Hi, I installed ocserv 0.9.0.1, compiled from the official source, on a Debian 8.0 box. No connection can be made, as the server does not respond to the client hello message.

ocserv log:

> # ocserv -f -d 9999
> listening (TCP) on [2400:8900::f03c:91ff:fe70:9cad]:8443...
> listening (TCP) on 106.187.99.160:8443...
> listening (UNIX) on /var/run/ocserv-conn.socket...
> listening (UDP) on [2400:8900::f03c:91ff:fe70:9cad]:8443...
> listening (UDP) on 106.187.99.160:8443...
> ocserv[1331]: main: initializing control unix socket: /var/run/occtl.socket
> ocserv[1331]: main: initialized ocserv 0.9.0
> ocserv[1332]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.1331)
> ocserv[1331]: TLS[<3>]: ASSERT: common.c:1041
> ocserv[1332]: sec-mod: received request from pid 1331 and uid 0
> ocserv[1332]: sec-mod: cmd [size=55] sm: sign
> ocserv[1333]: worker: 60.246.138.215:48257 accepted connection
> ocserv[1333]: TLS[<5>]: REC[0x83b7aa0]: Allocating epoch #0
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_constate.c:586
> ocserv[1333]: TLS[<5>]: REC[0x83b7aa0]: Allocating epoch #1
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:1139
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:224
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:333
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:574
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_record.c:1058
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_record.c:1179
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_buffers.c:1392
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_handshake.c:1428
> ocserv[1333]: TLS[<3>]: ASSERT: gnutls_handshake.c:3092
> ocserv[1333]: GnuTLS error (at worker-vpn.c:349): Error in the push function.
> ocserv[1331]: main: 60.246.138.215:48257 main-misc.c:501: command socket closed
> ocserv[1331]: main: 60.246.138.215:48257 removing client '' with id '1333'!
Using openssl s_client on the same box yields the following:

> $ openssl s_client -connect kotone.priscatella.net:8443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

And a gnutls-cli probe fails like this:

> # /usr/bin/gnutls-cli kotone.priscatella.net -p 8443
> Processed 147 CA certificate(s).
> Resolving 'kotone.priscatella.net'...
> Connecting to '2400:8900::f03c:91ff:fe70:9cad:8443'...
> *** Fatal error: Error in the pull function.
> *** Handshake has failed
> GnuTLS error: Error in the pull function.

OpenConnect for Android v1.02 shows:

> LIB: POST https://kotone.priscatella.net:8443/
> LIB: Attempting to connect to server 106.187.99.160:8443
> LIB: SSL negotiation with kotone.priscatella.net
> LIB: SSL connection failure: The TLS conection was non-properly terminated.
> LIB: Failed to open HTTPS connection to kotone.priscatella.net
> Error obtaining cookie
> VPN terminated with errors

Cisco AnyConnect ICS+ 4.0.01196 fails too.

ocserv.conf (only what I've modified is listed):

> auth="plain[/etc/ocserv/ocpasswd]"
> max-clients = 16
> max-same-client = 4
> tcp-port = 8443
> udp-port = 8443
> try-mtu-discovery = true
> server-cert = /etc/ssl/ocserv/cert/certchain.pem
> server-key = /etc/ssl/ocserv/key/server.pem
> default-domain = priscatella.net
> dns = 8.8.8.8
> dns = 8.8.4.4
> cisco-client-compat = true

Since I believed this was a problem inside GnuTLS, I tried running it on GnuTLS 3.3.8 from the Debian repo and on a self-compiled 3.3.12, still with no luck.

On a side note, gnutls-cli-debug failed to recognise my Apache-powered HTTPS sites, while gnutls-cli is able to.

Any help is appreciated.

regards,
Lam
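The config above points ocserv at a chain file (server-cert) and a separate key file (server-key). The following is an added example, not part of Lam's post and not ocserv's own code: a POSIX shell check that the first certificate in a chain file actually belongs to the key next to it and that the chain is ordered leaf first, which is what a server expects. It assumes the openssl CLI is installed, builds its own throwaway CA and server certificate as constructed test data, and does not claim that such a mismatch is the cause of the failure reported above; it is simply the first thing worth ruling out before digging into GnuTLS.

```shell
#!/bin/sh
# Added example (not from the post or from ocserv). Assumes the openssl CLI.
# All key material below is generated as constructed test data; point the
# two check functions at real server-cert / server-key files instead.

# "match" if the first certificate in CHAIN carries the public key belonging
# to KEY, "mismatch" otherwise. DER-encoded public keys are compared via a
# digest so RSA and EC keys are handled the same way.
check_pair() {
    chain="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# "ok" if the first certificate in CHAIN validates against the certificates
# that follow it (leaf first, then its issuers); "broken" otherwise.
# -partial_chain lets a chain file that omits the root still pass, and a
# single self-signed certificate is accepted as its own anchor.
check_chain() {
    chain="$1"
    tmp=$(mktemp -d)
    # one file per PEM block: 1.pem is the leaf, 2.pem onwards are issuers
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (d "/" n ".pem")}' "$chain"
    if [ -f "$tmp/2.pem" ]; then
        cat "$tmp"/[2-9].pem > "$tmp/issuers.pem"
    else
        cp "$tmp/1.pem" "$tmp/issuers.pem"
    fi
    if openssl verify -partial_chain -CAfile "$tmp/issuers.pem" "$tmp/1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo broken
    fi
    rm -rf "$tmp"
}

# Constructed test data: a throwaway CA and a server certificate it signs,
# laid out like the post's config (chain file = leaf + issuer, separate key).
make_test_material() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
    cat "$d/server.pem" "$d/ca.pem" > "$d/certchain.pem"
}

WORK=$(mktemp -d)
make_test_material "$WORK"
echo "leaf vs server.key: $(check_pair "$WORK/certchain.pem" "$WORK/server.key")"  # match
echo "leaf vs ca.key:     $(check_pair "$WORK/certchain.pem" "$WORK/ca.key")"      # mismatch
echo "chain order:        $(check_chain "$WORK/certchain.pem")"                    # ok
rm -rf "$WORK"
```

Run it against the real files with `check_pair /etc/ssl/ocserv/cert/certchain.pem /etc/ssl/ocserv/key/server.pem` and `check_chain /etc/ssl/ocserv/cert/certchain.pem`. This only inspects the files on disk; it does not exercise the listener, so a passing result still leaves the handshake itself to be probed with gnutls-cli or openssl s_client as in the post.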