Hi Nikos

On 14/07/2018 20:41, Nikos Mavrogiannopoulos wrote:
> What was the total size of the client hello? There was a particular
> firewall which would terminate the TLS connection if the client hello
> was between 256 and 512 bytes, and it was the reason of rfc7685
> extension. You can append %DUMBFW to see if that's the case, and it
> will ensure that gnutls' hello is outside that range.

Unfortunately, it's 242 bytes, therefore outside of the range. I've just tried with %DUMBFW, just for the sake of it, and it still fails.

>> Oddly enough, gnutls-cli still sends the following extensions when
>> --disable-extensions is set:
> I think it is time to deprecate that option. It is not possible to
> negotiate TLS1.2 or TLS1.3 without extensions.

It seems that option only disables some but not all extensions, as it connected with that option. It only fails with the %NO_EXTENSIONS option, which disables all extensions.

Even though the --disable-extensions option works, it's a gnutls-cli option and there doesn't seem to be an equivalent for the openconnect client.

Thanks for your help and patience,
Gareth
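The size check discussed in this thread, as an added example that is not part of the original e-mail or of gnutls: it reads the record length of a captured ClientHello, reports whether it falls in the range quoted above, and gives the length a padding extension would bring it to. The range is taken as 256..511 inclusive on the record length, and the sample records (including one sized to the 242 bytes reported above) are constructed; both are assumptions of this example.

```python
import struct

# Assumed bounds: the "between 256 and 512 bytes" range quoted above,
# treated as 256..511 inclusive on the TLS record length.
RANGE_LO, RANGE_HI = 256, 511
EXT_HEADER = 4  # extension_type (2 bytes) + extension_data length (2 bytes)


def client_hello_record_len(record: bytes) -> int:
    """Return the record-layer length of a record holding one ClientHello."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:                      # 22 = handshake
        raise ValueError("not a handshake record")
    if record[5] != 1:                   # 1 = client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_len + 4 != rec_len or len(record) != 5 + rec_len:
        raise ValueError("ClientHello fragmented or length mismatch")
    return rec_len


def in_problem_range(rec_len: int) -> bool:
    return RANGE_LO <= rec_len <= RANGE_HI


def padded_len(rec_len: int) -> int:
    """Record length after adding a padding extension that lifts the hello
    out of the range; unchanged if it is already outside. Assumes the
    ClientHello already carries an extensions block."""
    if not in_problem_range(rec_len):
        return rec_len
    data = max(0, RANGE_HI + 1 - rec_len - EXT_HEADER)
    return rec_len + EXT_HEADER + data


def make_sample(rec_len: int) -> bytes:
    """Constructed record: valid headers, zero-filled ClientHello body."""
    body = bytes(rec_len - 4)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    for n in (242, 300, 510):            # constructed sizes
        rl = client_hello_record_len(make_sample(n))
        print(f"record_len={rl} in_range={in_problem_range(rl)} "
              f"after_padding={padded_len(rl)}")
```

A hello near the top of the range ends up slightly above 512 because the extension header alone is 4 bytes.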