Any way to specify the SSL/TLS protocol version in OpenConnect?

Miguel Cruz miguel.cruz at realbytes.be
Mon Sep 25 02:26:04 PDT 2017


Thank you Nikos for your suggestions.

I have installed gnutls-cli and ran gnutls-cli-debug, which is a
fantastic tool to diagnose server SSL/TLS compatibility like other SSL
scanning tools, but this one definitely helps to define a proper set
of gnutls priorities.

Based on the gnutls-cli-debug output, I have composed the following
priority string
"NONE:+VERS-TLS1.0:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL".
(btw, I have sent a mail to the server admin about his legacy and
insecure configuration)

Then, as suggested, I had to recompile, but had to download the latest
openconnect v7.08 first as the '--with-default-gnutls-priority' option
was not yet available in version 7.06. Then I ran the configure
script with this option and then 'make install'.

And it worked... connected!

The rest was a question of finding the correct parameters to
authenticate and establish the session, but it's done.

Thank you for your help once again.
Regards,
Miguel

On Tue, Sep 19, 2017 at 10:26 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Mon, Sep 18, 2017 at 1:24 AM, Miguel Cruz <miguel.cruz at realbytes.be> wrote:
>> Hi,
>>
>> I'm trying to connect to some Cisco Anyconnect server I do not control
>> but the connection apparently fails during the SSL negotiation.
>>
>> I have investigated the issue using openssl and found that the server
>> only supports TLSv1 with protocol renegotiation disabled.
>>
>> Is there any way to specify to OpenConnect which SSL/TLS protocol to use?
>
> Only if you compile openconnect with the
> '--with-default-gnutls-priority' option, and then set a priority which
> only enables TLS1.0. You may want to try tools like gnutls-cli-debug
> to see whether there can be something done with that server.
>
> regards,
> Nikos
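The priority string composed in this thread, evaluated with an added toy parser (not code from the thread, from GnuTLS or from OpenConnect); the KEYWORDS table is an assumed, partial subset of the real priority grammar, enough to show what a NONE-based string enables and why it reads as a legacy-only profile:

```python
# Added example (not from the thread): toy evaluator for a NONE-based GnuTLS
# priority string. The KEYWORDS table is a constructed, partial subset; the real
# grammar is larger (see gnutls_priority_init(3) and `gnutls-cli -l`).

KEYWORDS = {
    "VERS-ALL": ("versions", {"TLS1.0", "TLS1.1", "TLS1.2"}),
    "VERS-TLS1.0": ("versions", {"TLS1.0"}),
    "MAC-ALL": ("macs", {"SHA1", "SHA256", "AEAD"}),
    "RSA": ("kx", {"RSA"}),
    "ECDHE-RSA": ("kx", {"ECDHE-RSA"}),
    "AES-128-CBC": ("ciphers", {"AES-128-CBC"}),
    "AES-128-GCM": ("ciphers", {"AES-128-GCM"}),
    "SIGN-ALL": ("sigs", {"RSA-SHA1", "RSA-SHA256"}),
    "COMP-NULL": ("comp", {"NULL"}),
}
CATEGORIES = ("versions", "macs", "kx", "ciphers", "sigs", "comp")

def evaluate(priority):
    """Apply the string left to right; '+' adds a keyword's members, '-'/'!' remove."""
    items = priority.split(":")
    if items[0] != "NONE":
        raise ValueError("only NONE-based strings are modelled here")
    enabled = {c: set() for c in CATEGORIES}
    for item in items[1:]:
        op, kw = item[0], item[1:]
        if kw not in KEYWORDS:
            raise ValueError(f"unknown keyword {kw!r}")
        cat, members = KEYWORDS[kw]
        if op == "+":
            enabled[cat] |= members
        elif op in "-!":
            enabled[cat] -= members
        else:
            raise ValueError(f"unknown operator in {item!r}")
    return enabled

def review(priority):
    e = evaluate(priority)
    findings = []  # what a client built with this default would accept
    if e["versions"] == {"TLS1.0"}:
        findings.append("only TLS 1.0 is enabled")
    if not any(k.startswith(("ECDHE", "DHE")) for k in e["kx"]):
        findings.append("no forward-secret key exchange")
    if e["ciphers"] and all(c.endswith("-CBC") for c in e["ciphers"]):
        findings.append("CBC-only ciphers")
    return findings

THREAD_PRIORITY = "NONE:+VERS-TLS1.0:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
if __name__ == "__main__":
    print(review(THREAD_PRIORITY))
```

Baking such a string in via '--with-default-gnutls-priority' makes it the default for every server the binary talks to, so the findings above apply to all connections, not just the one legacy server.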
