the default strings will enforce PFS

src/ocserv-args.def

@@ -226,13 +226,15 @@ server-key = /path/to/key.pem
 
 # GnuTLS priority string; note that SSL 3.0 is disabled by default
 # as there are no openconnect (and possibly anyconnect clients) using
-# that protocol.
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
+# that protocol. The default string below enforces perfect forward secrecy (PFS) 
+# on the main channel.
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
 
 # More combinations in priority strings are available, check
 # http://gnutls.org/manual/html_node/Priority-Strings.html
-# E.g., to enforce perfect forward secrecy (PFS) on the main channel:
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+# E.g., to old default without perfect forward secrecy (PFS)
+# on the main channel:
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
 
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication