GnuTLS & OpenSSL incompatibility in RHEL

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 23 02:08:11 PDT 2014


On Tue, Sep 23, 2014 at 8:42 AM, Alexander Rumyantsev
<alexander at rumyantsev.com> wrote:
> Hi!
> I have ocserv running on RHEL 6.5 and openconnect on OS X 10.9+macports
> Recently I decided to hide ocserv behind haproxy to separate anyconnect connections from browser connections by User-Agent header.
> But I couldn't establish a connection due to the following error: "SSL connection failure: curve not supported"
> I think that's because RHEL ships with a hobbled OpenSSL (against which haproxy was built) with very limited elliptic curve support due to RH Legal's patent fears.
> Don't even know how to deal with this, or even whether it's worth dealing with.

Note that there is also sniproxy, which does not terminate but
correctly forwards the SSL sessions based on the server name present
in the client hello.

> P.S. I think the mode of external ssl termination with unix socket support will be very useful in ocserv.

Do you have some more information on that? Is there a known "protocol"
to forward SSL connections to another process which listens to unix
sockets? It would be even more interesting if there was not any
termination at all and the SSL session was forwarded as is (e.g., via
file descriptor passing).

regards,
Nikos
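What a non-terminating SNI proxy like the one mentioned above has to do, as an added example that is not part of this thread or of sniproxy: read the first TLS record, pull the server name out of the ClientHello without decrypting anything, and pick a backend from it. The routing table, hostnames and ports are assumptions, and the ClientHello is constructed here rather than captured.

```python
import struct

# Constructed sample, not captured traffic: a minimal TLS 1.0 ClientHello that
# carries a server_name extension (layout per RFC 5246 / RFC 6066).
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type, length, name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x01" + b"\x00" * 32                           # client_version, random
            + b"\x00"                                            # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)         # extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake header, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record header

def extract_sni(data: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                   # not a handshake / ClientHello
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hello = data[5:5 + rec_len]
        hs_len = int.from_bytes(hello[1:4], "big")
        body = hello[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                          # truncated: refuse, do not guess
        pos = 2 + 32                                             # skip version and random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos + 2 > len(body):
            return None                                          # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5 and body[pos + 2] == 0:  # server_name, host_name entry
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                if 5 + name_len <= elen:
                    return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

# Hypothetical routing table: SNI -> backend that receives the unmodified byte stream.
ROUTES = {"vpn.example.com": ("127.0.0.1", 4443), "www.example.com": ("127.0.0.1", 8443)}
def choose_backend(first_bytes: bytes, routes=ROUTES):
    # Unknown or missing SNI gets no backend rather than a default, so nothing is misrouted.
    return routes.get(extract_sni(first_bytes))
```

Because the record is only inspected and then relayed byte for byte, the backend's own TLS library (GnuTLS in ocserv's case) negotiates the curves, so the proxy's OpenSSL build never enters into it.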
