/mandos/release : revision 237.21.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

Committer: Teddy Hogeborn
Date: 2012-05-26 22:21:17 UTC
mto: (237.7.139 trunk)
mto: This revision was merged to the branch mainline in revision 301.
Revision ID: teddy@recompile.se-20120526222117-2n4oeb3hqyq4rjdh

* mandos: Implement "--socket" option.
  (IPv6_TCPServer.__init__): Take new "socketfd" parameter; use it.
  (MandosServer.__init__): Take new "socketfd" parameter.  Pass it on
                           to IPv6_TCPServer constructor.
  (main): Take new "--socket" option.  Also take "socket" parameter in
          "mandos.conf" configuration file.  If set, pass the value to
          MandosServer constructor.
* mandos-options.xml (socket): Document new "socket" option.
* mandos-conf.xml (OPTIONS): - '' -
* mandos.xml (SYNOPSIS, OPTIONS): Document new "--socket" option.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.maintscript

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

initramfs-unpack

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-client">

<!ENTITY TIMESTAMP "2023-10-21">

<!ENTITY TIMESTAMP "2012-01-01">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

><replaceable>PORT</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--interface

<replaceable>NAME</replaceable><arg rep='repeat'

>,<replaceable>NAME</replaceable></arg></option></arg>

<arg choice="plain"><option>-i <replaceable>NAME</replaceable

><arg rep='repeat'>,<replaceable>NAME</replaceable></arg

></option></arg>

<arg choice="plain"><option>-i

</group>

<sbr/>

<group>

</group>

<sbr/>

<group>

100

<arg choice="plain"><option>--tls-privkey

101

102

<arg choice="plain"><option>-t

103

104

</group>

105

<sbr/>

106

<group>

107

<arg choice="plain"><option>--tls-pubkey

108

109

<arg choice="plain"><option>-T

110

111

</group>

112

<sbr/>

113

<arg>

114

<option>--priority <replaceable>STRING</replaceable></option>

115

</arg>

119

</arg>

120

<sbr/>

121

<arg>

122

<option>--dh-params <replaceable>FILE</replaceable></option>

123

</arg>

124

<sbr/>

125

<arg>

126

<option>--delay <replaceable>SECONDS</replaceable></option>

127

</arg>

128

<sbr/>

166

137

communicates with <citerefentry><refentrytitle

167

138

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>

168

139

to get a password. In slightly more detail, this client program

169

brings up network interfaces, uses the interfaces’ IPv6

170

link-local addresses to get network connectivity, uses Zeroconf

171

to find servers on the local network, and communicates with

172

servers using TLS with a raw public key to ensure authenticity

173

and confidentiality. This client program keeps running, trying

174

all servers on the network, until it receives a satisfactory

175

reply or a TERM signal. After all servers have been tried, all

140

brings up a network interface, uses the interface’s IPv6

141

link-local address to get network connectivity, uses Zeroconf to

142

find servers on the local network, and communicates with servers

143

using TLS with an OpenPGP key to ensure authenticity and

144

confidentiality. This client program keeps running, trying all

145

servers on the network, until it receives a satisfactory reply

146

or a TERM signal. After all servers have been tried, all

176

147

servers are periodically retried. If no servers are found it

177

148

will wait indefinitely for new servers to appear.

178

149

</para>

179

150

<para>

180

The network interfaces are selected like this: If any interfaces

181

are specified using the <option>--interface</option> option,

182

those interface are used. Otherwise,

183

<command>&COMMANDNAME;</command> will use all interfaces that

184

are not loopback interfaces, are not point-to-point interfaces,

185

are capable of broadcasting and do not have the NOARP flag (see

151

The network interface is selected like this: If an interface is

152

specified using the <option>--interface</option> option, that

153

interface is used. Otherwise, <command>&COMMANDNAME;</command>

154

will choose any interface that is up and running and is not a

155

loopback interface, is not a point-to-point interface, is

156

capable of broadcasting and does not have the NOARP flag (see

186

157

<citerefentry><refentrytitle>netdevice</refentrytitle>

187

158

<manvolnum>7</manvolnum></citerefentry>). (If the

188

159

<option>--connect</option> option is used, point-to-point

189

interfaces and non-broadcast interfaces are accepted.) If any

190

used interfaces are not up and running, they are first taken up

191

(and later taken down again on program exit).

160

interfaces and non-broadcast interfaces are accepted.) If no

161

acceptable interfaces are found, re-run the check but without

162

the <quote>up and running</quote> requirement, and manually take

163

the selected interface up (and later take it down on program

164

exit).

