Co-authored-by: Davide De Rosa <keeshux@gmail.com>
Better retain access group every time keychain is written to or
read from, there is no good reason to omit it. Requires Keychain
method to be reverted to non-static.
Partially revert 4490f0c116, based
on wrong assumptions about password references.
- Cleartext: pick any available
- HTTPS/TLS: only pick local servers, secure DNS may NEVER come
from VPN server
Require for TLS, not for HTTPS (not even sure about their need).
Logging and masking were not configured at Credentials and
ConnectionStrategy initialization time, hence the missing log
entries from e.g. ConnectionStrategy.init().
Code is currently disabled (canRebindLink() is hardcoded to false),
still it's good to stay consistent with semantics of
reasserting = false, i.e. "connection has become active again".
Use a different variable to signal an upcoming reconnection. Make
sure that reasserting is never set to false with the meaning of
"do not reconnect", because doing so would trigger a transient
"connected" state in the VPN.
Reverts use of cancelTunnelWithError() in sessionDidStop.
* Check if host is present in certificates SAN list
* Save .tlsServerHost error as .tlsServerVerification into last error
Co-authored-by: Davide De Rosa <keeshux@gmail.com>
The IP protocol number passed to NEPacketTunnelFlow is determined per
packet based on the IP header, instead of determining it based on
whether IPv6 settings are available or not.
sam
Roopesh Chander
Jose Blaya
Davide De Rosa
Kirill Pahnev
Robert Patchett
Jaroslav_
ThinkChaos