Priority string override use case
Леонид Порожнета
porozhnetalv at gmail.com
Thu Feb 4 14:06:07 EST 2021
Hi everyone.
While using OpenConnect under Ubuntu 20.10 I've got
>> WARNING: You specified --gnutls-priority. This should not be
>> necessary; please report cases where a priority string
>> override is necessary to connect to a server
>> to <openconnect-devel at lists.infradead.org>.
So I'm here.
My employer uses TLS1.0 protocol with SHA1 CA certificate (we have our
own CA) and round-robin DNS with different certificates for different
IP-addresses.
Without overriding the priority string I'm getting the "Server certificate
verify failed: insecure algorithm" error and an offer to use the
--servercert option, which does not help because of the different
certificates.
Using gnutls-cli I've found out that I have to enable TLS1.0 and SHA1
with priority string 'NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1' since
TLS1.0 is banned systemwide in Ubuntu 20, and SHA1 (as far as I
understand) in GnuTLS itself.
While in gnutls-cli this override works equally well through the
--priority option, the GNUTLS_SYSTEM_PRIORITY_FILE environment variable
and the /etc/gnutls/config file, it seems that OpenConnect accepts the
override only through the --gnutls-priority option. And, by the way, it
ignores the fact that TLS1.0 is disabled at system level.
Best regards, Leonid Porozhneta
P.S.
OpenConnect version v8.10-1
Using GnuTLS 3.6.15.
Ubuntu 20.10
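An added example, not part of the post above and not OpenConnect or GnuTLS project code: a small POSIX shell script that writes the system-priority file format gnutls-cli reads via GNUTLS_SYSTEM_PRIORITY_FILE, and probes a server with progressively more permissive priority strings so the narrowest override that connects is reported. HOST, PORT, CA_FILE and the candidate list are assumptions to be edited for the server in question; gnutls-cli must be installed.

```shell
#!/bin/sh
# Added example; assumes gnutls-cli is installed and the placeholders below
# are replaced with real values (vpn.example.invalid is a constructed name).
set -u
HOST=${HOST:-vpn.example.invalid}
PORT=${PORT:-443}
CA_FILE=${CA_FILE:-/path/to/company-ca.pem}

# Write a GnuTLS system priority file that replaces the compiled-in default
# priority string. GnuTLS reads this format from /etc/gnutls/config or from
# the file named by GNUTLS_SYSTEM_PRIORITY_FILE. Prints the file's path.
override_file() {
    f=$(mktemp) || return 1
    printf '[overrides]\ndefault-priority-string = %s\n' "$1" > "$f"
    echo "$f"
}

# One handshake with gnutls-cli using --priority (which, like the env file,
# replaces the system default). Returns 0 if verification passed.
probe() {
    gnutls-cli --priority "$1" --x509cafile "$CA_FILE" -p "$PORT" "$HOST" \
        </dev/null >/dev/null 2>&1
}

# Same probe, but via the environment-variable route instead of --priority.
probe_via_env() {
    GNUTLS_SYSTEM_PRIORITY_FILE=$(override_file "$1") \
        gnutls-cli --x509cafile "$CA_FILE" -p "$PORT" "$HOST" \
        </dev/null >/dev/null 2>&1
}

# Try candidates from strictest to most permissive and print the first that
# connects, so the admin learns which restriction the server actually forces
# them to relax (SHA1 signature only, TLS1.0 only, or both). The candidate
# list is an assumption; edit it for the server in question.
minimal_override() {
    for p in 'NORMAL:-VERS-TLS1.0:%VERIFY_ALLOW_SIGN_WITH_SHA1' \
             'NORMAL' \
             'NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1'; do
        if probe "$p"; then echo "$p"; return 0; fi
    done
    echo "no candidate priority string connected" >&2
    return 1
}
```

The string printed by minimal_override is the one to pass to openconnect --gnutls-priority, since that is the only override route the post reports OpenConnect honouring.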