On Mon, Mar 30, 2020 at 6:49 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
>
> On Mon, Mar 30, 2020 at 12:55 AM Stefano Piletti <ste@xxxxxxxxxxxx> wrote:
> >
> > Hello,
> > I'm looking for a way to make openconnect server and client connect using protocol chacha20-poly1305, which happens to be faster on my setup.
> > I have tried to modify the tls-priorities string in this way:
> > "NORMAL:%SERVER_PRECEDENCE:%COMPAT:+CHACHA20-POLY1305:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
> >
> > but the connection still makes use of AES.
>
> Assuming *server* does indeed support ChaCha20/Poly1305… the ordering
> of ciphersuites with GnuTLS is something I don't fully understand;
> maybe Nikos can weigh in here. Try this to make it allow *only*
> ChaCha20/Poly1305 as the AEAD algorithm:
>
> gnutls-cli --list --priority "NONE:%SERVER_PRECEDENCE:+VERS-ALL:+COMP-ALL:+KX-ALL:+MAC-ALL:+CURVE-ALL:+SIGN-ALL:+CHACHA20-POLY1305"

Starting from NONE can be tricky if you do not restrict to a single protocol (new protocols can add new parameters). If you want to enable just a single cipher, you can also do "NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305".

Note that priority strings are about individual algorithms, and the ones mentioned before take precedence. The command you quote above will show you the final CipherSuite ordering.

Note also that the server can override your priorities with something it prefers (e.g., if the server has an AES-accelerated CPU it may want to save its cycles and not use chacha).

regards,
Nikos
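The two rules Nikos states (algorithms mentioned earlier in a priority string keep precedence, and %SERVER_PRECEDENCE lets the server's own order win) are easy to get wrong by eye, so here is a small simplified model of them as an added example; it is not GnuTLS code and not from the thread. The cipher lists and the handful of keywords it understands (NONE, NORMAL, +ALGO, -ALGO, CIPHER-ALL, %OPTION) are constructed assumptions that only approximate what GnuTLS's NORMAL keyword yields on a given version; non-cipher tokens such as VERS-* or KX-ALL are deliberately ignored.

```python
# Simplified model of GnuTLS cipher-priority semantics (added example, not GnuTLS code).
# Assumption: the order below approximates NORMAL on a modern GnuTLS; check the
# real order with `gnutls-cli --list --priority "<string>"` as suggested in the thread.
NORMAL_CIPHERS = ["AES-256-GCM", "CHACHA20-POLY1305", "AES-128-GCM",
                  "AES-256-CBC", "AES-128-CBC"]
ALL_CIPHERS = NORMAL_CIPHERS + ["ARCFOUR-128", "3DES-CBC"]


def resolve_ciphers(priority: str):
    """Return (cipher order, %options) that the priority string produces.

    Rule modelled: a '+ALGO' that is already present does NOT move it forward,
    because the earlier mention takes precedence; '-ALGO' removes it.
    """
    ciphers, options = [], []
    for tok in priority.split(":"):
        if tok == "NONE":
            ciphers = []
        elif tok == "NORMAL":
            ciphers = list(NORMAL_CIPHERS)
        elif tok.startswith("%"):
            options.append(tok[1:])
        elif tok.startswith("+"):
            names = ALL_CIPHERS if tok[1:] == "CIPHER-ALL" else [tok[1:]]
            for name in names:
                if name in ALL_CIPHERS and name not in ciphers:
                    ciphers.append(name)
        elif tok.startswith("-"):
            names = ALL_CIPHERS if tok[1:] == "CIPHER-ALL" else [tok[1:]]
            ciphers = [c for c in ciphers if c not in names]
        # Other tokens (VERS-*, KX-ALL, MAC-ALL, ...) are outside this model.
    return ciphers, options


def negotiate(client_order, server_order, server_precedence: bool):
    """Pick the cipher a handshake would settle on under the two orderings.

    With %SERVER_PRECEDENCE the server's list is walked first; otherwise the
    client's. Returns None when the two lists share nothing.
    """
    first, second = (server_order, client_order) if server_precedence \
        else (client_order, server_order)
    return next((c for c in first if c in second), None)


if __name__ == "__main__":
    op = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:+CHACHA20-POLY1305:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
    print(resolve_ciphers(op)[0])      # AES-256-GCM still first: +CHACHA did not reorder
    print(resolve_ciphers("NORMAL:-CIPHER-ALL:+CHACHA20-POLY1305")[0])  # only ChaCha20
```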