--dtls-ciphers=LIST option not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



That option works only with older ocserv and openconnect versions. With the newer the  TLS negotiation is the way the cipher is decided.

On July 5, 2018 1:42:51 PM UTC, Daniel Lenski <dlenski at gmail.com> wrote:
>On Wed, Jul 4, 2018 at 1:07 AM, David Woodhouse <dwmw2 at infradead.org>
>wrote:
>> Some background would be useful to help understand this. In the
>> original Cisco protocol the ciphersuite and DTLS version were hard-
>> coded, with the ciphersuite being exchanged over the TCP connection.
>> The DTLS connection then "resumed" a fake session that had never
>> previously existed. We added options using DTLS 1.2 and newer
>> ciphersuites, following this model.
>>
>> Eventually we realised this was stupid, and we should just let DTLS
>> negotiate a new session (including DTLS version and ciphersuites) for
>> itself. So now we do it differently; instead of resuming a faked
>> session we establish a new one, using a PreShared Key (PSK) that has
>> been established over the TCP connection. That is the "NEGOTIATE-PSK"
>> option.
>>
>> The --dtls-ciphers option that you're playing with, is what we send
>> over the TCP connection to the server. We send a list of the options
>> that we support, the server picks one and tells us which to use.
>>
>> If NEGOTIATE-PSK is chosen, nothing else from the dtls-ciphers string
>> is taken into account. The standard DTLS negotiation happens using
>all
>> the available ciphersuites. Perhaps we could entertain a feature
>> request to restrict that dynamic negotiation... but nobody's made a
>> good case for it yet.
>
>
>If I'm digesting all this properly, --dtls-ciphers will effectively
>*ONLY* allow arbitrary choices with Cisco AnyConnect servers ("legacy
>protocol"), and *NOT* with ocserv.
>
>Is that right? Should this be clarified in the manual if so?
>
>Thanks,
>Dan
>
>_______________________________________________
>openconnect-devel mailing list
>openconnect-devel at lists.infradead.org
>http://lists.infradead.org/mailman/listinfo/openconnect-devel

-- 
Sent from my mobile. Please excuse my brevity.



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux