/mandos/release : revision 147

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/password-request.xml

Committer: Teddy Hogeborn
Date: 2008-09-03 17:11:32 UTC
Revision ID: teddy@fukt.bsnet.se-20080903171132-usevhlf0gi9rxqc3

* plugins.d/password-request.c (init_gnutls_global): Improved wording
                                                     in debug message.
                                                     Bug fix: Make
                                                     debug message
                                                     print to stderr,
                                                     not stdout.

* plugins.d/password-request.xml (SECURITY): Add text.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2011-11-27">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "password-request">

<!ENTITY TIMESTAMP "2008-09-03">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Client for <application>Mandos</application>

Client for mandos

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--connect

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>ADDRESS</replaceable><literal>:</literal

<replaceable>IPADDR</replaceable><literal>:</literal

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--keydir

<replaceable>DIRECTORY</replaceable></option></arg>

<arg choice="plain"><option>-d

<replaceable>DIRECTORY</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<arg choice="plain"><option>-i

</arg>

<sbr/>

100

<arg>

<option>--delay <replaceable>SECONDS</replaceable></option>

</arg>

<sbr/>

100

<arg>

101

<option>--retry <replaceable>SECONDS</replaceable></option>

102

</arg>

103

<sbr/>

104

<arg>

105

<option>--network-hook-dir

106

107

</arg>

108

<sbr/>

109

<arg>

110

101

<option>--debug</option>

111

102

</arg>

112

103

</cmdsynopsis>

129

120

</group>

130

121

</cmdsynopsis>

131

122

</refsynopsisdiv>

132

123

133

124

134

125

<title>DESCRIPTION</title>

135

126

<para>

136

127

<command>&COMMANDNAME;</command> is a client program that

137

128

communicates with <citerefentry><refentrytitle

138

129

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

139

to get a password. In slightly more detail, this client program

140

brings up a network interface, uses the interface’s IPv6

141

link-local address to get network connectivity, uses Zeroconf to

142

find servers on the local network, and communicates with servers

143

using TLS with an OpenPGP key to ensure authenticity and

144

confidentiality. This client program keeps running, trying all

145

servers on the network, until it receives a satisfactory reply

146

or a TERM signal. After all servers have been tried, all

147

servers are periodically retried. If no servers are found it

148

will wait indefinitely for new servers to appear.

149

</para>

150

<para>

151

The network interface is selected like this: If an interface is

152

specified using the <option>--interface</option> option, that

153

interface is used. Otherwise, <command>&COMMANDNAME;</command>

154

will choose any interface that is up and running and is not a

155

loopback interface, is not a point-to-point interface, is

156

capable of broadcasting and does not have the NOARP flag (see

157

<citerefentry><refentrytitle>netdevice</refentrytitle>

158

<manvolnum>7</manvolnum></citerefentry>). (If the

159

<option>--connect</option> option is used, point-to-point

160

interfaces and non-broadcast interfaces are accepted.) If no

161

acceptable interfaces are found, re-run the check but without

162

the <quote>up and running</quote> requirement, and manually take

163

the selected interface up (and later take it down on program

164

exit).

165

</para>

166

<para>

167

Before a network interface is selected, all <quote>network

168

hooks</quote> are run; see <xref linkend="network-hooks"/>.

130

to get a password. It uses IPv6 link-local addresses to get

131

network connectivity, Zeroconf to find servers, and TLS with an

132

OpenPGP key to ensure authenticity and confidentiality. It

133

keeps running, trying all servers on the network, until it

134

receives a satisfactory reply or a TERM signal is recieved.

169

135

</para>

170

136

<para>

171

137

This program is not meant to be run directly; it is really meant

225

191

</varlistentry>

226

192

227

193

228

<term><option>--interface=<replaceable

229

>NAME</replaceable></option></term>

194

<term><option>--keydir=<replaceable

195

>DIRECTORY</replaceable></option></term>

196

<term><option>-d

197

<replaceable>DIRECTORY</replaceable></option></term>

198

199

<para>

200

Directory to read the OpenPGP key files

201

<filename>pubkey.txt</filename> and

202

<filename>seckey.txt</filename> from. The default is

203

<filename>/conf/conf.d/mandos</filename> (in the initial

204

<acronym>RAM</acronym> disk environment).

