
Ciphersuite priority override options

Changes:

  • Add undocumented options to override the GnuTLS priority string (--gnutls-priority) or OpenSSL cipher list (--openconnect-ciphers) for TLS connections.
  • Add details on the exact TLS library version against which OpenConnect was built.
  • Log the ciphersuite on every new HTTPS connection, not just with the AnyConnect protocol.
  • Fix the case where GnuTLS is asked to describe the "DTLS" cipher when we're actually using ESP.
  • Clean up some version checks for no-longer-supported GnuTLS versions, per 32358559.

Rationale:

  • Sometimes servers are broken, or offer old/insecure/dubious ciphersuite possibilities that don't match our default allowed ciphersuites
  • We want OpenConnect to have sane, secure defaults, but testing this with all combinations of (OpenConnect version, TLS library version, legacy server) is very hard
  • Most end users don't know how to build OpenConnect from source, or want to learn. They just want to get connected, even if they have to use an old/insecure/dubious ciphersuite combination.
  • Telling users that they need to recompile to use a particular ciphersuite seems unnecessary. It also exacerbates the problem of figuring out what ciphersuites would work for a particular combination of VPN server and TLS library, especially when the end user is unable to share the identity of the VPN server in question.

(More discussion at #21 (comment 299083798).)

Edited by Daniel Lenski
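The merge request above adds a way to hand OpenConnect a raw OpenSSL cipher-list string, and separately logs the exact TLS library version, because the same string expands to different suites on different library builds. The following added example (not part of the merge request or of OpenConnect itself) uses Python's `ssl` module, which wraps the same OpenSSL cipher-list grammar, to show what a candidate string actually enables before it is passed to `--openconnect-ciphers`: which suites it selects, their strength, which of them a `DEFAULT` build would not have offered, and that TLS 1.3 suites are governed separately and are unaffected by the cipher list. The function names and the sample strings are this example's own.

```python
"""Inspect what an OpenSSL cipher-list string really enables.

Added example: it is not OpenConnect code. It relies only on Python's
ssl module, whose set_ciphers()/get_ciphers() expose OpenSSL's cipher-list
parser, so the answers reflect the OpenSSL build Python is linked against,
exactly as OpenConnect's --openconnect-ciphers depends on its own build.
"""
import ssl


def library_version():
    """Report the linked OpenSSL version (the analogue of the MR's
    'log the exact TLS library version' change)."""
    return ssl.OPENSSL_VERSION


def describe_cipher_list(cipher_list):
    """Expand a cipher-list string into (protocol, name, strength_bits)
    tuples in OpenSSL's preference order.

    Raises ssl.SSLError if the string selects no cipher at all, which is
    the same failure a client would hit when given an unusable override.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return [(c["protocol"], c["name"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def is_valid_cipher_list(cipher_list):
    """True if OpenSSL accepts the string and it selects at least one cipher."""
    try:
        describe_cipher_list(cipher_list)
    except ssl.SSLError:
        return False
    return True


def pre_tls13_names(cipher_list):
    """Names of the TLS 1.2-and-earlier suites the string enables.

    TLS 1.3 suites are controlled by a separate OpenSSL setting
    (SSL_CTX_set_ciphersuites), so they always appear regardless of the
    cipher list and are excluded here to show only what the list changed.
    """
    return [name for proto, name, _ in describe_cipher_list(cipher_list)
            if proto != "TLSv1.3"]


def newly_enabled_by(override, baseline="DEFAULT"):
    """Suites the override turns on that the baseline list did not offer.

    This is the review question for any override: what did it add, rather
    than what does it contain. Returns a sorted list of names.
    """
    base = set(pre_tls13_names(baseline))
    over = set(pre_tls13_names(override))
    return sorted(over - base)


def weakest_strength_bits(cipher_list):
    """Smallest symmetric key strength among the enabled suites."""
    return min(bits for _, _, bits in describe_cipher_list(cipher_list))


if __name__ == "__main__":
    # Constructed sample strings: a narrow override and a broad one.
    narrow = "ECDHE-RSA-AES128-GCM-SHA256"
    broad = "DEFAULT:@SECLEVEL=0"  # lowers OpenSSL's security level
    print("Linked library:", library_version())
    print("Narrow override enables:", pre_tls13_names(narrow))
    print("Broad override adds over DEFAULT:", newly_enabled_by(broad))
    print("Weakest suite in broad override:", weakest_strength_bits(broad), "bits")
    print("Bogus string accepted?", is_valid_cipher_list("NO-SUCH-CIPHER"))
```

Run it once per build you care about and diff the output: a string that looks harmless on one OpenSSL version can pull in far weaker suites on another, which is exactly why the version line in the log matters when triaging a user's connection report.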
