Use TLS1.3 with Ocserv anyconnect on Debian

I already use ocserv Anyconnect on my Debian Bust for a couple of months. Now I want to try to upgrade Ocserv to support TLS1.3, So I decided to have a try and below are my result ~~ Enjoy

Upgrade your gnutls-bin to 3.6.7

// Install related dependencies 
// Updated June 23,2019

apt install libgnutls-dane0=3.6.7-4 libgnutls30=3.6.7-4 libunbound8=1.9.0-2 libc6=2.28-10 libhogweed4=3.4.1-1 libidn2-0=2.0.5-1 libnettle6=3.4.1-1 libp11-kit0=0.23.15-2 libtasn1-6=4.13-3 libunistring2=0.9.10-1

// Make sure `gnutls-bin` is up to date
apt upgrade gnutls-bin

If you got libc-bin error here are my solution

dpkg: warning: 'ldconfig' not found in PATH or not executable.
dpkg: 2 expected program(s) not found in PATH or not executable.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

nano /root/.bashrc

// inside .bashrc last line paste this 
export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/sbin:/usr/local/bin

// Save and restart
source /root/.bashrc

// Resintall libc-bin

dpkg -x libc-bin*.deb unpackdir/
cd unpackdir/sbin/
cp ldconfig /sbin/
apt install libc-bin

apt policy libc6 // If it said you need to have version >= 2.2x
// do this

apt install libc6=2.28-10

Install latest ocserv version

// check version 
apt policy ocserv
// return
  Installed: 0.12.2-3
  Candidate: 0.12.2-3
  Version table:
 *** 0.12.2-3 100
         90 sid/main amd64 Packages
         90 unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     0.12.2-3~bpo9+1 100
        100 stretch-backports/main amd64 Packages

// Install with latest version
apt install ocserv=0.12.2-3

// Check installed version
ocserv -v 
// return
ocserv 0.12.2
Compiled with: seccomp, tcp-wrappers, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.6.7

Check your TLS connection

// Use openssl to test
openssl s_client -connect -tls1_3

// return 
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN =
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3743 bytes and written 589 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Use Openconnect client on Mac

// installation
brew install openconnect

// Export 
export LDFLAGS="-L/usr/local/opt/libffi/lib"

// connection
sudo openconnect <vpn address:port>

Use Openconenct GUI client on Windows

// Download GUI client for Windows

Cisco anyconnect client

CN route