On Mon, 2021-04-26 at 15:44 -0400, David Johnston wrote: > Good Day OpenConnect/ocserv mailing list, > > I have a client who has a requirement for an SSL VPN with an > additional pre-shared key for post-quantum resistance. (Like PPKs in > IPSec, or the additional symmetric key in Wireguard) We would rather > not use OpenVPN. > > Does anybody have any ideas of how we could accomplish this in > OpenConnect? Is there some gnuTLS priority string we can use? If I was > to mod the source code, where would I start?
I'm assuming you want to do this in conjunction with ocserv on the server side, using the AnyConnect protocol? Would it suffice to use DHE_PSK for the TLS connection? That concatenates the PSK with the DH-generated "supposedly PFS" key, to generate the Master Secret used for encrypting that session. The DTLS connection is already using PSK; you could either mix in an additional shared secret on both client and server side, or perhaps you don't need to if the TLS connection is already secured?
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel