/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-02-28 10:59:18 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 331.
  • Revision ID: teddy@recompile.se-20160228105918-tb8pt2p5j0tkcls3
Handle GnuTLS errors and partial sends in gnutls "module".

* mandos (GnuTLS.E_INTERRUPTED, GnuTLS.E_AGAIN): New.
  (GnuTLS.Error): Set error code as "code" attribute.
  (GnuTLS.ClientSession.send): Handle partial sends with a loop.
  (GnuTLS._retry_on_error): New function.
  (GnuTLS.record_send, GnuTLS.handshake, GnuTLS.bye): Set "errcheck"
                                                      attribute to
                                                    "_retry_on_error".
  (ClientHandler.handle): Remove loop for handling partial sends;
                          GnuTLS.ClientSession.send() will do that.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2013-10-20">
 
5
<!ENTITY TIMESTAMP "2015-07-20">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
36
38
      <year>2012</year>
37
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
38
42
      <holder>Teddy Hogeborn</holder>
39
43
      <holder>Björn Påhlsson</holder>
40
44
    </copyright>
97
101
      </arg>
98
102
      <sbr/>
99
103
      <arg>
 
104
        <option>--dh-params <replaceable>FILE</replaceable></option>
 
105
      </arg>
 
106
      <sbr/>
 
107
      <arg>
100
108
        <option>--delay <replaceable>SECONDS</replaceable></option>
101
109
      </arg>
102
110
      <sbr/>
219
227
            assumed to separate the address from the port number.
220
228
          </para>
221
229
          <para>
222
 
            This option is normally only useful for testing and
223
 
            debugging.
 
230
            Normally, Zeroconf would be used to locate Mandos servers,
 
231
            in which case this option would only be used when testing
 
232
            and debugging.
224
233
          </para>
225
234
        </listitem>
226
235
      </varlistentry>
259
268
          <para>
260
269
            <replaceable>NAME</replaceable> can be the string
261
270
            <quote><literal>none</literal></quote>; this will make
262
 
            <command>&COMMANDNAME;</command> not bring up
263
 
            <emphasis>any</emphasis> interfaces specified
264
 
            <emphasis>after</emphasis> this string.  This is not
265
 
            recommended, and only meant for advanced users.
 
271
            <command>&COMMANDNAME;</command> only bring up interfaces
 
272
            specified <emphasis>before</emphasis> this string.  This
 
273
            is not recommended, and only meant for advanced users.
266
274
          </para>
267
275
        </listitem>
268
276
      </varlistentry>
310
318
        <listitem>
311
319
          <para>
312
320
            Sets the number of bits to use for the prime number in the
313
 
            TLS Diffie-Hellman key exchange.  Default is 1024.
 
321
            TLS Diffie-Hellman key exchange.  The default value is
 
322
            selected automatically based on the OpenPGP key.  Note
 
323
            that if the <option>--dh-params</option> option is used,
 
324
            the values from that file will be used instead.
 
325
          </para>
 
326
        </listitem>
 
327
      </varlistentry>
 
328
      
 
329
      <varlistentry>
 
330
        <term><option>--dh-params=<replaceable
 
331
        >FILE</replaceable></option></term>
 
332
        <listitem>
 
333
          <para>
 
334
            Specifies a PEM-encoded PKCS#3 file to read the parameters
 
335
            needed by the TLS Diffie-Hellman key exchange from.  If
 
336
            this option is not given, or if the file for some reason
 
337
            could not be used, the parameters will be generated on
 
338
            startup, which will take some time and processing power.
 
339
            Those using servers running under time, power or processor
 
340
            constraints may want to generate such a file in advance
 
341
            and use this option.
314
342
          </para>
315
343
        </listitem>
316
344
      </varlistentry>
443
471
  
444
472
  <refsect1 id="environment">
445
473
    <title>ENVIRONMENT</title>
 
474
    <variablelist>
 
475
      <varlistentry>
 
476
        <term><envar>MANDOSPLUGINHELPERDIR</envar></term>
 
477
        <listitem>
 
478
          <para>
 
479
            This environment variable will be assumed to contain the
 
480
            directory containing any helper executables.  The use and
 
481
            nature of these helper executables, if any, is
 
482
            purposefully not documented.
 
483
        </para>
 
484
        </listitem>
 
485
      </varlistentry>
 
486
    </variablelist>
446
487
    <para>
447
 
      This program does not use any environment variables, not even
448
 
      the ones provided by <citerefentry><refentrytitle
 
488
      This program does not use any other environment variables, not
 
489
      even the ones provided by <citerefentry><refentrytitle
449
490
      >cryptsetup</refentrytitle><manvolnum>8</manvolnum>
450
491
    </citerefentry>.
451
492
    </para>
747
788
    <para>
748
789
      It will also help if the checker program on the server is
749
790
      configured to request something from the client which can not be
750
 
      spoofed by someone else on the network, unlike unencrypted
751
 
      <acronym>ICMP</acronym> echo (<quote>ping</quote>) replies.
 
791
      spoofed by someone else on the network, like SSH server key
 
792
      fingerprints, and unlike unencrypted <acronym>ICMP</acronym>
 
793
      echo (<quote>ping</quote>) replies.
752
794
    </para>
753
795
    <para>
754
796
      <emphasis>Note</emphasis>: This makes it completely insecure to