/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • mto: (237.7.304 trunk)
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which do not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.
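
A check for the property this commit enforces, as an added example (not part of Mandos or of the commit): it parses a cipher-suite listing in the layout that `gnutls-cli --list --priority ...` prints and reports every suite whose key exchange is not DHE or ECDHE. The sample listing is constructed, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample in the layout printed by `gnutls-cli --list --priority ...`.
# The suite selection is illustrative, not captured from a Mandos host.
SAMPLE_LISTING = (
    "Cipher suites for SECURE256\n"
    "TLS_ECDHE_RSA_AES_256_GCM_SHA384\t0xc0, 0x30\tTLS1.2\n"
    "TLS_DHE_RSA_AES_256_GCM_SHA384\t0x00, 0x9f\tTLS1.2\n"
    "TLS_DHE_DSS_AES_256_CBC_SHA256\t0x00, 0x6a\tTLS1.2\n"
    "TLS_RSA_AES_256_GCM_SHA384\t0x00, 0x9d\tTLS1.2\n"
    "TLS_RSA_AES_256_CBC_SHA1\t0x00, 0x35\tSSL3.0\n"
    "\n"
    "Certificate types: CTYPE-X.509\n"
    "Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0\n"
)

# One suite per line: GnuTLS name, two-byte suite id, minimum protocol version.
SUITE_LINE = re.compile(
    r"^(TLS_[A-Z0-9_]+)\s+0x[0-9a-fA-F]{2}, 0x[0-9a-fA-F]{2}\s+\S+", re.M)

# Key exchanges that use a fresh DH share per handshake. Anything else
# (RSA key transport, plain PSK, ...) is reported.
EPHEMERAL_KX = {"DHE", "ECDHE"}


def parse_suites(listing):
    """Return the cipher-suite names found in a gnutls-cli listing."""
    return [m.group(1) for m in SUITE_LINE.finditer(listing)]


def non_ephemeral(listing):
    """Return suites whose key-exchange token is not DHE or ECDHE."""
    return [s for s in parse_suites(listing)
            if s.split("_")[1] not in EPHEMERAL_KX]


if __name__ == "__main__":
    # Pipe real gnutls-cli output in, or run bare to use the sample.
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    bad = non_ephemeral(text)
    for suite in bad:
        print("non-ephemeral key exchange:", suite)
    sys.exit(1 if bad else 0)
```

The script exits non-zero when any non-ephemeral suite is listed, so it can gate a configuration check on the priority string actually deployed.
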

| Filename | Latest Rev | Last Changed | Committer | Comment | Size |
|---|---|---|---|---|---|
| .bzr-builddeb | 185 | 16 years ago | Teddy Hogeborn | * .bzr-builddeb/default.conf: New. * Makefile (in | |
| debian | 185 | 16 years ago | Teddy Hogeborn | * .bzr-builddeb/default.conf: New. * Makefile (in | |
| network-hooks.d | 237.16.10 | 13 years ago | Teddy Hogeborn | * network-hooks.d: New directory. * network-hooks. | |
| plugins.d | 13 | 16 years ago | Björn Påhlsson | Added following support: Pluginbased client handle | |
| .bzrignore | 237.7.133 | 12 years ago | Teddy Hogeborn | * .bzrignore (statedir): Added. | 188 bytes |
| clients.conf | 237.7.157 | 12 years ago | Teddy Hogeborn | * clients.conf: Convert all time intervals to new | 3.1 KB |
| common.ent | 324 | 10 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 93 bytes |
| COPYING | 24.1.51 | 16 years ago | Björn Påhlsson | Added configuration files support for mandos-clien | 34.2 KB |
| DBUS-API | 237.7.280 | 10 years ago | Teddy Hogeborn | Emit D-Bus "org.freedesktop.DBus.Properties.Proper | 6.6 KB |
| dbus-mandos.conf | 24.1.186 | 13 years ago | Björn Påhlsson | transitional stuff actually working documented cha | 820 bytes |
| default-mandos | 185 | 16 years ago | Teddy Hogeborn | * .bzr-builddeb/default.conf: New. * Makefile (in | 174 bytes |
| init.d-mandos | 237.7.196 | 10 years ago | Teddy Hogeborn | Update init script to modern standards. * init.d- | 4.3 KB |
| initramfs-tools-hook | 237.7.265 | 10 years ago | Teddy Hogeborn | mandos-client: Fix bug with GPGME 1.5.0. * initra | 6.2 KB |
| initramfs-tools-hook-conf | 256 | 15 years ago | Teddy Hogeborn | * initramfs-tools-hook-conf: Security bug fix: Add | 407 bytes |
| initramfs-tools-script | 237.7.35 | 13 years ago | Teddy Hogeborn | * initramfs-tools-script: Abort if plugin-runner i | 3.6 KB |
| initramfs-unpack | 237.7.172 | 11 years ago | Teddy Hogeborn | * initramfs-unpack: Bug fix: Made executable. | 2.2 KB |
| INSTALL | 237.23.1 | 10 years ago | Teddy Hogeborn | Require Python 2.7. This is in preparation for th | 5.3 KB |
| intro.xml | 237.7.290 | 9 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 15.9 KB |
| legalnotice.xml | 174 | 16 years ago | Teddy Hogeborn | * legalnotice.xml: Copy DocBook 4.4-formatted text | 1 KB |
| Makefile | 324 | 10 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 16.1 KB |
| mandos | 237.7.290 | 9 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 119 KB |
| mandos-clients.conf.xml | 237.7.256 | 10 years ago | Teddy Hogeborn | mandos-keygen: Generate "checker" option to use SS | 18.5 KB |
| mandos-ctl | 324 | 10 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 18.7 KB |
| mandos-ctl.xml | 237.7.156 | 12 years ago | Teddy Hogeborn | * Makefile (check): Also check mandos-ctl. * mando | 16.3 KB |
| mandos-keygen | 237.7.288 | 9 years ago | Teddy Hogeborn | mandos-keygen: Fix some stylistic quoting issues. | 10.4 KB |
| mandos-keygen.xml | 237.7.256 | 10 years ago | Teddy Hogeborn | mandos-keygen: Generate "checker" option to use SS | 15.2 KB |
| mandos-monitor | 324 | 10 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 29.9 KB |
| mandos-monitor.xml | 237.7.261 | 10 years ago | Teddy Hogeborn | mandos-monitor: New "verbose" mode to see less imp | 6.1 KB |
| mandos-options.xml | 237.7.290 | 9 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 5.4 KB |
| mandos.conf | 237.7.255 | 10 years ago | Teddy Hogeborn | mandos: New "--no-zeroconf" option. Also make "-- | 1.6 KB |
| mandos.conf.xml | 237.7.182 | 11 years ago | Teddy Hogeborn | * debian/control (Build-Depends): Changed debhelpe | 8.7 KB |
| mandos.lsm | 324 | 10 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 906 bytes |
| mandos.service | 237.7.282 | 10 years ago | Teddy Hogeborn | * mandos.service ([Unit]/Documentation): New. | 708 bytes |
| mandos.xml | 237.7.289 | 9 years ago | Teddy Hogeborn | mandos.xml (SEE ALSO): Update links. Update link | 23.7 KB |
| NEWS | 324 | 10 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 12.5 KB |
| overview.xml | 183 | 16 years ago | Teddy Hogeborn | * Makefile (install-client-nokey): Do "&&" instead | 926 bytes |
| plugin-runner.c | 237.7.264 | 10 years ago | Teddy Hogeborn | plugin-runner: Bug Fix: Fix some memory leaks. * | 35.6 KB |
| plugin-runner.conf | 237.2.105 | 15 years ago | Teddy Hogeborn | * initramfs-tools-hook: Bug fix: Add "--userid" an | 380 bytes |
| plugin-runner.xml | 237.7.92 | 12 years ago | Teddy Hogeborn | Updated year in copyright notices. | 20.5 KB |
| README | 237.7.98 | 12 years ago | Teddy Hogeborn | * README: Hint that the intro(8mandos) manual page | 409 bytes |
| TODO | 237.7.290 | 9 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 5.4 KB |