On Mon, Feb 3, 2014 at 2:41 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> Still the most important addition is the support for AES-GCM, which is
>> not only better than AES-CBC due to side-channels, but is also more
>> UDP-friendly as it requires no padding and has a shorter nonce.
>> They are available from:
>> git://gitorious.org/openconnect-x/openconnect-x.git privacy-improvements
> Please add the --pfs option to the man page too.

Updated.

> And shouldn't it affect
> the DTLS setup too?

The DTLS channel's key depends on a key which has been established with PFS, so if the server does not save the session keys somewhere, it is OK.

> It probably also wants an openconnect_set_pfs()
> function in the library, since we now support actually making
> connections from the library too?

Added in a follow-up commit, as well as its JNI counterpart.

regards,
Nikos