On Sat, Jun 11, 2016 at 3:47 AM, Shen Alex <alex.51cto at gmail.com> wrote:
> When I install openconnect client on CentOS 6.5 and try to connect to
> ocserv (disable sslv3), it shows:
>
> attempting to connect to server x.x.x.x:443
> SSL negotiation with xxxxxxxxxxxxxxxxxxxxxx
> SSL connection failure
> 139933011761000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:339:
> Failed to open HTTPS connection to xxxxxxxxxxxxxxxxxx
> GET https://xxxxxxxxxxxxxxxxx/
> Attempting to connect to server x.x.x.x:443
> SSL negotiation with xxxxxxxxxxxxxxxxxxxxxxx
> SSL connection failure
> 139933011761000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:339:
> Failed to open HTTPS connection to xxxxxxxxxxxxxxxx
> Failed to obtain WebVPN cookie
>
> I want to set the SSL version manually (like "curl -1", "openssl -tls1", etc.).
> But I couldn't find any settings about it in "man openconnect".

Hmm, this seems to be hardcoded in openssl.c:

    ssl3_method = TLSv1_client_method();
    if (!vpninfo->https_ctx) {
        vpninfo->https_ctx = SSL_CTX_new(ssl3_method);

If you change TLSv1_client_method() to TLS_client_method(), does that
fix it? (Not sure if that has any impact on ASA compatibility, or
compatibility with older OpenSSL versions.)
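
Added example, not part of the original messages and not code from openconnect or OpenSSL: a simplified model of the record-version check behind "wrong version number", comparing a client pinned to TLS 1.0 with a version-flexible one. The `struct client`, `check_first_record` and the sample headers are hypothetical and constructed; that the server answered with a record version other than TLS 1.0 is an assumption, since the thread does not say.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_0 0x0301
#define TLS1_2 0x0303

enum verdict { REC_OK = 0, REC_TRUNCATED, REC_WRONG_VERSION };

/* Hypothetical client model: pinned != 0 is a fixed-version method,
 * pinned == 0 is a version-flexible method bounded by [min, max]. */
struct client { uint16_t pinned, min, max; };

static const struct client pinned_tls10 = { TLS1_0, 0, 0 };
static const struct client flexible     = { 0, TLS1_0, TLS1_2 };

/* Constructed 5-byte record headers: type, version (2), length (2). */
static const uint8_t rec_tls10[] = { 0x16, 0x03, 0x01, 0x00, 0x2a };
static const uint8_t rec_tls12[] = { 0x16, 0x03, 0x03, 0x00, 0x2a };
static const uint8_t rec_sslv3[] = { 0x16, 0x03, 0x00, 0x00, 0x2a };
static const uint8_t rec_http[]  = { 'H', 'T', 'T', 'P', '/' }; /* not TLS */

/* Check the version field of the first record header from the peer. */
enum verdict check_first_record(const struct client *c,
                                const uint8_t *rec, size_t len)
{
    if (len < 5)
        return REC_TRUNCATED;
    uint16_t version = (uint16_t)((rec[1] << 8) | rec[2]);
    if (c->pinned)                  /* fixed method: exact match only */
        return version == c->pinned ? REC_OK : REC_WRONG_VERSION;
    if ((version >> 8) != 0x03)     /* not an SSL3/TLS record at all */
        return REC_WRONG_VERSION;
    /* flexible method: accept anything inside the enabled range */
    return (version >= c->min && version <= c->max) ? REC_OK
                                                    : REC_WRONG_VERSION;
}

int main(void)
{
    printf("pinned TLS1.0 vs TLS1.2 record: %d\n",
           check_first_record(&pinned_tls10, rec_tls12, sizeof rec_tls12));
    printf("flexible      vs TLS1.2 record: %d\n",
           check_first_record(&flexible, rec_tls12, sizeof rec_tls12));
    printf("flexible      vs SSLv3 record:  %d\n",
           check_first_record(&flexible, rec_sslv3, sizeof rec_sslv3));
    printf("flexible      vs plain HTTP:    %d\n",
           check_first_record(&flexible, rec_http, sizeof rec_http));
    return 0;
}
```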