018 at 9:50 PM, Dave Hansen wrote:
> On 07/24/2018 12:22 PM, Nikos Mavrogiannopoulos wrote:
>>> Further, this code still seems to be around in openconnect, at least
>>> when compiled against old versions of gnutls:
>>>
>>> https://github.
On August 4, 2018 8:52:33 AM UTC, Jeroen Balduyck
wrote:
>On 6 July 2018 at 08:28, Nikos Mavrogiannopoulos
> wrote:
>> That option works only with older ocserv and openconnect versions.
>With the newer ones, the TLS negotiation is the way the cipher is decided.
>>
>> On
On Tue, Aug 7, 2018 at 2:10 PM, Jeroen Balduyck
wrote:
>>
>> The server should pick the same ciphersuite as in the TLS channel. However
>> you raise a valid point, you have no way to affect that ciphersuite right?
>> Either in the old or the new protocol. Indeed the oc client gives >no
>> contr
The reason openconnect client doesn't put the real value is because it doesn't
know it. The Cisco protocol was not sending that value and we had no reason to
"fix" it in the openconnect protocol.
On August 16, 2018 10:30:32 AM UTC, David Woodhouse wrote:
>On Thu, 2018-08-16 at 12:22 +0200, Jero
The option is all or nothing. If true then all the forwarded connections must
have the header.
On September 27, 2018 11:02:20 AM UTC, Volodymyr Litovka
wrote:
>Hello, colleagues,
>
>I'm facing strange issue, connecting to ocserv (0.11.9-1, Ubuntu 18)
>using openconnect (7.08, OSX) from behind
Firefox has kerberos (spnego) authentication disabled by default. You need to
enable it, per domain.
See:
https://www.adelton.com/docs/idm/enable-kerberos-in-firefox
On October 20, 2018 12:19:32 PM UTC, "chiasa.men" wrote:
>I'm running ocserv on a linux with kerberos auth which works well.
>My
On Tue, 2018-10-23 at 22:43 +0200, chiasa.men wrote:
> You are right. I already configured it and it works.
> My question is how to tell firefox to use the TGT gained via the vpn
> connection for the further authentication processes.
>
> At the moment I'm using MIT Kerberos Client and gain a Ti
I would certainly welcome a patch on that for gnutls!
On November 4, 2018 5:37:32 AM UTC, Yoshimasa Niwa wrote:
>> Hm... or maybe only the 'password' type fields should be stored in
>> keychain and every other form field can be provided on the command
>> line? Those ones aren't secret, after all.
On Fri, Dec 28, 2018 at 11:16 AM My Kindle wrote:
>
> Hi
>
> I would very much appreciate it if you could tell me how I can set up my ocserv.
> I always get a log with ocserv[892]: sec-mod: maximum number of stored TLS
> sessions reached (64), my ocserv is slow when users connect to it. I have
> tried to s
Hello,
I've just released ocserv 0.12.2. This is a minor feature update
release.
* Version 0.12.2 (released 2019-01-10)
- Added support for AES256-SHA legacy cipher. This allows the anyconnect
clients to use AES256.
- Added support for the DTLS1.2 protocol hack used by new Anyconnect clients.
Hi,
If you are using rhel with ipsec I would suggest to contact redhat at
access.redhat.com. This list is about openconnect, an ssl vpn.
On March 7, 2019 9:57:39 PM UTC, "Phillips, Tony" wrote:
>Hey, folks.
>
>We're using openconnect 8.02 on RHEL 7.4 VM, with a Palo Alto 5060
>firewall as the G
On Fri, 2019-03-08 at 10:27 +, David Woodhouse wrote:
> On Fri, 2019-03-08 at 10:24 +0000, Nikos Mavrogiannopoulos wrote:
> > Hi,
> > If you are using rhel with ipsec I would suggest to contact redhat
> > at access.redhat.com. This list is about openconnect, an ssl vpn.
On Fri, 2019-03-08 at 20:26 +, Phillips, Tony wrote:
> Resending because the listserver bounced it due to it being HTML
> email.
>
> > > Tony, what's the output of gnutls-cli --benchmark-tls-ciphers on
> > > that platform?
>
> Testing throughput in cipher/MAC combinations (payload: 1400 bytes
0 outgoing IP packets dropped.
>About the same number of TCP segments retransmitted.
>Segments retransmitted as a percentage of segments sent: 5%.
>
>That's pretty destructive to a TCP flow. Incidentally, we're using NFS
>over TCP to do the file handling.
>
On Fri, 2019-04-05 at 14:17 +0200, Wolfgang Dautermann wrote:
> Dear Openconnect/Ocserv-Team,
>
> I set up a VPN-Server with ocserv and each user does get a fixed
> (RFC1918) IP using a config-per-user configuration.
