Re: ocserv AnyConnect DTLS cipher
Hi, I'm checking this issue as it seems it's not yet implemented the AES-256-CBC in ocserv, I've seen this https://gitlab.com/openconnect/ocserv/merge_requests/86 and I want to know if there is a plan to deploy it in version 0.12.2 or if I can compile it from source just to check it if it's working. Also I want to know if using DTLS insted TLS via TCP will increase performance, any experience? thanks ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: ocserv AnyConnect DTLS cipher
On Tue, Jul 17, 2018 at 10:45 PM, Nikos Mavrogiannopoulos wrote: > > On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote: > > Hi, > > > > Is there a way to have the latest Cisco AnyConnect 4.6 clients use > > ocserv with a stronger DTLS cipher than the default > > RSA_AES_128_SHA1? > > When the same version of AnyConnect connects to an ASA the DTLS > > cipher > > shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box > > should > > also support. I have tried playing around with the > > cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers > > config > > options, but understand some of those are mutually exclusive. > > > > I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect > > clients with ocserv which works fine, but would like to support the > > "best DTLS possible" (or at least match the ASA cipher) for a few > > cases where TCP file transfer throughput through AnyConnect is > > important (seeing about 3x throughput via DTLS). > > > > `occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103: > > TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM) > > DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1) > > You cannot with the current ocserv as it doesn't support anything but > aes-128 or 3des for compatibility with anyconnect. You could try a > patch like the one below if AES256-SHA is supported by anyconnect. If > that works for you, we'd only need a test case for it, to include it in > the server. Recent ASAs and AnyConnect *do* support AES-256-CBC. I get this when connecting to a couple different ASAs: (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1) ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: ocserv AnyConnect DTLS cipher
On Mon, 2018-07-16 at 16:09 -0500, Marc West wrote: > Hi, > > Is there a way to have the latest Cisco AnyConnect 4.6 clients use > ocserv with a stronger DTLS cipher than the default > RSA_AES_128_SHA1? > When the same version of AnyConnect connects to an ASA the DTLS > cipher > shows as DHE_RSA_AES256_SHA, which GnuTLS 3.5.18 on my ocserv box > should > also support. I have tried playing around with the > cisco-client-compat/dtls-legacy/dtls-psk/match-tls-dtls-ciphers > config > options, but understand some of those are mutually exclusive. > > I plan to force TCP and TLS1.2 with GCM ciphers for most AnyConnect > clients with ocserv which works fine, but would like to support the > "best DTLS possible" (or at least match the ASA cipher) for a few > cases where TCP file transfer throughput through AnyConnect is > important (seeing about 3x throughput via DTLS). > > `occtl show user` with ocserv 0.12.1 and AnyConnect 4.6.01103: > TLS ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM) > DTLS cipher: (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1) You cannot with the current ocserv as it doesn't support anything but aes-128 or 3des for compatibility with anyconnect. You could try a patch like the one below if AES256-SHA is supported by anyconnect. If that works for you, we'd only need a test case for it, to include it in the server. regards, Nikos diff --git a/src/worker-http.c b/src/worker-http.c index fd6b998e..65c40fc9 100644 --- a/src/worker-http.c +++ b/src/worker-http.c @@ -103,6 +103,16 @@ static const dtls_ciphersuite_st ciphersuites[] = { .server_prio = 80, .txt_version = "3.2.7", }, + { +.oc_name = "AES256-SHA", +.gnutls_name = +"NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT", +.gnutls_version = GNUTLS_DTLS0_9, +.gnutls_mac = GNUTLS_MAC_SHA1, +.gnutls_kx = GNUTLS_KX_RSA, +.gnutls_cipher = GNUTLS_CIPHER_AES_256_CBC, +.server_prio = 60, +}, { .oc_name = "AES128-SHA", .gnutls_name = ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel