Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

ocserv-0.11.10-lp152.4.7 RPM for ppc64le

From OpenSuSE Ports Leap 15.2 for ppc64le

Name: ocserv Distribution: openSUSE:Leap:15.2:PowerPC / ports
Version: 0.11.10 Vendor: openSUSE
Release: lp152.4.7 Build date: Sat May 16 15:36:08 2020
Group: Productivity/Networking/Security Build host: obs-power9-06
Size: 1189238 Source RPM: ocserv-0.11.10-lp152.4.7.src.rpm
Packager: https://bugs.opensuse.org
Url: http://www.infradead.org/ocserv
Summary: OpenConnect VPN Server
 
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to
be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. The server
is implemented primarily for the GNU/Linux platform but its code
is designed to be portable to other UNIX variants as well.

Ocserv's main features are security through privilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP. Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process.
A management interface allows for viewing and querying logged-in users.

Provides

Requires

License

GPL-2.0

Changelog

* Tue Feb 27 2018 i@marguerite.su
  - add firewalld service
* Sat Feb 24 2018 i@marguerite.su
  - update version 0.11.10
    * see NEWS
  - drop boo1021353-ocserv-doc-racing-in-parallel-build.patch
    * upstreamed
  - add ocserv-LZ4_compress_default.patch
    * leap doesn't have LZ4_compress_default
* Thu May 11 2017 dimstar@opensuse.org
  - Use readline (current) instead of readline5:
    + Replace readline5-devel BuildRequires with readline-devel.
* Mon Jan 23 2017 i@marguerite.su
  - fix boo#1021353: ocserv randomly misbuilds man pages
  - add patch: boo1021353-ocserv-doc-racing-in-parallel-build.patch
    * occtl and ocpasswd are both built from args.def, which
      will cause a racing problem in parallel builds that autogen
      write contents randomly. fixed by adding a prefix to make
      them different in filename.
* Wed Dec 21 2016 i@marguerite.su
  - update version 0.11.6
    * cserv: Improved detection of mobile clients
    * ocserv: Update the worker's ID on Radius accounting messages.
      That is, even if we initially advertize the ID of the worker
      handling the client as NAS-Port, the client may eventually end-up
      being served by another process with different ID. In that case we make
      sure that the radius server is notified on the next accounting message.
      If you are using radius see doc/README.radius.md about NAS-Port, since
      that behavior may cause issues in freeradius installations.
    * ocserv: Added config option 'switch-to-tcp-timeout'. That allows an
      automatic switch to TCP in case of no received UDP traffic for
      certain time
    * ocserv: Pre-load the OCSP response file; that way worker processes can
      serve it, even if they have no access to it.
    * ocserv: When compiled with GnuTLS 3.5.6 automatically set DH
      parameters from the known set.
* Fri Feb 12 2016 i@marguerite.su
  - update version 0.10.11
    * Corrected the reporting of keepalive to occtl.
    * Handle clients which send the first request to /VPN
    * Prevent a crash in per-user config dir is not available if
      expose-iroutes is set to true.
  - update license: GPL-2.0
  - open ports using ocserv.SuSEfirewall
  - enable ip forwarding using ocserv.sysctl
* Thu Jan 07 2016 i@marguerite.su
  - update version 0.10.10
    * Increase the number of log messages logged in the default level.
      That is added messages that could be of use to administrators.
    * Introduced ipv6-subnet-prefix config option. That option allows
      to specify the IPv6 subnet prefix to be given to client. That is,
      allow providing the clients networks larger than /128. The default
      setting is 128 to keep backwards compatibility.
    * Introduced the expose-iroutes config option. That option allows
      the server to advertise routes offered by some clients to all of
      them. This requires the config-per-user option.
    * When a client has assigned iroutes which cannot be applied, he
      will be denied access.
    * Added restrict-user-to-routes configuration option which will
      execute ocserv-fw script on user connection. The script will
      set firewall rules which deny the user access to any other
      networks than the routes set for the user. This is added as a
      tech preview; details of this option may change on later releases.
    * When banning IPv6 addresses treat a /64 network as a single address.
    * Fixed conflict with isolate-workers and user-profile.
    * occtl: Allow disabling the pager functionality on compile time
      using --with-pager="".
* Wed Oct 21 2015 i@marguerite.su
  - update version 0.10.9
    * When compiled with GnuTLS 3.4 automatically sort the certificate
      list to be imported
    * Reload the CRL during periodic maintaince if its modification
      time changes
    * Address issue with duplicate check failing on IPv6 addresses
    * Added the ability to specify a UsersFile in plain auth for using
      an OTP
      This allows to use an OTP 2nd factor authentication without having
      to rely on PAM. This change, also enables the usage of an empty
      password field in the password file if an OTP file is present
    * Allow loading DER-encoded CRLs
    * Re-added the PAM accounting method. That accounting method can
      be combined with any authentication method, and can be used to
      check for a valid system account
  - changes in 0.10.8
    * Pass the proxy protocol information at earlier stage to main
      process, to allow the correct information to be passed at the
      connect script and occtl
    * Added the IP_REAL_LOCAL environment variable to scripts. This
      passes the local IP the client connected to
    * The PAM accounting method was dropped as there was no practical
      usage of it, the way it was implemented
    * When assigning IPv6 addresses use the whole available netmask
    * occtl: Print the local IP the client connected to, with the
      client information
    * occtl: Print the configured for the client split-dns domains
  - changes in 0.10.7
    * Added a fuzzying factor to CPU intensive, or radius communication
      tasks when initiated by worker process. That avoids a very
      high load periodically, e.g., when multiple clients connect
      at the same time
    * Added support for haproxy's protocol v2 format. That allows
      to report the correct client IP even on proxied sessions.
      It introduces the configuration option listen-proxy-proto
    * occtl: added -n/--no-pager option. That allows to disable
      pager explicitly
    * occtl: fixed several cases of invalid JSON output
  - changes in 0.10.6
    * Transmit packets to the last incoming source, allowing faster
      switch of the communication channel
    * The worker processes will utilize the UDP socket address
      (if any), when reporting peer's address if the listen-clear-file
      option is set
    * Lifted the limit on the number of configuration options. That
      allows to add an "unlimited" number of 'route' options
    * Support encrypted key files. That adds the key-pin and srk-pin
      configuration options
    * The dbus communication option has been dropped
    * Radius: depend on radcli radius library
    * occtl: added -j/--json option. That allows to output in a
      JSON format
* Mon Jun 08 2015 i@marguerite.su
  - set isolated-workers to false since we didn't build w/ seccomp yet
  - change systemd socket ports as well
* Sun Jun 07 2015 i@marguerite.su
  - update version 0.10.5
    * Added tgt-freshness-time option for gssapi/Kerberos authentication
      option. That allows to specify the maximum number of seconds after
      which a reauthentication with Kerberos is required to login to VPN.
    * main/sec-mod: impose long timeouts on reads from sec-mod. That
      would prevent issues when reading in a blocked in authentication
      sec-mod.
    * radius: When using radius accounting with certificate
      authentication, properly notify of user session termination.
    * radius: On definitely terminated sessions contact the radius server
      as soon as possible. For sessions that can still be resumed the
      radius server is contacted periodically after the cookies expire.
    * radius: consider Acct-Interim-Interval when seen by the server.
      That will be taken into account if groupconfig=true in radius
      subconfig.
    * Added configuration options persistent-cookies and session-timeout.
    * radius: added support for Route-IPv6-Information,
      Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address,
      Session-Timeout.
    * Corrected desync of main and sec-mod by introducing a synchronous
      communication socket. Reported by Mani Behrouz.
    * PAM: forward the actual prompt to worker process, and not only
      informational messages.
  - drop ocserv-str_init.patch, upstream fixed.
* Fri Feb 13 2015 i@marguerite.su
  - add user.tmpl, for certificate login
  - tweak default config more
  - add README.SUSE as setup instructions
* Mon Feb 02 2015 i@marguerite.su
  - initial version 0.9.0.1
    * Added native support for radius. That adds the new auth
      configuration option "radius", which has as parameters
      the freeradius-client configuration file and optionally
      the groupconfig option which instructs to read
      configuration from radius; the stats-report-time option
      enables interim-updates. That adds the dependency to
      freeradius-client (see doc/README.radius).
    * Reply using the same address that received UDP packets
      are sent.
    * Simplify the input of IPv6 network addresses.
    * Use a separate IPC and PID namespace in Linux systems
      for worker processes. That effectively puts each worker
      process in a separate container. This can be enabled at
      compile time using --enable-linux-namespaces.
    * Configuration option 'use-seccomp' was replaced by
      'isolate-workers', which in addition to seccomp it enables
      the Linux namespaces restrictions.
    * Added support for stateless compression using LZ4 and LZS.
      This is disabled by default.
  - disable dbus interface because currently it provides less
    function than unix socket
  - add patch: ocserv-str_init.patch
  - add patch: ocserv-enable-systemd.patch
  - add patch: ocserv.config.patch

