When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fallback
to the legacy protocol in that case.
The server sends the X-DTLS-App-ID header in the new protocol;
the X-DTLS-Session-ID is only used in the legacy protocol. The
server expects the Application identifier to be placed in a TLS
extension.
There the DTLS ciphersuite and DTLS version are negotiated and
we cannot accurately predict the actual tunnel size. In that
case the client must rely on the Base-MTU.
This was changed so that it is explicitly made incompatible with
existing openconnect patch. The new openconnect client patch for
PSK negotiation is incompatible with the protocol as implemented
in 0.11.4 and requires the option match-tls-and-dtls-ciphers for its
openssl variant.
That when enable, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option
when disabled, it will disable the pre-draft-DTLS negotiation.
If the client's X-DTLS-CipherSuite contains the PSK keyword,
the server will reply with "X-DTLS-CipherSuite: PSK" and will enable
DTLS-PSK negotiation on the DTLS channel. The ciphersuite set
in the DTLS channel, must match the one set in TLS one. That,
makes the protocol consistent in security properties (DTLS and TLS channel
will match cipher/mac combinations), and allows the protocol to use
any new DTLS versions, as well as new DTLS ciphersuites without
any code changes.
That change still requires to client to pretend it is resuming
by setting in the DTLS client hello the session ID provided by
X-DTLS-Session-ID.
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size to equal to the current
data MTU.
