OpenConnect 7.03 release
David Woodhouse
dwmw2 at infradead.org
Fri Jan 9 06:04:34 PST 2015

This release fixes an issue with the two-stage authentication that is
used with tools like NetworkManager (or openconnect --authenticate),
where you first authenticate with an interactive client and then make
the actual VPN connection separately with the resulting cookie.

Round-robin DNS can give you multiple A or AAAA records for the same
hostname, and in that case the authentication would carefully report the
IP address it connected to instead of the hostname, to ensure that the
second stage would definitely reconnect to the *same* server that we
authenticated to.

However, there are cases where you can get different results each time
even when there is only *one* answer, with trick DNS servers to do
load-balancing or attempt geographical matching. We didn't cope with
that. Since NetworkManager is fairly bad at handling the error feedback,
the result would be a failure to connect after you think you've
authenticated OK and the auth-dialog box has gone away.

Now the authentication stage will *always* report the IP address; never
the hostname.

There are some other internal improvements which aren't stunningly
exciting, as well as updates to the Android build infrastructure;
especially to support PIE builds.

ftp://ftp.infradead.org/pub/openconnect/openconnect-7.03.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.03.tar.gz.asc

David Woodhouse (17):
      Add undocumented --gnutls-debug command line option
      Import translations from GNOME
      Add missing newline on vpn_perror() output
      Change vpninfo->deflate to three separate bitmasks for requested/CSTP/DTLS
      Do compression context setup *after* negotiation rather than before
      Calculate correct upper bound for zlib buffers
      Kill static dtls_pkt
      Stop receiving CSTP to stack
      Always output specific IP address in authentication results
      Fix some untranslated strings
      Make constant data const in cstp.c
      Make constant data const in ntlm.c
      Make constant data const in main.c
      Update translations from GNOME
      Fix 'vX.XX-unknown' when RPM package applies patches
      Update changelog
      Tag version 7.03

Kevin Cernekee (8):
      android: Don't install symlinks into the sysroot
      android: Build with NDK r10d
      android: Update nettle, gnutls, stoken, and oath-toolkit
      android: Make a $(PKG_CONFIG) helper variable
      android: Drop libtomcrypt dependency
      android: Build openconnect binary as PIE
      android: Import run_pie helper program from Chromium
      android: Fix bogus liboath pathname

--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
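
The failure described in the announcement, modelled as an added example that is not part of the original message or of OpenConnect's code: a DNS server that returns a single, different address on each query sends the second stage to a gateway that never issued the cookie, unless the first stage reports the IP address it actually reached. The gateway addresses, `vpn.example.com`, the `HOST`/`COOKIE` dictionary keys and the rule that a cookie is valid only on the issuing gateway are assumptions of this sketch.

```python
import ipaddress
import itertools
import secrets

class Gateway:
    """Constructed stand-in for one VPN gateway; a cookie is valid only where issued (assumption)."""
    def __init__(self, ip):
        self.ip, self.sessions = ip, set()
    def authenticate(self):
        cookie = secrets.token_hex(8)
        self.sessions.add(cookie)
        return cookie
    def connect(self, cookie):
        return cookie in self.sessions

class RotatingDNS:
    """Returns exactly ONE address per query, but a different one each time."""
    def __init__(self, addresses):
        self._cycle = itertools.cycle(addresses)
    def resolve(self, hostname):
        return next(self._cycle)

def reach(host, dns, gateways):
    """Connect to host: an IP literal is used as-is, a hostname costs a fresh DNS query."""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = dns.resolve(host)
    return gateways[ip]

def stage1(hostname, dns, gateways, report_ip):
    # Interactive authentication; report_ip=True reports the address actually reached.
    gw = reach(hostname, dns, gateways)
    return {"HOST": gw.ip if report_ip else hostname, "COOKIE": gw.authenticate()}

def stage2(auth, dns, gateways):
    # Separate process makes the real connection from stage 1's output only.
    return reach(auth["HOST"], dns, gateways).connect(auth["COOKIE"])

def demo(report_ip):
    gateways = {ip: Gateway(ip) for ip in ("192.0.2.10", "192.0.2.20")}  # constructed
    dns = RotatingDNS(list(gateways))
    auth = stage1("vpn.example.com", dns, gateways, report_ip)
    return auth["HOST"], stage2(auth, dns, gateways)

if __name__ == "__main__":
    print("hostname reported:", demo(report_ip=False))
    print("IP reported:      ", demo(report_ip=True))
```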