On Fri, 2019-04-19 at 13:58 -0400, Daniel Lenski wrote:
> On Thu, Apr 18, 2019 at 5:04 PM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> > Junos Pulse (which we should support because it supports IPv6 and at
> > some point they're going to stop supporting the legacy NC protocol) has
> > something similar. Hence the hack checking for cert_md5 in
> > http://david.woodhou.se/proxy.go
>
> Ah, nice. Do you have an OpenConnect branch with Pulse support? (Even
> if crude and incomplete) Or some kind of protocol description?

Does http://david.woodhou.se/pulse2.c count? I have that, and a bunch of the hexdumps from proxy.go, which I had vaguely understood at the time; I had worked out enough of the IF-T/TLS upgrade and the subsequent EAP bits that it mostly made sense.

> > We really ought to do IPSec support so we can obsolete vpnc. Our ESP
> > support for AES-CBC-HMAC-SHA1 is *really* fast now on the 'perfhacks'
> > branch... :)
>
> I know we've discussed this before and I've expressed some skepticism
> about my ability to reimplement IPSEC (IKEv1) in a worthwhile way
> given the huge variety of options and kludges and workarounds for
> various IPSEC servers in vpnc. I personally only have access to one
> (Cisco) VPN concentrator these days.

There's a bunch of BSD-licensed IKE code we can reuse, even though vpnc itself is under GPL. I suspect that implementing the basics, then adding more esoteric things if and when people come asking for them, would suffice.