authorAlex W <embezzle.dev@proton.me>2024-04-29 20:53:51 +0100
committerAlex W <embezzle.dev@proton.me>2024-04-29 20:53:51 +0100
commit9ff74d4370f0a5f66c303074796dab8b1ca5c4a5 (patch)
tree60d235ab78dfe2e3bd22f0ba417c7e1506ceb0ef /data/templates/ocserv
parentaa15f74818ca2cb35696315cc5cb0c57335f6911 (diff)
openconnect: T4982: Support defining minimum TLS version in openconnect VPN
Diffstat (limited to 'data/templates/ocserv')
-rw-r--r--data/templates/ocserv/ocserv_config.j28
1 files changed, 8 insertions, 0 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index b5e890c32..81f777031 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -61,7 +61,15 @@ keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 30
+{% if tls_version_min == '1.0' %}
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+{% elif tls_version_min == '1.1' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0"
+{% elif tls_version_min == '1.2' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
+{% elif tls_version_min == '1.3' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
+{% endif %}
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
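Review bot: When `tls_version_min` is undefined or holds a value other than '1.0'–'1.3', none of the four branches match and the `tls-priorities` line that was previously emitted unconditionally disappears, so ocserv falls back to its compiled-in priority string rather than the hardened one this template used to set. Unless the XML/Python side guarantees a default for this variable (not visible in this hunk), add an `{% else %}` branch that keeps the pre-change behaviour: `{% else %}` followed by `tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"`. A short comment above the block would also help, e.g. `{# each branch repeats the shared cipher prefix and disables one more -VERS-TLS1.x; change the prefix in all four lines together #}`, since the cumulative strings are easy to edit inconsistently.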