OpenConnect 9.10 release
David Woodhouse
dwmw2 at infradead.org
Thu May 4 11:45:14 PDT 2023
It's been over a year since the last release, and a few fixes have
accumulated. Most notably, some improvements to Pulse compatibility as
the servers have changed. Also some cleanups to the SSO support,
especially external browser handling for Cisco AnyConnect.

On Windows, update the Wintun driver and make it the default instead of
the old OpenVPN tap-windows driver.

Increase the default queue length to 32 (which turns vhost support on
by default), which is seen to improve real world performance quite a
lot. It's not entirely clear *why*, since there are large queues both
before and after OpenConnect doing its own packet processing, but
empirically it's clearly needed.
https://www.infradead.org/openconnect/download/openconnect-9.10.tar.gz
https://www.infradead.org/openconnect/download/openconnect-9.10.tar.gz.asc
Alex Samorukov (1):
      Add MacOS support to the hipreport

Andy Teijelo (1):
      Use the timeout command in csd-wrapper.sh

Daniel Lenski (101):
      Bugfix fake-gp-server.py: <saml-request> uses the 'standard' base64 alphabet, not the 'URL-safe' one
      OpenConnect has too many slightly-varying and undocumented interfaces for external scripts with similar functions
      Clearer error message when GlobalProtect portal configuration contains no gateways at all
      Clearer error for list-system-keys on Unix-like platforms
      Cleanup GP auth tests (don't need to disable IPv6 here)
      Rework GP fake server to have a persistent configuration
      Add a fake SAML handler/form to fake-gp-server.py
      Factor out some of the most repetitive elements of gp-auth-and-config
      Explain why explicit proxying usually doesn't work in MITM docs
      Clarify purpose/scope of --authgroup option
      Clarify purpose/scope of --usergroup option
      Log more details of unknown Pulse packets
      Merge branch 'man' into 'master'
      Support [,;] as separators for multiple search domains with all protocols
      Expand comment about potentially-useful information in GP portal configuration
      Don't set xmlReadMemory's URL argument to "noname.xml"
      Distinguish XML and non-XML error paths in gpst_xml_or_error
      Parse GlobalProtect XML more leniently
      Java: remove idleTimeoutSec from IPInfo class
      Don't set xmlReadMemory's URL argument to "noname.xml" (fixup)
      Treat empty redirect_url as a no-op
      Add missing 'goto bad_config' in Pulse error path
      More trace-level logging around Pulse config packets
      Future-proof unknown attr_flag values in Pulse main config packet
      Merge branch 'pulse-9.1R16' into 'master'
      Make Fortinet's invalid credential response more human-readable
      Add anchors to HTML manual, so any option can be the target of a link
      Fix logging of ESP-magic "gateway" address in GP config parsing
      Avoid warnings about unused ESP-related functions/variables in oncp.c and gpst.c
      Prevent crash on unexpected response for GlobalProtect portal prelogin XML
      Allow --form-entry to override hidden fields' values or mark them as text fields
      Don't treat forms containing only hidden fields as non-empty
      Ensure that even hidden form fields have labels
      Basic 2FA token handling for F5
      Add f5-auth-and-config tests of hidden form followed by 2FA form
      Merge branch 'upstream/hidden_form_field_override' into 'master'
      GlobalProtect can send the challenge-based 2FA form in an even stupider way
      List an unhandled Pulse flag related to hostname-based split tunnelling
      Add --sni option to the CLI, for domain fronting
