DTLS disabled on server?

David Woodhouse dwmw2 at infradead.org
Mon Oct 3 13:30:56 PDT 2016


On Mon, 2016-10-03 at 22:06 +0200, Peter Brant wrote:
> On Mon, Oct 3, 2016 at 9:35 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> >
> > It'll work today. Can you build the client with OpenSSL and just try
> > adding '--dtls-ciphers DHE-RSA-AES256-SHA' or
> > '--dtls-ciphers DHE-RSA-AES128-SHA' on the command line?
> >
> Thanks. Both of those work after rebuilding with OpenSSL.

Thanks. And do they both work with GnuTLS if you do this...?

diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 07cb8f4..3017cef 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
@@ -58,6 +58,10 @@ struct {
 	const char *prio;
 	const char *min_gnutls_version;
 } gnutls_dtls_ciphers[] = {
+	{ "DHE-RSA-AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1,
+	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+DHE-RSA:%COMPAT", "3.0.0" },
+	{ "DHE-RSA-AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_DHE_RSA, GNUTLS_MAC_SHA1,
+	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+DHE-RSA:%COMPAT", "3.0.0" },
 	{ "AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1,
 	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT", "3.0.0" },
 	{ "AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_KX_RSA, GNUTLS_MAC_SHA1,
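Review bot: the two new DHE-RSA rows are placed ahead of the existing RSA rows, so anything that walks gnutls_dtls_ciphers[] in table order will now prefer them; that matches the ordering in the openssl-dtls.c hunk, but the commit message should say so explicitly, and should also justify reusing "3.0.0" as the minimum GnuTLS version for the `GNUTLS_KX_DHE_RSA` / `+DHE-RSA` entries rather than copying it from the RSA rows. Since `+DHE-RSA` makes the client accept a server-supplied DH group, it is worth confirming on the test server that GnuTLS does not reject the group under its default prime-size policy, which would look like the same "DTLS disabled" symptom being chased here.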
diff --git a/openssl-dtls.c b/openssl-dtls.c
index ede21b5..89fce64 100644
--- a/openssl-dtls.c
+++ b/openssl-dtls.c
@@ -537,6 +537,7 @@ void append_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 #endif
 	buf_append(buf, "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:");
 #endif
+	buf_append(buf, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:");
 	buf_append(buf, "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
 }
 
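Review bot: the `buf_append(buf, "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:");` line sits outside the preceding `#endif` blocks, so the DHE suites are advertised unconditionally and ahead of AES256-SHA; that is consistent with the GnuTLS table change, but the same suite names are now spelled out as string literals in two files, so consider deriving this list from one shared definition to keep the OpenSSL and GnuTLS advertisements from drifting apart.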
-- 
dwmw2