Any way to specify the SSL/TLS protocol version in OpenConnect?
miguel.cruz at realbytes.be
Mon Sep 25 02:26:04 PDT 2017
Thank you Nikos for your suggestions.
I have installed gnutls-cli and ran gnutls-cli-debug, which is a
fantastic tool to diagnose server SSL/TLS compatibility like other SSL
scanning tools, but this one definitely helps to define a proper set
of gnutls priorities.
Based on the gnutls-cli-debug output, I have composed the following
(btw, I have sent a mail to the server admin about his legacy and
Then, as suggested, I had to recompile, but had to download the latest
openconnect v7.08 first as the '--with-default-gnutls-priority' option
was not yet available in version 7.06. Then I ran the 'configure'
script with this option and then 'make install'.
And it worked ... connected!
The rest was a question of finding the correct parameters to
authenticate and establish the session, but it's done.
Thank you for your help once again.
On Tue, Sep 19, 2017 at 10:26 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Mon, Sep 18, 2017 at 1:24 AM, Miguel Cruz <miguel.cruz at realbytes.be> wrote:
>> I'm trying to connect to some Cisco Anyconnect server I do not control
>> but the connection apparently fails during the SSL negotiation.
>> I have investigated the issue using openssl and found that the server
>> only supports TSLv1 with protocol renegotiation disabled.
>> Is there any way to specify OpenConnect which SSL/TLS protocol to use?
> Only if you compile openconnect with the
> '--with-default-gnutls-priority' option, and then set a priority which
> only enables TLS1.0. You may want to try tools like gnutls-cli-debug
> to see whether there can be something done with that server.