adding support for PAN Globalprotect (SSL+ESP) to Openconnect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



(Sorry, I stopped watching this list for a bit)

On Tue, Dec 13, 2016 at 3:59 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> I was planning to break down my changes into two parts to make them
>> easier to review. First, add *SSL-only* support for GP. This is a
>> pretty self-contained change, requiring only two small patches to the
>> rest of the OpenConnect code to work correctly:
>>
>> - Handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24:
>>   http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004039.html
>>
>> - Unset got_cancel_cmd after reacting to it, as is already done for
>> got_pause_cmd:
>>   http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004038.html
>
> I've merged these and they'll be in the 7.08 release, which I'm working
> on right now and hoping to push out today unless anything explodes.

Great!

> I'm slightly reticent about merging new protocols but I think it makes
> sense, and your submissions so far have reassured me that you'll do a
> good job of maintaining it.
>
> However, I think I do need to lumber you with an additional hurdle
> before we merge your new protocol after 7.08 ? let's add a new API to
> check whether libopenconnect supports a given protocol, or to enumerate
> the protocols it supports. Currently it's just a hard-coded "if it's
> 7.05 or newer, it supports Juniper too", and I don't think we want that
> to continue. Let's do something explicit instead, and things like
> NetworkManager-openconnect can base their decisions on that.

For the protocol enumeration API, should the enumeration function
*just* return a linked list of protocol names
({"anyconnect","nc","gp"}) or will it need to return something more
complex with hints about possible authentication schemes, etc.? Since
all three of the current protocols use HTTPS for authentication and
HTTPS or <something UDP based> for the transport, I think a plain list
should suffice? but I'm not that familiar with the more exotic
authentication possibilities for Juniper and may be overlooking
something.

We had also discussed the possibility of "--protocol=autodetect" or
something to that effect. Is that still something you'd want to have
ready in order for a merge? I do not currently have access to any
Juniper VPN, so I might have trouble testing it thoroughly.

Thanks,
Dan



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux