On Thu, May 18, 2017 at 8:19 AM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> On Wed, May 17, 2017 at 10:59 PM, Yuri <me at koshaq.net> wrote:
>> Hi there.
>>
>> We're using openconnect 7.08 on Arch Linux and the server is running ocserv.
>> Server:
>>
>> Debian jessie, ocserv 0.11.6
>> I noticed that when I connect from this particular Arch machine, DTLS
>> wouldn't work. I also tried recompiling openconnect with OpenSSL, but
>> ultimately I see the same output at the server. Connecting without
>> DTLS works fine, though.
>
> [...]
>
>> And on the server I see:
>> May 17 15:00:38 test-vpngw02 ocserv[1914]: worker[username]:
>> IP.ADD.RE.SS worker-vpn.c:236: could not set TLS priority:
>> 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL':
>> The request is invalid.
>
> As indicated above, the error is on the server. My guess is that if
> jessie is on 3.3.8 the -VERS-ALL is not available, and that's why it
> complains.
> You can verify by checking the output of:
> gnutls-cli -l --priority
> 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL'

That patch is needed for debian/jessie:
https://gitlab.com/ocserv/ocserv/commit/89ba65922af1c9e34403b4605349729de3a34391

I'd suggest moving that to the Debian bug tracker.

regards,
Nikos
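The check Nikos describes (feed the exact priority string from the ocserv log to `gnutls-cli -l --priority`) can be scripted so that an operator can run it on the server host before blaming the client. The script below is an added example written for this thread, not code from ocserv or GnuTLS. It extracts the priority string from a constructed copy of the quoted log line (hostname, PID and username are placeholders), asks the local `gnutls-cli` whether it accepts the string, and, as an extra diagnostic that is my assumption rather than anything stated in the thread, re-checks the string with `-VERS-ALL` removed to see whether that keyword alone is what the installed GnuTLS rejects. The real fix remains the linked ocserv commit; the script only confirms the diagnosis.

```shell
#!/bin/sh
# Added example (not from the thread): pull the priority string out of an
# ocserv "could not set TLS priority" log line and check it with gnutls-cli.

# Constructed sample log line, matching the one quoted in the thread.
LOG_LINE="May 17 15:00:38 test-vpngw02 ocserv[1914]: worker[username]: IP.ADD.RE.SS worker-vpn.c:236: could not set TLS priority: 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL': The request is invalid."

# extract_priority LINE -> prints the single-quoted priority string from an
# ocserv "could not set TLS priority" log line, or nothing if absent.
extract_priority() {
    printf '%s\n' "$1" | sed -n "s/.*could not set TLS priority: '\([^']*\)'.*/\1/p"
}

# check_priority STRING -> exit 0 if the local gnutls-cli accepts the string,
# non-zero if it rejects it, 2 if gnutls-cli is not installed. The cipher
# listing gnutls-cli prints is discarded; only the verdict matters here.
check_priority() {
    command -v gnutls-cli >/dev/null 2>&1 || return 2
    gnutls-cli -l --priority "$1" >/dev/null 2>&1
}

# drop_keyword STRING KEYWORD -> STRING with the first ":KEYWORD" removed,
# e.g. drop_keyword "$prio" -VERS-ALL (assumed diagnostic, see lead-in).
drop_keyword() {
    printf '%s\n' "$1" | sed "s/:$2//"
}

# diagnose LINE -> report whether the local GnuTLS accepts the string the
# server rejected. Always returns 0; the verdict is printed.
diagnose() {
    prio=$(extract_priority "$1")
    if [ -z "$prio" ]; then
        echo "no priority string found in log line"
        return 0
    fi
    echo "server rejected: $prio"
    if check_priority "$prio"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "local gnutls-cli accepts it: the server's GnuTLS version is the difference" ;;
        2) echo "gnutls-cli not installed here; install gnutls-bin to run the check" ;;
        *) echo "local gnutls-cli also rejects it; re-checking without -VERS-ALL"
           if check_priority "$(drop_keyword "$prio" -VERS-ALL)"; then
               echo "  accepted once -VERS-ALL is removed: that keyword is unknown to this GnuTLS"
           else
               echo "  still rejected: something other than -VERS-ALL is the problem"
           fi ;;
    esac
    return 0
}

diagnose "$LOG_LINE"
```

Run it on the ocserv host itself (that is where the error is raised), pasting the server's own log line into `LOG_LINE`; a pass on a newer client machine says nothing about the server's GnuTLS.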