205

</para>

206

</listitem>

207

</varlistentry>

208

209

210

<term><option>--interface=

211

230

212

<term><option>-i

231

213

232

214

233

215

<para>

234

216

Network interface that will be brought up and scanned for

235

Mandos servers to connect to. The default is the empty

236

string, which will automatically choose an appropriate

237

interface.

217

Mandos servers to connect to. The default it

218

<quote><literal>eth0</literal></quote>.

238

219

</para>

239

220

<para>

240

221

If the <option>--connect</option> option is used, this

241

222

specifies the interface to use to connect to the address

242

223

given.

243

224

</para>

244

<para>

245

Note that since this program will normally run in the

246

initial RAM disk environment, the interface must be an

247

interface which exists at that stage. Thus, the interface

248

can not be a pseudo-interface such as <quote>br0</quote>

249

or <quote>tun0</quote>; such interfaces will not exist

250

until much later in the boot process, and can not be used

251

by this program, unless created by a <quote>network

252

hook</quote> — see <xref linkend="network-hooks"/>.

253

</para>

254

<para>

255

<replaceable>NAME</replaceable> can be the string

256

<quote><literal>none</literal></quote>; this will not use

257

any specific interface, and will not bring up an interface

258

on startup. This is not recommended, and only meant for

259

advanced users.

260

</para>

261

225

</listitem>

262

226

</varlistentry>

263

227

268

232

269

233

270

234

<para>

271

OpenPGP public key file name. The default name is

272

<quote><filename>/conf/conf.d/mandos/pubkey.txt</filename

273

></quote>.

235

OpenPGP public key file base name. This will be combined

236

with the directory from the <option>--keydir</option>

237

option to form an absolute file name. The default name is

238

<quote><literal>pubkey.txt</literal></quote>.

274

239

</para>

275

240

</listitem>

276

241

</varlistentry>

277

242

278

243

279

244

<term><option>--seckey=<replaceable

280

245

>FILE</replaceable></option></term>

282

247

283

248

284

249

<para>

285

OpenPGP secret key file name. The default name is

286

<quote><filename>/conf/conf.d/mandos/seckey.txt</filename

287

></quote>.

250

OpenPGP secret key file base name. This will be combined

251

with the directory from the <option>--keydir</option>

252

option to form an absolute file name. The default name is

253

<quote><literal>seckey.txt</literal></quote>.

288

254

</para>

289

255

</listitem>

290

256

</varlistentry>

297

263

xpointer="priority"/>

298

264

</listitem>

299

265

</varlistentry>

300

266

301

267

302

268

<term><option>--dh-bits=<replaceable

303

269

>BITS</replaceable></option></term>

308

274

</para>

309

275

</listitem>

310

276

</varlistentry>

311

312

313

<term><option>--delay=<replaceable

314

>SECONDS</replaceable></option></term>

315

316

<para>

317

After bringing the network interface up, the program waits

318

for the interface to arrive in a <quote>running</quote>

319

state before proceeding. During this time, the kernel log

320

level will be lowered to reduce clutter on the system

321

console, alleviating any other plugins which might be

322

using the system console. This option sets the upper

323

limit of seconds to wait. The default is 2.5 seconds.

324

</para>

325

</listitem>

326

</varlistentry>

327

328

329

<term><option>--retry=<replaceable

330

>SECONDS</replaceable></option></term>

331

332

<para>

333

All Mandos servers are tried repeatedly until a password

334

is received. This value specifies, in seconds, how long

335

between each successive try <emphasis>for the same

336

server</emphasis>. The default is 10 seconds.

337

</para>

338

</listitem>

339

</varlistentry>

340

341

342

<term><option>--network-hook-dir=<replaceable

343

>DIR</replaceable></option></term>

344

345

<para>

346

Network hook directory. The default directory is

347

<quote><filename class="directory"

348

>/lib/mandos/network-hooks.d</filename></quote>.

349

</para>

350

</listitem>

351

</varlistentry>

352

277

353

278

354

279

<term><option>--debug</option></term>

384

309

</para>

385

310

</listitem>

386

311

</varlistentry>

387

312

388

313

389

314

<term><option>--version</option></term>

390

315

396

321

</varlistentry>

397

322

</variablelist>

398

323

</refsect1>

399

324

400

325

401

326

<title>OVERVIEW</title>

402

327

<xi:include href="../overview.xml"/>

411

336

<filename>/etc/crypttab</filename>, but it would then be

412

337

impossible to enter a password for the encrypted root disk at

413

338

the console, since this program does not read from the console

414

at all. This is why a separate plugin runner (<citerefentry>

415

<refentrytitle>plugin-runner</refentrytitle>

416

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

417

both this program and others in in parallel,

418

<emphasis>one</emphasis> of which (<citerefentry>

419

<refentrytitle>password-prompt</refentrytitle>

420

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

421

passwords on the system console.