>
> How can I enable connections (e.g. ssh, http, ping, ...) between
> different
On Fri, 2019-04-05 at 20:45 +, David Woodhouse wrote:
> >
> > Cat /proc/crypto | grep module
> >
> > includes the output "module : aesni_intel
> >
> > Does that mean "yes?"
> >
> > If "not necessarily," let me know how to query that.
>
> It means the hardware does. Not necessarily the
ann
wrote:
>
> (sorry for the late answer)
>
> On 05.04.19 18:13, Nikos Mavrogiannopoulos wrote:
> > That's how the tun device is. Have you pushed the routes of your local
> > network to your clients? Most likely the clients do not know that the
> > network is h
On Thu, Apr 11, 2019 at 6:52 PM David Woodhouse wrote:
>
> On Wed, 2019-04-10 at 21:41 +, Phillips, Tony wrote:
> > Using the "Fake Server", and doing this from the OpenConnect Client:
> >
> > # netperf/bin/netperf netperf -H 172.16.0.2 -t UDP_STREAM -- -m 1024
> > MIGRATED UDP STREAM TEST fro
will
diminish quite fast. What about making it opt in?
On April 13, 2019 10:48:52 AM UTC, David Woodhouse wrote:
>On Fri, 2019-04-12 at 00:05 +0300, David Woodhouse wrote:
>> On Thu, 2019-04-11 at 22:14 +0200, Nikos Mavrogiannopoulos wrote:
>> > Do you really want to i
On April 18, 2019 3:27:53 PM UTC, Daniel Lenski wrote:
>
>3. OpenConnect currently supports the three most widely-deployed SSL
>VPNs in the USA (AnyConnect, Juniper, and GlobalProtect, in that
>order) based on my attempts to survey a bunch of S&P 500 companies and
>university websites using wha
Isn't ikev1 kind of being phased out?
On April 19, 2019 5:58:40 PM UTC, Daniel Lenski wrote:
>On Thu, Apr 18, 2019 at 5:04 PM David Woodhouse
>wrote:
>> Junos Pulse (which we should support because it supports IPv6 and at
>> some point they're doing to stop supporting the legacy NC protocol)
>h
On Fri, 2019-04-19 at 14:54 -0400, Daniel Lenski wrote:
> On Fri, Apr 19, 2019 at 2:22 PM Nikos Mavrogiannopoulos
> wrote:
> > Isn't ikev1 kind of being phased out?
>
> In theory, yes.
> But so are IPv4 and TLS v1.0… and I wouldn't hold my breath on any of
> the
On Thu, May 2, 2019 at 3:44 AM Amos Bird wrote:
>
> Hello!
>
> I tried commenting out the "route = default" in the ocserv config
> file, and even added no-route = default, but it still adds a default
> route after connecting. What else should I do to disable default
> route pushing?
Pushing no routes m
Hello,
I've just released ocserv 0.12.4. This is a bug fix release.
* Version 0.12.4 (released 2019-07-03)
- Added support for radius access-challenge (multifactor) authentication.
- Fixed race condition when connect-script and disconnect-script are
set, which could potentially cause a crash (
Hello,
I've just released ocserv 0.12.5. This is a bug fix release.
* Version 0.12.5 (released 2019-10-16)
- Fixed issue with FreeBSD tun devices closing (#213).
- Added configuration option udp-listen-host. This option supports different
listen addresses for tcp and udp such as haproxy for tc
On Wed, Oct 23, 2019 at 2:23 AM Leendert van Doorn
wrote:
>
> I wanted to let this list know some of my observations with getting IPv6 to
> work on my iPhone with Anyconnect and an ocserv server. I noticed some much
> older threads on this list but no one got it working as far as I can tell.
>
>
On Thu, Oct 31, 2019 at 3:33 PM Leendert van Doorn
wrote:
>
> On Thu, Oct 31, 2019 at 6:59 PM Nikos Mavrogiannopoulos
> wrote:
> >
> > Is there something we can do on the ocserv side to improve that?
> > If we sent the routes to the mobile client, would it w
Are you using the config-per-group directive? This does not seem to
support the split-dns directive. You could modify
src/sup-config/file.c to read it, as well as the related ipc file. If
you cannot do it, please open a ticket at gitlab ocserv's site.
regards,
Nikos
On Mon, Nov 4, 2019 at 4:39 PM
Thank you. I've tweaked it a little to be less disruptive for
openconnect clients:
https://gitlab.com/openconnect/ocserv/merge_requests/119
Do the anyconnect servers send the 2000::/3 route to iphone
clients all the time?
regards,
Nikos
On Fri, Nov 15, 2019 at 5:40 AM Leendert van Doorn
wr
Yes. You will need to turn off the cisco client compatibility though, and the
behavior should change to what you described.
Regards,
Nikos
On December 1, 2019 3:19:02 AM UTC, Siyuan Ren wrote:
>Hi,
>
>I don't want people (well, more specifically, China's great firewall)
>to find out that my VM h
It wouldn't matter benchmarking it. It will not be significantly different.
