/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 325.
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2012-05-26">
 
5
<!ENTITY TIMESTAMP "2015-07-20">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
36
36
      <year>2010</year>
37
37
      <year>2011</year>
38
38
      <year>2012</year>
 
39
      <year>2013</year>
39
40
      <holder>Teddy Hogeborn</holder>
40
41
      <holder>Björn Påhlsson</holder>
41
42
    </copyright>
103
104
      <sbr/>
104
105
      <arg><option>--socket
105
106
      <replaceable>FD</replaceable></option></arg>
 
107
      <sbr/>
 
108
      <arg><option>--foreground</option></arg>
 
109
      <sbr/>
 
110
      <arg><option>--no-zeroconf</option></arg>
106
111
    </cmdsynopsis>
107
112
    <cmdsynopsis>
108
113
      <command>&COMMANDNAME;</command>
311
316
        </listitem>
312
317
      </varlistentry>
313
318
      
 
319
      <varlistentry>
 
320
        <term><option>--foreground</option></term>
 
321
        <listitem>
 
322
          <xi:include href="mandos-options.xml"
 
323
                      xpointer="foreground"/>
 
324
        </listitem>
 
325
      </varlistentry>
 
326
      
 
327
      <varlistentry>
 
328
        <term><option>--no-zeroconf</option></term>
 
329
        <listitem>
 
330
          <xi:include href="mandos-options.xml" xpointer="zeroconf"/>
 
331
        </listitem>
 
332
      </varlistentry>
 
333
      
314
334
    </variablelist>
315
335
  </refsect1>
316
336
  
506
526
        </listitem>
507
527
      </varlistentry>
508
528
      <varlistentry>
509
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
529
        <term><filename>/run/mandos.pid</filename></term>
510
530
        <listitem>
511
531
          <para>
512
532
            The file containing the process id of the
513
533
            <command>&COMMANDNAME;</command> process started last.
 
534
            <emphasis >Note:</emphasis> If the <filename
 
535
            class="directory">/run</filename> directory does not
 
536
            exist, <filename>/var/run/mandos.pid</filename> will be
 
537
            used instead.
514
538
          </para>
515
539
        </listitem>
516
540
      </varlistentry>
561
585
      There is no fine-grained control over logging and debug output.
562
586
    </para>
563
587
    <para>
564
 
      Debug mode is conflated with running in the foreground.
565
 
    </para>
566
 
    <para>
567
588
      This server does not check the expire time of clients’ OpenPGP
568
589
      keys.
569
590
    </para>
685
706
      </varlistentry>
686
707
      <varlistentry>
687
708
        <term>
688
 
          <ulink url="http://www.gnu.org/software/gnutls/"
689
 
          >GnuTLS</ulink>
 
709
          <ulink url="http://gnutls.org/">GnuTLS</ulink>
690
710
        </term>
691
711
      <listitem>
692
712
        <para>
730
750
      </varlistentry>
731
751
      <varlistentry>
732
752
        <term>
733
 
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
734
 
          Protocol Version 1.1</citetitle>
 
753
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
 
754
          Protocol Version 1.2</citetitle>
735
755
        </term>
736
756
      <listitem>
737
757
        <para>
738
 
          TLS 1.1 is the protocol implemented by GnuTLS.
 
758
          TLS 1.2 is the protocol implemented by GnuTLS.
739
759
        </para>
740
760
      </listitem>
741
761
      </varlistentry>
751
771
      </varlistentry>
752
772
      <varlistentry>
753
773
        <term>
754
 
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
755
 
          Security</citetitle>
 
774
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
 
775
          Security (TLS) Authentication</citetitle>
756
776
        </term>
757
777
      <listitem>
758
778
        <para>