cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update ocserv's DESCR, mostly borrowed from the website - better information

Browse Source 
about the isolated security process and per-user unprivileged worker processes.
This commit is contained in:
sthen 2015-07-03 10:16:31 +00:00
parent 5ba536cb4f
commit 134ce96a0e
2 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/ocserv/Makefile
View File

@ -1,8 +1,9 @@
# $OpenBSD: Makefile,v 1.5 2015/07/02 20:50:21 sthen Exp $
# $OpenBSD: Makefile,v 1.6 2015/07/03 10:16:31 sthen Exp $
COMMENT= server implementing the AnyConnect SSL VPN protocol
DISTNAME= ocserv-0.10.6
REVISION= 0
EXTRACT_SUFX= .tar.xz
CATEGORIES= net

23
net/ocserv/pkg/DESCR
View File

@ -1,10 +1,15 @@
OpenConnect VPN server (or ocserv) implements the AnyConnect SSL VPN
protocol and is compatible with the OpenConnect VPN client. Its purpose
is to be a small, secure and configurable VPN server that depends on
standard protocols like TLS 1.2, and Datagram TLS. The AnyConnect
SSL VPN protocol was the closest protocol to match this requirement.
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a
secure, small, fast and configurable VPN server. It implements the OpenConnect
SSL VPN protocol, and has also (currently experimental) compatibility with
clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol
provides a dual TCP/UDP VPN channel, and uses the standard IETF security
protocols to secure it. Both IPv4 and IPv6 are supported.
The VPN users can be authenticated using password, certificate
authentication or both methods. Authenticated users are assigned their
own unprivileged worker process and obtain a networking (tun) device
and IP from a configurable pool of addresses.
Ocserv's main features are security through privilege separation and
sandboxing, accounting, and resilience due to a combined use of TCP and UDP.
Authentication occurs in an isolated security module process, and each user is
assigned an unprivileged worker process, and a networking (tun) device. That
not only eases the control of the resources of each user or group of users,
but also prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process. A management
interface allows for viewing and querying logged-in users.