Nikos,

Thanks for that; it will take me a bit to digest it. The cert might be as you suspect, since it's a letsencrypt one.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> To: "Nux!" <nux at li.nux.ro>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Tuesday, 13 September, 2016 15:50:06
> Subject: Re: Disable SSLv3 and RC4

> On Tue, Sep 13, 2016 at 4:45 PM, Nux! <nux at li.nux.ro> wrote:
>> Nikos,
>>
>> That was spot on! That config line gives me A- on Qualys' ssllabs.
>> I get the "-" because the server does not support "Forward Secrecy".
>>
>> Using the following line should solve fwd secrecy and give me A+ at the
>> theoretical cost of breaking old clients, as per the manual.
>>
>> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
>>
>> In reality, using that line makes the server unreachable by Qualys, Firefox or
>> Cisco AnyConnect.
>> "ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a
>> supported cipher suite."
>
> This should have allowed the ECDHE ciphersuites which have forward
> secrecy. Do you happen to have a certificate which is marked for
> encryption-only? Your certificate must allow digital signatures for
> forward secrecy ciphersuites to work.
>
> regards,
> Nikos
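The Key Usage point Nikos raises can be checked before touching the priority string. The following Go program is an added example, not code from the thread or from ocserv/GnuTLS: it constructs two self-signed certificates with different Key Usage bits and models why removing the static RSA key exchange (`-RSA`) leaves an encryption-only certificate with no negotiable suite. The certificate fields and the helper names are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed, self-signed RSA certificate carrying only
// the given Key Usage bits, so the checks below run offline.
func makeCert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ForwardSecrecyUsable: (EC)DHE suites need the server to sign the key exchange,
// so digitalSignature must be set (a cert with no Key Usage extension is unrestricted).
func ForwardSecrecyUsable(c *x509.Certificate) bool {
	return c.KeyUsage == 0 || c.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

// Negotiable mirrors the thread: "-RSA" in the GnuTLS priority string removes the
// static RSA key exchange, so an encryption-only cert then leaves no usable suite.
func Negotiable(c *x509.Certificate, rsaKxDisabled bool) bool {
	if ForwardSecrecyUsable(c) {
		return true
	}
	return !rsaKxDisabled && c.KeyUsage&x509.KeyUsageKeyEncipherment != 0
}

func main() {
	c, _ := makeCert(x509.KeyUsageKeyEncipherment)
	fmt.Println("encryption-only cert, -RSA set, negotiable:", Negotiable(c, true)) // false
}
```

The same check against a real certificate is a matter of calling `x509.ParseCertificate` on its DER bytes and passing the result to `ForwardSecrecyUsable`.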