Disable SSLv3 and RC4

Nux! nux at li.nux.ro
Tue Sep 13 08:03:44 PDT 2016


Nikos,

Thanks for that, it will take me a bit to digest it.
The cert might be as you suspect since it's a letsencrypt one.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> To: "Nux!" <nux at li.nux.ro>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Tuesday, 13 September, 2016 15:50:06
> Subject: Re: Disable SSLv3 and RC4

> On Tue, Sep 13, 2016 at 4:45 PM, Nux! <nux at li.nux.ro> wrote:
>> Nikos,
>>
>> That was spot on! That config line gives me A- on Qualys' ssllabs.
>> I get the "-" because the server does not support "Forward Secrecy"
>>
>> Using the following line should solve fwd secrecy and give me A+ at the
>> theoretical cost of breaking old clients, as per the manual.
>>
>> tls-priorities =
>> "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
>>
>> In reality using that line makes the server unreachable by Qualys, Firefox or
>> Cisco Anyconnect.
>> "ocserv[18873]: GnuTLS error (at worker-vpn.c:585): Could not negotiate a
>> supported cipher suite."
> 
> This should have allowed the ECDHE ciphersuites which have forward
> secrecy. Do you happen to have a certificate which is marked for
> encryption-only? Your certificate must allow digital signatures for
> forward secrecy ciphersuites to work.
> 
> regards,
> Nikos
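The exchange above turns on two things: which key exchanges survive the priority string, and which keyUsage bits the server certificate needs for each of them. The following is an added example written for this page; it is not code from ocserv, GnuTLS or either participant. It models the selection logic with a constructed subset of the suites GnuTLS's NORMAL keyword enables, an assumed starting protocol set, and only the priority-string tokens that appear in the thread (NORMAL, %flags, -RSA, -VERS-SSL3.0, -ARCFOUR-128). It is a teaching model, not GnuTLS's parser, but it shows why an encryption-only certificate combined with "-RSA" leaves nothing to negotiate.

```python
"""Why "-RSA" in an ocserv tls-priorities string can leave no negotiable suite.

Added example for this thread; not part of ocserv, GnuTLS or the original
messages.  The ciphersuite list is a constructed subset of what GnuTLS's
NORMAL keyword enables, the starting protocol set is an assumption of the
model, and the priority-string handling covers only the tokens used in the
thread (NORMAL, %flags, -RSA, -VERS-SSL3.0, -ARCFOUR-128).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str       # key exchange: "RSA", "ECDHE-RSA" or "DHE-RSA"
    cipher: str   # bulk cipher, e.g. "AES-128-GCM" or "ARCFOUR-128"

    @property
    def needs(self) -> str:
        # Static RSA key transport encrypts the premaster secret to the
        # certificate's key, so the certificate needs keyEncipherment.
        # (EC)DHE suites instead sign the ephemeral parameters with the
        # certificate's key, so they need digitalSignature.
        return "keyEncipherment" if self.kx == "RSA" else "digitalSignature"

    @property
    def forward_secrecy(self) -> bool:
        return self.kx != "RSA"


# Constructed subset of RSA-certificate suites; the real NORMAL list is longer.
NORMAL_SUITES = [
    Suite("ECDHE-RSA-AES-128-GCM-SHA256", "ECDHE-RSA", "AES-128-GCM"),
    Suite("ECDHE-RSA-AES-256-GCM-SHA384", "ECDHE-RSA", "AES-256-GCM"),
    Suite("DHE-RSA-AES-128-GCM-SHA256", "DHE-RSA", "AES-128-GCM"),
    Suite("RSA-AES-128-GCM-SHA256", "RSA", "AES-128-GCM"),
    Suite("RSA-AES-128-CBC-SHA1", "RSA", "AES-128-CBC"),
    Suite("RSA-ARCFOUR-128-SHA1", "RSA", "ARCFOUR-128"),
]
# Assumed starting protocol set for the model (GnuTLS releases differ here).
NORMAL_VERSIONS = {"TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"}


def apply_priority(priority: str) -> tuple[list[Suite], set[str], list[str]]:
    """Return (suites, protocol versions, %flags) left after the priority string."""
    tokens = priority.strip().strip('"').split(":")
    if tokens[0] != "NORMAL":
        raise ValueError("model only supports the NORMAL base keyword")
    suites = list(NORMAL_SUITES)
    versions = set(NORMAL_VERSIONS)
    flags = []
    for tok in tokens[1:]:
        if tok.startswith("%"):
            # %SERVER_PRECEDENCE / %COMPAT change ordering and tolerance,
            # not which suites exist, so the model only records them.
            flags.append(tok[1:])
        elif tok.startswith("-VERS-"):
            versions.discard(tok[len("-VERS-"):])
        elif tok.startswith("-"):
            item = tok[1:]
            # "-RSA" removes the RSA *key exchange* only; ECDHE-RSA and
            # DHE-RSA (RSA-signed ephemeral exchanges) survive.  Any other
            # name is treated as a cipher removal, e.g. "-ARCFOUR-128".
            suites = [s for s in suites if s.kx != item and s.cipher != item]
        else:
            raise ValueError(f"token not covered by this model: {tok}")
    return suites, versions, flags


def negotiable(priority: str, cert_key_usage: set[str]) -> list[Suite]:
    """Suites the server can actually offer given the certificate's keyUsage bits."""
    suites, _, _ = apply_priority(priority)
    return [s for s in suites if s.needs in cert_key_usage]


def diagnose(priority: str, cert_key_usage: set[str]) -> str:
    usable = negotiable(priority, cert_key_usage)
    if not usable:
        return 'no suite: handshake fails ("Could not negotiate a supported cipher suite")'
    if all(s.forward_secrecy for s in usable):
        return "forward secrecy for every connection"
    return "works, but RSA key transport (no forward secrecy) is still offered"


if __name__ == "__main__":
    ENC_ONLY = {"keyEncipherment"}                     # encryption-only certificate
    SIGNING = {"digitalSignature", "keyEncipherment"}  # typical server certificate
    STRICT = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
    for prio in ("NORMAL", STRICT):
        for label, ku in (("encryption-only cert", ENC_ONLY), ("signing cert", SIGNING)):
            print(f"{prio:<70} {label:<20} -> {diagnose(prio, ku)}")
```

The model makes the failure mode concrete: with "-RSA" only the (EC)DHE suites remain, every one of them needs digitalSignature on the server certificate, so a certificate carrying only keyEncipherment leaves the server with an empty suite list regardless of what the client offers. To check a real certificate rather than the model, print its Key Usage extension with `certtool -i --infile cert.pem` or, with OpenSSL 1.1.1 or later, `openssl x509 -in cert.pem -noout -ext keyUsage`, and confirm "Digital Signature" is listed before removing the RSA key exchange.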
