Hi there. We're using openconnect 7.08 on Arch Linux and the server is running ocserv. Client: Arch Linux OpenConnect version v7.08 Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS GnuTLS version: gnutls 3.5.11-1 Server: Debian jessie, ocserv 0.11.6 I noticed that when I connect from this particular Arch machine, DTLS wouldn't work. I also tried recompiling openconnect with OpenSSL, but ultimately I see the same output at the server. Connecting without DTLS works fine, though. Other machines (Ubuntu 14.04 running openconnect, and any number of diverse AnyConnect clients we already had on our network) don't seem to have this issue. We're also using letsencrypt certificates on server Could anyone point me at what the server doesn't like about the client? The output from client is below. Got CONNECT response: HTTP/1.1 200 CONNECTED CSTP connected. DPD 90, Keepalive 32400 Connected as 10.65.11.74, using SSL SSL read error: Success.; reconnecting. Connected to IP.ADD.RE.SS:443 SSL negotiation with server.name Connected to HTTPS on server.name Got CONNECT response: HTTP/1.1 200 CONNECTED CSTP connected. DPD 90, Keepalive 32400 SSL read error: Success.; reconnecting. Connected to IP.ADD.RE.SS:443 ... etc And on the server I see: May 17 15:00:38 test-vpngw02 ocserv[1914]: worker[username]: IP.ADD.RE.SS worker-vpn.c:236: could not set TLS priority: 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL': The request is invalid. In the server's config file there is: tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" Best regards, Yuri.
