On Mon, 2021-04-26 at 15:44 -0400, David Johnston wrote:
> Good Day OpenConnect/ocserv mailing list,
> 
> I have a client who has a requirement for an SSL VPN with an
> additional pre-shared key for post-quantum resistance. (Like PPKs in
> IPSec, or the additional symmetric key in Wireguard) We would rather
> not use OpenVPN.
> 
> Does anybody have any ideas of how we could accomplish this in
> OpenConnect? Is there some gnuTLS priority string we can use? If I was
> to mod the source code, where would I start?


I'm assuming you want to do this in conjunction with ocserv on the
server side, using the AnyConnect protocol?

Would it suffice to use DHE_PSK for the TLS connection? That
concatenates the PSK with the DH-generated "supposedly PFS" key, to
generate the Master Secret used for encrypting that session.

The DTLS connection is already using PSK; you could either mix in an
additional shared secret on both client and server side, or perhaps you
don't need to if the TLS connection is already secured?

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Reply via email to