From what you describe the crypto capacity of cpu is at least 10-fold what you
see on the wire. So the issue is somewhere else.
On December 30, 2019 10:08:28 AM UTC, Carles Pina i Estany
wrote:
>
>Hi,
>
>On Dec/30/201
On Fri, Jan 3, 2020 at 10:23 PM Ian Lord wrote:
>
> Hi,
>
> I am new to Openconnect VPN Server and I was able to install the server and
> connect to it using the OpenConnect Gui VPN Client.
>
> When I try to connect to the same server using Cisco Anyconnect Secure
> Mobility Client version 4.8.0
Unfortunately we have no automated testing with anyconnect clients, so
it could be that new clients expect something different, or that we
simply regressed in that feature. I'd suggest reporting the issue at:
https://gitlab.com/openconnect/ocserv with as much debugging info as
possible.
regards,
N
On Fri, Jan 10, 2020 at 1:30 PM Florian Domain wrote:
>
> Hi all,
>
> We're using ocserv with 2 factor authentication (LDAP and Duo, very
> similar to what is described here
> https://ocserv.gitlab.io/www/recipes-ocserv-2fa.html#Duo).
>
> I found out that on a single ocserv server, when a login pr
On Mon, Jan 13, 2020 at 6:21 PM Philippe Strauss
wrote:
> tls-priorities =
> "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
Change this to:
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
On Mon, Jan 13, 2020 at 4:55 PM Florian Domain wrote:
>
> Hi Nikos,
>
> Thanks for your reply.
>
> I did some tests with two users trying to connect at the same time,
> and ocserv is not blocking at username/password/LDAP stages, but only
> when duo has sent its notification to user's device. So a
ssue.
>
>Regards,
>
>Florian D.
>
>Le mar. 14 janv. 2020 à 09:04, Nikos Mavrogiannopoulos
> a écrit :
>>
>> On Mon, Jan 13, 2020 at 4:55 PM Florian Domain
> wrote:
>> >
>> > Hi Nikos,
>> >
>> > Thanks for your reply.
>
> Quick question for folks on this list.
> During our security review of OpenConnect server, a couple of questions
> were raised:
> 1) Can we drop privileges from the ocserv-main process after forking the
> ocserv-sm?
> a. Looking through the code, I don't see any obvious reason why not, but
On Mon, Feb 3, 2020 at 4:58 PM Alan Jowett wrote:
>
> Thanks for the quick feedback, I appreciate it.
>
> Privileges needed by ocserv-main
> - Any chance the up/down scripts could be moved to ocserv-sm? Based on the
> other thread, I think the answer is no due to concurrency constraints, but
> f
Hi,
If you use "SAN(rfc822name)" as the cert-user-oid you will have the full
address as username. From then you can use the scripts to do additional
authorization if required.
regards,
Nikos
From: openconnect-devel on
behalf of fddi
Sent: Thursday, M
I'd suggest to use the openconnect-gui windows application as it can use smart
cards supported in windows natively.
https://openconnect.github.io/openconnect-gui/
From: openconnect-devel on
behalf of Noss Benoit
Sent: Friday, March 20, 2020 12:10 PM
To
On Mon, Mar 30, 2020 at 6:49 PM Daniel Lenski wrote:
>
> On Mon, Mar 30, 2020 at 12:55 AM Stefano Piletti wrote:
> >
> >
> > Hello,
> > I'm looking for a way to make openconnect server and client connect using
> > protocol chacha20-poly1305 which happens to be faster on my setup.
> > I have trie
On Thu, Jul 30, 2020 at 10:00 PM Jason Gunthorpe wrote:
>
> If GCM is not available on the VPN server this is a reasonable fallback.
>
> Servers will not auto-fallback to older TLS if the X-DTLS12-CipherSuite is
> sent, so the existing non-GCM modes with the old TLS do not negotiate.
In terms of s
On Sun, Aug 30, 2020 at 11:11 PM Yuriy Andamasov wrote:
>
> Hello Community!
> My name is Yuriy and I'm one of the coordinators at the VyOS project.
> Not that much time ago we integrated ocserv in VyOS rolling release
> https://twitter.com/vyos_dev/status/129582719962114
> Seems people received idea
I do not have a preference on the location; I do not know if David's stats on
the web site show a particular location being more dominant by visitors.
regards,
Nikos
From: openconnect-devel on
behalf of Yuriy Andamasov
Sent: Tuesday, September 8, 2020
On Sun, Sep 13, 2020 at 2:41 PM wrote:
>
>
> Hello everyone,
>
Hi!
> Now my problem: In one of my standard configurations, I run the ocserv
> behind of proprietary routers on a small arm-based computer. On that, I
> use armbian which is a Debian derivative with a 5.7 Linux Kernel
> optimized for