Disable SSLv3 and RC4
Nux!
nux at li.nux.ro
Tue Sep 13 07:45:54 PDT 2016
Nikos,
That was spot on! That config line gives me A- on Qualys' ssllabs.
I get the "-" because the server does not support "Forward Secrecy"
Using the following line should solve fwd secrecy and give me A+ at the theoretical cost of breaking old clients, as per the manual.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
In reality using that line makes the server unreachable by Qualys, Firefox or Cisco Anyconnect.
"ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a supported cipher suite."
Any ideas?
Thanks,
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Nux!" <nux at li.nux.ro>
> To: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Tuesday, 13 September, 2016 15:33:15
> Subject: Re: Disable SSLv3 and RC4
> Thanks Nikos, I'll have a look at that option.
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
>> To: "Nux!" <nux at li.nux.ro>
>> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
>> Sent: Tuesday, 13 September, 2016 15:20:44
>> Subject: Re: Disable SSLv3 and RC4
>
>> On Mon, Sep 12, 2016 at 3:37 PM, Nux! <nux at li.nux.ro> wrote:
>>> Hello,
>>>
>>> SSLLabs are currently giving my ocserv grade C because:
>>> This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to
>>> mitigate. Grade capped to C.
>>> This server accepts RC4 cipher, but only with older protocol versions. Grade
>>> capped to B.
>>
>> Check the tls-priorities option. Most likely you need to set something like:
>> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
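The thread above turns on whether the server still negotiates static-RSA (non-forward-secret) suites after the first priority string, and whether it negotiates anything at all after the second. The following is an added client-side diagnostic, not code from this thread or from ocserv, that answers both questions without waiting for an SSL Labs scan: it does one default handshake and one handshake offering only static-RSA key exchange. The host and port are assumptions; the `probe` helper name is hypothetical.

```python
"""Check a TLS endpoint for forward secrecy from the client side (hypothetical helper, not ocserv's code)."""
import socket
import ssl
from typing import Optional

# OpenSSL cipher-name prefixes whose key exchange is ephemeral (forward secret).
# All TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) use ephemeral (EC)DH by design.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")


def is_forward_secret(cipher_name: str) -> bool:
    """True if the negotiated suite's key exchange provides forward secrecy."""
    return cipher_name.startswith(FS_PREFIXES)


def probe(host: str, port: int = 443, ciphers: Optional[str] = None,
          timeout: float = 5.0) -> dict:
    """Handshake once and report what was negotiated.

    ciphers: optional OpenSSL cipher list to restrict the client's offer.
    Certificate checks are disabled on purpose: this is a cipher probe, not a trust check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        # Cipher lists only govern TLS <= 1.2; cap the version so a TLS 1.3
        # server cannot sidestep the restriction with its own (always-FS) suites.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, bits = tls.cipher()
                return {"ok": True, "version": version, "cipher": name,
                        "bits": bits, "forward_secret": is_forward_secret(name)}
    except (OSError, ssl.SSLError) as exc:  # refused, timeout, or "no shared cipher"
        return {"ok": False, "error": str(exc)}


def report(host: str, port: int = 443) -> dict:
    """Default handshake plus a static-RSA-only handshake (kRSA = no forward secrecy)."""
    default = probe(host, port)
    rsa_only = probe(host, port, ciphers="kRSA")
    return {"default": default,
            # If this succeeds, the server still accepts non-FS suites (the A- case).
            "accepts_static_rsa": rsa_only["ok"]}


if __name__ == "__main__":
    print(report("vpn.example.invalid", 443))  # assumed host; replace with your ocserv
```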