Disable SSLv3 and RC4

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 13 07:50:06 PDT 2016


On Tue, Sep 13, 2016 at 4:45 PM, Nux! <nux at li.nux.ro> wrote:
> Nikos,
>
> That was spot on! That config line gives me A- on Qualys's ssllabs.
> I get the "-" because the server does not support "Forward Secrecy"
>
> Using the following line should solve fwd secrecy and give me A+ at the theoretical cost of breaking old clients, as per the manual.
>
> tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
>
> In reality using that line makes the server unreachable by Qualys, Firefox or Cisco Anyconnect.
> "ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a supported cipher suite."

This should have allowed the ECDHE ciphersuites which have forward
secrecy. Do you happen to have a certificate which is marked for
encryption-only? Your certificate must allow digital signatures for
forward secrecy ciphersuites to work.

regards,
Nikos
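The check Nikos suggests, worked through as an added example that is not part of the thread or of the ocserv project: the script mints two throw-away self-signed certificates with openssl (one encryption-only, one that also permits digital signatures), inspects their keyUsage the way a practitioner would before blaming the priority string, and, where gnutls-cli is installed, lists how many ECDHE suites the proposed tls-priorities string still enables. The file names, the WORKDIR, the example.test subject names and the choice of openssl (rather than GnuTLS certtool) for minting the certificates are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from ocserv itself.
# Reproduces the "encryption-only certificate" failure mode: with -RSA in the
# GnuTLS priority string only (EC)DHE suites remain, and those require a
# certificate whose keyUsage permits digitalSignature.
# Assumptions: openssl is on PATH; WORKDIR, file names and subject names are
# placeholders chosen for this example.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert NAME KEYUSAGE: self-signed RSA certificate with the given keyUsage
# bits (e.g. "keyEncipherment" or "digitalSignature, keyEncipherment").
make_cert() {
    name="$1"
    usage="$2"
    cat >"$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3
[dn]
CN = $name.example.test
[v3]
keyUsage = critical, $usage
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORKDIR/$name.cnf" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# cert_allows_signing CERTFILE: exit 0 if the certificate may sign, i.e. if
# ECDHE-RSA / DHE-RSA ciphersuites can be negotiated with it.
# RFC 5280: a certificate with no keyUsage extension carries no restriction.
cert_allows_signing() {
    ku=$(openssl x509 -in "$1" -noout -text \
         | grep -A1 'X509v3 Key Usage' | tail -n 1)
    [ -z "$ku" ] && return 0
    echo "$ku" | grep -q 'Digital Signature'
}

# count_ecdhe_suites PRIORITY: number of ECDHE suites a GnuTLS priority string
# enables (needs gnutls-cli). A non-zero count shows the string itself still
# permits forward secrecy, so a negotiation failure points at the certificate.
count_ecdhe_suites() {
    gnutls-cli --priority "$1" --list 2>/dev/null | grep -c 'ECDHE'
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; nothing to demonstrate" >&2
        return 0
    fi
    make_cert enc-only "keyEncipherment"
    make_cert signing "digitalSignature, keyEncipherment"
    for n in enc-only signing; do
        if cert_allows_signing "$WORKDIR/$n.crt"; then
            echo "$n.crt: digitalSignature allowed, forward-secrecy suites usable"
        else
            echo "$n.crt: encryption-only, (EC)DHE suites cannot be negotiated"
        fi
    done
    if command -v gnutls-cli >/dev/null 2>&1; then
        p='NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128'
        echo "ECDHE suites enabled by the priority string: $(count_ecdhe_suites "$p")"
    fi
}

main "$@"
```

Run cert_allows_signing against the certificate ocserv actually serves (the file named by server-cert in ocserv.conf); if it reports encryption-only, the fix is to reissue the certificate with digitalSignature in its keyUsage, not to loosen the priority string.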



More information about the openconnect-devel mailing list