Thank you Nikos for your suggestions.

I have installed gnutls-cli and ran gnutls-cli-debug, which is a fantastic tool to diagnose server SSL/TLS compatibility like other SSL scanning tools, but this one definitively helps to define a proper set of gnutls priorities.

Based on the gnutls-cli-debug output, I have composed the following priority string: "NONE:+VERS-TLS1.0:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL".
(BTW, I have sent a mail to the server admin about his legacy and unsecure configuration.)

Then, as suggested, I had to recompile, but had to download the latest openconnect v7.08 first, as the '--with-default-gnutls-priority' option was not yet available in version 7.06.
Then I ran the 'configure script' with this option and then 'make install'.

And it worked ... connected!

The rest was a question of finding the correct parameters to authenticate and establish the session, but it's done.

Thank you for your help once again.

Regards,
Miguel

On Tue, Sep 19, 2017 at 10:26 AM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> On Mon, Sep 18, 2017 at 1:24 AM, Miguel Cruz <miguel.cruz at realbytes.be> wrote:
>> Hi,
>>
>> I'm trying to connect to some Cisco Anyconnect server I do not control
>> but the connection apparently fails during the SSL negotiation.
>>
>> I have investigated the issue using openssl and found that the server
>> only supports TLSv1 with protocol renegotiation disabled.
>>
>> Is there any way to specify OpenConnect which SSL/TLS protocol to use?
>
> Only if you compile openconnect with the
> '--with-default-gnutls-priority' option, and then set a priority which
> only enables TLS1.0. You may want to try tools like gnutls-cli-debug
> to see whether there can be something done with that server.
>
> regards,
> Nikos
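
Added example, not part of the original thread: a short Python check that splits the priority string quoted in the message above into its categories and lists what a reviewer would flag in it (TLS 1.0 only, static RSA key exchange, CBC-only cipher). It handles only the `+ITEM` subset of the GnuTLS priority syntax used here; the function names and lookup tables are this example's own assumptions.

```python
# Added example: classify the tokens of a GnuTLS priority string and flag
# legacy choices. Only "KEYWORD:+ITEM:+ITEM..." strings are handled.

PRIORITY = "NONE:+VERS-TLS1.0:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"  # from the message

# Category prefixes used by GnuTLS priority items.
PREFIXES = {"VERS-": "versions", "MAC-": "macs", "SIGN-": "signatures",
            "COMP-": "compression", "CURVE-": "groups", "GROUP-": "groups",
            "CTYPE-": "cert_types"}
KEY_EXCHANGES = {"RSA", "DHE-RSA", "DHE-DSS", "ECDHE-RSA", "ECDHE-ECDSA", "KX-ALL"}
FORWARD_SECRET = {"DHE-RSA", "DHE-DSS", "ECDHE-RSA", "ECDHE-ECDSA", "KX-ALL"}
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}


def parse_priority(priority):
    """Return (initial keyword, {category: [items]})."""
    base, *items = priority.split(":")
    enabled = {}
    for item in items:
        if not item.startswith("+"):
            raise ValueError(f"token not handled by this example: {item!r}")
        name = item[1:]
        category = next((c for p, c in PREFIXES.items() if name.startswith(p)), None)
        if category is None:
            # Simplification: an unprefixed item that is not a known key
            # exchange is treated as a cipher.
            category = "key_exchange" if name in KEY_EXCHANGES else "ciphers"
        enabled.setdefault(category, []).append(name)
    return base, enabled


def audit(priority):
    """List the weaknesses a reviewer would note for this priority string."""
    _, enabled = parse_priority(priority)
    findings = []
    versions = set(enabled.get("versions", []))
    if versions and versions <= LEGACY_VERSIONS:
        findings.append("only deprecated protocol versions: " + ", ".join(sorted(versions)))
    kx = set(enabled.get("key_exchange", []))
    if kx and not kx & FORWARD_SECRET:
        findings.append("no forward-secret key exchange: " + ", ".join(sorted(kx)))
    ciphers = enabled.get("ciphers", [])
    if ciphers and all(c.endswith("-CBC") for c in ciphers):
        findings.append("CBC-only ciphers, no AEAD: " + ", ".join(ciphers))
    return findings


if __name__ == "__main__":
    for finding in audit(PRIORITY):
        print("WARN", finding)
```

Because '--with-default-gnutls-priority' sets the default for the whole binary, these findings apply to every server that build connects to, not only the legacy one.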