Files

/etc/ocserv
/etc/ocserv/README.SUSE
/etc/ocserv/certificates
/etc/ocserv/certificates/ca.tmpl
/etc/ocserv/certificates/server.tmpl
/etc/ocserv/certificates/user.tmpl
/etc/ocserv/ocpasswd
/etc/ocserv/ocserv.conf
/etc/sysconfig/SuSEfirewall2.d/services/ocserv
/etc/sysctl.d/60-ocserv.conf
/usr/bin/occtl
/usr/bin/ocpasswd
/usr/bin/ocserv-fw
/usr/bin/ocserv-script
/usr/lib/firewalld
/usr/lib/firewalld/services
/usr/lib/firewalld/services/ocserv.xml
/usr/lib/systemd/system/ocserv.service
/usr/lib/systemd/system/ocserv.socket
/usr/sbin/ocserv
/usr/share/doc/packages/ocserv
/usr/share/doc/packages/ocserv/AUTHORS
/usr/share/doc/packages/ocserv/COPYING
/usr/share/doc/packages/ocserv/LICENSE
/usr/share/doc/packages/ocserv/NEWS
/usr/share/doc/packages/ocserv/README.md
/usr/share/doc/packages/ocserv/TODO
/usr/share/man/man8/occtl.8.gz
/usr/share/man/man8/ocpasswd.8.gz
/usr/share/man/man8/ocserv.8.gz

Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 11:51:01 2024