GnuTLS from 3.6.3 to 3.6.12 sends DTLS ClientHello with all zeroes in the client random. This slightly unplanned release of OpenConnect blacklists those versions for DTLS. Upgrade to GnuTLS 3.6.13 ASAP.

Some other stuff made it in before the release, including RFC6750 Bearer token support, support for a custom stoken file, and various other fixes. Other patches are being worked on and missed the boat; I'll probably do another release relatively soon.

ftp://ftp.infradead.org/pub/openconnect/openconnect-8.06.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-8.06.tar.gz.asc

Alan Jowett (1):
      Add support to OpenConnect client to use RFC6750 style Bearer tokens to authenticate to the server.

Corey Wright (6):
      GlobalProtect: Refactor HIP functionality into separate function
      Add framework to execute trojan periodically
      GlobalProtect: Add HIP check timeout separate from (re)connecting
      Allow user of application or API to override trojan interval
      GlobalProtect: Allow overriding trojan interval
      GlobalProtect: Ensure timeout is less than DPD when DTLS connecting

Daniel Lenski (57):
      Set correct mimetype and charset for XML post
      GlobalProtect login bugfix: reversed condition where portal form should be retried on gateway
      GlobalProtect: try to connect to portal interface before gateway
      explain GlobalProtect portals vs. gateways in the docs
      Fix double-free when client repeatedly fails to pull GlobalProtect client config
      another GP error string that tells the client to stop trying to reconnect
      clarify in manual how to use --cafile with --no-system-trust (ping issue #80)
      Try harder to explain unknown values in GP /ssl-vpn/login.esp response
      pass IDLE_TIMEOUT to configuration script
      don't show SAML login details in banner when alt-secret was specified (implying SAML login already done)
      log message should distinguish when SAML authentication is needed, vs. SAML authentication complete
      Don't show SAML details in banner, and don't show SAML "path" when it's actually a complete HTML page
      more possible login.esp arguments
      periodic HIP checking works fine with HTTPS tunnel as long as we pause-and-reconnect the tunnel
      simplify
      move dtls_state checks into gpst_connect() itself, to avoid repetition
      HIP timing nitpicks
      nitpick docs: --force-trojan option placement and description
      don't tell Windows/Java users to use --csd-wrapper since it doesn't work yet
      cleanup parse_portal_xml()
      fewer hardcoded constants, fewer problems
      Always openconnect_close_https() before intermittent HIP check
      Add undocumented --gnutls-priority command line option
      fail if GP portal config contains no gateways (rather than simply attempting to continue with same server)
      Merge branch 'improve_HIP_check'
      Merge branch 'gitlab/more_careful_highlighting_of_unknown_GP_login_return_values'
      Merge branch 'less_confusing_GP_SAML_output'
      Merge 'gitlab/pass_IDLE_TIMEOUT_to_script'
      add long-sought README.md
      couple other touch-ups to the docs
      show exact GnuTLS/OpenSSL version in --version/--help text
      allow cipher list overrides with OpenSSL as well
      log ciphersuite on every new HTTPS connection, not just AnyConnect protocol
      include negotiated [D]TLS version in ciphersuite string for OpenSSL (GnuTLS already does this)
      Remove checks for no-longer supported GnuTLS versions
      don't try to describe "DTLS" cipher if protocol's "DTLS" is actually ESP
      add comments on confusing TLS/DTLS cipher description fields
      mention test suite in Getting Started / Building docs
      ignore failure in downloading CSD stub if CSD wrapper is specified
      Merge branch 'origin/ignore_missing_CSD_stub_if_wrapper_specified'
      Don't prevent compilation on GnuTLS <3.5.0, and add comment on OpenSSL/GnuTLS difference
      Merge branch 'github_PR_164'
      use run-time version numbers (per dwmw)
      windows read_stdin should strip either "\r\n" or "\n" as line ending (#113)
      Merge branch 'windows_read_stdin_line_ending'
      Merge branch 'gnutls_priority_override_option'
      missing defines (IPPROTO_ICMP and ICMP_ECHOREPLY) for Windows
      oNCP: explain likely meaning of long-puzzling 'error 0x08'
      add some clarifications about Pulse vs. NC to the documentation
      Merge branch 'origin/explain_server_0x08'
      remove README.TESTS from Makefile.am
      Merge branch 'upstream/master'
      Run Cisco CSD script as child, not daemonized grandchild
      Update changelog.xml
      add Java wrapper function for setTrojanInterval()
      add OC_PROTO_PERIODIC_TROJAN feature flag
      Merge branch 'periodic_Trojan_touch_up'

David Woodhouse (93):
      Explicitly link libtss2-mu for tss2-esys build
      Use localtime_s where available to fix MSYS2 build
      Rework HTTP header fetching to receive into oc_text_buf
      Use GNUTLS_PK_ECC instead of GNUTLS_PK_ECDSA for compatibility
      Merge branch 'fix_issue_78_crash_and_stop_trying_to_reconnect' of gitlab.com:dlenski/openconnect
      Merge branch 'globalprotect_auth' of gitlab.com:dlenski/openconnect
      Fix EPEL builds in COPR
      Update Gitlab CI to include TPM2, GSSAPI and libp11 support
      Add Coverity CI support
      Turn libp11 CI off again
      openssl: Fix error path when loading certificate fails
      openssl: Check for SSL_CTX_use_PrivateKey() failure in PKCS#12
      openssl: Fix certificate load failure harder
      Explicitly check for PKCS#11 token info overrun
      Add Java to Coverity
      Coverity cosmetics
      Clean up GnuTLS token info more
      Fix potential uninitialised data in LZS decompression
      Fix double-free in xmlpost_initial_req()
      Avoid strcpy() in Esys install_tpm_passphrase
      Silence Coverity warning in cancellable_connect()
      Fix error return from process_http_response()
      Fix undefined shift in decode_base32() for invalid input
      oncp: Tear down ESP if receiving new config fails
      cstp: Tweak DTLS header matching
      Fix strerror() calls with negative values
      Check for BYE packet being correctly written in cstp_bye()
      Fix potential leak on error path in xmlpost_initial_req()
      Fix potential leak in XML config handling
      Fix leak of PKCS#11 object ID on URI parse failure
      Fix use-after-free in GPST debug checks
      jni: Consistently check for getctx() failing
      Make free_opt(NULL) work like free(NULL)
      Fix potential NULL dereference in GlobalProtect XML parsing
      Fix potential NULL dereference in GlobalProtect parse_login_xml()
      Fix NULL dereference when checking IP addresses after reconnect
      Fix leak in Juniper parse_input_node()
      Fix leak on error path in Juniper parse_select_node()
      Fix leak on error path in connect_https_socket()
      Fix leaks in Pulse duplicate session handling
      Fix leak on error path in read_stdin()
      Fix potential leak in do_https_request()
      Fix potential leak of saml_path in GlobalProtect parse_prelogin_xml()
      Fix leak on error path in pulse_request_session_kill()
      Try harder to make Coverity shut up about read_file_into_string()
      Clean up openconnect_protos handling
      Silence Coverity warning in oncp_obtain_cookie()
      Always check return value of set_sock_nonblock()
      Silence Coverity warnings about set_fd_cloexec() return values
      Print debug warning if sending ESP probe fails
      Print warning if sending cookie to TNCC script fails
      Check return value from select() in GnuTLS code
      Check select() return value in main loop
      Check select() return value in ssl.c
      Check setsockopt() return value when setting SO_SNDBUF
      Correct handling of empty responses to HTTP requests
      pulse: Be more forgiving about unknown AVP 0xd73 values
      Really pull in tpm2-tss for EPEL8 builds
      pulse: A value of 0xF for AVP 0xd73 means 'prompt for password only'
      Merge branch 'correct_mimetype_and_charset_for_XML_post' of gitlab.com:dlenski/openconnect
      Merge branch 'clarify_cafile_and_no_system_trust' of gitlab.com:dlenski/openconnect
      Fix pulse session kill request
      When select() returns with errno == EINTR, that isn't an error
      Fix build error in select fix
      Update translations from GNOME
      tun-win32: Attempt to open all adapters, don't bail if the first is in use
      Add password change support
      Make win32 search_taps() function work standalone, add debugging
      Add separate list-taps.exe "test"
      Detect closed HTTPS socket when sending requests
      Send Coverity reports to $GITLAB_USER_EMAIL instead of hard-coding it.
      Consolidate almost-identical set_[ht]otp_mode() functions
      Move read_file_into_string() to ssl.c and rename it
      Allow custom stoken rcfile to be specified
      pulse: Attempt to handle EAP-TTLS fragmentation
      Fix potential NULL dereference in openconnect_get_peer_cert_chain()
      Resync translations with sources
      Update translations from GNOME, prioritising GNOME translations
      Update translations from GNOME
      http: Retry request (once) on error receiving response
      pulse: Fix memory leaks in pulse_eap_ttls_send()
      pulse: Fix another error-path leak in pulse_eap_ttls_recv()
      Fix double colon in DTLS12 ciphersuite list
      Add some basic hostscan support to csd-post.sh
      Don't split translated strings with #ifdefs
      Update translations from GNOME
      String fixes
      Fix merge request references in changelog
      Merge branch 'issue99' of gitlab.com:Alan_Jowett/openconnect
      Add changelog for RFC6750 bearer token support
      Disable DTLS for GnuTLS 3.6.3 - 3.6.12
      Resync translations with sources
      Tag version 8.06

John Spencer (1):
      Fix build with libressl 2.7.x/2.9.x

jethrogb (1):
      Always send client cert
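As an added example (not OpenConnect's or GnuTLS's own code), the Python below shows two defender-side checks for the GnuTLS note at the top of this announcement: parsing a DTLS ClientHello record to flag an all-zero client random, and the version-range rule (GnuTLS 3.6.3 through 3.6.12 refused for DTLS) that this release applies. The ClientHello builder is a constructed sample for exercising the parser, and the version check assumes a plain major.minor.patch string.

```python
import struct
from typing import Optional

# DTLS (RFC 6347) framing: 13-byte record header, 12-byte handshake header,
# then the ClientHello body: client_version(2) + random(32) + ...
DTLS_RECORD_HDR = 13
DTLS_HS_HDR = 12
CONTENT_HANDSHAKE = 22
MSG_CLIENT_HELLO = 1
RANDOM_LEN = 32


def client_random_from_dtls_record(rec: bytes) -> Optional[bytes]:
    """Return the 32-byte client random if rec is a DTLS handshake record
    carrying the first fragment of a ClientHello, otherwise None."""
    if len(rec) < DTLS_RECORD_HDR + DTLS_HS_HDR + 2 + RANDOM_LEN:
        return None
    rec_len = struct.unpack("!H", rec[11:13])[0]
    if rec[0] != CONTENT_HANDSHAKE or rec_len > len(rec) - DTLS_RECORD_HDR:
        return None
    hs = rec[DTLS_RECORD_HDR:DTLS_RECORD_HDR + rec_len]
    # handshake header: type(1) len(3) msg_seq(2) frag_offset(3) frag_len(3)
    frag_offset = int.from_bytes(hs[6:9], "big")
    if hs[0] != MSG_CLIENT_HELLO or frag_offset != 0:
        return None  # the random lives in the first fragment only
    body = hs[DTLS_HS_HDR:]
    return body[2:2 + RANDOM_LEN]


def has_zero_client_random(rec: bytes) -> bool:
    """True when the ClientHello carries the all-zero random the note describes."""
    r = client_random_from_dtls_record(rec)
    return r is not None and r == bytes(RANDOM_LEN)


def gnutls_dtls_blacklisted(version: str) -> bool:
    """Mirror the release's rule: refuse DTLS on GnuTLS 3.6.3 through 3.6.12.
    Assumes a plain 'major.minor.patch' version string (assumption, not GnuTLS API)."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return (3, 6, 3) <= v <= (3, 6, 12)


def build_client_hello(random_bytes: bytes) -> bytes:
    """Constructed sample: a minimal DTLS 1.2 ClientHello in one record, with
    an empty session id and cookie and a single cipher suite."""
    body = (b"\xfe\xfd" + random_bytes + b"\x00" + b"\x00"
            + b"\x00\x02\xc0\x2b" + b"\x01\x00")
    hs = (bytes([MSG_CLIENT_HELLO]) + len(body).to_bytes(3, "big")
          + b"\x00\x00" + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body)
    return (bytes([CONTENT_HANDSHAKE]) + b"\xfe\xff" + b"\x00\x00"
            + b"\x00" * 6 + struct.pack("!H", len(hs)) + hs)
```

A capture filter or IDS rule built on has_zero_client_random() would flag clients affected by the GnuTLS bug before they reach a DTLS server.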