This also moves some of the responsibility from ClientProto to
OpenVPNClient. This plays better with the EPKI implementation and also
does not break the idea of the current certcheck implementation as we now
just give the certcheck in client protocol a preconfigured SSL Config instead
of all the certificates individually.

The AppControl feature provides an internal communications channel that
is described in detail in the relevant commits that implement it. This
change adds two intrinsic app control 'protocols' to the list of
supported handlers in the client. The new protocols are:
- cxa1: This is a request for the client to begin a TLS handshake via
the app control channel.
- cck1: This is the protocol that allows the exchange of the requested
TLS handshake data.
The 'cxa1' handler parses the request and initiates the handshake from
the client. This handshake is exchanged via the 'cck1' protocol and
serves to prove to the server that the client has access to the required
private key.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>

This adds a way to signal that webauth needs to be used when a client
erroneously uses REST to try to download a profile.
Signed-off-by: Arne Schwabe <arne@openvpn.net>

1. Added specific details on DATA_V2/peer-id/float support.
2. For AEAD mode, emphasized that the leading 8 bytes (4 bytes for
DATA_V2/peer-id and 4 for packet ID) are all included in the AD.
3. Added specific details on protocol negotiation where the client
indicates protocol extension availability with IV_x parameters
in the peer info string, and the server responds by pushing
directives to the client to enable the feature.
4. Added "TCP nonlinear mode" section, a new protocol extension
that is needed by multithreaded TCP servers.