~mamarley/openconnect/+git/gitlab-main:warn_about_blocked_DTLS_0.9_in_recent_OpenSSL

Last commit made on 2023-05-09
Get this branch:
git clone -b warn_about_blocked_DTLS_0.9_in_recent_OpenSSL https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information

Name:
warn_about_blocked_DTLS_0.9_in_recent_OpenSSL
Repository:
lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

1678841... by Dan Lenski

Warn about blocked DTLS 0.9/1.0 in recent builds of OpenSSL, suggest --allow-insecure-crypto

Recent distro builds of OpenSSL prevent the use of pre-1.2 TLS via default
security policies, along with pre-1.2 DTLS. This is a headache for VPNs
because many (most?) Cisco AnyConnect VPNs are still using Cisco's pre-1.0
DTLS (also known as "DTLS 0.9", or "bad DTLS" in OpenConnect).

* Ubuntu's build of OpenSSL starting with 1.1.1f (https://packages.ubuntu.com/focal-updates/libssl-dev,
  see patch "tls1.2-min-seclevel2.patch")
* Debian's build of OpenSSL starting with 1.1.1k (https://sources.debian.org/patches/openssl/1.1.1k-1+deb11u1,
  see patch "set systemwide default settings for libssl users")

Discussion on mailing list at
http://lists.infradead.org/pipermail/openconnect-devel/2022-March/005103.html.

This adds a warning when DTLS handshake fails with OpenSSL 1.1.1f+, and
suggests the use of `--allow-insecure-crypto` which attempts to set the
OpenSSL security level (https://openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html)
to 0 as a workaround.

Signed-off-by: Daniel Lenski <email address hidden>

f3890a9... by Dan Lenski

Add os-tcp-mtu utility

Makes a host connection to an arbitrary TCP/IP host:port, and checks the
estimates of the MTU/MSS provided by various getsockopt() calls, just as
OpenConnect uses in calculate_mtu().

TODO:

1. Implement a working os-tcp-mtu for Windows, and build that too.
2. Use https://github.com/morristech/android-ifaddrs as
   a drop-in replacement for `getifaddrs(3)` on Android

Signed-off-by: Daniel Lenski <email address hidden>

1835918... by Luca Boccassi

Merge branch 'softhsm' into 'master'

OBS: softhsm is not available in SUSE

See merge request openconnect/openconnect!472

9d8b5b7... by Luca Boccassi

OBS: softhsm is not available in SUSE

Signed-off-by: Luca Boccassi <email address hidden>

fc5f8d6... by dwmw2

Build release builds as snapshots for COPR

We can't have a GPG signature on a tarball we create ourselves.

Signed-off-by: David Woodhouse <email address hidden>

723a047... by dwmw2

Tag version 9.10

Signed-off-by: David Woodhouse <email address hidden>

5aca543... by dwmw2

Fix use-after-free in realloc_inplace()

In file included from auth-globalprotect.c:20:
auth-globalprotect.c: In function 'parse_prelogin_xml':
openconnect-internal.h:1180:17: warning: pointer '__realloc_old_176' may be used after 'realloc' [-Wuse-after-free]
 1180 | free(__realloc_old); \
      | ^~~~~~~~~~~~~~~~~~~
openconnect-internal.h:1178:13: note: call to 'realloc' here
 1178 | p = realloc(p, size); \
      | ^~~~~~~~~~~~~~~~

This is a true warning. The second argument to the realloc_inplace()
macro includes a strlen() of the first. Evaluate it first, before the
attempt to realloc().

Signed-off-by: David Woodhouse <email address hidden>
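
The macro shape the commit above describes, as an added example that is not OpenConnect's own code: a hypothetical `realloc_inplace()`-style macro that hoists the size expression into a local before calling `realloc()`, so a size argument that reads the pointer (such as `strlen(p) + n`) is evaluated exactly once and never against a block that `realloc()` has already freed or moved. The `append_inplace()` and `build_greeting()` helpers and their sample strings are constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction, not OpenConnect's macro.  SIZE is evaluated
 * once, into ri_size, before realloc() can free or move P.  If realloc()
 * fails the old block is released and P is left NULL so callers can tell. */
#define realloc_inplace(P, SIZE) do {                 \
        size_t ri_size = (SIZE);                      \
        void *ri_old = (P);                           \
        (P) = realloc((P), ri_size);                  \
        if (!(P))                                     \
                free(ri_old);                         \
} while (0)

/* Append SUFFIX to the heap string *BUF, growing it in place.  The size
 * argument reads *buf through strlen(), which is the pattern the commit
 * message says GCC flagged; the hoisted macro makes that read happen
 * strictly before the realloc() call.  Returns 0 on success, -1 on OOM
 * (in which case *buf is NULL and the old block is already freed). */
int append_inplace(char **buf, const char *suffix)
{
        realloc_inplace(*buf, strlen(*buf) + strlen(suffix) + 1);
        if (!*buf)
                return -1;
        strcat(*buf, suffix);
        return 0;
}

/* Build a string from constructed sample pieces; caller frees the result.
 * Returns NULL if any allocation fails (nothing leaks on that path). */
char *build_greeting(void)
{
        char *s = malloc(sizeof "DTLS");   /* constructed sample input */
        if (!s)
                return NULL;
        strcpy(s, "DTLS");
        if (append_inplace(&s, " 0.9") != 0 ||
            append_inplace(&s, " blocked") != 0) {
                free(s);                   /* s is NULL here; free(NULL) is a no-op */
                return NULL;
        }
        return s;
}
```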

b6b8520... by dwmw2

Resync translations with sources

Signed-off-by: David Woodhouse <email address hidden>

299d444... by dwmw2

Rework ESP probe retries

We weren't attempting to resend ESP probes at all, except at the retry
interval of about a minute. In a lossy network, or perhaps when the
server is slow to configure its end and start accepting ESP probes,
this meant that users sometimes saw the ESP failing to establish for
a whole minute (or multiple thereof).

Drop the loops in the protocol-specific udp_send_probes() functions
which were a primitive attempt to handle packet loss, and instead
deliberately send one probe a second for five seconds, before giving
up for the remainder of the dtls_attempt_period.

Fix up the reconnect handling with vpninfo->dtls_need_reconnect while
we're at it; it looks like that would just cause us to keep sending
probes and the flag would never be cleared.

Fixes: #601
Signed-off-by: David Woodhouse <email address hidden>

ab5f163... by Dimitri Papadopoulos <email address hidden>

pulsesecure.net → ivanti.com

We should also rename Pulse Connect Secure to Ivanti Connect Secure
at some point. For now, even the Ivanti web site uses both, perhaps
we should wait before we switch Pulse to Ivanti.

Signed-off-by: Dimitri Papadopoulos <email address hidden>