List:       openconnect-devel
Subject:    Re: [PATCH] DTLS: Add ECDHE-RSA-AES256-SHA384 as a v1.2 cipher suite
From:       Jason Gunthorpe <jgg () ziepe ! ca>
Date:       2020-07-31 23:45:45
Message-ID: 20200731234545.GL24045 () ziepe ! ca

On Fri, Jul 31, 2020 at 04:33:08PM -0700, Daniel Lenski wrote:

> 1) the TLS ciphers list (to allow SHA384 as MAC; IMO this should have
> already been included alongside +SHA256 in
> https://gitlab.com/openconnect/openconnect/-/commit/5a3f242e7f778836f1645fb6479953e369a8f81e)
> 2) the DTLS v1.2 ciphers list (to allow one specific cipher suite
> there: ECDHE-RSA-AES256-SHA384)
> 
> We already have a way for the user to override (1) for corner cases
> like yours. In https://gitlab.com/openconnect/openconnect/-/merge_requests/71,
> I added the `--gnutls-priority` option specifically to be used for
> cases like yours, so recompilation isn't necessary.
> 
> However, we *don't* have a good way to override (2) dynamically, at
> least not for Cisco servers, because the DTLS cipher "negotiation"
> (scare quotes intentional) happens in such a weird non-standard way.

Yes, arguably the list in #2 should map all of the cisco suite names
to gnutls parameters and the policy string should control which are
allowed.

> I'm in favor of merging this patch since I don't see any cases where
> it silently *degrades* security. (One other thing I'd note is that
> this DTLS cipher should *already* be supported *anyway* if you build
> OpenConnect with OpenSSL instead of GnuTLS.)

Ah! I didn't try openssl because for whatever reason building and
running the dtls check in openconnect fails on the openssl in Ubuntu
20.04 LTS.

Jason

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
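Added example, not OpenConnect's own code: a sketch of the design Jason proposes above, in which the client-side table maps every Cisco DTLS suite name to the GnuTLS parameters that enable it, and the user's priority string (the `--gnutls-priority` override from the thread) decides which entries are offered, so that a new suite such as ECDHE-RSA-AES256-SHA384 needs a table row rather than a recompile. The table contents, the `X-DTLS-CipherSuite`/`X-DTLS12-CipherSuite` header layout, and the reduced policy grammar (only `-KEYWORD` entries are honoured) are assumptions for illustration; the GnuTLS keywords themselves (`AES-256-CBC`, `SHA384`, `ECDHE-RSA`, `VERS-DTLS1.2`, ...) are real priority-string tokens.

```python
"""Added example (not OpenConnect code): map Cisco DTLS suite names to
GnuTLS priority strings and let a user policy decide which are offered."""

from __future__ import annotations

# Constructed table: Cisco suite name -> (DTLS version, GnuTLS priority string
# enabling exactly that one ciphersuite). Which rows OpenConnect really ships
# is not shown on the page; these are illustrative.
SUITE_TABLE: dict[str, tuple[str, str]] = {
    "AES128-SHA": ("DTLS0.9",
        "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT"),
    "AES256-SHA": ("DTLS0.9",
        "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT"),
    "DES-CBC3-SHA": ("DTLS0.9",
        "NONE:+VERS-DTLS0.9:+COMP-NULL:+3DES-CBC:+SHA1:+RSA:%COMPAT"),
    "ECDHE-RSA-AES128-GCM-SHA256": ("DTLS1.2",
        "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-128-GCM:+AEAD:+ECDHE-RSA:+SIGN-ALL:%COMPAT"),
    "ECDHE-RSA-AES256-GCM-SHA384": ("DTLS1.2",
        "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-GCM:+AEAD:+ECDHE-RSA:+SIGN-ALL:%COMPAT"),
    # The suite the patch under discussion adds.
    "ECDHE-RSA-AES256-SHA384": ("DTLS1.2",
        "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-CBC:+SHA384:+ECDHE-RSA:+SIGN-ALL:%COMPAT"),
}


def _enabled_keywords(prio: str) -> set[str]:
    """Keywords a priority string switches on (its '+X' entries)."""
    return {t[1:] for t in prio.split(":") if t.startswith("+")}


def allowed_suites(policy: str) -> list[str]:
    """Suites none of whose enabled keywords the user policy forbids.

    Assumed policy grammar, a subset of GnuTLS syntax: '-X' forbids keyword X,
    every other entry is ignored. So '-VERS-DTLS0.9' drops all legacy suites
    and '-SHA1' drops the CBC/HMAC-SHA1 ones.
    """
    forbidden = {t[1:] for t in policy.split(":") if t.startswith("-")}
    return [name for name, (_, prio) in SUITE_TABLE.items()
            if not (_enabled_keywords(prio) & forbidden)]


def offer_headers(policy: str) -> dict[str, str]:
    """Header values the client would advertise (header names/format assumed)."""
    names = allowed_suites(policy)
    return {
        "X-DTLS-CipherSuite":
            ":".join(n for n in names if SUITE_TABLE[n][0] == "DTLS0.9"),
        "X-DTLS12-CipherSuite":
            ":".join(n for n in names if SUITE_TABLE[n][0] == "DTLS1.2"),
    }


def select_suite(server_choice: str, policy: str) -> tuple[str, str]:
    """Turn the name the server sent back into (version, GnuTLS priority).

    Refuses anything we did not offer: the server (or whoever can rewrite
    the HTTP response) must not be able to pick a suite the policy removed.
    """
    if server_choice not in SUITE_TABLE:
        raise ValueError(f"unknown DTLS suite from server: {server_choice!r}")
    if server_choice not in allowed_suites(policy):
        raise ValueError(f"server picked {server_choice!r}, forbidden by policy")
    return SUITE_TABLE[server_choice]


if __name__ == "__main__":
    policy = "NORMAL:-VERS-DTLS0.9:-SHA1"
    print(offer_headers(policy))
    print(select_suite("ECDHE-RSA-AES256-SHA384", policy))
```

The point of `select_suite` re-checking against `allowed_suites` is that the Cisco exchange has no cryptographic binding between what the client offered and what the server answers, so the client-side table lookup is the only place a forbidden suite can be rejected.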
