Date: Sun, 11 Oct 2020 08:36:34 +0000 (UTC) From: Kurt Jaeger <pi@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r552035 - in head/net/ocserv: . files Message-ID: <202010110836.09B8aYwp098922@repo.freebsd.org>
Author: pi Date: Sun Oct 11 08:36:34 2020 New Revision: 552035 URL: https://svnweb.freebsd.org/changeset/ports/552035 Log: net/ocserv: update 1.0.1 -> 1.1.1 - Fixed compatibility with OpenBSD that lacks procfs - Improved rate-limit-ms and made it dependent on secmod backlog. This makes the server more resilient (and prevents connection failures) on multiple concurrent connections - Added namespace support for listen address by introducing the listen-netns option - Disable TLS1.3 when cisco client compatibility is enabled. New anyconnect clients seem to supporting TLS1.3 but are unable to handle a client with an RSA key - Enable a race free user disconnection via occtl - Added the config option of a pre-login-banner - Ocserv siwtched to using multiple ocserv-sm processes to improve scale, with the number of ocserv-sm process dependent on maximum clients and number of CPUs. Configuration option sec-mod-scale can be used to override the heuristics. - Fixed issue with group selection on radius servers sending multiple group class attribute. PR: 250225 Submitted by: Juraj Lutter <juraj@lutter.sk> Relnotes: https://gitlab.com/openconnect/ocserv/-/releases/1.1.1 Modified: head/net/ocserv/Makefile head/net/ocserv/distinfo head/net/ocserv/files/patch-configure.ac head/net/ocserv/files/patch-doc_sample.config head/net/ocserv/pkg-plist
Modified: head/net/ocserv/Makefile
==============================================================================
--- head/net/ocserv/Makefile Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/Makefile Sun Oct 11 08:36:34 2020 (r552035)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 PORTNAME= ocserv
-PORTVERSION= 1.0.1
-PORTREVISION= 1
+PORTVERSION= 1.1.1
 CATEGORIES= net net-vpn security
 MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/
@@ -32,7 +31,8 @@ USES= autoreconf cpe gperf libtool localbase ncurses
 CPE_VENDOR= infradead
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS= --without-geoip \
- --without-http-parser
+ --without-http-parser \
+ --disable-namespaces
 USERS= _ocserv
 GROUPS= _ocserv
@@ -41,7 +41,7 @@ USE_RC_SUBR= ocserv
 PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}"
-OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI RADIUS
+OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS
 PORTDOCS= AUTHORS ChangeLog NEWS README TODO
 PORTEXAMPLES= profile.xml sample.config sample.passwd
@@ -52,6 +52,10 @@ GSSAPI_CONFIGURE_OFF= --without-gssapi
 RADIUS_LIB_DEPENDS= libradcli.so:net/radcli
 RADIUS_CONFIGURE_OFF= --without-radius
+
+MAXMIND_DESC= Use Maxmind GeoIP library
+MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb
+MAXMIND_CONFIGURE_OFF= --without-maxmind
 .include <bsd.port.pre.mk>
Modified: head/net/ocserv/distinfo
==============================================================================
--- head/net/ocserv/distinfo Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/distinfo Sun Oct 11 08:36:34 2020 (r552035)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1586552655
-SHA256 (ocserv-1.0.1.tar.xz) = 59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
-SIZE (ocserv-1.0.1.tar.xz) = 787800
+TIMESTAMP = 1602242932
+SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a
+SIZE (ocserv-1.1.1.tar.xz) = 818988
Modified: head/net/ocserv/files/patch-configure.ac
==============================================================================
--- head/net/ocserv/files/patch-configure.ac Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/files/patch-configure.ac Sun Oct 11 08:36:34 2020 (r552035)
@@ -1,15 +1,15 @@
---- configure.ac.orig 2020-04-09 21:07:12 UTC
+--- configure.ac.orig 2020-10-09 11:32:59 UTC
 +++ configure.ac
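Review bot: `--disable-namespaces` is added to CONFIGURE_ARGS in the second Makefile hunk with nothing saying why it must be off, so the next updater has to rediscover the reason. The commit log says 1.1.1 introduced the `listen-netns` option, which presumably depends on Linux network namespaces that FreeBSD does not offer; if that is the reason, a one-line comment above CONFIGURE_ARGS such as `# listen-netns needs Linux network namespaces, which FreeBSD lacks` would record it next to the flag.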
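Review bot: It is unclear whether the new MAXMIND option in the fourth Makefile hunk can ever take effect, because CONFIGURE_ARGS still passes `--without-geoip` unconditionally while the option only toggles `--without-maxmind`. The configure.ac line quoted in patch-configure.ac's hunk header, `if test "$test_for_geoip" = yes && test "$have_maxmind`, suggests the maxmind detection is gated on the geoip switch, in which case `--without-geoip` likely belongs in `MAXMIND_CONFIGURE_OFF` rather than in CONFIGURE_ARGS. Worth a build with MAXMIND=on and a look at the configure summary or config.log to confirm libmaxminddb is actually picked up before the option ships.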
@@ -15,7 +15,7 @@ AM_PROG_AR AM_PROG_CC_C_O AC_PROG_SED - if [ test "$GCC" = "yes" ];then + if test "$GCC" = "yes" && ! expr "$CC" : clang >/dev/null 2>&1;then - CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-truncation" + CFLAGS="$CFLAGS -Wall -Wno-strict-aliasing -Wextra -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers" fi + AC_PATH_PROG(CTAGS, ctags, [:]) - AC_PATH_PROG(CSCOPE, cscope, [:]) -@@ -199,7 +199,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind +@@ -222,7 +222,7 @@ if test "$test_for_geoip" = yes && test "$have_maxmind fi have_readline=no Modified: head/net/ocserv/files/patch-doc_sample.config ============================================================================== --- head/net/ocserv/files/patch-doc_sample.config Sun Oct 11 08:32:24 2020 (r552034) +++ head/net/ocserv/files/patch-doc_sample.config Sun Oct 11 08:36:34 2020 (r552035) @@ -1,4 +1,4 @@ ---- doc/sample.config.orig 2020-04-09 20:56:20 UTC +--- doc/sample.config.orig 2020-09-20 19:49:01 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used @@ -9,10 +9,10 @@ # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -106,8 +106,8 @@ udp-port = 443 - - # The user the worker processes will be run as. It should be - # unique (no other services run as this user). +@@ -110,8 +110,8 @@ udp-port = 443 + # The user the worker processes will be run as. This should be a dedicated + # unprivileged user (e.g., 'ocserv') and no other services should run as this + # user. -run-as-user = nobody -run-as-group = daemon +run-as-user = _ocserv 
@@ -20,7 +20,7 @@ # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers.
-@@ -176,15 +176,9 @@ ca-cert = ../tests/certs/ca.pem
+@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time.
@@ -33,13 +33,13 @@ -# disabling that option and report the failures you, along with system and debugging -# information at: https://gitlab.com/ocserv/ocserv/issues -isolate-workers = true -+# ocserv 1.0.1 on FreeBSD does not currently support process isolation, ++# ocserv 1.1.1 on FreeBSD does not currently support process isolation, +# because ocserv only supports Linux's seccomp system, but not capsicum(4). +#isolate-workers = false - # A banner to be displayed on clients + # A banner to be displayed on clients after connection #banner = "Welcome"
-@@ -535,15 +529,15 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software.
@@ -58,7 +58,7 @@ # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
-@@ -591,13 +585,13 @@ no-route = 192.168.5.0/255.255.255.0
+@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
Modified: head/net/ocserv/pkg-plist
==============================================================================
--- head/net/ocserv/pkg-plist Sun Oct 11 08:32:24 2020 (r552034)
+++ head/net/ocserv/pkg-plist Sun Oct 11 08:36:34 2020 (r552035)
@@ -6,4 +6,5 @@ man/man8/ocpasswd.8.gz
 man/man8/ocserv.8.gz
 @sample etc/ocserv/ocserv.conf.sample
 sbin/ocserv
+sbin/ocserv-worker
 @dir(%%USERS%%,%%GROUPS%%,750) /var/run/ocserv
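Review bot: The replacement comment in the second patch-doc_sample.config hunk hard-codes the release number, `# ocserv 1.1.1 on FreeBSD does not currently support process isolation,`, and this very commit had to bump it from 1.0.1, so it will go stale again on the next update. Since the stated reason (seccomp-only isolation, no capsicum(4) support) is not tied to a release, dropping the number, `# ocserv on FreeBSD does not currently support process isolation,`, keeps the shipped sample config accurate without a per-update edit. The surrounding hunk is a patch of a patch, so the inner sample.config context extends beyond what is shown here.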