On 14/07/2018 21:06, Nikos Mavrogiannopoulos wrote:
Unfortunately, it is only heuristics you can try here. It could be
that the middlebox doesn't understand a particular extension, or some
particular ciphersuite, or doesn't like the hello size. Try a smaller
ciphersuite list as:
"NORMAL:-SHA256:-SHA384:-3DES-CBC:-DHE-DSS:-SIGN-DSA-SHA1:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM"

And/or combinations of that list (i.e., re-enabling DSS/DSA if you
need it). That's the list of algorithms which are already disabled in
3.6.2 (some also from the unreleased 3.6.3) versions of gnutls. Would
that improve the situation? If not you can go further by trying
options for specific extensions such as %NO_ETM,
%DISABLE_SAFE_RENEGOTIATION, %NO_SESSION_HASH, %NO_TICKETS etc. If any
of these help improve the situation let me know.

Hi Nikos,

I tried various combinations and came to the conclusion that the only extension that differed between gnutls-cli working (with the --disable-extensions option) and failing was server_name.  I then noticed that gnutls-cli has the --disable-sni option.  I therefore tried the following:

gnutls-cli --no-ca-verification <hostname>, and the connection failed as expected.

gnutls-cli --no-ca-verification --disable-sni <hostname>, and it works (no need for Priority Strings by the way)

Then, to add confusion I added server_name to openssl's s_client Client Hello:

openssl s_client -servername <hostname> -connect <hostname>:443, and oddly that worked.

Therefore it seems the problem is down to the server_name TLS extension but only when the client is gnutls.  I compared the hex dumps (from Wireshark) of the extension from gnutls-cli and openssl s_client and they are identical.  The only difference I noticed was the ordering of the extensions - when using gnutls-cli the extension is 4th in the extension list (behind extended_master_secret, encrypt_then_mac and status_request) while for openssl s_client the server_name extension is the 1st in the list.  Could that make a difference?

Kind regards,

Gareth
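The ordering question above can be checked mechanically rather than by eyeballing Wireshark hex. The following is an added example, not code from the thread, from GnuTLS or from OpenConnect: it builds two constructed ClientHello records (one with the gnutls-cli ordering described in the message, server_name fourth behind extended_master_secret, encrypt_then_mac and status_request; one with server_name first, as openssl s_client puts it) and parses them back to report the extension order and the SNI host name. The host name vpn.example.com, the cipher suite, the zeroed client_random and the exact set of extensions in the "openssl-like" hello are assumptions for the example; the byte layout follows RFC 5246 and RFC 6066.

```python
import struct

# Extension type numbers from the IANA TLS ExtensionType registry
EXT_NAMES = {
    0x0000: "server_name",
    0x0005: "status_request",
    0x0016: "encrypt_then_mac",
    0x0017: "extended_master_secret",
    0x0023: "session_ticket",
    0xff01: "renegotiation_info",
}

# status_request body: status_type=ocsp(1), empty responder_id_list, empty request_extensions
STATUS_REQUEST_OCSP = b"\x01\x00\x00\x00\x00"


def sni_extension(hostname: str) -> bytes:
    """RFC 6066 server_name extension body carrying a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose extensions appear in the given order.

    extensions: list of (type, body) pairs.  The random, session id and cipher
    list are fixed placeholders; only the extension block matters here."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(body)) + body for t, body in extensions)
    hello = (
        b"\x03\x03"                       # client_version: TLS 1.2
        + bytes(32)                       # client_random: zeros (constructed placeholder)
        + b"\x00"                         # session_id length 0
        + b"\x00\x02\xc0\x2f"             # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello     # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def parse_client_hello(record: bytes):
    """Return (extension names in wire order, SNI host name or None) for a ClientHello record."""
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                              # version + random
    pos += 1 + body[pos]                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                      # compression_methods
    if pos >= len(body):
        return [], None                       # hello carries no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    order, sni = [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        if len(edata) != elen:
            raise ValueError("truncated extension")
        order.append(EXT_NAMES.get(etype, f"unknown_{etype:#06x}"))
        if etype == 0 and elen >= 5 and edata[2] == 0:      # first entry is a host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii")
        pos += 4 + elen
    return order, sni


def compare(hello_a: bytes, hello_b: bytes) -> dict:
    """Tell whether two hellos agree on SNI, on the extension set, and on the extension order."""
    order_a, sni_a = parse_client_hello(hello_a)
    order_b, sni_b = parse_client_hello(hello_b)
    return {"same_sni": sni_a == sni_b,
            "same_set": sorted(order_a) == sorted(order_b),
            "same_order": order_a == order_b}


HOST = "vpn.example.com"   # assumed host name for the example

# Constructed hellos: the gnutls-cli ordering reported in the thread, and SNI-first as openssl sends it
GNUTLS_LIKE = build_client_hello([
    (0x0017, b""), (0x0016, b""), (0x0005, STATUS_REQUEST_OCSP), (0x0000, sni_extension(HOST)),
])
OPENSSL_LIKE = build_client_hello([
    (0x0000, sni_extension(HOST)), (0x0017, b""), (0x0016, b""), (0x0005, STATUS_REQUEST_OCSP),
])

if __name__ == "__main__":
    for label, hello in (("gnutls-like", GNUTLS_LIKE), ("openssl-like", OPENSSL_LIKE)):
        print(label, parse_client_hello(hello))
    print(compare(GNUTLS_LIKE, OPENSSL_LIKE))
```

To use it against a real capture, export the ClientHello record bytes from Wireshark (Export Packet Bytes on the TLS record) and pass them to parse_client_hello; if compare() reports same_sni and same_set but not same_order, the ordering is the only remaining difference in the extension block, which is exactly the hypothesis the message ends on.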




_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
