908c2bb...
by
Dan Lenski
on 2020-10-15
finesse the URL-decoding of the GP login args
Unsurprisingly, it's messier than I thought it was. Some of them definitely
need to be URL-decoded, and some definitely shouldn't be.
https://gitlab.com/openconnect/openconnect/-/issues/147#note_429943037
Signed-off-by: Daniel Lenski <email address hidden>
767f47e...
by
Dan Lenski
on 2020-10-15
Merge https://gitlab.com/openconnect/openconnect/-/merge_requests/114
Signed-off-by: Daniel Lenski <email address hidden>
ae4c06c...
by
Dan Lenski
on 2020-05-22
add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+
OpenSSL 1.1.0+ removes 3DES and RC4 from the default build: https://www.openssl.org/blog/blog/2016/08/24/sweet32/
There is no way to re-enable without rebuilding from source.
Signed-off-by: Daniel Lenski <email address hidden>
a63086a...
by
Dan Lenski
on 2020-05-18
add 'obsolete-server-crypto' and 'pfs' tests
These are designed to ensure that we don't inadvertently break compatibility
with legacy/obsolete server crypto, and also that we don't *inadvertently
connect* to less-secure crypto than requested.
May need to override system crypto policy in order for GnuTLS to allow old crypto in CI.
(per nmav: https://gitlab.com/openconnect/openconnect/-/issues/145#note_346497960 )
- 'pfs': connect to a server whose only KX is RSA KX [if and only if]
`--pfs` is [not specified]
- 'obsolete-server-crypto': connect to a server whose only ciphers are 3DES
and/or RC4 [if and only if] `--allow-insecure-crypto` is specified
Signed-off-by: Daniel Lenski <email address hidden>
6c508a2...
by
Dan Lenski
on 2020-05-18
modify tests/common.sh so that launch_simple_sr_server() → test → cleanup() can be used repeatedly in a single script
Signed-off-by: Daniel Lenski <email address hidden>
f3aee6d...
by
Dan Lenski
on 2020-05-23
with --allow-insecure-crypto, check if it can be enabled by the library and fail if not
Fixes the issue of silent failure both with and without this option.
Getting the ciphers in OpenSSL 1.1.0 is extremely tedious.
Signed-off-by: Daniel Lenski <email address hidden>
662e4d9...
by
Dan Lenski
on 2020-05-18
Attempt to future-proof --allow-obsolete-crypto
`--allow-obsolete-crypto` with GnuTLS 3.6.0+ should set `%VERIFY_ALLOW_SIGN_WITH_SHA1` as well
(per nmav: https://gitlab.com/openconnect/openconnect/-/merge_requests/114#note_346496796 ),
and should explicitly reenable SHA1
(moved to GnuTLS “bad hashes list” in 1d75e116b1681d0e6b140d7530e7f0403088da88)
Signed-off-by: Daniel Lenski <email address hidden>
4c1213a...
by
Dan Lenski
on 2020-05-18
rework MR to add --allow-insecure-crypto, and corresponding API functions
Allowing the ancient, broken 3DES and RC4 ciphers is insecure; we do not
want to (re-)enable them by default. (See discussion:
https://gitlab.com/openconnect/openconnect/-/issues/145#note_344687335 )
However, some still-in-use VPN servers can't do any better. So instead, we
explicitly disable them, unless explicitly enabled with the
`--allow-insecure-crypto` option, or corresponding API functions.
Signed-off-by: Daniel Lenski <email address hidden>
6f09997...
by
Dan Lenski
on 2020-10-15
Merge https://gitlab.com/openconnect/openconnect/-/merge_requests/117
Signed-off-by: Daniel Lenski <email address hidden>
d3af00e...
by
Dan Lenski
on 2020-10-15
Merge https://gitlab.com/openconnect/openconnect/-/merge_requests/123
Signed-off-by: Daniel Lenski <email address hidden>