
openconnect: T4982: Support defining minimum TLS version in openconnect VPN (backport #3371) #3377

Merged 1 commit from mergify/bp/sagitta/pr-3371 into sagitta on Apr 30, 2024

Conversation

mergify[bot] (Contributor) commented Apr 30, 2024

Change Summary

Allow configuration of the minimum acceptable TLS version for openconnect VPN.
Default is set to TLSv1.2 to ensure the out-of-box/unconfigured option is not insecure.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T4982

Related PR(s)

Component(s) name

vpn -> openconnect

Proposed changes

How to test

  1. Create an openconnect VPN configuration:

```
set vpn openconnect authentication local-users username example password 'test'
set vpn openconnect authentication mode local 'password'
set vpn openconnect network-settings client-ip-settings subnet '192.168.1.1/30'
set vpn openconnect network-settings name-server '192.168.1.254'
set vpn openconnect ssl ca-certificate 'test-ca'
set vpn openconnect ssl certificate 'test-certificate'
set vpn openconnect tls-version-min 1.2
```

  2. Validate in the rendered configuration file that the minimum TLS version has been set correctly:

```
vyos@vyos:~$ cat /var/run/ocserv/ocserv.conf | grep "tls-priorities"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
```

Smoketest result

```
vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_openconnect.py
test_ocserv (__main__.TestVPNOpenConnect.test_ocserv) ...
SSL missing on OpenConnect config!

ok

----------------------------------------------------------------------
Ran 1 test in 8.705s

OK
```

Checklist:
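The test procedure above shows how `tls-version-min 1.2` ends up as `-VERS-TLS1.0:-VERS-TLS1.1` appended to ocserv's GnuTLS priority string. The following is an added example, not VyOS's own template or code: it reproduces that mapping for every TLS version (the base priority string and the 1.2 result are taken from the PR description; the rule for other versions is an assumption based on GnuTLS's `-VERS-TLS1.x` exclusion syntax) and parses a rendered `ocserv.conf` excerpt to verify which minimum version is actually in force.

```python
"""Added example (not VyOS code): derive ocserv `tls-priorities` from an
openconnect `tls-version-min` value and audit a rendered config for it."""
import re

# Base string as rendered in the PR description; SSL 3.0 is always excluded.
BASE_PRIORITY = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# Ordered from oldest to newest; the index gives the ordering.
TLS_VERSIONS = ["1.0", "1.1", "1.2", "1.3"]


def tls_priorities(min_version: str) -> str:
    """Return the GnuTLS priority string that disables every TLS version
    below `min_version`. Assumption: VyOS appends one `-VERS-TLSx.y`
    keyword per excluded version, as seen for 1.2 on the PR page."""
    if min_version not in TLS_VERSIONS:
        raise ValueError(f"unsupported tls-version-min: {min_version}")
    cutoff = TLS_VERSIONS.index(min_version)
    excluded = [f"-VERS-TLS{v}" for v in TLS_VERSIONS[:cutoff]]
    return ":".join([BASE_PRIORITY, *excluded])


def effective_min_version(ocserv_conf: str) -> str:
    """Parse ocserv.conf text and return the lowest TLS version that the
    tls-priorities line still allows (1.0 if nothing is excluded)."""
    m = re.search(r'^\s*tls-priorities\s*=\s*"([^"]*)"', ocserv_conf, re.M)
    if not m:
        raise ValueError("tls-priorities not set; ocserv defaults would apply")
    disabled = set(re.findall(r"-VERS-TLS(\d\.\d)", m.group(1)))
    for v in TLS_VERSIONS:
        if v not in disabled:
            return v
    raise ValueError("every TLS version is disabled; no client could connect")


def meets_minimum(ocserv_conf: str, required: str) -> bool:
    """True if the rendered config enforces at least `required`."""
    return TLS_VERSIONS.index(effective_min_version(ocserv_conf)) >= TLS_VERSIONS.index(required)


# Constructed excerpt of /var/run/ocserv/ocserv.conf, copied from the
# `grep "tls-priorities"` output in the PR's test steps.
SAMPLE_CONF = """# constructed ocserv.conf excerpt
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
"""

if __name__ == "__main__":
    for v in TLS_VERSIONS:
        print(f"tls-version-min {v} -> {tls_priorities(v)}")
    print("rendered config enforces TLS >=", effective_min_version(SAMPLE_CONF))
```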

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team April 30, 2024 06:30
@github-actions github-actions bot added the sagitta VyOS 1.4 LTS label Apr 30, 2024
@c-po c-po merged commit 982221b into sagitta Apr 30, 2024
5 checks passed
@mergify mergify bot deleted the mergify/bp/sagitta/pr-3371 branch April 30, 2024 19:03