OpenConnect 7.08 release
David Woodhouse
dwmw2 at infradead.org
Tue Dec 13 08:28:38 PST 2016
A bunch of fixes, including Juniper compatibility with Junos Pulse 8.2
servers, and some other new form support in Juniper. We really ought to
support handling this with a 'proper' web browser, at least for the GUI
clients. The hard-coded hacks to parse known HTML forms are getting
nastier with each special case we add.

I've added a certificate torture test suite and fixed a number of the
bugs it showed with various esoteric (and not so esoteric) file
formats. Distributors, please ensure you run 'make check' in your
package build, and chase up any failures caused by the libraries you're
building against.

It supports the new DTLS 'real negotiation' support with ocserv,
instead of deciding the cipher suites in advance. And does run-time
probing for the data MTU.

Some Windows fixes, including support for point-to-point routing.

For those building against OpenSSL, this adds support for the final
OpenSSL 1.1 release. And fixes a security issue — OpenSSL-built clients
failed to *check* that the DTLS session was actually being resumed, and
hypothetically an attacker could have captured the DTLS session by just
performing a full handshake. So the client would be exchanging IP
packets with the attacker instead of the real VPN network.

I have managed to reproduce that attack using OpenSSL-built OpenConnect
against ocserv, where it uses standard DTLS protocols. Since Cisco's
pre-1.0 version of DTLS isn't fully supported by OpenSSL for full
handshakes (it's only ever used for resumes), I wasn't trivially able
to reproduce when talking to a Cisco ASA — but I believe it should be
possible. If you build OpenConnect against OpenSSL then you should
upgrade immediately. GnuTLS builds are not affected as they would never
succeed in performing a full negotiation in this situation anyway.

ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz.asc
Björn Ketelaars (2):
Fix indentation in manpage openconnect
Small error in openconnect.8
Dan Lenski (1):
Correctly handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24
Daniel Lenski (3):
append_opt() and buf_append_urlencoded() should take const char *
Make buf_append_urlencoded() percent-encode fewer characters.
Unset got_cancel_cmd after reacting to it, as is already done for got_pause_cmd
David Woodhouse (181):
Handle Juniper pre-auth message too
Revert to original OpenSSL workaround now we can access get_issuer()
Fix OpenSSL 1.1 compiler warning
Fix warning about unused esp_kmp_hdr in non-ESP build
Add configure check for OpenSSL RT#4631
Fix condition for GnuTLS ESP
Add 1.0.1q to 1.0.1u-dev to broken OpenSSL versions (RT#4631)
Add bad_dtls_test from OpenSSL PR#1296
Use DTLS_client_method() and TLS_client_method() for OpenSSL 1.1+
Fix non-const warning in legacy generate_dtls_session()
Use X509_V_FLAG_PARTIAL_CHAIN for OpenSSL >= 1.0.2
Kill PACKET_starts() from bad_dtls_test
More OpenSSL 1.1 API breakage...
Build openconnect before we test it
Print correct filename when key not found
Add cert format torture test
Fix GnuTLS handling of OpenSSL encrypted PEM files
Add support for DER-encoded PKCS#1 and PKCS#8 files with OpenSSL
Add support for DER-encoded PKCS#1 and PKCS#8 files with GnuTLS
Add more certificate tests: PKCs8-PBES1, and DER forms of everything
Update changelog
More explicit PKCS#12 tests
Add VERBOSE=1 to gitlab make check
Fix auth-certificate test
Try unencrypted PKCS#8 DER specifically.
Allow DTLS unit test to be disabled
Use AS_HELP_STRING() consistently
Move lzstest to tests/
Output summary from configure script
Only set DTLS_GNUTLS if it's true
Fix pretty-printing of $ssl_library. "both" means we're using GnuTLS.
Do not set HAVE_GNUTLS_SESSION_SET_PREMASTER
Don't check for SSL_OP_CISCO_ANYCONNECT
Instead of disabling the DTLS test, make it XFAIL
Use oc_text_buf for constructing proxy URL
Use oc_text_buf for constructing group-access node
Quote SSL_DTLS_PC
Add OpenSSL-only CI build
Fix retry on tun fd when it isn't a Linux tun device
Update translations from GNOME
Resync translations with sources
Add translations for 'Enter PKCS#8 pass phrase:'
Add rôle selection for Juniper auth
Fix mingw build warning
Fix typo in rôle table matching
Fix crash in install_extra_certs() on PKCS#12 file containing no cert
Add newlines to PKCS#12 error messages
Update translations from GNOME
Add some more PKCS#12 test cases, including a mixed one that upsets GnuTLS
Fix ESP replay integer overflow problems
Increase ESP packet backlog to 64 packets
Do not define _POSIX_C_SOURCE
Include <string.h> from openconnect-internal.h
Split ESP sequence number handling into a separate file
Prevent ESP seq# wrap-around
Add ESP seq# test
Fix portability of lzstest
Run tests even without CWRAP
Fix up translation for ESP debug messages
Resync translations with sources
Update translations from GNOME
Fix translation search/replace errors
Disable known GnuTLS failures to make gitlab tests pass again
Fix uninitialised variable usage in parse_roles_form_node()
Fix FreeBSD9 build warnings
Attempt to add FreeBSD CI build
Fix gitlab CI config
Slight cleanup for verify_packet_seqno
Add --with-vpnc-script to FreeBSD CI build
Run all cert tests by default with manual invocation
Explicitly detect, and reject building with, LibreSSL
We don't need cwrap for bad_dtls_test any more
Add support for EC PKCS#1 certs
Fix crash in init_esp_ciphers with OpenSSL < 1.1
Add DSA and EC keys to torture tests
Remove stray key files
Make MAX definition conditional to make FreeBSD happy
Fix main.o dependency on version.c
Fix main.o dependency harder
More LibreSSL build fixes
Add missing user-cert.prm
Use --key-password for OpenSSL PKCS#11 PIN
Add PKCS#11 tests
Add softhsm2.conf
Missing auth-pkcs11
Enable EC PKCS#11 test
PKCS#11 test shouldn't be unconditional
FFS, eventually I'll get the condition right
Fix softhsm check
Support pin-value= for PKCS#11 URI with OpenSSL
Import keys for SoftHSM with softhsm2-util
Re-import SoftHSM token
Disable DSA tests for GnuTLS too
Fix uninitialised cert pointer in load_pkcs11_certificate()
Only run test-pkcs11 if we have cwrap
Update changelog
Add missing distfiles
Change tar format to allow softhsm objects to fit
Fix ESP replay problem
Reorder ESP sequence checks
Update comment
Fix compiler warning in verify_packet_seqno()
Fix format warning in openconnect_win32__strerror()
Use shared runners
Don't discard output from ocserv in tests
Create ocserv config files from configure script
Put test sockdir in build dir
Add pubkey-less PKCS#11 tests
Use --no-mark-private for all objects in token=openconnect-test1
Add PKCS#11 test with CKA_PRIVATE on certs
Check for errors from SSL_CTX_use_PrivateKey()
Fix PKCS#11 error reporting
Work around OpenSSL crash with EC keys lacking public key
Fix OpenSSL 1.1 build of EC workaround
Suggest using --servercert when certificate validation fails
Kill --no-cert-check
Call SSL_CTX_check_private_key() to validate cert+key match
Update translations from GNOME
Fix 'Got no issuer from PKCS#11' message
Escape 'PKCS#11 support' in configure summary
Remove unused variable from bad_dtls_test.c
Fix configure reporting of Yubikey support
Allow explicit disabling of DSA tests
Enable CentOS CI builds
Fix Windows inet_pton() build warning
CI cleanups
Revamp GnuTLS/OpenSSL detection
Simplify ESP conditionals
Simplify DTLS conditionals
Remove bad-random test stuff
Split crypto library parts out from dtls.c to {gnutls,openssl}-dtls.c
Reinstate 'make check' warning for OpenSSL builds
Add serverhash test tool
Kill DTLS_FREE macro
Fix build from clean
Add openconnect_init_ssl() in serverhash.c
Fix Windows build of serverhash
Fix serverhash build with local OpenSSL
Report actual DTLS cipher for OpenSSL
Allow OpenSSL to use TLSv1.2
Set SSL_OP_TLSEXT_PADDING to work around F5 firewall bugs
Update changelog
Update translations from GNOME
Single pipeline for creating openconnect.8.inc
Support --key-password for GnuTLS PKCS#11 PIN
DTLS MTU detection fixes
Update test suite
Change DSA test key to 1024 bits
Update CONFIG_STATUS_DEPENDENCIES
Enable DSA-SHA1 in ocserv config
Fix IPv6 setup on Solaris
Update changelog
Fix 'make install' from clean too.
Add DTLS files back to translation
Update translations from GNOME
Explicitly disallow non-resumed sessions for legacy DTLS establishment
Add session resume check for GnuTLS too
Attempt to re-open CONIN$ if stdin has been redirected on Windows
Limit netmask on Windows TAP setup to 255.255.255.254
Remember the X-CSTP-Base-MTU: value that the server sends back
Add GNUTLS_NO_EXTENSIONS to DTLS setup
Better attempt at handling TAP-Windows tun setup
Add TUNIDX for Windows vpnc-script
Increase oNCP configuration buffer size
Update changelog
Update translations from GNOME
Fix pcsclite dependency in openconnect.pc
Fix openssl dependency in openssl.pc
Remove unused LIBS/CFLAGS manipulation in configure.ac
Update translations from GNOME
Update translations from GNOME
Enable DHE ciphers for Cisco DTLS
Don't resume OpenSSL DTLS session for PSK-NEGOTIATE
Allow DTLS version negotiation with PSK-NEGOTIATE and OpenSSL 1.0.2
Calculate MTU for PSK-NEGOTIATE
Add TPM documentation
Changelog entry for SHA256 hashes
Stop using deprecated LZ4 functions
Update translations from GNOME
Resync translations with sources
Tag version 7.08
Jon DeVree (1):
Add Content-Length header to mimic official pulse client
Mathias Schuepany (1):
Patch for servers that do not listen on TCP 443
Nikolay Martynov (1):
IPv6 packet size field doesn't include header size, take this into account
Nikos Mavrogiannopoulos (8):
Always calculate the base_mtu value
Indicate that the --mtu option is used by legacy servers only
Extended MTU discovery to work even when compiled with openssl
Enable DTLS protocol negotiation
Introduce SHA2-256 as a peer certificate hash and make it the default
openconnect_check_peer_cert_hash: allow partial server hash matches
Introduced buf_append_hex()
tests: added check for operation under different --servercert parameters
Piotr Kubaj (1):
Fix build with LibreSSL.
Ralph Schmieder (1):
Add --passtos option to copy TOS/TCLASS from VPN packets
Thorsten Bonhagen (1):
gnutls GNUTLS_E_INTERRUPTED same behavior as GNUTLS_E_AGAIN
--
dwmw2