On 12/01/2019 01:07 PM, Siyuan Ren wrote:
> Sadly I do need Cisco client compat. Guess there is simply no way around it.
>
> On Sun, Dec 1, 2019 at 2:18 PM Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos@xxxxxxxxx> wrote:
>> Yes. You will need to turn off the cisco client compatibility though and the behavior should change to what you described.
>>
>> Regards,
>> Nikos
>>
>> On December 1, 2019 3:19:02 AM UTC, Siyuan Ren <netheril96@xxxxxxxxx> wrote:
>>> Hi,
>>>
>>> I don't want people (well, more specifically, China's great firewall)
>>> to find out that my VM has an openconnect server running.
>>>
>>> Currently I only allow login via client certificate. I expected when
>>> users do not present a valid client certificate, the TLS connection is
>>> never established, so no one can find out what exactly is protected by
>>> the TLS connection. But in reality, my ocserv responds with
>>>
>>> ```
>>> <config-auth client="vpn" type="auth-request">
>>> <version who="sg">0.1(1)</version>
>>> <auth id="main">
>>> <message>Please enter your username.</message>
>>> <form method="post" action="/auth"> </form>
>>> </auth>
>>> </config-auth>
>>> ```
>>>
>>> which clearly tells others that it is a VPN.
>>>
>>> Is it possible for ocserv to outright close the endpoint if client
>>> certificates are not present or valid?
>>>
>>> _______________________________________________
>>> openconnect-devel mailing list
>>> openconnect-devel@xxxxxxxxxxxxxxxxxxx
>>> http://lists.infradead.org/mailman/listinfo/openconnect-devel
>> --
>> Sent from my mobile. Please excuse my brevity.

Out of interest - would this bypass scrutiny by the Great Firewall? Do they also not conduct packet inspections of connections that would reveal a VPN connection?