(Sorry, I stopped watching this list for a bit)

On Tue, Dec 13, 2016 at 3:59 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> I was planning to break down my changes into two parts to make them
>> easier to review. First, add *SSL-only* support for GP. This is a
>> pretty self-contained change, requiring only two small patches to the
>> rest of the OpenConnect code to work correctly:
>>
>> - Handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24:
>>   http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004039.html
>>
>> - Unset got_cancel_cmd after reacting to it, as is already done for
>>   got_pause_cmd:
>>   http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004038.html
>
> I've merged these and they'll be in the 7.08 release, which I'm working
> on right now and hoping to push out today unless anything explodes.

Great!

> I'm slightly reticent about merging new protocols but I think it makes
> sense, and your submissions so far have reassured me that you'll do a
> good job of maintaining it.
>
> However, I think I do need to lumber you with an additional hurdle
> before we merge your new protocol after 7.08 - let's add a new API to
> check whether libopenconnect supports a given protocol, or to enumerate
> the protocols it supports. Currently it's just a hard-coded "if it's
> 7.05 or newer, it supports Juniper too", and I don't think we want that
> to continue. Let's do something explicit instead, and things like
> NetworkManager-openconnect can base their decisions on that.

For the protocol enumeration API, should the enumeration function
*just* return a linked list of protocol names ({"anyconnect","nc","gp"})
or will it need to return something more complex with hints about
possible authentication schemes, etc.?

Since all three of the current protocols use HTTPS for authentication
and HTTPS or <something UDP based> for the transport, I think a plain
list should suffice... but I'm not that familiar with the more exotic
authentication possibilities for Juniper and may be overlooking
something.

We had also discussed the possibility of "--protocol=autodetect" or
something to that effect. Is that still something you'd want to have
ready in order for a merge? I do not currently have access to any
Juniper VPN, so I might have trouble testing it thoroughly.

Thanks,
Dan
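
The first of the two merged patches mentioned above accepts a server-supplied IPv4 route in either 10.1.2.0/255.255.255.0 or 10.1.2.0/24 form. The following is an added example, not part of this message and not OpenConnect's code, of parsing both forms while rejecting non-contiguous netmasks and out-of-range prefix lengths; the function name parse_ipv4_route and the sample routes in main() are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: parse "addr/prefixlen" or "addr/dotted-netmask".
 * On success stores the masked network address (host byte order) and the
 * prefix length and returns 0; returns -1 on malformed input. */
int parse_ipv4_route(const char *s, uint32_t *net, int *prefix)
{
    char buf[40];
    struct in_addr a, m;
    uint32_t mask;
    const char *slash = strchr(s, '/');
    size_t alen = slash ? (size_t)(slash - s) : 0;

    if (alen == 0 || alen >= sizeof(buf))
        return -1;
    memcpy(buf, s, alen);
    buf[alen] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;

    const char *rhs = slash + 1;
    if (strchr(rhs, '.')) {
        /* Dotted form: the mask must be ones followed only by zeros. */
        if (inet_pton(AF_INET, rhs, &m) != 1)
            return -1;
        mask = ntohl(m.s_addr);
        uint32_t inv = ~mask;
        if (inv & (inv + 1))            /* rejects e.g. 255.0.255.0 */
            return -1;
        *prefix = 0;
        for (uint32_t t = mask; t; t <<= 1)
            (*prefix)++;
    } else {
        /* Prefix-length form: decimal digits only, range 0..32. */
        char *end;
        if (*rhs < '0' || *rhs > '9')
            return -1;
        long p = strtol(rhs, &end, 10);
        if (*end != '\0' || p > 32)
            return -1;
        *prefix = (int)p;
        mask = p ? 0xFFFFFFFFu << (32 - p) : 0;
    }
    *net = ntohl(a.s_addr) & mask;      /* drop any stray host bits */
    return 0;
}

int main(void)
{
    /* Constructed sample routes, not taken from a real VPN gateway. */
    const char *r[] = { "10.1.2.0/255.255.255.0", "10.1.2.0/24", "10.1.2.0/255.0.255.0" };
    for (int i = 0; i < 3; i++) {
        uint32_t n; int p;
        printf("%s -> %s\n", r[i], parse_ipv4_route(r[i], &n, &p) ? "rejected" : "ok");
    }
    return 0;
}
```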