On Wed, May 17, 2017 at 10:59 PM, Yuri <me at koshaq.net> wrote:
> Hi there.
>
> We're using openconnect 7.08 on Arch Linux and the server is running ocserv.
> Server:
>
> Debian jessie, ocserv 0.11.6
> I noticed that when I connect from this particular Arch machine, DTLS
> wouldn't work. I also tried recompiling openconnect with OpenSSL, but
> ultimately I see the same output at the server. Connecting without
> DTLS works fine, though.
[...]
> And on the server I see:
> May 17 15:00:38 test-vpngw02 ocserv[1914]: worker[username]:
> IP.ADD.RE.SS worker-vpn.c:236: could not set TLS priority:
> 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL':
> The request is invalid.

As indicated above, the error is on the server. My guess is that if
jessie is on 3.3.8 the -VERS-ALL is not available, and that's why it
complains. You can verify by checking the output of:

gnutls-cli -l --priority 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL'

regards,
Nikos