Re: ocserv AnyConnect DTLS cipher
Hi, I'm checking this issue as it seems it's not yet implemented the AES-256-CBC in ocserv, I've seen this https://gitlab.com/openconnect/ocserv/merge_requests/86 and I want to know if there is a plan to deploy it in version 0.12.2 or if I can compile it from source just to check it if it's working. Also I want to know if using DTLS insted TLS via TCP will increase performance, any experience? thanks ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: ocserv AnyConnect DTLS cipher
On Tue, Jul 17, 2018 at 10:45 PM, Nikos Mavrogiannopoulos wrote: > > On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote: > > Hi, > > > > Is there a way to have the latest Cisco AnyConnect 4.6 clients use > > ocserv with a stronger DTLS cipher than the default > > RSA_AES_128_SHA1? > > When the same version of AnyConnect connects to an ASA the DTLS > > cipher > > shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box > > should > > also support. I have tried playing around with the > > cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers > > config > > options, but understand some of those are mutually exclusive. > > > > I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect > > clients with ocserv which works fine, but would like to support the > > "best DTLS possible" (or at least match the ASA cipher) for a few > > cases where TCP file transfer throughput through AnyConnect is > > important (seeing about 3x throughput via DTLS). > > > > `occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103: > > TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM) > > DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1) > > You cannot with the current ocserv as it doesn't support anything but > aes-128 or 3des for compatibility with anyconnect. You could try a > patch like the one below if AES256-SHA is supported by anyconnect. If > that works for you, we'd only need a test case for it, to include it in > the server. Recent ASAs and AnyConnect *do* support AES-256-CBC. I get this when connecting to a couple different ASAs: (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1) ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: ocserv AnyConnect DTLS cipher
On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote:
> Hi,
>
> Is there a way to have the latest Cisco AnyConnect 4.6 clients use
> ocserv with a stronger DTLS cipher than the default
> RSA_AES_128_SHA1?
> When the same version of AnyConnect connects to an ASA the DTLS
> cipher
> shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box
> should
> also support. I have tried playing around with the
> cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers
> config
> options, but understand some of those are mutually exclusive.
>
> I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect
> clients with ocserv which works fine, but would like to support the
> "best DTLS possible" (or at least match the ASA cipher) for a few
> cases where TCP file transfer throughput through AnyConnect is
> important (seeing about 3x throughput via DTLS).
>
> `occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103:
> TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM)
> DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1)
You cannot with the current ocserv as it doesn't support anything but
aes-128 or 3des for compatibility with anyconnect. You could try a
patch like the one below if AES256-SHA is supported by anyconnect. If
that works for you, we'd only need a test case for it, to include it in
the server.
regards,
Nikos
diff --git a/src/worker-http.c b/src/worker-http.c
index fd6b998e..65c40fc9 100644
--- a/src/worker-http.c
+++ b/src/worker-http.c
@@ -103,6 +103,16 @@ static const dtls_ciphersuite_st ciphersuites[] = {
.server_prio = 80,
.txt_version = "3.2.7",
},
+ {
+.oc_name = "AES256-SHA",
+.gnutls_name =
+"NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT",
+.gnutls_version = GNUTLS_DTLS0_9,
+.gnutls_mac = GNUTLS_MAC_SHA1,
+.gnutls_kx = GNUTLS_KX_RSA,
+.gnutls_cipher = GNUTLS_CIPHER_AES_256_CBC,
+.server_prio = 60,
+},
{
.oc_name = "AES128-SHA",
.gnutls_name =
___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
