Trying to build openconnect 8.20 on ubuntu 20
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Fri Mar 18 03:16:53 PDT 2022
While I agree on pushing warnings to client end users to help general
awareness about antiquated protocols, end users are usually not in a
position to do anything about obsolete corporate VPN gateways.
As long as proprietary clients support some antiquated protocols, it's
hard not to expect the same from OpenConnect.
If you think about it, it's a whole different issue on the **client**
side and the **server** side. Perhaps it would make sense to have
distinct TLS stacks/settings for services and clients, trying hard to
minimize attack vectors on services, and trying to preserve usability
of clients.
Best Regards,
Dimitri
On 18/03/2022 at 10:43, Nikos Mavrogiannopoulos wrote:
> I find that a futile goal as it goes against the consistency and minimization of attack surface goal that these policies are based on. Eventually these protocols will completely be removed from the OS libraries. It would be better to focus on giving good instructions to the user and warnings that these protocols will not be available for long, to help towards a transition to the newer generation of protocols rather than focus on keeping the old beasts alive.
>
> regards,
> Nikos