Why: Setup DTLS failed; using SSL instead

Thanks a lot Daniel! This seems to have resolved the issue. There is a
remaining tangential issue, which you might be able to help with. So
here I go. Unfortunately Egypt is performing DPI and seems to be
killing the DTLS stream, so I cannot connect over DTLS even though I'm
using v7.08 (from brew on OSX). The client emits the error message:
DTLS handshake failed: Resource temporarily unavailable, try again.

and on the server side "# tcpdump -ni eth0 udp and port 443" is
showing zero packets reaching the server! Unfortunately it seems the
DPI is effective here. My question is, is there any extra
encryption/obfuscation that can be done on the DTLS stream? Would
using newer ciphers like TLS_1.3 perhaps help? I know it's a long
shot, but worth trying. Thanks again!

On Thu, Jul 26, 2018 at 3:08 PM Daniel Lenski <dlenski at gmail.com> wrote:
>
> On Jul 26, 2018 7:28 AM, "Ahmed Kamal" <email.ahmedkamal at googlemail.com> wrote:
> >
> > Thanks for helping. My config file is mostly defaults. Here it is:
> > https://transfer.sh/tXIM0/ocserv.conf.txt
> > Let me know if anything else is needed to debug this. Thanks
>
> In your configuration file, you've explicitly *disabled* the settings which allow DTLS connections from (a) Cisco clients and (b) openconnect < v7.08. Since you're connecting with openconnect v7.06, that explains the problem. (It's not offering the PSK-NEGOTIATE cipher which newer openconnect versions send to trigger the new-style DTLS negotiation.)
>
>
> # This option will enable the pre-draft-DTLS version of DTLS, and
> # will not require clients to present their certificate on every TLS
> # connection. It must be set to true to support legacy CISCO clients
> # and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
> cisco-client-compat = false
>
> # This option allows to disable the legacy DTLS negotiation (enabled by default,
> # but that may change in the future).
> # The legacy DTLS uses a pre-draft version of the DTLS protocol and was
> # from AnyConnect protocol. It has several limitations, that are addressed
> # by the dtls-psk protocol supported by openconnect 7.08+.
> dtls-legacy = false
>
>
> -Dan
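The two ocserv settings Dan quotes decide which clients can get a DTLS channel at all, and the "Setup DTLS failed; using SSL instead" fallback in the subject line is what a client sees when neither path is open to it. The following checker is an added example, not code from the thread or from ocserv: it parses an ocserv.conf fragment and reports, per client type, whether DTLS or the TLS fallback results, using only the semantics in the quoted comments (cisco-client-compat = true implies dtls-legacy = true; openconnect 7.08+ negotiates DTLS via PSK-NEGOTIATE instead of the legacy path). Two defaults are assumptions rather than statements on the page: a missing dtls-legacy is treated as true (the comment says "enabled by default"), and a missing cisco-client-compat is treated as false. The sample configuration is constructed from the settings in the reply, not the poster's full file.

```python
import re

# Constructed fragment based on the two settings quoted in the thread
# (comments shortened); this is not the poster's actual ocserv.conf.
SAMPLE_CONF = """\
# legacy (pre-draft) DTLS for Cisco clients and openconnect < 7.08;
# true also implies dtls-legacy = true
cisco-client-compat = false
# legacy DTLS negotiation, enabled by default
dtls-legacy = false
udp-port = 443
"""


def parse_ocserv_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def _flag(settings, key, default):
    """Boolean view of a setting; 'default' is an assumption for absent keys."""
    value = settings.get(key)
    if value is None:
        return default
    return value.lower() in ("true", "yes", "1", "on")


def _version(text):
    """'v7.06' / '7.08' -> (7, 6) / (7, 8) for comparison."""
    match = re.match(r"v?(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unparseable openconnect version {text!r}")
    return int(match.group(1)), int(match.group(2))


def dtls_outcome(settings, client, version=None):
    """Return 'dtls' if the client can set up a DTLS channel, else 'tls-fallback'.

    client is 'cisco' (AnyConnect) or 'openconnect' (with a version string).
    """
    cisco_compat = _flag(settings, "cisco-client-compat", False)  # assumed default
    # The page: cisco-client-compat = true implies dtls-legacy = true.
    legacy_dtls = cisco_compat or _flag(settings, "dtls-legacy", True)  # assumed default

    if client == "cisco":
        return "dtls" if cisco_compat else "tls-fallback"
    if client == "openconnect":
        if _version(version) >= (7, 8):
            return "dtls"  # new-style negotiation via PSK-NEGOTIATE / dtls-psk
        return "dtls" if legacy_dtls else "tls-fallback"
    raise ValueError(f"unknown client type {client!r}")


def dtls_report(text):
    """Summarise DTLS availability for the common client types."""
    settings = parse_ocserv_conf(text)
    return {
        "cisco anyconnect": dtls_outcome(settings, "cisco"),
        "openconnect 7.06": dtls_outcome(settings, "openconnect", "7.06"),
        "openconnect 7.08": dtls_outcome(settings, "openconnect", "7.08"),
    }


if __name__ == "__main__":
    for client, outcome in dtls_report(SAMPLE_CONF).items():
        print(f"{client:18} -> {outcome}")
```

With both legacy options false, as in the quoted file, the report shows the 7.06 client falling back to TLS while 7.08 still gets DTLS, which matches Dan's diagnosis. Before flipping either option to true to accommodate old clients, note the comment on cisco-client-compat: it also stops requiring the client certificate on every TLS connection, so upgrading the client is the tighter fix.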