ocserv 0.12.0 has been released; it adds virtual-host support to the OpenConnect server and improves the supported authentication methods. From http://lists.infradead.org/pipermail/openconnect-devel/2018-April/004854.html :
- Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP (#61).
- Increased possibilities of allowed combinations of authentication methods (#108).
- Corrected regression since 0.11.8 with OTP authentication (#137).
- Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port (#133).
Changes to port:
- There is no need any more for libintl, as such remove devel/gettext from LDEP and sync WANTLIB
- ocserv builds fine with OpenBSD's make. Remove USE_GMAKE=Yes
- Adjust CONFIGURE_ARGS:
* ocserv doesn't rely on libopts any more
* exclude test that use nuttcp, which we do not have in ports
Builds and tests ok on amd64. I've been using this version as a 1-on-1 replacement of an existing installation (0.11.x) for the last two days without any issues.
Comments/OKs?
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/ocserv/Makefile,v
retrieving revision 1.32
diff -u -p -r1.32 Makefile
--- Makefile 23 Apr 2018 09:01:10 -0000 1.32
+++ Makefile 25 Apr 2018 13:17:16 -0000
@@ -2,25 +2,24 @@ COMMENT= server implementing the AnyConnect SSL VPN protocol
-DISTNAME= ocserv-0.11.12
+DISTNAME= ocserv-0.12.0
 EXTRACT_SUFX= .tar.xz
 CATEGORIES= net
 HOMEPAGE= https://ocserv.gitlab.io/www/
-MAINTAINER= Bjorn Ketelaars <[email protected]>
+MAINTAINER= Bjorn Ketelaars <[email protected]>
 # GPLv2+
 PERMIT_PACKAGE_CDROM= Yes
-WANTLIB = c curses ev gnutls intl lz4 m nettle oath pam protobuf-c
-WANTLIB += radcli readline talloc
+WANTLIB+= c curses ev gnutls lz4 m nettle oath pam protobuf-c
+WANTLIB+= radcli readline talloc
 MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
 LIB_DEPENDS= archivers/lz4 \
- devel/gettext \
 devel/libev \
 devel/libtalloc \
 devel/protobuf-c \
@@ -32,12 +31,11 @@ TEST_DEPENDS= net/openconnect \
 shells/bash \
 sysutils/coreutils
-USE_GMAKE= Yes
 CONFIGURE_STYLE= autoconf
-CONFIGURE_ARGS= --enable-local-libopts \
- --without-docker-tests \
+CONFIGURE_ARGS= --without-docker-tests \
 --without-geoip \
 --without-http-parser \
+ --without-nuttcp-tests \
 --without-pcl-lib
 CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
@@ -47,14 +45,18 @@ AUTOCONF_VERSION= 2.69
 post-extract:
 sed -i 's,#!/bin/bash,#!${LOCALBASE}/bin/bash,' \
- ${WRKSRC}/tests/test-{iroute,append-routes,user-config}
+ ${WRKSRC}/tests/test-{iroute,append-routes,user-config} \
+ ${WRKSRC}/tests/haproxy-connect \
+ ${WRKSRC}/tests/multiple-routes
 sed -i 's,/usr/sbin/openconnect,${LOCALBASE}/sbin/openconnect,' \
 ${WRKSRC}/tests/common.sh
 sed -i 's,/etc/ocserv,${SYSCONFDIR}/ocserv,' \
 ${WRKSRC}/src/ocpasswd/ocpasswd.c
- cd ${WRKSRC}; \
- sed -i 's,/usr/bin/ocserv-fw,${SYSCONFDIR}/ocserv/ocserv-fw,g' \
- src/ocserv-args.def src/main-user.c doc/ocserv.8 doc/sample.config
+ sed -i 's,/usr/bin/ocserv-fw,${SYSCONFDIR}/ocserv/ocserv-fw,g' \
+ ${WRKSRC}/src/main-user.c \
+ ${WRKSRC}/doc/sample.config
+ sed -i 's,/usr/bin/ocserv\\-fw,${SYSCONFDIR}/ocserv/ocserv\\-fw,g' \
+ ${WRKSRC}/doc/ocserv.8
 post-install:
 ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ocserv
@@ -64,6 +66,7 @@ post-install:
 ${SUBST_CMD} -c -m ${SHAREMODE} -o ${SHAREOWN} -g ${SHAREGRP} \
 ${WRKSRC}/doc/sample.config \
 ${PREFIX}/share/examples/ocserv/sample.config
+ ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${PREFIX}/man/man8/
 pre-test:
 ln -fs ${LOCALBASE}/bin/gtimeout ${WRKDIR}/bin/timeout
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/ocserv/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- distinfo 23 Apr 2018 09:01:10 -0000 1.22
+++ distinfo 25 Apr 2018 13:17:16 -0000
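Review bot: The new `sed -i 's,/usr/bin/ocserv\\-fw,${SYSCONFDIR}/ocserv/ocserv\\-fw,g'` line for doc/ocserv.8 in the post-extract hunk is correct but non-obvious: make hands `\\` to the shell unchanged, so inside the single quotes sed sees `\\-`, which matches the literal backslash of the roff `\-` escape the man page uses, and a one-line recipe comment such as `# ocserv.8 spells the dash as the roff escape \-, so match the literal backslash` would stop a later maintainer from "simplifying" it back to `-`. The old recipe also rewrote `src/ocserv-args.def`, which the new one drops; presumably that file disappeared with libopts, but grepping `${WRKSRC}` for `/usr/bin/ocserv-fw` after post-extract would confirm that no remaining copy (help text, README) still advertises the Linux path while the installed script lives under `${SYSCONFDIR}/ocserv`.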
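Review bot: `${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${PREFIX}/man/man8/` in the post-install hunk installs whatever `.8` pages happen to exist in doc/, yet no pkg/PLIST hunk appears in this diff; if upstream's install target stopped installing the pages (plausible now that the libopts-generated ocserv-args.def is gone) each page must already be in PLIST, and if it still installs them the line is redundant. Naming the pages explicitly, e.g. `${INSTALL_MAN} ${WRKSRC}/doc/ocserv.8 ${PREFIX}/man/man8/` (plus whichever others doc/ ships), documents what the port expects and keeps a future upstream page from slipping into the package through the glob. Only ocserv.8 is visibly touched by post-extract here; which other `.8` files doc/ holds is not shown in the diff.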
@@ -1,2 +1,2 @@
-SHA256 (ocserv-0.11.12.tar.xz) = SRlQt7/jb8P1LBC9aAkC1l4Hda/BiaosI9j9smdKUk8=
-SIZE (ocserv-0.11.12.tar.xz) = 785956
+SHA256 (ocserv-0.12.0.tar.xz) = /btyQQEzQZdWQLuYUbFO0Wx4YClGboG3nN+84h99yJ8=
+SIZE (ocserv-0.12.0.tar.xz) = 679420
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-configure_ac,v
retrieving revision 1.8
diff -u -p -r1.8 patch-configure_ac
--- patches/patch-configure_ac 10 Oct 2017 09:20:48 -0000 1.8
+++ patches/patch-configure_ac 25 Apr 2018 13:17:16 -0000
@@ -2,7 +2,7 @@ $OpenBSD: patch-configure_ac,v 1.8 2017/
 Index: configure.ac
 --- configure.ac.orig
 +++ configure.ac
-@@ -162,7 +162,7 @@ if test "$test_for_geoip" = yes;then
+@@ -168,7 +168,7 @@ if test "$test_for_geoip" = yes;then
 fi
 have_readline=no
Index: patches/patch-doc_sample_config
===================================================================
RCS file: /cvs/ports/net/ocserv/patches/patch-doc_sample_config,v
retrieving revision 1.19
diff -u -p -r1.19 patch-doc_sample_config
--- patches/patch-doc_sample_config 12 Jan 2018 22:28:51 -0000 1.19
+++ patches/patch-doc_sample_config 25 Apr 2018 13:17:16 -0000
@@ -5,7 +5,7 @@ no seccomp, gssapi
 Index: doc/sample.config
 --- doc/sample.config.orig
 +++ doc/sample.config
-@@ -34,15 +34,6 @@
+@@ -35,15 +35,6 @@
 # Acct-Interim-Interval, and Session-Timeout values.
 #
 # See doc/README-radius.md for the supported radius configuration atributes.
@@ -21,16 +21,16 @@ Index: doc/sample.config
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
-@@ -55,8 +46,6 @@ auth = "plain[passwd=./sample.passwd]"
- # for authentication. That is, if set, any of the methods enabled
- # will be sufficient to login.
+@@ -58,8 +49,6 @@ auth = "plain[passwd=./sample.passwd]"
+ # When multiple options are present, they are OR composed (any of them
+ # succeeding allows login).
 #enable-auth = "certificate"
 -#enable-auth = "gssapi"
 -#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
 # Accounting methods available:
 # radius: can be combined with any authentication method, it provides
-@@ -99,8 +88,8 @@ udp-port = 443
+@@ -102,8 +91,8 @@ udp-port = 443
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
@@ -41,7 +41,7 @@ Index: doc/sample.config
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
-@@ -109,7 +98,7 @@ run-as-group = daemon
+@@ -112,7 +101,7 @@ run-as-group = daemon
 # socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any), so it is best
 # specified relatively to the chroot directory.
@@ -49,8 +49,8 @@ Index: doc/sample.config
 +socket-file = ${LOCALSTATEDIR}/run/ocserv-socket
 # The default server directory. Does not require any devices present.
- #chroot-dir = /path/to/chroot
-@@ -163,16 +152,6 @@ ca-cert = ../tests/certs/ca.pem
+ #chroot-dir = /var/lib/ocserv
+@@ -172,16 +161,6 @@ ca-cert = ../tests/certs/ca.pem
 ### failures during the reloading time.
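Review bot: The `+ #chroot-dir = /var/lib/ocserv` line in the `@@ -49,8 +49,8 @@` hunk carries upstream's Linux example path into the OpenBSD sample unchanged, while the neighbouring `+socket-file = ${LOCALSTATEDIR}/run/ocserv-socket` shows the port already rewrites such paths through `${LOCALSTATEDIR}`. The option is commented out, so nothing breaks, but an administrator who uncomments it verbatim gets a chroot directory that does not exist on this system. Consider an inner `-`/`+` pair pointing the example at a `${LOCALSTATEDIR}`-based directory, or say in the commit message that the example is intentionally left as upstream's; which directory the port intends for a chroot is not visible in this diff.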
@@ -67,7 +67,7 @@ Index: doc/sample.config
 # A banner to be displayed on clients
 #banner = "Welcome"
-@@ -328,9 +307,8 @@ min-reauth-time = 300
+@@ -337,9 +316,8 @@ min-reauth-time = 300
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
@@ -79,7 +79,7 @@ Index: doc/sample.config
 #
 # Score banning cannot be reliably used when receiving proxied connections
 # locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -344,7 +322,6 @@ ban-reset-time = 1200
+@@ -353,7 +331,6 @@ ban-reset-time = 1200
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
 #ban-points-connection = 1
@@ -87,7 +87,7 @@ Index: doc/sample.config
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
-@@ -411,7 +388,7 @@ rekey-method = ssl
+@@ -420,7 +397,7 @@ rekey-method = ssl
 use-occtl = true
 # PID file. It can be overridden in the command line.
@@ -96,7 +96,7 @@ Index: doc/sample.config
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
-@@ -526,6 +503,11 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -535,6 +512,11 @@ no-route = 192.168.5.0/255.255.255.0
 # any other routes. In case of defaultroute, the no-routes are restricted.
 # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
@@ -108,7 +108,7 @@ Index: doc/sample.config
 #restrict-user-to-routes = true
 # This option implies restrict-user-to-routes set to true. If set, the
-@@ -598,23 +580,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -607,23 +589,6 @@ no-route = 192.168.5.0/255.255.255.0
 # and '%{G}', if present will be replaced by the username and group name.
 #proxy-url = http://example.com/
 #proxy-url = http://example.com/%{U}/
Index: patches/patch-tests_multiple-routes
===================================================================
RCS file: patches/patch-tests_multiple-routes
diff -N patches/patch-tests_multiple-routes
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-tests_multiple-routes 25 Apr 2018 13:17:16 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: tests/multiple-routes
+--- tests/multiple-routes.orig
++++ tests/multiple-routes
+@@ -49,7 +49,7 @@ echo ok
+
+ echo -n "Checking number of routes... "
+
+-CONTENTS=`cat ${TMPFILE1}|grep X-CSTP-Split-Include|wc -l`
++CONTENTS=`cat ${TMPFILE1}|grep X-CSTP-Split-Include|wc -l|sed 's/^ *//'`
+ if test "$CONTENTS" != "256";then
+ cat ${TMPFILE1}|grep X-CSTP-Split-Include
+ fail $PID "Temporary file contents are not correct; 256 routes were not found"
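Review bot: The `sed 's/^ *//'` appended to the `CONTENTS=` pipeline in the new patches/patch-tests_multiple-routes strips the leading padding that this system's `wc -l` presumably emits, but the root cause is the string comparison `test "$CONTENTS" != "256"` on the following line, which any padding defeats. `CONTENTS=$(grep -c X-CSTP-Split-Include "${TMPFILE1}")` produces an unpadded count on both BSD and GNU userlands, removes the `cat` and the extra `sed`, and is a change upstream could take verbatim instead of the port carrying a local workaround. If the intent is the smallest possible local patch, the line as written does work. The `if` block continues outside the hunk.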
