ocserv AnyConnect DTLS cipher


Hi,

Is there a way to have the latest Cisco AnyConnect 4.6 clients use 
ocserv with a stronger DTLS cipher than the default RSA_AES_128_SHA1?  
When the same version of AnyConnect connects to an ASA the DTLS cipher 
shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box should 
also support. I have tried playing around with the 
cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers config 
options, but understand some of those are mutually exclusive.

I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect 
clients with ocserv which works fine, but would like to support the 
"best DTLS possible" (or at least match the ASA cipher) for a few 
cases where TCP file transfer throughput through AnyConnect is
important (seeing about 3x throughput via DTLS).

`occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103:
        TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM)
        DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)

Thanks in advance!
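As an added example (not part of the post above, and not ocserv's or occtl's own code), a small Python check that parses the two cipher lines `occtl show user` prints and flags the properties that make the negotiated DTLS suite weaker than the TLS one. It assumes the `(PROTO)-(KX)-(CIPHER)-(MAC)` layout shown in the post and works on a constructed sample of that output.

```python
import re

# Constructed sample mirroring the two lines quoted in the post (not captured output).
SAMPLE_OCCTL_OUTPUT = """\
        TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM)
        DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)
"""

# Matches the two cipher lines of `occtl show user`; other lines are ignored.
CIPHER_LINE = re.compile(r"^\s*(TLS ciphersuite|DTLS cipher):\s*(\S+)\s*$")


def parse_suite(spec: str) -> dict:
    """Split '(PROTO)-(KX)-(CIPHER)[-(MAC)]' into its parenthesised fields."""
    parts = re.findall(r"\(([^)]*)\)", spec)
    if len(parts) < 3:
        raise ValueError(f"unrecognised cipher description: {spec!r}")
    return {"proto": parts[0], "kx": parts[1], "cipher": parts[2],
            "mac": parts[3] if len(parts) > 3 else None}


def weaknesses(suite: dict) -> list:
    """Reasons a negotiated suite falls short of the ECDHE/AES-GCM TLS channel."""
    issues = []
    if suite["proto"] == "DTLS0.9":
        issues.append("legacy DTLS 0.9 negotiated instead of DTLS 1.x")
    if suite["kx"] == "RSA":
        issues.append("plain RSA key exchange: no forward secrecy")
    if suite["cipher"].endswith("-CBC"):
        issues.append("CBC mode instead of an AEAD cipher such as AES-GCM")
    if suite["mac"] == "SHA1":
        issues.append("SHA1 HMAC")
    return issues


def audit_occtl_output(text: str) -> dict:
    """Map each cipher line label to its parsed suite and list of weaknesses."""
    report = {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            suite = parse_suite(m.group(2))
            report[m.group(1)] = {"suite": suite, "issues": weaknesses(suite)}
    return report


if __name__ == "__main__":
    for label, entry in audit_occtl_output(SAMPLE_OCCTL_OUTPUT).items():
        print(f"{label}: {entry['suite']} -> {entry['issues'] or 'OK'}")
```

Run it against the full output of `occtl show user` for each session to see which clients fell back to the weak default DTLS suite while their TLS channel negotiated AES-GCM.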

