On Tue, Mar 15, 2022 at 12:12 PM Daniel Lenski <dlen...@gmail.com> wrote:
> This patch suggests that the "OpenSSL security level" could be the
> culprit: if the "OpenSSL security level" is set to >=2, then vanilla
> OpenSSL 1.1.1f will allow old/bad/Cisco DTLS, but Debian/Ubuntu
> OpenSSL 1.1.1f will *not* allow it:

This thread confirms that the change was intentional in Ubuntu 20.04:
https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/5

> Contrary to the default in ubuntu 20.04 tls 1.0 and 1.1 are only allowed on
> security level <2 instead of <4. Also the default security level of 1 was
> raised to 2.

Furthermore, as of 1.1.1k, *Debian* picks up a similar patch:
https://sources.debian.org/patches/openssl/1.1.1k-1+deb11u1/

So both TLS <1.2 and DTLS <1.2 are disabled by default, and the OpenSSL security level is set to 2 by default, in Ubuntu 20.04+ and Debian sid.

We'll have to warn users about this… yay. 🤦🏻♂️

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
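As an added example (not from the thread or the OpenConnect project), a small Python check that reads the [system_default_sect] of an openssl.cnf and applies the rule quoted above: with the Ubuntu/Debian patch, pre-1.2 (D)TLS needs security level <2 (default 2); with vanilla 1.1.1 it needs <4 (default 1). The two sample config blocks are constructed in the style of Ubuntu 20.04's /etc/ssl/openssl.cnf, not copied from any system.

```python
import re

# Constructed sample of a [system_default_sect] block in the style of Ubuntu 20.04's
# /etc/ssl/openssl.cnf (hand-written for this example, not taken from the thread).
UBUNTU_2004_STYLE = """
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2
"""

# The same block relaxed the way an admin would have to for a legacy (D)TLS 1.0 peer.
RELAXED_STYLE = """
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
"""

def parse_system_defaults(cnf_text, default_seclevel):
    """Read MinProtocol and @SECLEVEL from [system_default_sect].
    Absent keys fall back to no explicit floor (None) and default_seclevel."""
    in_sect, min_proto, seclevel = False, None, default_seclevel
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.startswith("["):
            in_sect = line == "[system_default_sect]"
        elif in_sect and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "MinProtocol":
                min_proto = value
            elif key == "CipherString":
                m = re.search(r"@SECLEVEL=(\d)", value)
                if m:
                    seclevel = int(m.group(1))
    return min_proto, seclevel

def legacy_dtls_allowed_by_seclevel(cnf_text, debian_patched):
    """True if the security level still lets (D)TLS 1.0/1.1 be negotiated.
    Per the thread: vanilla 1.1.1 blocks them at level >= 4 and defaults to 1;
    the Ubuntu/Debian patch blocks them at level >= 2 and defaults to 2."""
    _, seclevel = parse_system_defaults(cnf_text, 2 if debian_patched else 1)
    return seclevel < (2 if debian_patched else 4)

def tls_floor(cnf_text):
    """Explicit MinProtocol floor for TLS, or None when the config sets none."""
    return parse_system_defaults(cnf_text, 1)[0]
```

Run it against a real /etc/ssl/openssl.cnf to see whether the seclevel gate, the MinProtocol floor, or both are what stop an old DTLS peer on a given box.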