339

at all. This is why a separate plugin does that, which will be

340

run in parallell to this one by the plugin runner.

422

341

</para>

423

342

</refsect1>

424

343

429

348

server could be found and the password received from it could be

430

349

successfully decrypted and output on standard output. The

431

350

program will exit with a non-zero exit status only if a critical

432

error occurs. Otherwise, it will forever connect to any

433

discovered <application>Mandos</application> servers, trying to

434

get a decryptable password and print it.

351

error occurs. Otherwise, it will forever connect to new

352

<application>Mandos</application> servers as they appear, trying

353

to get a decryptable password.

435

354

</para>

436

355

</refsect1>

437

356

445

364

</para>

446

365

</refsect1>

447

366

448

449

<title>NETWORK HOOKS</title>

450

<para>

451

If a network interface like a bridge or tunnel is required to

452

find a Mandos server, this requires the interface to be up and

453

running before <command>&COMMANDNAME;</command> starts looking

454

for Mandos servers. This can be accomplished by creating a

455

<quote>network hook</quote> program, and placing it in a special

456

directory.

457

</para>

458

<para>

459

Before the network is used (and again before program exit), any

460

runnable programs found in the network hook directory are run

461

with the argument <quote><literal>start</literal></quote> or

462

<quote><literal>stop</literal></quote>. This should bring up or

463

down, respectively, any network interface which

464

<command>&COMMANDNAME;</command> should use.

465

</para>

466

467

<title>REQUIREMENTS</title>

468

<para>

469

A network hook must be an executable file, and its name must

470

consist entirely of upper and lower case letters, digits,

471

underscores, and hyphens.

472

</para>

473

<para>

474

A network hook will receive one argument, which can be one of

475

the following:

476

</para>

477

478

479

<term><literal>start</literal></term>

480

481

<para>

482

This should make the network hook create (if necessary)

483

and bring up a network interface.

484

</para>

485

</listitem>

486

</varlistentry>

487

488

489

490

<para>

491

This should make the network hook take down a network

492

interface, and delete it if it did not exist previously.

493

</para>

494

</listitem>

495

</varlistentry>

496

497

<term><literal>files</literal></term>

498

499

<para>

500

This should make the network hook print, <emphasis>on

501

separate lines</emphasis>, all the files needed for it

502

to run. (These files will be copied into the initial

503

RAM filesystem.) Intended use is for a network hook

504

which is a shell script to print its needed binaries.

505

</para>

506

<para>

507

It is not necessary to print any non-executable files

508

already in the network hook directory, these will be

509

copied implicitly if they otherwise satisfy the name

510

requirement.

511

</para>

512

</listitem>

513

</varlistentry>

514

</variablelist>

515

<para>

516

The network hook will be provided with a number of environment

517

variables:

518

</para>

519

520

521

<term><envar>MANDOSNETHOOKDIR</envar></term>

522

523

<para>

524

The network hook directory, specified to

525

<command>&COMMANDNAME;</command> by the

526

<option>--network-hook-dir</option> option. Note: this

527

should <emphasis>always</emphasis> be used by the

528

network hook to refer to itself or any files it may

529

require.

530

</para>

531

</listitem>

532

</varlistentry>

533

534

<term><envar>DEVICE</envar></term>

535

536

<para>

537

The network interface, as specified to

538

<command>&COMMANDNAME;</command> by the

539

<option>--interface</option> option. If this is not the

540

interface a hook will bring up, there is no reason for a

541

hook to continue.

542

</para>

543

</listitem>

544

</varlistentry>

545

546

547

548

<para>

549

This will be the same as the first argument;

550

i.e. <quote><literal>start</literal></quote>,

551

<quote><literal>stop</literal></quote>, or

552

<quote><literal>files</literal></quote>.

553

</para>

554

</listitem>

555

</varlistentry>

556

557

<term><envar>VERBOSITY</envar></term>

558

559

<para>

560

This will be the <quote><literal>1</literal></quote> if

561

the <option>--debug</option> option is passed to

562

<command>&COMMANDNAME;</command>, otherwise

563

<quote><literal>0</literal></quote>.

