Nikos,

That was spot on! That config line gives me A- on Qualys' ssllabs. I get the "-" because the server does not support "Forward Secrecy". Using the following line should solve fwd secrecy and give me A+ at the theoretical cost of breaking old clients, as per the manual.

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"

In reality using that line makes the server unreachable by Qualys, Firefox or Cisco Anyconnect.

"ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a supported cipher suite."

Any ideas?

Thanks,
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nux!" <nux at li.nux.ro>
> To: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Tuesday, 13 September, 2016 15:33:15
> Subject: Re: Disable SSLv3 and RC4

> Thanks Nikos, I'll have a look at that option.
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
>> To: "Nux!" <nux at li.nux.ro>
>> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
>> Sent: Tuesday, 13 September, 2016 15:20:44
>> Subject: Re: Disable SSLv3 and RC4
>
>> On Mon, Sep 12, 2016 at 3:37 PM, Nux! <nux at li.nux.ro> wrote:
>>> Hello,
>>>
>>> SSLLabs are currently giving my ocserv grade C because:
>>> This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to
>>> mitigate. Grade capped to C.
>>> This server accepts RC4 cipher, but only with older protocol versions. Grade
>>> capped to B.
>>
>> Check the tls-priorities option. Most likely you need to set something like:
>
> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
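The priority-string syntax the thread is negotiating, as an added example that is not part of the thread and is not ocserv or GnuTLS code: a small Python model of how a GnuTLS-style priority string (an initial keyword such as NORMAL, then ':'-separated '-ALG' removals, '+ALG' additions and '%OPTION' flags) edits the enabled key exchanges, ciphers, MACs and protocol versions, and what a server honouring %SERVER_PRECEDENCE picks against a given client offer. The suite table, the NORMAL starting sets, the version list and the client offers are constructed for the model and are far smaller than GnuTLS's real sets. It reproduces the contrast between Nikos's line and the '-RSA' variant (only (EC)DHE suites survive, so every connection has forward secrecy) and shows that a client offering only RSA key exchange, or only SSL 3.0, gets no suite at all, which is the "breaking old clients" cost Lucian quotes from the manual; it does not claim to explain why Firefox or AnyConnect failed against his server.

```python
"""Toy model of GnuTLS priority strings like those in the thread above.

Added example, not ocserv or GnuTLS code. The suite table, the NORMAL
starting sets and the version list are constructed, simplified subsets
that illustrate the syntax; they are not the real GnuTLS NORMAL set.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Protocol versions, oldest first (constructed ordering used for comparison).
VERSIONS = ["VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2"]


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str           # key exchange, e.g. RSA or ECDHE-RSA
    cipher: str
    mac: str
    min_version: str  # oldest protocol version the suite can run under


# Constructed table in server preference order (ephemeral kx and AEAD first).
SUITES: List[Suite] = [
    Suite("ECDHE_RSA_AES_128_GCM_SHA256", "ECDHE-RSA", "AES-128-GCM", "AEAD", "VERS-TLS1.2"),
    Suite("DHE_RSA_AES_128_GCM_SHA256",   "DHE-RSA",   "AES-128-GCM", "AEAD", "VERS-TLS1.2"),
    Suite("ECDHE_RSA_AES_128_CBC_SHA1",   "ECDHE-RSA", "AES-128-CBC", "SHA1", "VERS-TLS1.0"),
    Suite("DHE_RSA_AES_128_CBC_SHA1",     "DHE-RSA",   "AES-128-CBC", "SHA1", "VERS-SSL3.0"),
    Suite("ECDHE_RSA_ARCFOUR_128_SHA1",   "ECDHE-RSA", "ARCFOUR-128", "SHA1", "VERS-TLS1.0"),
    Suite("RSA_AES_128_GCM_SHA256",       "RSA",       "AES-128-GCM", "AEAD", "VERS-TLS1.2"),
    Suite("RSA_AES_128_CBC_SHA1",         "RSA",       "AES-128-CBC", "SHA1", "VERS-SSL3.0"),
    Suite("RSA_ARCFOUR_128_SHA1",         "RSA",       "ARCFOUR-128", "SHA1", "VERS-SSL3.0"),
]

EPHEMERAL_KX = {"DHE-RSA", "ECDHE-RSA", "ECDHE-ECDSA"}  # forward-secret exchanges

# Constructed starting sets for the NORMAL keyword in this model.
KEYWORDS: Dict[str, Dict[str, Set[str]]] = {
    "NORMAL": {
        "kx": {"RSA", "DHE-RSA", "ECDHE-RSA", "ECDHE-ECDSA"},
        "cipher": {"ARCFOUR-128", "AES-128-CBC", "AES-128-GCM"},
        "mac": {"SHA1", "AEAD"},
        "version": set(VERSIONS),
    },
}

# Category of each algorithm name, so "-RSA" edits the kx set, "-VERS-SSL3.0"
# the version set and "-ARCFOUR-128" the cipher set.
CATEGORY: Dict[str, str] = {}
for _cat, _names in KEYWORDS["NORMAL"].items():
    for _n in _names:
        CATEGORY[_n] = _cat


def parse_priority(priority: str) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Split 'KEYWORD:mod:mod...' into enabled algorithm sets and %options."""
    tokens = priority.split(":")
    keyword = tokens[0]
    if keyword not in KEYWORDS:
        raise ValueError(f"unknown initial keyword {keyword!r}")
    sets = {cat: set(names) for cat, names in KEYWORDS[keyword].items()}
    options: Set[str] = set()
    for tok in tokens[1:]:
        if tok.startswith("%"):
            options.add(tok[1:])          # e.g. SERVER_PRECEDENCE, COMPAT
        elif tok[:1] in ("+", "-", "!"):
            name = tok[1:]
            cat = CATEGORY.get(name)
            if cat is None:
                raise ValueError(f"unknown algorithm {name!r}")
            if tok[0] == "+":
                sets[cat].add(name)
            else:                         # "-" and "!" both remove here
                sets[cat].discard(name)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return sets, options


def max_version(versions: Set[str]) -> Optional[str]:
    enabled = [v for v in VERSIONS if v in versions]
    return enabled[-1] if enabled else None


def enabled_suites(priority: str) -> List[str]:
    """Suite names usable under the priority string, in server order."""
    sets, _ = parse_priority(priority)
    top = max_version(sets["version"])
    if top is None:
        return []
    return [s.name for s in SUITES
            if s.kx in sets["kx"] and s.cipher in sets["cipher"]
            and s.mac in sets["mac"]
            and VERSIONS.index(s.min_version) <= VERSIONS.index(top)]


def forward_secrecy_only(priority: str) -> bool:
    """True when every surviving suite uses an ephemeral key exchange."""
    by_name = {s.name: s for s in SUITES}
    names = enabled_suites(priority)
    return bool(names) and all(by_name[n].kx in EPHEMERAL_KX for n in names)


def negotiate(server_priority: str, client_suites: List[str],
              client_versions: Set[str]) -> Optional[Tuple[str, str]]:
    """Server's choice as (version, suite), or None when nothing matches.

    None is this model's analogue of ocserv's "Could not negotiate a
    supported cipher suite": no suite survives both sides' constraints.
    """
    sets, options = parse_priority(server_priority)
    version = max_version(sets["version"] & client_versions)
    if version is None:
        return None
    by_name = {s.name: s for s in SUITES}
    server_list = [n for n in enabled_suites(server_priority)
                   if VERSIONS.index(by_name[n].min_version) <= VERSIONS.index(version)]
    if "SERVER_PRECEDENCE" in options:   # server order wins
        ordered = [n for n in server_list if n in client_suites]
    else:                                # client order wins
        ordered = [n for n in client_suites if n in server_list]
    return (version, ordered[0]) if ordered else None
```

Running enabled_suites() on Nikos's line and on the '-RSA' variant shows the difference the SSL Labs grade reflects: the first still lists RSA key-exchange suites, the second lists only DHE/ECDHE ones. Feeding negotiate() a client that offers only RSA key exchange (or only SSL 3.0) returns None for the stricter string, which is the model's version of the handshake failure in the log line; a real server can be probed the same way with gnutls-cli against the actual priority string.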