ocserv-0.11.10-bp151.2.14

- add firewalld service

- update version 0.11.10
  * see NEWS
- drop boo1021353-ocserv-doc-racing-in-parallel-build.patch
  * upstreamed
- add ocserv-LZ4_compress_default.patch
  * leap doesn't have LZ4_compress_default

- Use readline (current) instead of readline5:
  + Replace readline5-devel BuildRequires with readline-devel.

- fix boo#1021353: ocserv randomly misbuilds man pages
- add patch: boo1021353-ocserv-doc-racing-in-parallel-build.patch
  * occtl and ocpasswd are both built from args.def, which
    will cause a racing problem in parallel builds that autogen
    write contents randomly. fixed by adding a prefix to make
    them different in filename.

- update version 0.11.6
  * cserv: Improved detection of mobile clients
  * ocserv: Update the worker's ID on Radius accounting messages.
    That is, even if we initially advertize the ID of the worker
    handling the client as NAS-Port, the client may eventually end-up
    being served by another process with different ID. In that case we make
    sure that the radius server is notified on the next accounting message.
    If you are using radius see doc/README.radius.md about NAS-Port, since
    that behavior may cause issues in freeradius installations.
  * ocserv: Added config option 'switch-to-tcp-timeout'. That allows an
    automatic switch to TCP in case of no received UDP traffic for
    certain time
  * ocserv: Pre-load the OCSP response file; that way worker processes can
    serve it, even if they have no access to it.
  * ocserv: When compiled with GnuTLS 3.5.6 automatically set DH
    parameters from the known set.

- update version 0.10.11
  * Corrected the reporting of keepalive to occtl.
  * Handle clients which send the first request to /VPN
  * Prevent a crash in per-user config dir is not available if
    expose-iroutes is set to true.
- update license: GPL-2.0
- open ports using ocserv.SuSEfirewall
- enable ip forwarding using ocserv.sysctl

- update version 0.10.10
  * Increase the number of log messages logged in the default level.
    That is added messages that could be of use to administrators.
  * Introduced ipv6-subnet-prefix config option. That option allows
    to specify the IPv6 subnet prefix to be given to client. That is,
    allow providing the clients networks larger than /128. The default
    setting is 128 to keep backwards compatibility.
  * Introduced the expose-iroutes config option. That option allows
    the server to advertise routes offered by some clients to all of
    them. This requires the config-per-user option.
  * When a client has assigned iroutes which cannot be applied, he
    will be denied access.
  * Added restrict-user-to-routes configuration option which will
    execute ocserv-fw script on user connection. The script will
    set firewall rules which deny the user access to any other
    networks than the routes set for the user. This is added as a
    tech preview; details of this option may change on later releases.
  * When banning IPv6 addresses treat a /64 network as a single address.
  * Fixed conflict with isolate-workers and user-profile.
  * occtl: Allow disabling the pager functionality on compile time
    using --with-pager="".

- update version 0.10.9
  * When compiled with GnuTLS 3.4 automatically sort the certificate
    list to be imported
  * Reload the CRL during periodic maintaince if its modification
    time changes
  * Address issue with duplicate check failing on IPv6 addresses
  * Added the ability to specify a UsersFile in plain auth for using
    an OTP
    This allows to use an OTP 2nd factor authentication without having
    to rely on PAM. This change, also enables the usage of an empty
    password field in the password file if an OTP file is present
  * Allow loading DER-encoded CRLs
  * Re-added the PAM accounting method. That accounting method can
    be combined with any authentication method, and can be used to
    check for a valid system account
- changes in 0.10.8
  * Pass the proxy protocol information at earlier stage to main
    process, to allow the correct information to be passed at the
    connect script and occtl
  * Added the IP_REAL_LOCAL environment variable to scripts. This
    passes the local IP the client connected to
  * The PAM accounting method was dropped as there was no practical
    usage of it, the way it was implemented
  * When assigning IPv6 addresses use the whole available netmask
  * occtl: Print the local IP the client connected to, with the
    client information
  * occtl: Print the configured for the client split-dns domains
- changes in 0.10.7
  * Added a fuzzying factor to CPU intensive, or radius communication
    tasks when initiated by worker process. That avoids a very
    high load periodically, e.g., when multiple clients connect
    at the same time
  * Added support for haproxy's protocol v2 format. That allows
    to report the correct client IP even on proxied sessions.
    It introduces the configuration option listen-proxy-proto
  * occtl: added -n/--no-pager option. That allows to disable
    pager explicitly
  * occtl: fixed several cases of invalid JSON output
- changes in 0.10.6
  * Transmit packets to the last incoming source, allowing faster
    switch of the communication channel
  * The worker processes will utilize the UDP socket address
    (if any), when reporting peer's address if the listen-clear-file
    option is set
  * Lifted the limit on the number of configuration options. That
    allows to add an "unlimited" number of 'route' options
  * Support encrypted key files. That adds the key-pin and srk-pin
    configuration options
  * The dbus communication option has been dropped
  * Radius: depend on radcli radius library
  * occtl: added -j/--json option. That allows to output in a
    JSON format

- set isolated-workers to false since we didn't build w/ seccomp yet
- change systemd socket ports as well

- update version 0.10.5
  * Added tgt-freshness-time option for gssapi/Kerberos authentication
    option. That allows to specify the maximum number of seconds after
    which a reauthentication with Kerberos is required to login to VPN.
  * main/sec-mod: impose long timeouts on reads from sec-mod. That
    would prevent issues when reading in a blocked in authentication
    sec-mod.
  * radius: When using radius accounting with certificate
    authentication, properly notify of user session termination.
  * radius: On definitely terminated sessions contact the radius server
    as soon as possible. For sessions that can still be resumed the
    radius server is contacted periodically after the cookies expire.
  * radius: consider Acct-Interim-Interval when seen by the server.
    That will be taken into account if groupconfig=true in radius
    subconfig.
  * Added configuration options persistent-cookies and session-timeout.
  * radius: added support for Route-IPv6-Information,
    Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address,
    Session-Timeout.
  * Corrected desync of main and sec-mod by introducing a synchronous
    communication socket. Reported by Mani Behrouz.
  * PAM: forward the actual prompt to worker process, and not only
    informational messages.
- drop ocserv-str_init.patch, upstream fixed.

- add user.tmpl, for certificate login
- tweak default config more
- add README.SUSE as setup instructions

- initial version 0.9.0.1
  * Added native support for radius. That adds the new auth
    configuration option "radius", which has as parameters
    the freeradius-client configuration file and optionally
    the groupconfig option which instructs to read
    configuration from radius; the stats-report-time option
    enables interim-updates. That adds the dependency to
    freeradius-client (see doc/README.radius).
  * Reply using the same address that received UDP packets
    are sent.
  * Simplify the input of IPv6 network addresses.
  * Use a separate IPC and PID namespace in Linux systems
    for worker processes. That effectively puts each worker
    process in a separate container. This can be enabled at
    compile time using --enable-linux-namespaces.
  * Configuration option 'use-seccomp' was replaced by
    'isolate-workers', which in addition to seccomp it enables
    the Linux namespaces restrictions.
  * Added support for stateless compression using LZ4 and LZS.
    This is disabled by default.
- disable dbus interface because currently it provides less
  function than unix socket
- add patch: ocserv-str_init.patch
- add patch: ocserv-enable-systemd.patch
- add patch: ocserv.config.patch