nuke it from orbit… http://lists.infradead.org/pipermail/openconnect-devel/2017-December/004614.html
vpn:# sudo systemctl disable ocserv.socket
Removed /etc/systemd/system/sockets.target.wants/ocserv.socket.
vpn:# sudo systemctl stop ocserv.socket
vpn:~# sudo service ocserv restart
Aug 17 08:43:01 vpn ocserv[17938]: GnuTLS error (at worker-vpn.c:607): Error in the pull function. erk? seemed to be when the client didn’t like the hash
An easy way to get the server’s SHA1 fingerprint is to use testssl.sh with the -S flag, it’ll show you the fingerprint:
openssl s_client -connect vpn.example.com:443 -showcerts 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' | openssl x509 -noout -fingerprint -sha1 | sed 's/Fingerprint=//' | sed 's/://g'