      If --sni is specified, expect peer certificate to match value sent in SNI, rather than hostname
      Prioritize IPv6 for GlobalProtect ESP "magic ping"
      Merge branch 'add_sni_option_for_domain_fronting' into 'master'
      Combine Legacy IP and IPv6 cases in GP config XML parsing
      Merge branch 'GP_consolidate_legacy_IP_and_IPv6_ESP_config_handling' into 'master'
      Save GlobalProtect version reported by portal and parrot it back as client version
      Sending --long-options to HIP script was a mistake; use environment variables instead
      HOSTID → HOST_ID in hipreport.sh/hipreport-android.sh
      Merge branch 'parrot_GP_server_software_version_back_as_client_software_version' into 'master'
      Update changelog
      Merge branch 'android' into 'master'
      Update .gitlab-ci.yml to be multi-stage and conserve CI runner usage
      Fix TNCC links in docs
      Simulate condition leading to segfault in fake-fortinet-server.py
      Update changelog
      Merge branch 'manudroid19-master-patch-20475' into 'master'
      Merge branch 'tap' into 'master'
      Update .mailmap
      Simplify port list in csd-post.sh
      Mention newer/non-PPP-based wire protocol in the Fortinet docs
      Bugfix tests/fake-gp-server.py
      GlobalProtect JavaScript challenge fields can contain literal newlines
      Parse GlobalProtect JavaScript challenge 'respMsg' as JSON string
      Merge branch 'parse_GP_javascript_better' into 'master'
      Persistent configuration for fake Fortinet server
      Persistent configuration for fake Juniper server
      Give more details about unexpected Pulse configuration packets
      Expand examples of '--useragent' in manual page
      Merge branch 'FAIL_obsolete-server-crypto' into 'master'
      Add 'except' clause for Gitlab-CI Android builds
      Parse JSON login forms for F5
      Update changelog
      Merge branch 'parse_JSON_login_forms_F5' into 'master'
      Make xmlnode_bool_or_int_value() a global, internal function
      Persist Windows installer artifacts (openconnect-installer.exe) for tagged commits/releases
      Unique names for each variant openconnect-installer.exe
      Update changelog and README
      Merge branch 'persist-windows-builds' into 'master'
      Junos/Pulse → Junos/Ivanti Pulse
      Ignore blank labels sent in GlobalProtect prelogin
      GnuTLS: Print more relevant information in the case of a fatal TLS alert
      Fortinet: send dual_stack parameter to support IPv6 and Legacy IP simultaneously
      Add a more modern LIMITATIONS section to man page
      GnuTLS: Add UNSAFE_RENEGOTIATION to allow-insecure-crypto
      Remove TAP-Windows driver from installer, and update docs to reference Wintun's default inclusion
      Bundled Cisco CSD wrapper script only works on GNU/Linux on Intel x86/x86_64 processors
      Merge branch 'tap_wintun' into 'master'
      Update .mailmap
      Add FTM-push token mode for Fortinet
      Newer Pulse servers can disable their ESP protocol layering malpractice
      Pulse needs an 'official' version string in IF/T-T establishment to support IPv6
      Document the potential need for an EAP-TLS-within-EAP-TTLS workaround for Pulse
      Merge branch 'Pulse_unstupid_ESP' into 'master'
      Small additions to changelog before release
      Update docs related to vpnc-script, platform, Trojans
      Tell Apple users not to use '-i tunX', but '-i utunX' instead.
      Bugfix Y2038 for F5 authentication timestamp
      Fix mixed line endings
      Add --no-external-auth option, and follow it for Cisco protocol
      More specific error message with proposed workaround for Pulse EAP-TLS requests
      Update changelog
      Merge branch 'hipreport' into 'master'

