Bug 202253

Summary: [NEW PORT] net/ocserv: server implementing the AnyConnect SSL VPN protocol
Product: Ports & Packages
Reporter: Carlos J Puga Medina <cjpm>
Component: Individual Port(s)
Assignee: Kurt Jaeger <pi>
Status: Closed FIXED
Severity: Affects Only Me
CC: pi
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments (description, flags):
  ocserv.shar (none)
  port (none)
  ocserv.shar (none)
  ocserv.shar (none)
  next-try (none)

Description Carlos J Puga Medina 2015-08-11 21:09:49 UTC
Created attachment 159781 [details]
ocserv.shar

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a
secure, small, fast and configurable VPN server. It implements the OpenConnect
SSL VPN protocol, and has also (currently experimental) compatibility with
clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol
provides a dual TCP/UDP VPN channel, and uses the standard IETF security
protocols to secure it. Both IPv4 and IPv6 are supported.

Ocserv's main features are security through privilege separation and
sandboxing, accounting, and resilience due to a combined use of TCP and UDP.
Authentication occurs in an isolated security module process, and each user is
assigned an unprivileged worker process and a networking (tun) device. That
not only eases the control of the resources of each user or group of users,
but also prevents data leaks (e.g., heartbleed-style attacks) and privilege
escalation due to any bug in the VPN handling (worker) process. A management
interface allows for viewing and querying logged-in users.

WWW: http://www.infradead.org/ocserv/
Comment 1 Carlos J Puga Medina 2015-08-11 23:18:13 UTC
I noticed that enabling the GSSAPI backend (needs the krb5 port) gives problems when generating the ocserv binary.

% ocserv
Undefined symbol "gss_mech_krb5" referenced from COPY relocation in /usr/local/sbin/ocserv

Trying to figure out how to fix this issue.
Comment 2 Carlos J Puga Medina 2015-08-11 23:30:17 UTC
According to the following message [0], the krb5 port causes this behaviour when using USE_OPENSSL=yes instead of OpenSSL from ports.

[0] https://lists.freebsd.org/pipermail/freebsd-ports-bugs/2008-November/153052.html
Comment 3 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-12 05:44:10 UTC
Testing@work
Comment 4 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-12 05:55:36 UTC
build-tests are fine on cur 93a 10x 10i. Needs a startup-script.
Comment 5 Carlos J Puga Medina 2015-08-12 16:58:21 UTC
(In reply to Kurt Jaeger from comment #4)

I fixed the ocserv port with the GSSAPI option enabled. I will add a new shar file including the rc script as well.
Comment 6 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-15 18:40:09 UTC
Created attachment 159906 [details]
port

New version with improved sample config and stuff.

TODO: fix the man page
Comment 7 Carlos J Puga Medina 2015-08-15 19:02:17 UTC
(In reply to Kurt Jaeger from comment #6)

Perfect! Regarding the man pages issue, for me they are displayed properly formatted. Can you provide more info?
Comment 8 Carlos J Puga Medina 2015-08-15 19:34:20 UTC
Created attachment 159907 [details]
ocserv.shar
Comment 9 Carlos J Puga Medina 2015-08-15 19:43:55 UTC
(In reply to Carlos J Puga Medina from comment #8)

I've added patch-configure.ac with your improvements.
Comment 10 Carlos J Puga Medina 2015-08-15 21:34:33 UTC
Created attachment 159908 [details]
ocserv.shar

Fix ocserv man pages
Comment 11 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-16 08:12:57 UTC
Pending info from ulrich/ingo about autogen-generated man pages and mandoc.
Comment 12 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-16 21:11:26 UTC
Created attachment 159934 [details]
next-try

This version also has working man pages. TODO: build-test.
Comment 13 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-16 21:34:44 UTC
Test-builds done on 11a, 10.2a, 9.3a, 10.2i.

See http://people.freebsd.org/~pi/logs/net__ocserv*
Comment 14 commit-hook freebsd_committer freebsd_triage 2015-08-16 21:48:41 UTC
A commit references this bug:

Author: pi
Date: Sun Aug 16 21:48:21 UTC 2015
New revision: 394422
URL: https://svnweb.freebsd.org/changeset/ports/394422

Log:
  New port: net/ocserv: server implementing the AnyConnect SSL VPN protocol

  OpenConnect server (ocserv) is an SSL VPN server. Its purpose is
  to be a secure, small, fast and configurable VPN server. It implements
  the OpenConnect SSL VPN protocol, and has also (currently experimental)
  compatibility with clients using the AnyConnect SSL VPN protocol.
  The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
  uses the standard IETF security protocols to secure it. Both IPv4
  and IPv6 are supported.

  Ocserv's main features are security through privilege separation
  and sandboxing, accounting, and resilience due to a combined use
  of TCP and UDP.  Authentication occurs in an isolated security
  module process, and each user is assigned an unprivileged worker
  process, and a networking (tun) device. That not only eases the
  control of the resources of each user or group of users, but also
  prevents data leak (e.g., heartbleed-style attacks), and privilege
  escalation due to any bug on the VPN handling (worker) process. A
  management interface allows for viewing and querying logged-in
  users.

  WWW: http://www.infradead.org/ocserv/

  PR:		202253
  Submitted by:	Carlos Jacobo Puga Medina <cpm@fbsd.es>
  Reviewed by:	pi

Changes:
  head/GIDs
  head/UIDs
  head/net/Makefile
  head/net/ocserv/
  head/net/ocserv/Makefile
  head/net/ocserv/distinfo
  head/net/ocserv/files/
  head/net/ocserv/files/ocserv.conf
  head/net/ocserv/files/ocserv.in
  head/net/ocserv/files/patch-configure.ac
  head/net/ocserv/files/patch-doc_Makefile.am
  head/net/ocserv/files/patch-src_config.c
  head/net/ocserv/files/patch-src_main-ctl-unix.c
  head/net/ocserv/files/patch-src_main.c
  head/net/ocserv/files/patch-src_ocserv-args.def
  head/net/ocserv/pkg-descr
  head/net/ocserv/pkg-plist
Comment 15 Kurt Jaeger freebsd_committer freebsd_triage 2015-08-16 21:49:18 UTC
Finally 8-) Thank you very much! Committed!