GnuTLS & OpenSSL incompatibility in RHEL
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Tue Sep 23 07:41:03 PDT 2014
On Tue, Sep 23, 2014 at 8:42 AM, Alexander Rumyantsev
<alexander at rumyantsev.com> wrote:
> Hi!
> I have ocserv running on RHEL 6.5 and openconnect on OS X 10.9+macports
> Recently I decided to hide ocserv behind haproxy to separate anyconnect connections from browser connections by User-Agent header.
> But i couldn't establish connection due to following error: "SSL connection failure: curve not supported"
> I think that's because of RHEL ships with hobbled OpenSSL (against of which haproxy was built) with very limited elliptic curves support due to RH Legal patent fears.
It seems the issue is on all parties here. Openconnect sets -CURVE-ALL
if gnutls < 3.2.9 is used. Then the openssl server negotiates an ECDHE
ciphersuite even if no curve was sent by the client. That's pretty
nasty situation.
regards,
Nikos
More information about the openconnect-devel
mailing list