The source project of this merge request has been removed.
Ciphersuite priority override options
Changes:
- Add undocumented options to override the GnuTLS priority string (--gnutls-priority) or OpenSSL cipher list (--openconnect-ciphers) for TLS connections.
- Add details on the exact TLS library version against which OpenConnect was built.
- Log ciphersuite on every new HTTPS connection, not just with AnyConnect protocol
- Bugfix case where GnuTLS is trying to describe “DTLS” cipher, when we're actually using ESP
- Cleanup some version checks for no-longer-supported GnuTLS versions, per 32358559
Rationale:
- Sometimes servers are broken, or offer old/insecure/dubious ciphersuite possibilities that don't match our default allowed ciphersuites
- We want OpenConnect to have sane, secure defaults, but testing this with all combinations of (OpenConnect version, TLS library version, legacy server) is very hard
- See #21 (closed), #83 (closed), #103 (closed), LP #1867184 for examples of where it broke
- Most end users don't know how to build OpenConnect from source, nor want to learn. They just want to get connected, even if they have to use an old/insecure/dubious ciphersuite combination.
- Telling users that they need to recompile to use a particular ciphersuite seems unnecessary. It also exacerbates the problem of figuring out what ciphersuites would work for a particular combination of VPN server and TLS library, especially when the end user is unable to share the identity of the VPN server in question.
(More discussion at #21 (comment 299083798).)
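As an added, stand-alone illustration (this editor's example, not code from this merge request or from OpenConnect), the Python script below shows how a user can preflight the two kinds of override string discussed above before handing them to a client: an OpenSSL cipher list, as a --openconnect-ciphers value would be, is expanded through Python's stdlib ssl module (which wraps whatever OpenSSL the interpreter is linked against), and a GnuTLS priority string, as a --gnutls-priority value would be, is validated through ctypes against libgnutls when that library is installed. The sample strings, the "legacy suite" markers, and the reporting format are assumptions made for the example; they are not OpenConnect's defaults or policy, and the suites any given machine reports depend on its TLS library version and security level, which is exactly why the MR adds the library version to the output.

```python
import ctypes
import ctypes.util
import ssl

# Substrings that this example treats as a sign of a legacy suite when they
# appear in an expanded cipher list. Illustrative heuristic only, not
# OpenConnect's definition of what is acceptable.
LEGACY_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH")


def tls_backend():
    """Report the exact OpenSSL build this interpreter's ssl module uses."""
    return ssl.OPENSSL_VERSION


def expand_cipher_list(spec):
    """Return the pre-TLS-1.3 suite names an OpenSSL cipher list enables here.

    Raises ssl.SSLError when OpenSSL rejects the string outright (a typo, or
    no suite in it is available on this build); that is the same failure a
    client would hit at connect time, reproduced without a server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    # get_ciphers() also lists the TLS 1.3 suites, which OpenSSL controls
    # separately from the cipher list, so drop them to show only what the
    # cipher string itself selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def preflight_openssl(spec):
    """Check an OpenSSL cipher-list override.

    Returns (accepted, enabled_suites, suites_flagged_as_legacy)."""
    try:
        suites = expand_cipher_list(spec)
    except ssl.SSLError:
        return False, [], []
    flagged = [s for s in suites if any(m in s for m in LEGACY_MARKERS)]
    return True, suites, flagged


def gnutls_priority_valid(spec):
    """Validate a GnuTLS priority string with libgnutls itself.

    Returns True or False, or None when libgnutls cannot be loaded. Uses the
    public gnutls_priority_init()/gnutls_priority_deinit() API; GnuTLS 3.3+
    initialises itself on load, so no gnutls_global_init() call is needed."""
    path = ctypes.util.find_library("gnutls")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.gnutls_priority_init.argtypes = [
        ctypes.POINTER(ctypes.c_void_p), ctypes.c_char_p,
        ctypes.POINTER(ctypes.c_char_p)]
    lib.gnutls_priority_init.restype = ctypes.c_int
    lib.gnutls_priority_deinit.argtypes = [ctypes.c_void_p]
    cache = ctypes.c_void_p()
    err_pos = ctypes.c_char_p()  # points at the offending token on failure
    rc = lib.gnutls_priority_init(ctypes.byref(cache), spec.encode(),
                                  ctypes.byref(err_pos))
    if rc != 0:
        return False
    lib.gnutls_priority_deinit(cache)
    return True


if __name__ == "__main__":
    print("TLS library:", tls_backend())
    # Constructed sample overrides: a narrow modern list, a "let everything
    # through" list of the kind a user might try against a broken server, and
    # a typo, to show how each is reported.
    for spec in ("ECDHE-RSA-AES256-GCM-SHA384", "DEFAULT:@SECLEVEL=0",
                 "NOT-A-CIPHER"):
        ok, suites, flagged = preflight_openssl(spec)
        print(f"OpenSSL {spec!r}: accepted={ok} suites={len(suites)} "
              f"legacy={flagged}")
    for spec in ("NORMAL:-VERS-TLS1.3", "THIS-IS-NOT-VALID"):
        print(f"GnuTLS {spec!r}: valid={gnutls_priority_valid(spec)}")
```

Running this on the affected machine, and pasting its output into a bug report together with the TLS library line, gives a maintainer the information that the rationale above says users are otherwise unable to supply: which library the client really uses, which suites an override string actually turns on there, and whether the string is even syntactically accepted.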