man: Add hints on using --pfs option
I ran "openconnect --pfs" to connect to 37 semi-randomly chosen servers:

  33 servers failed with a TLS fatal alert
   3 servers successfully negotiated the connection
   1 server no longer existed

According to Cisco, PFS support is about a year old in the 9.1 branch[1],
two years old in the 8.4 branch[2], and absent in 8.6/9.0.

So, if this means that some ~90% of users will not have much luck with
--pfs, we can at least offer some information to help their system
administrators configure it.

[1] http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-685480o
[2] http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-580804

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
cernekee committed Jun 10, 2014
1 parent 64c20a5 commit f6e4fdc
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions openconnect.8.in
Expand Up @@ -320,6 +320,11 @@ long-term key is compromised, any session keys established before the compromise
will be unaffected. If this option is provided and the server does not support PFS
in the TLS channel the connection will fail.

PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher
suite may need to be manually enabled by the administrator using the
.B ssl encryption
setting.

.TP
.B \-\-no\-dtls
Disable DTLS
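Review bot: The added sentence "PFS is available in Cisco ASA releases 9.1(2) and higher" is narrower than what the commit message reports: per Cisco reference [2], PFS support has been in the 8.4 branch for about two years, while 8.6/9.0 lack it, so an administrator running 8.4(x) would wrongly conclude from this man page that an upgrade is required. Suggest wording along the lines of "PFS is available in Cisco ASA releases 8.4 and 9.1(2) and higher, but not in 8.6/9.0", citing the release notes as the commit message does. It would also help users to state how the failure presents itself, since the commit message notes that 33 of 37 servers "failed with a TLS fatal alert": adding "the connection will fail with a TLS fatal alert" to the preceding sentence lets users correlate the error they see with this option and pass the right information to their administrator.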