/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 325.
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
6
 
<!ENTITY TIMESTAMP "2008-09-30">
 
6
<!ENTITY TIMESTAMP "2015-07-20">
7
7
<!ENTITY % common SYSTEM "common.ent">
8
8
%common;
9
9
]>
20
20
        <firstname>Björn</firstname>
21
21
        <surname>Påhlsson</surname>
22
22
        <address>
23
 
          <email>belorn@fukt.bsnet.se</email>
 
23
          <email>belorn@recompile.se</email>
24
24
        </address>
25
25
      </author>
26
26
      <author>
27
27
        <firstname>Teddy</firstname>
28
28
        <surname>Hogeborn</surname>
29
29
        <address>
30
 
          <email>teddy@fukt.bsnet.se</email>
 
30
          <email>teddy@recompile.se</email>
31
31
        </address>
32
32
      </author>
33
33
    </authorgroup>
34
34
    <copyright>
35
35
      <year>2008</year>
 
36
      <year>2009</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
36
40
      <holder>Teddy Hogeborn</holder>
37
41
      <holder>Björn Påhlsson</holder>
38
42
    </copyright>
130
134
        </listitem>
131
135
      </varlistentry>
132
136
      
 
137
      <varlistentry>
 
138
        <term><option>use_dbus<literal> = </literal>{ <literal
 
139
          >1</literal> | <literal>yes</literal> | <literal
 
140
          >true</literal> | <literal>on</literal> | <literal
 
141
          >0</literal> | <literal>no</literal> | <literal
 
142
          >false</literal> | <literal>off</literal> }</option></term>
 
143
        <listitem>
 
144
          <xi:include href="mandos-options.xml" xpointer="dbus"/>
 
145
        </listitem>
 
146
      </varlistentry>
 
147
      
 
148
      <varlistentry>
 
149
        <term><option>use_ipv6<literal> = </literal>{ <literal
 
150
          >1</literal> | <literal>yes</literal> | <literal
 
151
          >true</literal> | <literal>on</literal> | <literal
 
152
          >0</literal> | <literal>no</literal> | <literal
 
153
          >false</literal> | <literal>off</literal> }</option></term>
 
154
        <listitem>
 
155
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
 
156
        </listitem>
 
157
      </varlistentry>
 
158
      
 
159
      <varlistentry>
 
160
        <term><option>restore<literal> = </literal>{ <literal
 
161
          >1</literal> | <literal>yes</literal> | <literal
 
162
          >true</literal> | <literal>on</literal> | <literal
 
163
          >0</literal> | <literal>no</literal> | <literal
 
164
          >false</literal> | <literal>off</literal> }</option></term>
 
165
        <listitem>
 
166
          <xi:include href="mandos-options.xml" xpointer="restore"/>
 
167
        </listitem>
 
168
      </varlistentry>
 
169
      
 
170
      <varlistentry>
 
171
        <term><option>statedir<literal> = </literal><replaceable
 
172
        >DIRECTORY</replaceable></option></term>
 
173
        <listitem>
 
174
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
 
175
        </listitem>
 
176
      </varlistentry>
 
177
      
 
178
      <varlistentry>
 
179
        <term><option>socket<literal> = </literal><replaceable
 
180
        >NUMBER</replaceable></option></term>
 
181
        <listitem>
 
182
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
183
        </listitem>
 
184
      </varlistentry>
 
185
      
133
186
    </variablelist>
134
187
  </refsect1>
135
188
  
167
220
[DEFAULT]
168
221
# A configuration example
169
222
interface = eth0
170
 
address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672
 
223
address = fe80::aede:48ff:fe71:f6f2
171
224
port = 1025
172
 
debug = true
173
 
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
 
225
debug = True
 
226
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA
174
227
servicename = Daena
 
228
use_dbus = False
 
229
use_ipv6 = True
 
230
restore = True
 
231
statedir = /var/lib/mandos
175
232
      </programlisting>
176
233
    </informalexample>
177
234
  </refsect1>
179
236
  <refsect1 id="see_also">
180
237
    <title>SEE ALSO</title>
181
238
    <para>
 
239
      <citerefentry><refentrytitle>intro</refentrytitle>
 
240
      <manvolnum>8mandos</manvolnum></citerefentry>,
182
241
      <citerefentry><refentrytitle>gnutls_priority_init</refentrytitle
183
242
      ><manvolnum>3</manvolnum></citerefentry>,
184
243
      <citerefentry><refentrytitle>mandos</refentrytitle>
212
271
              <para>
213
272
                The clients use IPv6 link-local addresses, which are
214
273
                immediately usable since a link-local addresses is
215
 
                automatically assigned to a network interfaces when it
 
274
                automatically assigned to a network interface when it
216
275
                is brought up.
217
276
              </para>
218
277
            </listitem>