[GIT PULL] DTLS and other improvements to openconnect
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Feb 3 09:34:51 EST 2014
On Mon, Feb 3, 2014 at 2:41 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> Still the most important addition is the support for AES-GCM, which is
>> not only better than AES-CBC due to side-channels, but is also more
>> UDP-friendly as it requires no padding and has a shorter nonce.
>> They are available from:
>> git://gitorious.org/openconnect-x/openconnect-x.git privacy-improvements
> Please add the --pfs option to the man page too.
Updated.
> And shouldn't it affect
> the DTLS setup too?
The DTLS channel's key depends on a key which has been established
with PFS, so if the server does not save the session keys somewhere,
it is ok.
> It probably also wants an openconnect_set_pfs()
> function in the library, since we now support actually making
> connections from the library too?
Added in a followup commit as well as its JNI counterpart.
regards,
Nikos