192

165

</para>

193

166

<para>

194

Before network interfaces are selected, all <quote>network

167

Before a network interface is selected, all <quote>network

195

168

hooks</quote> are run; see <xref linkend="network-hooks"/>.

196

169

</para>

197

170

<para>

198

171

This program is not meant to be run directly; it is really meant

199

to be run by other programs in the initial

200

<acronym>RAM</acronym> disk environment; see <xref

201

linkend="overview"/>.

172

to run as a plugin of the <application>Mandos</application>

173

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

174

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

175

initial <acronym>RAM</acronym> disk environment because it is

176

specified as a <quote>keyscript</quote> in the <citerefentry>

177

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

178

</citerefentry> file.

202

179

</para>

203

180

</refsect1>

204

181

216

193

<title>OPTIONS</title>

217

194

<para>

218

195

This program is commonly not invoked from the command line; it

219

is normally started by another program as described in <xref

220

linkend="description"/>. Any command line options this program

221

accepts are therefore normally provided by the invoking program,

222

and not directly.

196

is normally started by the <application>Mandos</application>

197

plugin runner, see <citerefentry><refentrytitle

198

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

199

</citerefentry>. Any command line options this program accepts

200

are therefore normally provided by the plugin runner, and not

201

directly.

223

202

</para>

224

203

225

204

239

218

assumed to separate the address from the port number.

240

219

</para>

241

220

<para>

242

Normally, Zeroconf would be used to locate Mandos servers,

243

in which case this option would only be used when testing

244

and debugging.

221

This option is normally only useful for testing and

222

debugging.

245

223

</para>

246

224

</listitem>

247

225

</varlistentry>

248

226

249

227

250

228

<term><option>--interface=<replaceable

251

>NAME</replaceable><arg rep='repeat'>,<replaceable

252

>NAME</replaceable></arg></option></term>

229

>NAME</replaceable></option></term>

253

230

<term><option>-i

254

<replaceable>NAME</replaceable><arg rep='repeat'>,<replaceable

255

>NAME</replaceable></arg></option></term>

231

256

232

257

233

<para>

258

Comma separated list of network interfaces that will be

259

brought up and scanned for Mandos servers to connect to.

260

The default is the empty string, which will automatically

261

use all appropriate interfaces.

234

Network interface that will be brought up and scanned for

235

Mandos servers to connect to. The default is the empty

236

string, which will automatically choose an appropriate

237

interface.

262

238

</para>

263

239

<para>

264

If the <option>--connect</option> option is used, and

265

exactly one interface name is specified (except

266

<quote><literal>none</literal></quote>), this specifies

267

the interface to use to connect to the address given.

240

If the <option>--connect</option> option is used, this

241

specifies the interface to use to connect to the address

242

given.

268

243

</para>

269

244

<para>

270

245

Note that since this program will normally run in the

271

246

initial RAM disk environment, the interface must be an

272

247

interface which exists at that stage. Thus, the interface

273

can normally not be a pseudo-interface such as

274

<quote>br0</quote> or <quote>tun0</quote>; such interfaces

275

will not exist until much later in the boot process, and

276

can not be used by this program, unless created by a

277

<quote>network hook</quote> — see <xref

278

linkend="network-hooks"/>.

248

can not be a pseudo-interface such as <quote>br0</quote>

249

or <quote>tun0</quote>; such interfaces will not exist

250

until much later in the boot process, and can not be used

251

by this program, unless created by a <quote>network

252

hook</quote> — see <xref linkend="network-hooks"/>.

279

253

</para>

280

254

<para>

281

255

<replaceable>NAME</replaceable> can be the string

282

<quote><literal>none</literal></quote>; this will make

283

<command>&COMMANDNAME;</command> only bring up interfaces

284

specified <emphasis>before</emphasis> this string. This

285

is not recommended, and only meant for advanced users.

256

<quote><literal>none</literal></quote>; this will not use

257

any specific interface, and will not bring up an interface

258

on startup. This is not recommended, and only meant for

259

advanced users.

286

260

</para>

287

261

</listitem>

288

262

</varlistentry>

316

290

</varlistentry>

317

291

318

292

319

<term><option>--tls-pubkey=<replaceable

320

>FILE</replaceable></option></term>

321

<term><option>-T

322

323

324

<para>

325

TLS raw public key file name. The default name is

326

<quote><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

327

></quote>.

