Sadly I do need Cisco client compat. Guess there is simply no way around it.

On Sun, Dec 1, 2019 at 2:18 PM Nikos Mavrogiannopoulos <n.mavrogiannopoulos@xxxxxxxxx> wrote:
>
> Yes. You will need to turn off the cisco client compatibility though and the behavior should change to what you described.
>
> Regards,
> Nikos
>
> On December 1, 2019 3:19:02 AM UTC, Siyuan Ren <netheril96@xxxxxxxxx> wrote:
> >Hi,
> >
> >I don't want people (well, more specifically, China's great firewall)
> >to find out that my VM has an openconnect server running.
> >
> >Currently I only allow login via client certificate. I expected when
> >users do not present a valid client certificate, the TLS connection is
> >never established, so no one can find out what exactly is protected by
> >the TLS connection. But in reality, my ocserv responds with
> >
> >```
> ><config-auth client="vpn" type="auth-request">
> >  <version who="sg">0.1(1)</version>
> >  <auth id="main">
> >    <message>Please enter your username.</message>
> >    <form method="post" action="/auth"> </form>
> >  </auth>
> ></config-auth>
> >```
> >
> >which clearly tells others that it is a VPN.
> >
> >Is it possible for ocserv to outright close the endpoint if client
> >certificates are not present or valid?
> >
> >_______________________________________________
> >openconnect-devel mailing list
> >openconnect-devel@xxxxxxxxxxxxxxxxxxx
> >http://lists.infradead.org/mailman/listinfo/openconnect-devel
>
> --
> Sent from my mobile. Please excuse my brevity.
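
An added check, not part of the thread and not ocserv code: a way to confirm, against a server you operate, whether a client that presents no certificate still receives the `<config-auth>` form quoted above. The plain `GET /` request, the function names and the sample body are assumptions made for this example.

```python
import socket
import ssl

MARKER = b"<config-auth"  # opening tag of the form quoted in the thread

# Constructed sample body, modelled on the response quoted in the thread.
SAMPLE = (b'HTTP/1.1 200 OK\r\n\r\n<config-auth client="vpn" '
          b'type="auth-request"><auth id="main"></auth></config-auth>')


def classify(tls_ok: bool, body: bytes) -> str:
    """Say what a client with no certificate learned from the endpoint."""
    if MARKER in body:
        return "leaks-vpn-form"   # the behaviour reported in the thread
    if not tls_ok:
        return "tls-refused"      # session torn down, no form seen
    return "tls-open-no-form"     # TLS works, but no auth form in the reply


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect without a client certificate and classify the reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only the reply matters here,
    ctx.verify_mode = ssl.CERT_NONE  # not the server's identity
    request = (b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii")
               + b"\r\nConnection: close\r\n\r\n")  # assumed request
    body, tls_ok = b"", True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                while len(body) < 65536:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    body += chunk
    except (ssl.SSLError, OSError):
        # Under TLS 1.3 a rejected or missing client certificate surfaces
        # as an alert on the first write/read, not inside wrap_socket().
        tls_ok = False
    return classify(tls_ok, body)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A network error or timeout with an empty reply is also reported as `tls-refused`, so confirm reachability separately before trusting that result.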