openconnect: T4982: Support defining minimum TLS version in openconnect VPN
Embezzle committed Apr 28, 2024
1 parent aa15f74 commit a2c8293
Showing 3 changed files with 47 additions and 0 deletions.
8 changes: 8 additions & 0 deletions data/templates/ocserv/ocserv_config.j2
Expand Up @@ -61,7 +61,15 @@ keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 30
{% if tls_version_min == '1.0' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
{% elif tls_version_min == '1.1' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0"
{% elif tls_version_min == '1.2' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
{% elif tls_version_min == '1.3' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
{% endif %}
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
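Review bot: The `if`/`elif` chain at the top of the hunk has no `{% else %}`, so any value of `tls_version_min` that matches none of the four string literals emits no `tls-priorities` line at all, and ocserv presumably falls back to its built-in priority string rather than the configured minimum; the fallback should be the 1.2 string (the CLI default) so the rendered file stays fail-closed. The `1.3` branch also never enables TLS 1.3 explicitly and relies on `NORMAL` already containing `VERS-TLS1.3`, which presumably only holds on a GnuTLS build with TLS 1.3 support — on an older build that string leaves no negotiable version, so a template comment such as `{# TLS 1.3 is not enabled explicitly: NORMAL must include VERS-TLS1.3 on the target GnuTLS #}` would record the assumption. Since the four strings differ only in the trailing `-VERS-TLS1.x` tokens, deriving them from one base string makes the unknown-value case default to the 1.2 behaviour and turns a future change to the shared prefix (for example dropping `%COMPAT`) into a one-line edit.
```jinja
{# Shared prefix; each higher minimum only removes the versions below it.
   An unexpected value ends up with the 1.2 string, matching the CLI default. #}
{% set tls_prio = 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128' %}
{% if tls_version_min != '1.0' %}{% set tls_prio = tls_prio ~ ':-VERS-TLS1.0' %}{% endif %}
{% if tls_version_min not in ['1.0', '1.1'] %}{% set tls_prio = tls_prio ~ ':-VERS-TLS1.1' %}{% endif %}
{% if tls_version_min == '1.3' %}{% set tls_prio = tls_prio ~ ':-VERS-TLS1.2' %}{% endif %}
tls-priorities = "{{ tls_prio }}"
```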
28 changes: 28 additions & 0 deletions interface-definitions/vpn_openconnect.xml.in
Expand Up @@ -266,6 +266,34 @@
<valueless/>
</properties>
</leafNode>
<leafNode name="tls-version-min">
<properties>
<help>Specify the minimum required TLS version</help>
<completionHelp>
<list>1.0 1.1 1.2 1.3</list>
</completionHelp>
<valueHelp>
<format>1.0</format>
<description>TLS v1.0</description>
</valueHelp>
<valueHelp>
<format>1.1</format>
<description>TLS v1.1</description>
</valueHelp>
<valueHelp>
<format>1.2</format>
<description>TLS v1.2</description>
</valueHelp>
<valueHelp>
<format>1.3</format>
<description>TLS v1.3</description>
</valueHelp>
<constraint>
<regex>(1.0|1.1|1.2|1.3)</regex>
</constraint>
</properties>
<defaultValue>1.2</defaultValue>
</leafNode>
<node name="ssl">
<properties>
<help>SSL Certificate, SSL Key and CA</help>
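Review bot: The constraint `<regex>(1.0|1.1|1.2|1.3)</regex>` leaves the dots unescaped, so `.` matches any character and values such as `1x2` or `1-3` pass validation; none of them equals a literal the template compares against, so (as far as the template hunk shows) the rendered ocserv config would then carry no `tls-priorities` line at all instead of the requested minimum. Escape the separator, `<regex>1\.[0-3]</regex>`, which also keeps the list in one place when a version is added. The `<help>` text and the 1.0/1.1 `<description>` entries should also state that those versions are deprecated (RFC 8996), e.g. `<description>TLS v1.0 (deprecated, RFC 8996)</description>`, so an operator selecting them does so knowingly. The enclosing `<node>` for this leaf starts and ends outside the hunk.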
11 changes: 11 additions & 0 deletions smoketest/scripts/cli/test_vpn_openconnect.py
Expand Up @@ -210,6 +210,9 @@ def test_ocserv(self):
# Verify configuration
daemon_config = read_file(config_file)

# Verify TLS string (with default setting)
self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"', daemon_config)

# authentication mode local password-otp
self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config)
self.assertIn(f'listen-host = {listen_ip_no_cidr}', daemon_config)
Expand Down Expand Up @@ -253,5 +256,13 @@ def test_ocserv(self):
self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)

# Set TLS version to the highest security (v1.3 min)
self.cli_set(base_path + ['tls-version-min', '1.3'])
self.cli_commit()

# Verify TLS string
daemon_config = read_file(config_file)
self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"', daemon_config)

if __name__ == '__main__':
unittest.main(verbosity=2)
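Review bot: Only the default (1.2) and the 1.3 rendering are asserted; the `1.0` and `1.1` branches of the template and the rejection of an out-of-range value are never exercised, so a typo in one of the other two priority strings would ship unnoticed. Driving the check from a mapping of version to the expected `-VERS-TLS1.x` suffix covers all four values and lets the test also assert that exactly one `tls-priorities =` line survives each re-render. If `ConfigSessionError` is available in this file, a `with self.assertRaises(ConfigSessionError): self.cli_set(base_path + ['tls-version-min', '1.4'])` would pin the constraint as well. `test_ocserv` starts outside the hunk.
```python
        # Every selectable minimum and the versions it must disable below it.
        tls_min_versions = {
            '1.0': '',
            '1.1': ':-VERS-TLS1.0',
            '1.2': ':-VERS-TLS1.0:-VERS-TLS1.1',
            '1.3': ':-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2',
        }
        for version, disabled in tls_min_versions.items():
            self.cli_set(base_path + ['tls-version-min', version])
            self.cli_commit()
            daemon_config = read_file(config_file)
            self.assertIn(f'tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128{disabled}"', daemon_config)
            # a stale priority line from the previous commit must not survive
            self.assertEqual(daemon_config.count('tls-priorities ='), 1)
```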
