Score:0

OpenConnect force clients to use special cipher


I use ocserv on CentOS as an OpenConnect VPN server, and I set it up through its config file.
I need to force clients to use a specific cipher such as AES-256-GCM,
because the VPN seems to get blocked on some 4G networks by a strange firewall, and I need to get past that firewall.
I use /etc/ocserv/ocserv.conf, but it seems there isn't any setting for this:

# password-file authentication
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# CSTP over TCP and DTLS over UDP, both on 443
tcp-port = 443
udp-port = 443
switch-to-tcp-timeout = 25
try-mtu-discovery = true
compression = true
# GnuTLS priority string: this is the setting that decides which cipher suites the server accepts
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
rekey-method = ssl
tunnel-all-dns = true
mtu = 1492
# AnyConnect compatibility and legacy DTLS negotiation
cisco-client-compat = true
dtls-psk = true
dtls-legacy = true
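For reference, the one server-side knob that ocserv exposes for cipher choice is the line already present in the config above: tls-priorities takes a GnuTLS priority string, and narrowing that string makes the server reject every suite except the ones listed. The fragment below is an added example, not taken from the question or from the ocserv project; it assumes a GnuTLS build with AES-256-GCM available and keeps every other line of the question's configuration unchanged. Note what it does and does not do: the server will only complete a handshake with AES-256-GCM (clients that do not offer it fail to connect), but it has no effect on the list of suites the client advertises in its ClientHello, which is what a filtering device sees before the server ever answers.

```ini
# /etc/ocserv/ocserv.conf (added example: only tls-priorities differs from the question's config)
#
# Start from NORMAL, remove every cipher, then re-add only AES-256-GCM.
# %SERVER_PRECEDENCE makes the server's preference order win over the client's.
# Key exchange, signature and protocol-version keywords are left as NORMAL defines them.
tls-priorities = "NORMAL:-CIPHER-ALL:+AES-256-GCM:%SERVER_PRECEDENCE"
```

To see exactly which suites a priority string expands to before restarting the service, run `gnutls-cli --list --priority "NORMAL:-CIPHER-ALL:+AES-256-GCM:%SERVER_PRECEDENCE"`; after a restart, `occtl show users` reports the TLS and DTLS cipher negotiated for each connected session, which is the quickest way to confirm that both channels ended up on AES-256-GCM rather than only the TCP one.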
Score:1

You can't change the client cipher suite unless you rewrite the client app. I'm dealing with the same issue here: the government blocks TLS connections based on the cipher suites that AnyConnect or OpenConnect offer to the server.

One way is to proxy your TLS session and use allowed ciphers (like the ones that Chrome or Firefox use) to negotiate with ocserv; you would probably need to develop this yourself, and uTLS in Go would be a good place to start investigating.
