GitLab

Bug reported by Leonhard Knauff.

Closes RADSECPROXY-68.

There's a chance that incoming (legitimate) connections arrive faster
than what it takes to spawn a new thread and get back to
listen(). Therefore we should ask the stack to queue at least one
entry, i.e. use a backlog value of at least 1. There's arguable also a
chance of more than two concurrent incoming connections, which would
make a case for a backlog value greater than one.

A reasonable high value seems to be 128, which also is what SOMAXCONN
is on many unix systems. In the choice between 1 and 128, an argument
against the higher value is that it may mask the potential problem of
spending a long time serving incoming connections.

Being reasonably confident that radsecproxy is efficient when it comes
to serving incoming connections, by handing them off to a newly
spawned thread, I think that 128 is a fine choice.

Closes RADSECPROXY-72.

We might have a bug where bindtoaddr() tries to set V6ONLY on IPv4
sockets. Until that's been resolved, don't alarm users on debug level
'warning'.

Have connectnonblocking() warn and fail if setting O_NONBLOCK fails.
Have it warn if restoring of flags fail.

coverity: 1449515

coverity: 1449517

coverity: 1449518

buf2radmsg() is never called with rqauth != NULL and secret == NULL
but let's protect against future callers.

coverity: 1449519

coverity: 1449508, 1449522.

coverity: 1450948

coverity: 1450949

coverity: 1449514

Going to errexit doesn't free resconf as that commit claims. It does
free conf though, which is good.

coverity: 1449524

coverity: 1449504

coverity: 1449503

Conflicts:
	ChangeLog

This was potentially making things worse.

The dynamiclookupcommand member of the _config_ of the server is being
set to NULL when it's copied in confserver_cb(), resulting in dynamic
discovery being done for realms that already have a server.

Patch from Fabian Mauchle.

Addresses RADSECPROXY-69.

See RADSECPROXY-64.

Like 92a0c39a for TCP.

Patch by Fabian Mauchle.

Pointed out by Faidon Liambotis.

List the three .html files.
Add targets for building .html from .1 and .5.

Effectively turning on support for DTLS 1.2 when OpenSSL version 1.0.2
or higher.

This should in theory allow for later versions of TLS too but let's
verify that when the time comes.

Keep regeneration of it dependent on configure finding docbook2x-man(1).