564

</para>

565

</listitem>

566

</varlistentry>

567

568

<term><envar>DELAY</envar></term>

569

570

<para>

571

This will be the same as the <option>--delay</option>

572

option passed to <command>&COMMANDNAME;</command>.

573

</para>

574

</listitem>

575

</varlistentry>

576

</variablelist>

577

<para>

578

A hook may not read from standard input, and should be

579

restrictive in printing to standard output or standard error

580

unless <varname>VERBOSITY</varname> is

581

<quote><literal>1</literal></quote>.

582

</para>

583

</refsect2>

584

</refsect1>

585

586

367

587

368

<title>FILES</title>

588

369

589

370

600

381

</para>

601

382

</listitem>

602

383

</varlistentry>

603

604

<term><filename

605

class="directory">/lib/mandos/network-hooks.d</filename></term>

606

607

<para>

608

Directory where network hooks are located. Change this

609

with the <option>--network-hook-dir</option> option. See

610

<xref linkend="network-hooks"/>.

611

</para>

612

</listitem>

613

</varlistentry>

614

384

</variablelist>

615

385

</refsect1>

616

386

619

389

620

390

621

391

622

392

623

393

624

394

<title>EXAMPLE</title>

625

395

<para>

639

409

</informalexample>

640

410

641

411

<para>

642

Search for Mandos servers (and connect to them) using another

643

interface:

412

Search for Mandos servers on another interface:

644

413

</para>

645

414

<para>

646

415

649

418

</informalexample>

650

419

651

420

<para>

652

Run in debug mode, and use a custom key:

421

Run in debug mode, and use a custom key directory:

653

422

</para>

654

423

<para>

655

656

657

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

658

424

425

<userinput>&COMMANDNAME; --debug --keydir keydir</userinput>

659

426

</para>

660

427

</informalexample>

661

428

662

429

<para>

663

Run in debug mode, with a custom key, and do not use Zeroconf

664

to locate a server; connect directly to the IPv6 link-local

430

Run in debug mode, with a custom key directory, and do not use

431

Zeroconf to locate a server; connect directly to the IPv6

665

432

address <quote><systemitem class="ipaddress"

666

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

667

using interface eth2:

433

>2001:db8:f983:bd0b:30de:ae4a:71f2:f672</systemitem></quote>,

434

port 4711, using interface eth2:

668

435

</para>

669

436

<para>

670

437

671

438

672

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

439

<userinput>&COMMANDNAME; --debug --keydir keydir --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2</userinput>

673

440

674

441

</para>

675

442

</informalexample>

676

443

</refsect1>

677

444

678

445

679

446

<title>SECURITY</title>

680

447

<para>

681

448

This program is set-uid to root, but will switch back to the

682

original (and presumably non-privileged) user and group after

683

bringing up the network interface.

449

original user and group after bringing up the network interface.

684

450

</para>

685

451

<para>

686

452

To use this program for its intended purpose (see <xref

700

466

The only remaining weak point is that someone with physical

701

467

access to the client hard drive might turn off the client

702

468

computer, read the OpenPGP keys directly from the hard drive,

703

and communicate with the server. To safeguard against this, the

704

server is supposed to notice the client disappearing and stop

705

giving out the encrypted data. Therefore, it is important to

706

set the timeout and checker interval values tightly on the

707

server. See <citerefentry><refentrytitle

469

and communicate with the server. The defense against this is

470

that the server is supposed to notice the client disappearing

471

and will stop giving out the encrypted data. Therefore, it is

472

important to set the timeout and checker interval values tightly

473

on the server. See <citerefentry><refentrytitle

708

474

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

709

475

</para>

710

476

<para>

711

It will also help if the checker program on the server is

712

configured to request something from the client which can not be

713

spoofed by someone else on the network, unlike unencrypted

714

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

715

</para>

716

<para>

717

<emphasis>Note</emphasis>: This makes it completely insecure to

718

have <application >Mandos</application> clients which dual-boot

719

to another operating system which is <emphasis>not</emphasis>

720

trusted to keep the initial <acronym>RAM</acronym> disk image

721

confidential.

477

<emphasis>Note</emphasis>: This makes it impossible to have

478

<application >Mandos</application> clients which dual-boot to

479

another operating system which does <emphasis>not</emphasis> run

480

a <application>Mandos</application> client.

