Hi everyone.

While using OpenConnect under Ubuntu 20.10 I've got:

> WARNING: You specified --gnutls-priority. This should not be
> necessary; please report cases where a priority string
> override is necessary to connect to a server
> to <[email protected]>.

So I'm here.

My employer uses the TLS1.0 protocol with a SHA1 CA certificate (we have our own CA) and round-robin DNS with different certificates for different IP addresses. Without overriding the priority string I'm getting the "Server certificate verify failed: insecure algorithm" error and an offer to use the --servercert option, which does not help because of the different certificates.

Using gnutls-cli I've found out that I have to enable TLS1.0 and SHA1 with the priority string 'NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1', since TLS1.0 is banned system-wide in Ubuntu 20, and SHA1 (as far as I understand) in GnuTLS itself. While in gnutls-cli this override works equally well through the --priority option, the GNUTLS_SYSTEM_PRIORITY_FILE environment variable and the /etc/gnutls/config file, it seems that OpenConnect accepts the override only through the --gnutls-priority option. And by the way - it ignores the fact that TLS1.0 is disabled at system level.

Best regards,
Leonid Porozhneta

P.S. OpenConnect version v8.10-1, using GnuTLS 3.6.15, Ubuntu 20.10.

_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
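The post lists three ways gnutls-cli accepts a priority override (--priority, GNUTLS_SYSTEM_PRIORITY_FILE, /etc/gnutls/config). The script below is an added example, not code from the post or from the OpenConnect or GnuTLS projects: it keeps the legacy TLS1.0/SHA1 override scoped to a single process by writing a throwaway priority file in the /etc/gnutls/config `[overrides]` format and pointing GNUTLS_SYSTEM_PRIORITY_FILE at it, rather than loosening /etc/gnutls/config for every program on the host. It also probes the server once with the system defaults and once with the override, so the answer to the warning's question ("is the override really necessary?") is measured instead of assumed. The hostname, port and CA path are placeholders; the gnutls-cli flags used are --priority, --port and --x509cafile.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes gnutls-cli is
# installed; VPN_HOST, VPN_PORT and CA_FILE are placeholders to fill in.

# Priority string from the post: NORMAL set plus SHA1 cert signatures.
LEGACY_PRIO='NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1'

# Write a per-process system priority file in the /etc/gnutls/config
# format. The [overrides] section's default-priority-string replaces the
# system default only for processes that set GNUTLS_SYSTEM_PRIORITY_FILE
# to this path, so the host-wide TLS1.0/SHA1 ban stays in force elsewhere.
write_priority_file() {
    path="$1"
    prio="$2"
    printf '[overrides]\ndefault-priority-string = %s\n' "$prio" > "$path"
    chmod 0600 "$path"
    printf '%s\n' "$path"
}

# Attempt one handshake with gnutls-cli. Returns 0 if the handshake and
# certificate verification succeed, non-zero otherwise. An empty priority
# argument means "use whatever the system configuration allows".
probe_tls() {
    host="$1"; port="$2"; cafile="$3"; prio="$4"
    if [ -n "$prio" ]; then
        gnutls-cli --priority "$prio" --port "$port" \
            --x509cafile "$cafile" "$host" </dev/null >/dev/null 2>&1
    else
        gnutls-cli --port "$port" \
            --x509cafile "$cafile" "$host" </dev/null >/dev/null 2>&1
    fi
}

# Report whether the legacy override is actually required for this server.
# Prints one of: "no-override-needed", "override-needed", "unreachable".
override_needed() {
    host="$1"; port="$2"; cafile="$3"
    if probe_tls "$host" "$port" "$cafile" ""; then
        echo no-override-needed
    elif probe_tls "$host" "$port" "$cafile" "$LEGACY_PRIO"; then
        echo override-needed
    else
        echo unreachable
    fi
}

# Usage (placeholders): scope the override to this shell session only,
# then run openconnect with the same string it would otherwise need.
#   VPN_HOST=vpn.example.invalid; VPN_PORT=443; CA_FILE=/path/to/our-ca.pem
#   override_needed "$VPN_HOST" "$VPN_PORT" "$CA_FILE"
#   PRIO_FILE=$(write_priority_file "$(mktemp)" "$LEGACY_PRIO")
#   GNUTLS_SYSTEM_PRIORITY_FILE="$PRIO_FILE" gnutls-cli --port "$VPN_PORT" \
#       --x509cafile "$CA_FILE" "$VPN_HOST" </dev/null
#   rm -f "$PRIO_FILE"
```

The probe runs with --x509cafile pointing at the private CA, so a "no-override-needed" result means the server negotiates under the system defaults and the --gnutls-priority flag can be dropped; "override-needed" is the case the OpenConnect warning asks people to report.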
