Hi,

In ocserv version 0.11.9 (config below) the server uses the ciphers set in "tls-priorities" and the AnyConnect client connects with "RSA_AES128_CBC_SHA". Transport protocol is DTLSv0.9. This is the expected behaviour.

In ocserv version 0.12.4 (using the same config) the server ignores the ciphers set in "tls-priorities" and AnyConnect connects with "AES256_GCM_SHA384". Transport protocol is DTLSv1.2.

In ocserv version 0.12.4, if I disable DTLS legacy with "dtls-legacy = true" then the server uses the ciphers set in "tls-priorities" and the client connects with "RSA_AES128_CBC_SHA" using TLS protocol, no DTLS.

Why is there this change between ocserv version 0.11.9 and 0.12.4, and how can I have both DTLS and the server using the ciphers set in "tls-priorities" with ocserv 0.12.4?

Thank you!

ocserv.conf:

mobile-dpd = 20
dpd = 20
keepalive = 20
mtu = 1492
try-mtu-discovery = True
isolate-workers = true
tls-priorities = NONE:-VERS-ALL:+VERS-TLS1.2:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
ipv4-network = x.x.x.x
dns = x.x.x.x
route = x.x.x.x
route = x.x.x.x
route = x.x.x.x
max-same-clients = 2
max-clients = 500
auth-timeout = 240
min-reauth-time = 300
cookie-timeout = 86400
rekey-time = 172800
rekey-method = ssl
ping-leases = False
use-occtl = True
tcp-port = 443
udp-port = 443
config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/
deny-roaming = False
max-ban-score = 0
predictable-ips = True
auth = "pam"
default-domain = x.x.x.x
enable-auth = "pam"
device = vpns
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-cert = /etc/letsencrypt/live/x.x.x.x/fullchain.pem
server-key = /etc/letsencrypt/live/x.x.x.x/privkey.pem
run-as-user = nobody
run-as-group = daemon
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv.socket
occtl-socket-file = /var/run/occtl.socket

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel