On Thu, Feb 4, 2021 at 11:07 AM Леонид Порожнета <porozhnet...@gmail.com> wrote:
>
> Hi everyone.
>
> While using OpenConnect under Ubuntu 20.10 I've got
>
>> WARNING: You specified --gnutls-priority. This should not be
>> necessary; please report cases where a priority string
>> override is necessary to connect to a server
>> to <openconnect-devel@lists.infradead.org>.
>
> So I'm here.
>
> My employer uses TLS1.0 protocol with SHA1 CA certificate (we have our
> own CA) and round-robin DNS with different certificates for different
> IP-addresses.
Hi Leonid,

Thank you very much for this reply. This is very helpful.

As of the *next* release of OpenConnect, you'll be able to handle this case by using the `--allow-insecure-crypto` flag on the command line, which will attempt to override the system minimum crypto policy. See https://gitlab.com/openconnect/openconnect/-/merge_requests/158

> Without overriding priority string I'm getting the "Server certificate
> verify failed: insecure algorithm" error and an offer to use
> --servercert option, which does not help because of different
> certificates.

We just merged *another* change which will help with this case :-)
https://gitlab.com/openconnect/openconnect/-/merge_requests/162

This will allow you to specify `--servercert` repeatedly on the command-line, so that you can whitelist all of the round-robin server fingerprints.

Though the better option will be to use `--cafile` to whitelist the CA… which should work with the SHA1-signed certs as long as `--allow-insecure-crypto` is specified.

If you can build and test with a recent version of https://gitlab.com/openconnect/openconnect/commits/master, it'd be great to confirm that this works for you.

-Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel