Disable SSLv3 and RC4

Nux! nux at li.nux.ro
Tue Sep 13 07:45:54 PDT 2016


Nikos,

That was spot on! That config line gives me A- on Qualys' SSL Labs.
I get the "-" because the server does not support "Forward Secrecy"

Using the following line should solve fwd secrecy and give me A+ at the theoretical cost of breaking old clients, as per the manual.

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"

In reality, using that line makes the server unreachable by Qualys, Firefox or Cisco AnyConnect.

"ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a supported cipher suite."


Any ideas?

Thanks,
Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nux!" <nux at li.nux.ro>
> To: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Tuesday, 13 September, 2016 15:33:15
> Subject: Re: Disable SSLv3 and RC4

> Thanks Nikos, I'll have a look at that option.
> 
> Lucian
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> ----- Original Message -----
>> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
>> To: "Nux!" <nux at li.nux.ro>
>> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
>> Sent: Tuesday, 13 September, 2016 15:20:44
>> Subject: Re: Disable SSLv3 and RC4
> 
>> On Mon, Sep 12, 2016 at 3:37 PM, Nux! <nux at li.nux.ro> wrote:
>>> Hello,
>>>
>>> SSLLabs are currently giving my ocserv grade C because:
>>> This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to
>>> mitigate. Grade capped to C.
>>> This server accepts RC4 cipher, but only with older protocol versions. Grade
>>> capped to B.
>> 
>> Check the tls-priorities option. Most likely you need to set something like:
>> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
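An added example, not code from the thread or from ocserv/GnuTLS: the check worth running before any of the priority strings above goes into tls-priorities. `gnutls-cli -l --priority STRING` expands a priority string into the cipher suites, protocols and key exchanges it enables, locally and without a server, and the script greps that listing for exactly what SSL Labs graded on here (SSL 3.0, RC4, forward secrecy). The two sample listings are constructed to approximate the shape of gnutls-cli output, and the file name check_prio.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: lint a GnuTLS priority string before
# it goes into ocserv's tls-priorities. `gnutls-cli -l --priority STRING`
# expands the string into the cipher suites, protocols and key exchanges it
# enables, locally, without any server. The functions below grep that
# listing for the three things SSL Labs complained about in the thread:
# SSL 3.0 enabled, an RC4 (ARCFOUR) suite enabled, no forward-secret suite.

# Expand a priority string (needs gnutls-cli from gnutls-bin / gnutls-utils).
list_priority() {
    gnutls-cli -l --priority "$1"
}

# Suite lines start with "TLS_"; ECDHE/DHE suites and every TLS 1.3 suite
# give forward secrecy, RSA key transport (TLS_RSA_*) and PSK do not.
fs_suites() {
    awk '/^TLS_/ && ($1 ~ /^TLS_(ECDHE|DHE)_/ || $NF == "TLS1.3")'
}
non_fs_suites() {
    awk '/^TLS_/ && !($1 ~ /^TLS_(ECDHE|DHE)_/ || $NF == "TLS1.3")'
}

# Read a listing on stdin, print findings, return a bitmask:
#   1  SSL 3.0 still enabled (POODLE)
#   2  an ARCFOUR (RC4) suite still enabled
#   4  no ECDHE/DHE suite, so no forward secrecy
#   8  no cipher suite at all: a string like that is what makes the server
#      log "Could not negotiate a supported cipher suite"
check_listing() {
    listing=$(cat)
    rc=0
    if ! printf '%s\n' "$listing" | grep -q '^TLS_'; then
        echo "FAIL: priority string enables no cipher suite at all"
        return 8
    fi
    if printf '%s\n' "$listing" | grep -Eq '^Protocols:.*VERS-SSL3\.0'; then
        echo "FAIL: SSL 3.0 is still enabled (POODLE)"
        rc=$((rc | 1))
    fi
    if printf '%s\n' "$listing" | grep -Eq '^TLS_.*ARCFOUR'; then
        echo "FAIL: an RC4 (ARCFOUR) suite is still enabled"
        rc=$((rc | 2))
    fi
    nfs=$(printf '%s\n' "$listing" | fs_suites | wc -l | tr -d ' ')
    if [ "$nfs" -eq 0 ]; then
        echo "FAIL: no ECDHE/DHE suite left, so no forward secrecy"
        rc=$((rc | 4))
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no SSL 3.0, no RC4, $nfs forward-secret suites"
    fi
    return "$rc"
}

# End to end: expand with gnutls-cli, then check.
check_priority() {
    list_priority "$1" | check_listing
}

# Constructed sample in the shape gnutls-cli -l prints (real output is far
# longer). It stands for a server still offering RC4 over SSL 3.0.
SAMPLE_WEAK='Cipher suites for NORMAL:%COMPAT
TLS_ECDHE_RSA_AES_128_GCM_SHA256                        0xc0, 0x2f      TLS1.2
TLS_RSA_AES_128_GCM_SHA256                              0x00, 0x9c      TLS1.2
TLS_RSA_ARCFOUR_128_SHA1                                0x00, 0x05      SSL3.0

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0
Key Exchange Algorithms: ECDHE-RSA, RSA'

# Constructed sample for the same server after -VERS-SSL3.0:-ARCFOUR-128.
SAMPLE_FIXED='Cipher suites for NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128
TLS_ECDHE_RSA_AES_128_GCM_SHA256                        0xc0, 0x2f      TLS1.2
TLS_RSA_AES_128_GCM_SHA256                              0x00, 0x9c      TLS1.2

Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0
Key Exchange Algorithms: ECDHE-RSA, RSA'

# Usage: sh check_prio.sh 'NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128'
# Without an argument, run the checks over the two constructed samples.
if [ -n "${1:-}" ]; then
    check_priority "$1"
else
    printf '%s\n' "$SAMPLE_WEAK"  | check_listing || true
    printf '%s\n' "$SAMPLE_FIXED" | check_listing || true
fi
```

The listing shows what the string permits, not what the server can actually do with it: an ECDHE-RSA suite still needs an RSA certificate and a DHE suite still needs DH parameters, so a clean result here narrows a "Could not negotiate a supported cipher suite" error down to the server side rather than explaining it outright.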


