Friday, March 04, 2022

UPDATE net/ocserv-1.1.6

Diff below brings ocserv to 1.1.6. Changes can be found at
https://ocserv.gitlab.io/www/changelog.html.

Comments/OK?


diff --git Makefile Makefile
index 5054a04e9aa..00d0502f6d3 100644
--- Makefile
+++ Makefile
@@ -2,7 +2,7 @@

COMMENT= server implementing the AnyConnect SSL VPN protocol

-DISTNAME= ocserv-1.1.3
+DISTNAME= ocserv-1.1.6
EXTRACT_SUFX= .tar.xz

CATEGORIES= net
diff --git distinfo distinfo
index 1cba0add06d..16c7a6c526b 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (ocserv-1.1.3.tar.xz) = GrcMbm6ja2E+jhcfwDtggcQxKkXuUswpWcBownMkEH4=
-SIZE (ocserv-1.1.3.tar.xz) = 833320
+SHA256 (ocserv-1.1.6.tar.xz) = amy+kiEuMigEJqUcY0rcPUgDV53QSc/bfgFHFMyCxpM=
+SIZE (ocserv-1.1.6.tar.xz) = 839744
diff --git patches/patch-doc_sample_config patches/patch-doc_sample_config
index 2201ebce2fc..e509136066d 100644
--- patches/patch-doc_sample_config
+++ patches/patch-doc_sample_config
@@ -1,5 +1,3 @@
-$OpenBSD: patch-doc_sample_config,v 1.24 2021/10/28 07:00:13 bket Exp $
-
no seccomp, gssapi

Index: doc/sample.config
@@ -8,7 +6,7 @@ Index: doc/sample.config
@@ -35,15 +35,6 @@
# Acct-Interim-Interval, and Session-Timeout values.
#
- # See doc/README-radius.md for the supported radius configuration atributes.
+ # See doc/README-radius.md for the supported radius configuration attributes.
-#
-# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
-# The gssapi option allows one to use authentication methods supported by GSSAPI,
@@ -50,7 +48,7 @@ Index: doc/sample.config

# The default server directory. Does not require any devices present.
#chroot-dir = /var/lib/ocserv
-@@ -166,16 +155,6 @@ ca-cert = ../tests/certs/ca.pem
+@@ -172,16 +161,6 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.


@@ -67,19 +65,21 @@ Index: doc/sample.config
# A banner to be displayed on clients after connection
#banner = "Welcome"

-@@ -341,9 +320,8 @@ min-reauth-time = 300
+@@ -345,10 +324,9 @@ min-reauth-time = 300
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
--# due to difference processes being involved the count of points
--# will not be real-time precise.
-+# and a connection is 1 point. Note that due to different processes
-+# being involved the count of points will not be real-time precise.
+-# due to different processes being involved the count of points
+-# will not be real-time precise. Local subnet IPs are exempt to allow
+-# services that check for process health.
++# and a connection is 1 point. Note that due to different processes being
++# involved the count of points will not be real-time precise. Local subnet
++# IPs are exempt to allow services that check for process health.
#
- # Score banning cannot be reliably used when receiving proxied connections
- # locally from an HTTP server (i.e., when listen-clear-file is used).
-@@ -357,7 +335,6 @@ ban-reset-time = 1200
+ # Set to zero to disable.
+ max-ban-score = 80
+@@ -359,7 +337,6 @@ ban-reset-time = 1200
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
@@ -87,7 +87,7 @@ Index: doc/sample.config

# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
-@@ -432,7 +409,7 @@ rekey-method = ssl
+@@ -434,7 +411,7 @@ rekey-method = ssl
use-occtl = true

# PID file. It can be overridden in the command line.
@@ -96,7 +96,7 @@ Index: doc/sample.config

# Log Level. It can be overridden in the command line with the -d option.
# All messages at the configure level and lower will be displayed.
-@@ -561,6 +538,11 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -563,6 +540,11 @@ no-route = 192.168.5.0/255.255.255.0
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
@@ -108,7 +108,7 @@ Index: doc/sample.config
#restrict-user-to-routes = true

# This option implies restrict-user-to-routes set to true. If set, the
-@@ -633,23 +615,6 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -635,23 +617,6 @@ no-route = 192.168.5.0/255.255.255.0
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
diff --git pkg/PLIST pkg/PLIST
index c6621ee663e..b1bf81b356b 100644
--- pkg/PLIST
+++ pkg/PLIST
@@ -1,4 +1,3 @@
-@comment $OpenBSD: PLIST,v 1.5 2020/07/18 20:27:53 bket Exp $
@newgroup _ocserv:749
@newuser _ocserv:749:_ocserv:daemon:ocserv user:/nonexistent:/sbin/nologin
@rcscript ${RCDIR}/ocserv

No comments:

Post a Comment