328

</para>

329

</listitem>

330

</varlistentry>

331

332

333

<term><option>--tls-privkey=<replaceable

334

>FILE</replaceable></option></term>

335

<term><option>-t

336

337

338

<para>

339

TLS secret key file name. The default name is

340

<quote><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

341

></quote>.

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

293

<term><option>--priority=<replaceable

348

294

>STRING</replaceable></option></term>

349

295

358

304

359

305

<para>

360

306

Sets the number of bits to use for the prime number in the

361

TLS Diffie-Hellman key exchange. The default value is

362

selected automatically based on the GnuTLS security

363

profile set in its priority string. Note that if the

364

<option>--dh-params</option> option is used, the values

365

from that file will be used instead.

366

</para>

367

</listitem>

368

</varlistentry>

369

370

371

<term><option>--dh-params=<replaceable

372

>FILE</replaceable></option></term>

373

374

<para>

375

Specifies a PEM-encoded PKCS#3 file to read the parameters

376

needed by the TLS Diffie-Hellman key exchange from. If

377

this option is not given, or if the file for some reason

378

could not be used, the parameters will be generated on

379

startup, which will take some time and processing power.

380

Those using servers running under time, power or processor

381

constraints may want to generate such a file in advance

382

and use this option.

307

TLS Diffie-Hellman key exchange. Default is 1024.

383

308

</para>

384

309

</listitem>

385

310

</varlistentry>

389

314

>SECONDS</replaceable></option></term>

390

315

391

316

<para>

392

After bringing a network interface up, the program waits

317

After bringing the network interface up, the program waits

393

318

for the interface to arrive in a <quote>running</quote>

394

319

state before proceeding. During this time, the kernel log

395

320

level will be lowered to reduce clutter on the system

476

401

<title>OVERVIEW</title>

477

402

<xi:include href="../overview.xml"/>

478

403

<para>

479

This program is the client part. It is run automatically in an

480

initial <acronym>RAM</acronym> disk environment.

481

</para>

482

<para>

483

In an initial <acronym>RAM</acronym> disk environment using

484

<citerefentry><refentrytitle>systemd</refentrytitle>

485

<manvolnum>1</manvolnum></citerefentry>, this program is started

486

by the <application>Mandos</application> <citerefentry>

487

<refentrytitle>password-agent</refentrytitle>

488

<manvolnum>8mandos</manvolnum></citerefentry>, which in turn is

489

started automatically by the <citerefentry>

490

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

491

</citerefentry> <quote>Password Agent</quote> system.

492

</para>

493

<para>

494

In the case of a non-<citerefentry>

495

<refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum>

496

</citerefentry> environment, this program is started as a plugin

497

of the <application>Mandos</application> <citerefentry>

498

<refentrytitle>plugin-runner</refentrytitle>

499

<manvolnum>8mandos</manvolnum></citerefentry>, which runs in the

500

initial <acronym>RAM</acronym> disk environment because it is

501

specified as a <quote>keyscript</quote> in the <citerefentry>

502

<refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

503

</citerefentry> file.

404

This program is the client part. It is a plugin started by

405

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

406

<manvolnum>8mandos</manvolnum></citerefentry> which will run in

407

an initial <acronym>RAM</acronym> disk environment.

504

408

</para>

505

409

<para>

506

410

This program could, theoretically, be used as a keyscript in

507

411

<filename>/etc/crypttab</filename>, but it would then be

508

412

impossible to enter a password for the encrypted root disk at

509

413

the console, since this program does not read from the console

510

at all.

414

at all. This is why a separate plugin runner (<citerefentry>

415

<refentrytitle>plugin-runner</refentrytitle>

416

<manvolnum>8mandos</manvolnum></citerefentry>) is used to run

417

both this program and others in in parallel,

418

<emphasis>one</emphasis> of which (<citerefentry>

419

<refentrytitle>password-prompt</refentrytitle>

420

<manvolnum>8mandos</manvolnum></citerefentry>) will prompt for

421

passwords on the system console.

511

422

</para>

512

423

</refsect1>

513

424

526

437

527

438

528

439

<title>ENVIRONMENT</title>

529

530

531

<term><envar>MANDOSPLUGINHELPERDIR</envar></term>

532

533

<para>

534

This environment variable will be assumed to contain the

535

directory containing any helper executables. The use and

536

nature of these helper executables, if any, is purposely

537

not documented.

