- Hardened IPC message validation between worker, main, and sec-mod
processes: added missing upper-bound checks on message lengths and
buffer sizes, and NULL guards on optional protobuf fields (defense-in-depth).
- Limited HTTP request body size to 256 KB to prevent unauthenticated
clients from exhausting worker process memory.
- Fixed proxy protocol v2 client certificate CN never being
extracted.
- Added VIRTUAL HOSTS and CONFIGURATION sections to ocserv(8) man page;
documented options scope.
- Setting a global-only option inside a [vhost:] section is now a hard
configuration error (previously it was ignored). Options are
annotated with their scope in doc/sample.config; see ocserv(8) for a
description of the configuration scope.
- radius: added group-separator option to auth configuration, allowing
the separator used in OU= Class attributes to be set to semicolon
(default) or comma, to support FreeRADIUS deployments (#428)
- The bundled llhttp was updated to 9.3.1.
- occtl: Added terminate user, terminate id, and terminate session
commands that disconnect users and invalidate their session cookies,
preventing automatic reconnection (#689)
- Replaced autoconf/automake build system with meson (#699)
- Added nftables-based ocserv-fw; requires ipcalc-ng/ipcalc (#397)
- No longer need to duplicate global options in virtual hosts (#698)
- Timestamps in IPC messages extended to 64-bit for future date support
- Fixed a bug where a correct password was rejected after a wrong password
attempt in the same session (#323)
- Aligned the default values for dpd and mobile-dpd options with
the values present in the default configuration (#680)
- Aligned default values for keepalive, rekey-time, cookie-timeout,
auth-timeout, ban-reset-time, max-ban-score, and
switch-to-tcp-timeout with the values documented in sample.config
- The no-udp option can now be used to disable DTLS for specific vhosts.
Previously it was only available in per-user or per-group config.
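The kind of bounds and NULL checks the first item describes for IPC messages, as an added example in C that is not ocserv's own code: the frame layout, the field names and the limits IPC_MAX_MSG_LEN and IPC_MAX_NAME_LEN are constructed for illustration, not ocserv's wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not ocserv's wire format: a little-endian
 * length-prefixed IPC frame [type:2][len:2][body:len] whose body may carry
 * an optional name field [nlen:1][name:nlen] (nlen == 0 means absent). */
#define IPC_HDR_LEN       4u
#define IPC_MAX_MSG_LEN   4096u  /* assumed upper bound on a body */
#define IPC_MAX_NAME_LEN  64u    /* assumed upper bound on the optional field */

struct ipc_msg {
    unsigned type;
    const uint8_t *body;
    size_t body_len;
    const char *name;     /* NULL when the optional field is absent */
    size_t name_len;
};

static unsigned le16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Returns 0 on success, -1 on any violation. Each length is checked against
 * a fixed upper bound and against the bytes actually received before use. */
int ipc_parse(const uint8_t *buf, size_t recvd, struct ipc_msg *out)
{
    if (buf == NULL || out == NULL || recvd < IPC_HDR_LEN)
        return -1;
    unsigned len = le16(buf + 2);
    if (len > IPC_MAX_MSG_LEN || len > recvd - IPC_HDR_LEN)
        return -1;                        /* claims more than bound or receive */
    memset(out, 0, sizeof(*out));
    out->type = le16(buf);
    out->body = buf + IPC_HDR_LEN;
    out->body_len = len;
    if (len == 0)
        return 0;                         /* no body, hence no optional field */
    size_t nlen = out->body[0];
    if (nlen == 0)
        return 0;                         /* field absent: name stays NULL */
    if (nlen > IPC_MAX_NAME_LEN || nlen > len - 1)
        return -1;                        /* field claims more than the body holds */
    out->name = (const char *)out->body + 1;
    out->name_len = nlen;
    return 0;
}

/* Consumer side: NULL guard before dereferencing the optional field. */
size_t ipc_name_len(const struct ipc_msg *m)
{
    return m->name == NULL ? 0 : m->name_len;
}
```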