Thanks. I've created this MR: https://gitlab.com/openconnect/ocserv/merge_requests/86 On Wed, Jul 18, 2018 at 7:22 PM, Daniel Lenski <dlenski at gmail.com> wrote: > On Tue, Jul 17, 2018 at 10:45 PM, Nikos Mavrogiannopoulos > <n.mavrogiannopoulos at gmail.com> wrote: >> >> On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote: >> > Hi, >> > >> > Is there a way to have the latest Cisco AnyConnect 4.6 clients use >> > ocserv with a stronger DTLS cipher than the default >> > RSA_AES_128_SHA1? >> > When the same version of AnyConnect connects to an ASA the DTLS >> > cipher >> > shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box >> > should >> > also support. I have tried playing around with the >> > cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers >> > config >> > options, but understand some of those are mutually exclusive. >> > >> > I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect >> > clients with ocserv which works fine, but would like to support the >> > "best DTLS possible" (or at least match the ASA cipher) for a few >> > cases where TCP file transfer throughput through AnyConnect is >> > important (seeing about 3x throughput via DTLS). >> > >> > `occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103: >> > TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM) >> > DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1) >> >> You cannot with the current ocserv as it doesn't support anything but >> aes-128 or 3des for compatibility with anyconnect. You could try a >> patch like the one below if AES256-SHA is supported by anyconnect. If >> that works for you, we'd only need a test case for it, to include it in >> the server. > > Recent ASAs and AnyConnect *do* support AES-256-CBC. I get this when > connecting to a couple different ASAs: > > (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1)