538

</para>

539

</listitem>

540

</varlistentry>

541

</variablelist>

542

440

<para>

543

This program does not use any other environment variables, not

544

even the ones provided by <citerefentry><refentrytitle

441

This program does not use any environment variables, not even

442

the ones provided by <citerefentry><refentrytitle

545

443

>cryptsetup</refentrytitle><manvolnum>8</manvolnum>

546

444

</citerefentry>.

547

445

</para>

609

507

It is not necessary to print any non-executable files

610

508

already in the network hook directory, these will be

611

509

copied implicitly if they otherwise satisfy the name

612

requirements.

510

requirement.

613

511

</para>

614

512

</listitem>

615

513

</varlistentry>

649

547

<term><envar>DEVICE</envar></term>

650

548

651

549

<para>

652

The network interfaces, as specified to

550

The network interface, as specified to

653

551

<command>&COMMANDNAME;</command> by the

654

<option>--interface</option> option, combined to one

655

string and separated by commas. If this is set, and

656

does not contain the interface a hook will bring up,

657

there is no reason for a hook to continue.

552

<option>--interface</option> option. If this is not the

553

interface a hook will bring up, there is no reason for a

554

hook to continue.

658

555

</para>

659

556

</listitem>

660

557

</varlistentry>

734

631

</listitem>

735

632

</varlistentry>

736

633

737

<term><filename>/conf/conf.d/mandos/tls-pubkey.pem</filename

738

></term>

739

<term><filename>/conf/conf.d/mandos/tls-privkey.pem</filename

740

></term>

741

742

<para>

743

Public and private raw key files, in <quote>PEM</quote>

744

format. These are the default file names, they can be

745

changed with the <option>--tls-pubkey</option> and

746

<option>--tls-privkey</option> options.

747

</para>

748

</listitem>

749

</varlistentry>

750

751

634

<term><filename

752

635

class="directory">/lib/mandos/network-hooks.d</filename></term>

753

636

761

644

</variablelist>

762

645

</refsect1>

763

646

764

765

766

<xi:include href="../bugs.xml"/>

767

</refsect1>

647

648

649

650

651

768

652

769

653

770

654

<title>EXAMPLE</title>

771

655

<para>

772

656

Note that normally, command line options will not be given

773

directly, but passed on via the program responsible for starting

774

this program; see <xref linkend="overview"/>.

657

directly, but via options for the Mandos <citerefentry

658

><refentrytitle>plugin-runner</refentrytitle>

659

<manvolnum>8mandos</manvolnum></citerefentry>.

775

660

</para>

776

661

777

662

<para>

778

Normal invocation needs no options, if the network interfaces

779

can be automatically determined:

663

Normal invocation needs no options, if the network interface

664

is <quote>eth0</quote>:

780

665

</para>

781

666

<para>

782

667

<userinput>&COMMANDNAME;</userinput>

784

669

</informalexample>

785

670

786

671

<para>

787

Search for Mandos servers (and connect to them) using one

788

specific interface:

672

Search for Mandos servers (and connect to them) using another

673

interface:

789

674

</para>

790

675

<para>

791

676

794

679

</informalexample>

795

680

796

681

<para>

797

Run in debug mode, and use custom keys:

682

Run in debug mode, and use a custom key:

798

683

</para>

799

684

<para>

800

685

801

686

802

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem</userinput>

687

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt</userinput>

803

688

804

689

</para>

805

690

</informalexample>

806

691

807

692

<para>

808

Run in debug mode, with custom keys, and do not use Zeroconf

693

Run in debug mode, with a custom key, and do not use Zeroconf

809

694

to locate a server; connect directly to the IPv6 link-local

810

695

address <quote><systemitem class="ipaddress"

811

696

>fe80::aede:48ff:fe71:f6f2</systemitem></quote>, port 4711,

814

699

<para>

815

700

816

701

817

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --tls-pubkey keydir/tls-pubkey.pem --tls-privkey keydir/tls-privkey.pem --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

702

<userinput>&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect fe80::aede:48ff:fe71:f6f2:4711 --interface eth2</userinput>

818

703

819

704

</para>

820

705

</informalexample>

823

708

824

709

<title>SECURITY</title>

825

710

<para>

826

This program assumes that it is set-uid to root, and will switch

827

back to the original (and presumably non-privileged) user and

828

group after bringing up the network interface.

711

This program is set-uid to root, but will switch back to the

712

original (and presumably non-privileged) user and group after

713

bringing up the network interface.