David Woodhouse (40):
      Merge branch 'obs' into 'master'
      Merge branch 'CentOS6' into 'master'
      Merge branch 'rhel5' into 'master'
      Merge branch 'autoconf' into 'master'
      Revert "Use more idiomatic super().__init__() in html.py"
      BuildRequire glibc-langpack-cs on EPEL9 for auth-nonascii test
      Import translations from GNOME
      Remove stray debug message on Pulse ESP rekey
      Fix ESP recv() error handling for Windows
      Use OpenSSL_version() not deprecated SSLeay_version()
      Add list-system-keys tool
      Fix COPR builds
      Clean up NSIS installation a bit
      Don't install list-system-keys
      Attempt to handle multiple IP packets in an Array TLS frame
      Update changelog, improve Windows certificate store documentation
      Default 'Getting Started' top-level menu to connecting.html
      Looks like Array *does* split packets across TLS records
      Detect Array session timeout and exit cleanly
      Import translations from GNOME
      Fix Solaris build
      Update translations from GNOME
      Bump default queue length to 32
      Update translations from GNOME
      Fix missing TX stats on vhost
      Update docs on running as non-root
      Redirect stdout to stderr when spawning external browser
      Fix F5 build with json-parser 1.1.0
      Revert "html.py is a Python 3 script"
      Fix installer suffix handling
      Resync translations with sources
      Set SOCK_CLOEXEC on listening socket for Cisco external browser support
      Fix --server vs. positional argument handling
      Report unexpected Pulse EAP requests more explicitly
      Fix EINTR handling for select() on cmd_fd
      Attempt to handle Legacy IP frames in the middle of oNCP config
      Rework ESP probe retries
      Resync translations with sources
      Fix use-after-free in realloc_inplace()
      Tag version 9.10

Dimitri Papadopoulos (40):
      Stop CentOS6 CI job
      AC_PREREQ expects a single version argument
      No need to support RHEL 5
      Fix signedness of character buffers in HKDF/HPKE-related functions
      Fix constness of character buffers in HKDF/HPKE-related functions
      Fix constness again in HKDF/HPKE-related functions
      Merge branch 'const' into 'master'
      Man page: fix list of supported protocols
      Man page: remove spurious space before )
      Man page: use bold for option names
      Clarify certificate verification in Cisco CSD/trojan scripts
      Fix broken links in documentation
      Python: indentation contains mixed spaces and tabs
      Python invalid syntax
      Fix NULL pointer dereference resulting in non-functional Android builds since v8.20
      Wintun 0.13 (2021-08-02) → 0.14.1 (2021-10-17)
      Wintun driver registered as "Wintun" instead of "wintun"
      Revert 59d3e370
      Update the changelog: support for Wintun 0.14.1
      Case-insensitive TAP component ID
      Support TAP driver bundled with OpenVPN
      Merge branch 'wintun-0.14.1' into 'master'
      Free vpninfo->urlpath before re-assigning
      obsolete-server-crypto test is no longer XFAIL in Fedora/GnuTLS
      Remove deprecated option cookie-validity from ocserv test configurations
      Replace deprecated libtasn1 macros
      obsolete-server-crypto test is no longer XFAIL in Fedora/GnuTLS/*
      obsolete-server-crypto and auth-certificate tests are now XFAIL in Fedora/OpenSSL CI test
      html.py is a Python 3 script
      Remove support for OpenSSL 0.9.8
      Verbatim LGPLv2.1, to the byte
      Remove support for LibreSSL
      Latest version of lzo.c and lzo.h
      Apply local changes to lzo.c and lzo.h
      Merge branch 'lzo' into 'master'
      Deprecate option --juniper, suggest --protocol=nc instead
      Remove obsolete LIMITATIONS from man page
      Make it clearer that the preferred driver is Wintun
      Cherry-pick several one-line cleanup MRs
      pulsesecure.net → ivanti.com

Elias Norberg (1):
      Add support for Pulse region choice

Hossein Khojany (1):
      Add openconnect_set_sni API function and Java setSNI() wrapper

Luca Boccassi (1):
      obs: remove libtss2-dev from debian dependency, to allow build for 18.04 to succeed

Manuel de Prada (1):
      Fortinet: fix bug causing segfault when SVPNCOOKIE is set repeatedly

Mike Gilbert (1):
      jsondump.c: include <inttypes.h> for PRId64

Rahul Rameshbabu (1):
      Do not add 'single-sign-on' to the capabilities list for AnyConnect auth requests

Timothee 'TTimo' Besset (1):
      Fix pulse 9.1R16 connection