On Tue, Sep 13, 2016 at 4:45 PM, Nux! <nux at li.nux.ro> wrote:
> Nikos,
>
> That was spot on! That config line gives me A- on Qualys' ssllabs.
> I get the "-" because the server does not support "Forward Secrecy".
>
> Using the following line should solve fwd secrecy and give me A+ at the theoretical cost of breaking old clients, as per the manual.
>
> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
>
> In reality, using that line makes the server unreachable by Qualys, Firefox or Cisco AnyConnect.
> "ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a supported cipher suite."

This should have allowed the ECDHE ciphersuites, which have forward secrecy. Do you happen to have a certificate which is marked for encryption-only? Your certificate must allow digital signatures for forward secrecy ciphersuites to work.

regards,
Nikos
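The point Nikos raises can be checked locally before touching the ocserv config. Removing "-RSA" from the priority string drops static RSA key exchange, so only (EC)DHE suites remain, and in every one of those the server signs its ephemeral key-exchange parameters with the certificate key. A certificate whose X509v3 Key Usage extension is restricted to keyEncipherment cannot do that, which leaves GnuTLS with no negotiable suite. The script below is an added example, not code from the thread or from the ocserv project: it builds two self-signed RSA certificates with openssl (one encryption-only, one that also permits digitalSignature), checks each one's Key Usage, and, when gnutls-cli happens to be installed, lists the suites that the quoted priority string actually enables. File names and the CN are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Requires openssl 1.1.1+ (for -addext); gnutls-cli is optional.
set -eu

WORK=$(mktemp -d)   # scratch directory for the constructed test certificates

# make_cert NAME KEYUSAGE
# Writes a self-signed cert + key for the hypothetical CN below into $WORK,
# with the given keyUsage bits, and prints the certificate path.
make_cert() {
    name=$1
    usage=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -addext "keyUsage=critical,$usage" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/$name.crt"
}

# cert_allows_signing CERT
# Returns 0 if the certificate may sign (Key Usage includes "Digital Signature",
# or there is no Key Usage extension at all, which imposes no restriction),
# and 1 if it is encryption-only and therefore unusable for (EC)DHE suites.
cert_allows_signing() {
    ku=$(openssl x509 -in "$1" -noout -text \
         | grep -A1 'X509v3 Key Usage' | tail -n1 || true)
    if [ -z "$ku" ]; then
        return 0
    fi
    printf '%s\n' "$ku" | grep -q 'Digital Signature'
}

# suites_for_priority PRIORITY
# Lists the ciphersuites GnuTLS would offer for a priority string, which shows
# that with "-RSA" every remaining suite is an (EC)DHE one needing a signature.
suites_for_priority() {
    if command -v gnutls-cli >/dev/null 2>&1; then
        gnutls-cli -l --priority "$1"
    else
        echo "gnutls-cli not installed; skipping ciphersuite listing" >&2
    fi
}

ENC=$(make_cert enc-only "keyEncipherment")
SIG=$(make_cert signing  "digitalSignature,keyEncipherment")

for c in "$ENC" "$SIG"; do
    if cert_allows_signing "$c"; then
        echo "$c: can sign, usable with forward-secrecy suites"
    else
        echo "$c: encryption-only, will fail with -RSA in tls-priorities"
    fi
done

# The priority string from the quoted message.
suites_for_priority "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
```

Run it against the real ocserv certificate by replacing the constructed path with `server-cert` from ocserv.conf; if `cert_allows_signing` returns 1, the fix is to reissue the certificate with digitalSignature in its Key Usage (or without the extension), not to loosen the priority string.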