829

714

</para>

830

715

<para>

831

716

To use this program for its intended purpose (see <xref

844

729

<para>

845

730

The only remaining weak point is that someone with physical

846

731

access to the client hard drive might turn off the client

847

computer, read the OpenPGP and TLS keys directly from the hard

848

drive, and communicate with the server. To safeguard against

849

this, the server is supposed to notice the client disappearing

850

and stop giving out the encrypted data. Therefore, it is

851

important to set the timeout and checker interval values tightly

852

on the server. See <citerefentry><refentrytitle

732

computer, read the OpenPGP keys directly from the hard drive,

733

and communicate with the server. To safeguard against this, the

734

server is supposed to notice the client disappearing and stop

735

giving out the encrypted data. Therefore, it is important to

736

set the timeout and checker interval values tightly on the

737

server. See <citerefentry><refentrytitle

853

738

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

854

739

</para>

855

740

<para>

856

741

It will also help if the checker program on the server is

857

742

configured to request something from the client which can not be

858

spoofed by someone else on the network, like SSH server key

859

fingerprints, and unlike unencrypted <acronym>ICMP</acronym>

860

echo (<quote>ping</quote>) replies.

743

spoofed by someone else on the network, unlike unencrypted

744

<acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.

861

745

</para>

862

746

<para>

863

747

<emphasis>Note</emphasis>: This makes it completely insecure to

879

763

<manvolnum>5</manvolnum></citerefentry>,

880

764

<citerefentry><refentrytitle>mandos</refentrytitle>

881

765

<manvolnum>8</manvolnum></citerefentry>,

882

<citerefentry><refentrytitle>password-agent</refentrytitle>

766

<citerefentry><refentrytitle>password-prompt</refentrytitle>

883

767

<manvolnum>8mandos</manvolnum></citerefentry>,

884

768

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

885

769

<manvolnum>8mandos</manvolnum></citerefentry>

898

782

</varlistentry>

899

783

900

784

<term>

901

<ulink url="https://www.avahi.org/">Avahi</ulink>

785

<ulink url="http://www.avahi.org/">Avahi</ulink>

902

786

</term>

903

787

904

788

<para>

909

793

</varlistentry>

910

794

911

795

<term>

912

<ulink url="https://www.gnutls.org/">GnuTLS</ulink>

796

<ulink url="http://www.gnu.org/software/gnutls/"

797

>GnuTLS</ulink>

913

798

</term>

914

799

915

800

<para>

916

801

GnuTLS is the library this client uses to implement TLS for

917

802

communicating securely with the server, and at the same time

918

send the public key to the server.

803

send the public OpenPGP key to the server.

919

804

</para>

920

805

</listitem>

921

806

</varlistentry>

922

807

923

808

<term>

924

<ulink url="https://www.gnupg.org/related_software/gpgme/"

809

<ulink url="http://www.gnupg.org/related_software/gpgme/"

925

810

>GPGME</ulink>

926

811

</term>

927

812

955

840

<para>

956

841

This client uses IPv6 link-local addresses, which are

957

842

immediately usable since a link-local addresses is

958

automatically assigned to a network interface when it

843

automatically assigned to a network interfaces when it

959

844

is brought up.

960

845

</para>

961

846

</listitem>

965

850

</varlistentry>

966

851

967

852

<term>

968

RFC 5246: <citetitle>The Transport Layer Security (TLS)

969

Protocol Version 1.2</citetitle>

853

RFC 4346: <citetitle>The Transport Layer Security (TLS)

854

Protocol Version 1.1</citetitle>

970

855

</term>

971

856

972

857

<para>

973

TLS 1.2 is the protocol implemented by GnuTLS.

858

TLS 1.1 is the protocol implemented by GnuTLS.

974

859

</para>

975

860

</listitem>

976

861

</varlistentry>

987

872

</varlistentry>

988

873

989

874

<term>

990

RFC 7250: <citetitle>Using Raw Public Keys in Transport

991

Layer Security (TLS) and Datagram Transport Layer Security

992

(DTLS)</citetitle>

993

</term>

994

995

<para>

996

This is implemented by GnuTLS in version 3.6.6 and is, if

997

present, used by this program so that raw public keys can be

998

used.

999

</para>

1000

</listitem>

1001

</varlistentry>

1002

1003

<term>

1004

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

875

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

1005

876

Security</citetitle>

1006

877

</term>

1007

878

1008

879

<para>

1009

This is implemented by GnuTLS before version 3.6.0 and is,

1010

if present, used by this program so that OpenPGP keys can be

1011

used.

880

This is implemented by GnuTLS and used by this program so

881

that OpenPGP keys can be used.

1012

882

</para>

1013

883

</listitem>

1014

884

</varlistentry>

Older »