~mamarley/openconnect/+git/gitlab-main:check_tcp_mtu_tool

Last commit made on 2022-06-20
Get this branch:
git clone -b check_tcp_mtu_tool https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main


Branch information

Name:
check_tcp_mtu_tool
Repository:
lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

47a0d3e... by Dan Lenski

Tunnel MTU calculation diagrams

Signed-off-by: Daniel Lenski <email address hidden>

e89cf07... by Dan Lenski

Check IP and TCP options sizes in os-tcp-mtu

Signed-off-by: Daniel Lenski <email address hidden>

9955d6a... by Dan Lenski

Don't build os-tcp-mtu on Windows

It doesn't work

Signed-off-by: Daniel Lenski <email address hidden>

31420fe... by Dan Lenski

Add os-tcp-mtu utility

Makes a host connection to an arbitrary TCP/IP host:port, and checks the
estimates of the MTU/MSS provided by various getsockopt() calls, just as
OpenConnect uses in calculate_mtu().

Signed-off-by: Daniel Lenski <email address hidden>
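The probe described in this commit, together with the follow-up that checks IP and TCP option sizes, as an added example that is not OpenConnect's os-tcp-mtu or its calculate_mtu(): it connects to a host:port (or, with no arguments, to a local listener so it runs offline), reads IP_MTU and TCP_MAXSEG via getsockopt(), and backs a base MTU out of the MSS. The function names, the header and option sizes, and the plausibility check are assumptions of this example, not taken from the project; it is Linux-only, consistent with the commit above that excludes Windows.

```c
/* Added example, not OpenConnect's os-tcp-mtu or calculate_mtu(): read the MTU/MSS
 * estimates a connected TCP socket exposes via getsockopt() and derive a base MTU.
 * Linux-only (IP_MTU/IPV6_MTU). Assumed sizes: IPv4 20, IPv6 40, TCP 20, TS option 12. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

enum { IPV4_HDR = 20, IPV6_HDR = 40, TCP_HDR = 20, TCP_TS_OPT = 12 };
static int ip_hdr(int family) { return family == AF_INET6 ? IPV6_HDR : IPV4_HDR; }

/* Path MTU implied by an MSS: add back the IP header, TCP header and TCP option
 * bytes (0 if none, TCP_TS_OPT with timestamps). Returns -1 if mss is unusable. */
int mtu_from_mss(int mss, int family, int tcp_opt_len)
{
	return mss > 0 ? mss + ip_hdr(family) + TCP_HDR + tcp_opt_len : -1;
}

/* An MSS above MTU minus the fixed headers is impossible; the check to apply to a
 * peer-supplied MSS/MTU that looks too high. Returns 1 if the pair is plausible. */
int mss_consistent_with_mtu(int mss, int mtu, int family)
{
	return mss > 0 && mtu > 0 && mss <= mtu - ip_hdr(family) - TCP_HDR;
}

/* Query IP_MTU (or IPV6_MTU) and TCP_MAXSEG on a connected socket. Unavailable
 * values become -1; returns 0 if at least one was obtained, else -1. */
int probe_socket(int fd, int family, int *ip_mtu, int *tcp_mss)
{
	socklen_t len = sizeof(int);
	int level = family == AF_INET6 ? IPPROTO_IPV6 : IPPROTO_IP;
	int opt = family == AF_INET6 ? IPV6_MTU : IP_MTU;
	if (getsockopt(fd, level, opt, ip_mtu, &len) < 0) *ip_mtu = -1;
	len = sizeof(int);
	if (getsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, tcp_mss, &len) < 0) *tcp_mss = -1;
	return *ip_mtu < 0 && *tcp_mss < 0 ? -1 : 0;
}

/* Offline variant: connect to a listener on 127.0.0.1 (the kernel completes the
 * handshake without accept()) and probe the client side. 0 on success, -1 on error. */
int probe_loopback(int *ip_mtu, int *tcp_mss)
{
	int lfd, cfd = -1, rc = -1;
	struct sockaddr_in sa = { .sin_family = AF_INET }; /* sin_port 0: kernel picks */
	socklen_t salen = sizeof(sa);
	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		return -1;
	if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
	    getsockname(lfd, (struct sockaddr *)&sa, &salen) == 0 && listen(lfd, 1) == 0 &&
	    (cfd = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
	    connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
		rc = probe_socket(cfd, AF_INET, ip_mtu, tcp_mss);
	if (cfd >= 0) close(cfd);
	close(lfd);
	return rc;
}

/* Connect to host:port over IPv4 or IPv6, storing the family used. -1 on failure. */
int connect_to(const char *host, const char *port, int *family)
{
	struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res, *r;
	int fd = -1;
	if (getaddrinfo(host, port, &hints, &res) != 0)
		return -1;
	for (r = res; r && fd < 0; r = r->ai_next) {
		fd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
		if (fd >= 0 && connect(fd, r->ai_addr, r->ai_addrlen) == 0)
			*family = r->ai_family;
		else if (fd >= 0) { close(fd); fd = -1; }
	}
	freeaddrinfo(res);
	return fd;
}

/* Usage: ./tcp-mtu-example [host port]; with no arguments it probes loopback. */
int main(int argc, char **argv)
{
	int family = AF_INET, fd, ip_mtu, tcp_mss, rc;
	if (argc == 3) {
		if ((fd = connect_to(argv[1], argv[2], &family)) < 0)
			return 1;
		rc = probe_socket(fd, family, &ip_mtu, &tcp_mss);
		close(fd);
	} else {
		rc = probe_loopback(&ip_mtu, &tcp_mss);
	}
	if (rc < 0)
		return 1;
	printf("IP_MTU=%d TCP_MAXSEG=%d\n", ip_mtu, tcp_mss);
	printf("MTU implied by MSS: %d (no options) / %d (timestamps); MSS plausible for IP_MTU: %s\n",
	       mtu_from_mss(tcp_mss, family, 0), mtu_from_mss(tcp_mss, family, TCP_TS_OPT),
	       mss_consistent_with_mtu(tcp_mss, ip_mtu, family) ? "yes" : "no");
	return 0;
}
```

On Linux, TCP_MAXSEG after the handshake is the effective MSS, so with timestamps negotiated it sits 12 bytes below MTU minus the fixed headers; that is why the option sizes have to be added back rather than a flat 40 or 60. mss_consistent_with_mtu() is the kind of plausibility check a client wants before trusting a server-supplied MTU that looks too high.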

c55a6c5... by Dan Lenski

[QUICK-AND-DIRTY] Calculate Pulse MTU independently of the server and override if the server's value seems too high

See comments inline for what's going on here.

Signed-off-by: Daniel Lenski <email address hidden>

cf4c5dc... by Dan Lenski

Log more details of unknown Pulse packets

Perhaps there's something useful/interesting lurking in the unknown packets,
like a DPD/keepalive packet, as noted in
https://gitlab.com/openconnect/openconnect/-/issues/456

Signed-off-by: Daniel Lenski <email address hidden>

37b6a79... by Dan Lenski

Clarify purpose/scope of --usergroup option

The name '--usergroup' exists purely for historical/Cisco-specific reasons.
Its function is simply to override the *path* of the URL for the initial
HTTPS request to the server.

Thus 'openconnect --usergroup loginRealm vpn.server.com'
and 'openconnect https://vpn.server.com/loginRealm' are entirely equivalent;
with most front-ends, specifying the URL directly is the only way to set the
path.

Signed-off-by: Daniel Lenski <email address hidden>

8953715... by Dan Lenski

Clarify purpose/scope of --authgroup option

We frequently get questions from users who are unsure of how to
automatically enter an authentication dropdown selection using the command
line client. A recent example:
https://lists.infradead.org/pipermail/openconnect-devel/2022-May/005125.html

The `--authgroup=GROUP` option is specifically designed for this purpose: it can enter
a value into "the right" dropdown/list field on multiple protocols:

- Cisco AnyConnect/ocserv: "authgroup" selection form field
- Juniper: "realm" OR "frmSelectRoles" selection form field
- Pulse: "realm" selection form field
- Fortinet: "realm" selection form field
- F5: "domain" selection form field
- GlobalProtect: "gateway" selection form field (found on the "portal" interface;
  this one actually controls the choice of gateway server)

The functionality of the `--authgroup` option is not as obvious as
it could/should be because the name "authgroup" is Cisco-specific.

This patch improves the `--help` output and openconnect(8) man page to
show that it works with other protocols as well, and mention the names
of the relevant fields for those protocols.

Signed-off-by: Daniel Lenski <email address hidden>

6246bbd... by Dimitri Papadopoulos Orfanos <email address hidden>

Merge branch 'const' into 'master'

Fix constness again in HKDF/HPKE-related functions

See merge request openconnect/openconnect!384

422f5f8... by Dan Lenski

Explain why explicit proxying usually doesn't work in MITM docs

Simply put, many VPN clients *ignore* an explicitly-set browser/system
proxy, whether as an intentional anti-MITM measure or as a consequence of
inconsistent and incompetent design and coding.

This is why transparent proxying is generally necessary in order to reliably
MITM a proprietary VPN client.

Initially discussed in
https://gitlab.com/openconnect/openconnect/-/issues/366#note_968160422.

Signed-off-by: Daniel Lenski <email address hidden>