722

481

</para>

723

482

</refsect1>

724

483

725

484

726

485

727

486

<para>

728

<citerefentry><refentrytitle>intro</refentrytitle>

729

<manvolnum>8mandos</manvolnum></citerefentry>,

730

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

731

<manvolnum>8</manvolnum></citerefentry>,

732

<citerefentry><refentrytitle>crypttab</refentrytitle>

733

<manvolnum>5</manvolnum></citerefentry>,

734

487

<citerefentry><refentrytitle>mandos</refentrytitle>

735

488

<manvolnum>8</manvolnum></citerefentry>,

736

489

<citerefentry><refentrytitle>password-prompt</refentrytitle>

738

491

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

739

492

<manvolnum>8mandos</manvolnum></citerefentry>

740

493

</para>

741

742

743

<term>

744

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

745

</term>

746

747

<para>

748

Zeroconf is the network protocol standard used for finding

749

Mandos servers on the local network.

750

</para>

751

</listitem>

752

</varlistentry>

753

754

<term>

755

<ulink url="http://www.avahi.org/">Avahi</ulink>

756

</term>

757

758

<para>

759

Avahi is the library this program calls to find Zeroconf

760

services.

761

</para>

762

</listitem>

763

</varlistentry>

764

765

<term>

766

<ulink url="http://www.gnu.org/software/gnutls/"

767

>GnuTLS</ulink>

768

</term>

769

770

<para>

771

GnuTLS is the library this client uses to implement TLS for

772

communicating securely with the server, and at the same time

773

send the public OpenPGP key to the server.

774

</para>

775

</listitem>

776

</varlistentry>

777

778

<term>

779

<ulink url="http://www.gnupg.org/related_software/gpgme/"

780

>GPGME</ulink>

781

</term>

782

783

<para>

784

GPGME is the library used to decrypt the OpenPGP data sent

785

by the server.

786

</para>

787

</listitem>

788

</varlistentry>

789

790

<term>

791

RFC 4291: <citetitle>IP Version 6 Addressing

792

Architecture</citetitle>

793

</term>

794

795

796

797

<term>Section 2.2: <citetitle>Text Representation of

798

Addresses</citetitle></term>

799

800

</varlistentry>

801

802

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

803

Address</citetitle></term>

804

805

</varlistentry>

806

807

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

808

Addresses</citetitle></term>

809

810

<para>

811

This client uses IPv6 link-local addresses, which are

812

immediately usable since a link-local addresses is

813

automatically assigned to a network interfaces when it

814

is brought up.

815

</para>

816

</listitem>

817

</varlistentry>

818

</variablelist>

819

</listitem>

820

</varlistentry>

821

822

<term>

823

RFC 4346: <citetitle>The Transport Layer Security (TLS)

824

Protocol Version 1.1</citetitle>

825

</term>

826

827

<para>

828

TLS 1.1 is the protocol implemented by GnuTLS.

829

</para>

830

</listitem>

831

</varlistentry>

832

833

<term>

834

RFC 4880: <citetitle>OpenPGP Message Format</citetitle>

835

</term>

836

837

<para>

838

The data received from the server is binary encrypted

839

OpenPGP data.

840

</para>

841

</listitem>

842

</varlistentry>

843

844

<term>

845

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

846

Security</citetitle>

847

</term>

848

849

<para>

850

This is implemented by GnuTLS and used by this program so

851

that OpenPGP keys can be used.

852

</para>

853

</listitem>

854

</varlistentry>

855

</variablelist>

494

495

496

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

497

</para></listitem>

498

499

500

<ulink url="http://www.avahi.org/">Avahi</ulink>

501

</para></listitem>

502

503

504

<ulink

505

url="http://www.gnu.org/software/gnutls/">GnuTLS</ulink>

506

</para></listitem>

507

508

509

<ulink

510

url="http://www.gnupg.org/related_software/gpgme/"

511

>GPGME</ulink>

512

</para></listitem>

513

514

515

<citation>RFC 4880: <citetitle>OpenPGP Message

516

Format</citetitle></citation>

517

</para></listitem>

518

519

520

<citation>RFC 5081: <citetitle>Using OpenPGP Keys for

521

Transport Layer Security</citetitle></citation>

522

</para></listitem>

523

524

525

<citation>RFC 4291: <citetitle>IP Version 6 Addressing

526

Architecture</citetitle>, section 2.5.6, Link-Local IPv6

527

Unicast Addresses</citation>

528

</para></listitem>

529

</itemizedlist>

856

530

</refsect1>

531

857

532

</refentry>

858

859

533

860

534

861

535

Older »