GitLab/ocserv
1
0
Fork 0
mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-03-16 06:49:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

the default strings will enforce PFS

Browse Source
This commit is contained in:
Nikos Mavrogiannopoulos
2014-12-25 10:56:19 +02:00
parent 6d331584c1
commit 80459cfbd5
2 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
doc/sample.config
View File

@@ -139,11 +139,17 @@ server-key = ../tests/server-key.pem
# The revocation list of the certificates issued by the 'ca-cert' above. # The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /path/to/crl.pem #crl = /path/to/crl.pem
# GnuTLS priority string # GnuTLS priority string; note that SSL 3.0 is disabled by default
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" # as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The default string below enforces perfect forward secrecy (PFS)
# on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# To enforce perfect forward secrecy (PFS) on the main channel. # More combinations in priority strings are available, check
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" # http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., to old default without perfect forward secrecy (PFS)
# on the main channel:
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
# The time (in seconds) that a client is allowed to stay connected prior # The time (in seconds) that a client is allowed to stay connected prior
# to authentication # to authentication

10
src/ocserv-args.def
View File

@@ -226,13 +226,15 @@ server-key = /path/to/key.pem
# GnuTLS priority string; note that SSL 3.0 is disabled by default # GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using # as there are no openconnect (and possibly anyconnect clients) using
# that protocol. # that protocol. The default string below enforces perfect forward secrecy (PFS)
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128" # on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# More combinations in priority strings are available, check # More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html # http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., to enforce perfect forward secrecy (PFS) on the main channel: # E.g., to old default without perfect forward secrecy (PFS)
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" # on the main channel:
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
# The time (in seconds) that a client is allowed to stay connected prior # The time (in seconds) that a client is allowed to stay connected prior
# to authentication # to authentication