Priority string override use case

Daniel Lenski dlenski at gmail.com
Fri Feb 5 13:35:11 EST 2021


On Thu, Feb 4, 2021 at 11:07 AM Леонид Порожнета <porozhnetalv at gmail.com> wrote:
>
> Hi everyone.
>
> While using OpenConnect under Ubuntu 20.10 I've got
> >>WARNING: You specified --gnutls-priority. This should not be
> >>         necessary; please report cases where a priority string
> >>         override is necessary to connect to a server
> >>         to <openconnect-devel at lists.infradead.org>.
>
> So I'm here.
>
> My employer uses TLS1.0 protocol with SHA1 CA certificate (we have our
> own CA) and round-robin DNS with different certificates for different
> IP-addresses.

Hi Leonid,
Thank you very much for this reply. This is very helpful.

As of the *next* release of OpenConnect, you'll be able to handle this
case by using the `--allow-insecure-crypto` flag on the command line,
which will attempt to override the system minimum crypto policy. See
https://gitlab.com/openconnect/openconnect/-/merge_requests/158

> Without overriding priority string I'm getting the "Server certificate
> verify failed: insecure algorithm" error and an offer to use
> --servercert option, which does not help because of different
> certificates.

We just merged *another* change which will help with this case :-)
https://gitlab.com/openconnect/openconnect/-/merge_requests/162
This will allow you to specify `--servercert` repeatedly on the
command-line, so that you can whitelist all of the round-robin server
fingerprints. Though the better option will be to use `--cafile` to
whitelist the CA… which should work with the SHA1-signed certs as long
as `--allow-insecure-crypto` is specified.

If you can build and test with a recent version of
https://gitlab.com/openconnect/openconnect/commits/master, it'd be
great to confirm that this works for you.

-Dan
