On Mon, Mar 30, 2020 at 12:55 AM Stefano Piletti <ste@xxxxxxxxxxxx> wrote:
>
> Hello,
> I'm looking for a way to make openconnect server and client connect using protocol chacha20-poly1305, which happens to be faster on my setup.
> I have tried to modify the tls-priorities string in this way:
> "NORMAL:%SERVER_PRECEDENCE:%COMPAT:+CHACHA20-POLY1305:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
>
> but the connection still makes use of AES.

Assuming *server* does indeed support ChaCha20/Poly1305… the ordering of ciphersuites with GnuTLS is something I don't fully understand; maybe Nikos can weigh in here.

Try this to make it allow *only* ChaCha20/Poly1305 as the AEAD algorithm:

gnutls-cli --list --priority "NONE:%SERVER_PRECEDENCE:+VERS-ALL:+COMP-ALL:+KX-ALL:+MAC-ALL:+CURVE-ALL:+SIGN-ALL:+CHACHA20-POLY1305"

> environment (server and client):
> Linux debian 10 AMD64
> Openconnect 0.12.6

I think you mean ocserv 0.12.6. The openconnect client is important here too. The client is what actually chooses the cipher.

See this recently-merged change, which will allow you to experiment with ciphersuite priority overrides from the OpenConnect CLI:
https://gitlab.com/openconnect/openconnect/-/merge_requests/71

-Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
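Added example, not part of the thread or of the ocserv/openconnect projects: a small Python checker that parses `gnutls-cli --list --priority` output to confirm that a tls-priorities string leaves only ChaCha20-Poly1305 suites enabled before it goes into ocserv.conf. The two listings embedded below are constructed samples, not captured from a real run; the helper runs the real gnutls-cli only when it is installed.

```python
"""Check which ciphersuites a GnuTLS priority string leaves enabled."""
import shutil
import subprocess
from typing import List, Tuple

# Priority string from the thread: everything enabled except the cipher list,
# which admits only CHACHA20-POLY1305.
CHACHA_ONLY = ("NONE:%SERVER_PRECEDENCE:+VERS-ALL:+COMP-ALL:+KX-ALL:"
               "+MAC-ALL:+CURVE-ALL:+SIGN-ALL:+CHACHA20-POLY1305")

# Constructed samples of `gnutls-cli --list --priority ...` output (not captured
# from a real run). The second mirrors the thread's NORMAL-based string: AES is
# already in NORMAL, so appending +CHACHA20-POLY1305 removes nothing.
SAMPLE_CHACHA_ONLY = """Cipher suites for NONE:...:+CHACHA20-POLY1305
TLS_CHACHA20_POLY1305_SHA256                  0x13, 0x03      TLS1.3
TLS_ECDHE_ECDSA_CHACHA20_POLY1305             0xcc, 0xa9      TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305               0xcc, 0xa8      TLS1.2
Ciphers: CHACHA20-POLY1305
"""
SAMPLE_NORMAL_PLUS = """Cipher suites for NORMAL:...:+CHACHA20-POLY1305
TLS_AES_256_GCM_SHA384                        0x13, 0x02      TLS1.3
TLS_CHACHA20_POLY1305_SHA256                  0x13, 0x03      TLS1.3
TLS_ECDHE_RSA_AES_128_GCM_SHA256              0xc0, 0x2f      TLS1.2
Ciphers: AES-256-GCM, CHACHA20-POLY1305, AES-128-GCM
"""

def parse_suites(listing: str) -> List[Tuple[str, str]]:
    """Return (suite_name, protocol) for each TLS_* line in the listing."""
    suites = []
    for line in listing.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("TLS_"):
            suites.append((parts[0], parts[-1]))
    return suites

def only_chacha(suites: List[Tuple[str, str]]) -> bool:
    """True when at least one suite is enabled and all use ChaCha20-Poly1305."""
    return bool(suites) and all("CHACHA20_POLY1305" in name for name, _ in suites)

def gnutls_listing(priority: str) -> str:
    """Run the real gnutls-cli if installed; otherwise fall back to the sample."""
    if shutil.which("gnutls-cli") is None:
        return SAMPLE_CHACHA_ONLY
    return subprocess.run(["gnutls-cli", "--list", "--priority", priority],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    enabled = parse_suites(gnutls_listing(CHACHA_ONLY))
    print("ChaCha20-Poly1305 only:", only_chacha(enabled), enabled)
```

Run it on the server and on the client machine: as the reply notes, the client picks the cipher, so the restriction must hold on both sides for the negotiated suite to change.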