On Fri, Jul 31, 2020 at 4:45 PM Jason Gunthorpe wrote:
> Yes, arguably the list in #2 should map all of the cisco suite names
> to gnutls parameters and the policy string should control which are
> allowed.
That might be a useful follow-up to
https://gitlab.com/openconnect/openconnect/-/merge_req
On Fri, Jul 31, 2020 at 04:33:08PM -0700, Daniel Lenski wrote:
> 1) the TLS ciphers list (to allow SHA384 as MAC; IMO this should have
> already been included alongside +SHA256 in
> https://gitlab.com/openconnect/openconnect/-/commit/5a3f242e7f778836f1645fb6479953e369a8f81e)
> 2) the DTLS v1.2 cip
On Fri, Jul 31, 2020 at 4:00 PM Jason Gunthorpe wrote:
>
> On Fri, Jul 31, 2020 at 02:41:46PM -0700, Daniel Lenski wrote:
> > On Fri, Jul 31, 2020 at 2:19 PM Nikos Mavrogiannopoulos
> > wrote:
> > >
> > > On Thu, Jul 30, 2020 at 10:00 PM Jason Gunthorpe wrote:
> > > >
> > > > If GCM is not avail
On Fri, Jul 31, 2020 at 02:41:46PM -0700, Daniel Lenski wrote:
> On Fri, Jul 31, 2020 at 2:19 PM Nikos Mavrogiannopoulos
> wrote:
> >
> > On Thu, Jul 30, 2020 at 10:00 PM Jason Gunthorpe wrote:
> > >
> > > If GCM is not available on the VPN server this is a reasonable fallback.
> > >
> > > Servers
On Fri, Jul 31, 2020 at 2:19 PM Nikos Mavrogiannopoulos
wrote:
>
> On Thu, Jul 30, 2020 at 10:00 PM Jason Gunthorpe wrote:
> >
> > If GCM is not available on the VPN server this is a reasonable fallback.
> >
> > Servers will not auto-fallback to older TLS if the X-DTLS12-CipherSuite is
> > sent, s
On Thu, Jul 30, 2020 at 10:00 PM Jason Gunthorpe wrote:
>
> If GCM is not available on the VPN server this is a reasonable fallback.
>
> Servers will not auto-fallback to older TLS if the X-DTLS12-CipherSuite is
> sent, so the existing non-GCM modes with the old TLS do not negotiate.
In terms of s