[PULL request] distinguish between different rekey methods

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 12 05:10:25 EST 2014


On Tue, Feb 11, 2014 at 11:06 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> According to their documentation it performs a rehandshake over the
>> session. That has to be verified with a cisco server though.
>> For openconnect to support that (and test it), calling
>> gnutls_handshake() over an existing session would be sufficient.
> I have a *very* vague recollection of having tried that, and it not
> being sufficient. It's been a long time though. And it might only have
> been DTLS which stopped working; that required a rekey after 24 hours.
> Which made it very painful to test, of course.

It could be that anyconnect servers use a custom protocol to negotiate
the rehandshake. For example it could be something like a packet
'start rehandshake' and then start the actual TLS rehandshake, but I
find it highly unlikely as it is pointless. I have modified the rekey
branch to handle rehandshakes, so I'd appreciate it if somebody could
test it against a cisco server.

As I understand it, one would need to set something like
svc rekey method ssl
svc rekey time 1

regards,
Nikos