- Committer: Teddy Hogeborn
- Date: 2015-03-10 18:03:38 UTC
- Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which do not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".
2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.
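
One way to check the effect of the ":!RSA" suffix described in the commit message, as an added example that is not part of the commit or of Mandos's own code: it asks the installed GnuTLS which key exchange algorithms a priority string enables, with and without the suffix. The base string "SECURE256" is an assumption taken from the message's mention of it, not Mandos's actual full priority string; the function names `enabled_kx` and `static_rsa_removed` are hypothetical, and the check needs a libgnutls that exports `gnutls_priority_kx_list()`.

```python
import ctypes
import ctypes.util


def enabled_kx(priority):
    """Key exchange names enabled by a GnuTLS priority string.

    Returns None if libgnutls or gnutls_priority_kx_list() is unavailable.
    """
    path = ctypes.util.find_library("gnutls")
    try:
        lib = ctypes.CDLL(path) if path else None
        kx_list = lib.gnutls_priority_kx_list if lib else None
    except (OSError, AttributeError):
        kx_list = None
    if kx_list is None:
        return None
    lib.gnutls_priority_init.argtypes = [
        ctypes.POINTER(ctypes.c_void_p), ctypes.c_char_p,
        ctypes.POINTER(ctypes.c_char_p)]
    lib.gnutls_priority_deinit.argtypes = [ctypes.c_void_p]
    lib.gnutls_priority_deinit.restype = None
    kx_list.argtypes = [ctypes.c_void_p,
                        ctypes.POINTER(ctypes.POINTER(ctypes.c_uint))]
    lib.gnutls_kx_get_name.argtypes = [ctypes.c_uint]
    lib.gnutls_kx_get_name.restype = ctypes.c_char_p

    lib.gnutls_global_init()  # reference-counted; harmless if already done
    cache = ctypes.c_void_p()
    if lib.gnutls_priority_init(ctypes.byref(cache), priority.encode(), None):
        raise ValueError("GnuTLS rejected priority string: " + priority)
    try:
        ids = ctypes.POINTER(ctypes.c_uint)()
        count = kx_list(cache, ctypes.byref(ids))
        names = (lib.gnutls_kx_get_name(ids[i]) for i in range(max(count, 0)))
        return [n.decode() for n in names if n]
    finally:
        lib.gnutls_priority_deinit(cache)


def static_rsa_removed(base="SECURE256"):
    """True if base + ":!RSA" enables no static RSA key exchange."""
    before, after = enabled_kx(base), enabled_kx(base + ":!RSA")
    if before is None or after is None:
        return None
    # The suffix must only remove algorithms, never add any.
    return "RSA" not in after and set(after) <= set(before)


if __name__ == "__main__":
    print(enabled_kx("SECURE256"), static_rsa_removed())
```

The exact-name test for "RSA" matches only the static RSA key exchange; ephemeral variants such as "DHE-RSA" have their own names and stay enabled.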
 
 
| File | Revision | Age | Committer | Last change (truncated) | Size |
| --- | --- | --- | --- | --- | --- |
| .. |  |  |  |  |  |
| po | 199 | 17 years ago | Teddy Hogeborn | * Makefile: Bug fix: fix syntax error. * debian/c |  |
| source | 452.1.1 | 15 years ago | Teddy Hogeborn | * debian/source/format: New; contains "3.0 (quilt) |  |
| upstream | 678 | 11 years ago | Teddy Hogeborn | Fix location and format of signing key file. * de |  |
| changelog | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 17.3 KB |
| compat | 626 | 12 years ago | Teddy Hogeborn | * Makefile (CFLAGS, LDFLAGS): Keep default flags f | 2 bytes |
| control | 737 | 11 years ago | Teddy Hogeborn | Update Debian package standards version to 3.9.6. | 2.7 KB |
| copyright | 659 | 11 years ago | Teddy Hogeborn | * debian/copyright: Change year to "2014". * mando | 1 KB |
| mandos-client.dirs | 302 | 16 years ago | Teddy Hogeborn | * Makefile (install-client-nokey): Move "initramfs | 147 bytes |
| mandos-client.docs | 594 | 13 years ago | Teddy Hogeborn | * debian/copyright (Copyright): Join the two lines | 17 bytes |
| mandos-client.examples | 594 | 13 years ago | Teddy Hogeborn | * debian/copyright (Copyright): Join the two lines | 16 bytes |
| mandos-client.links | 191 | 17 years ago | Teddy Hogeborn | * debian/mandos-client.docs: New.  Add README and | 93 bytes |
| mandos-client.lintian-overrides | 652 | 11 years ago | Teddy Hogeborn | Bug fix from libdir change: make plugins get setui | 1.4 KB |
| mandos-client.postinst | 505.1.13 | 14 years ago | Teddy Hogeborn | Miscellaneous fixes prompted by lintian: * debian | 2 KB |
| mandos-client.postrm | 505.1.13 | 14 years ago | Teddy Hogeborn | Miscellaneous fixes prompted by lintian: * debian | 1.2 KB |
| mandos-client.README.Debian | 641 | 11 years ago | Teddy Hogeborn | Doc fix: Refer to architecture libdir. * debian/m | 4 KB |
| mandos.dirs | 639 | 12 years ago | Teddy Hogeborn | Bug fix: Make sure systemd service file is install | 124 bytes |
| mandos.docs | 423 | 15 years ago | Teddy Hogeborn | Documentation changes: * DBUS-API: New file docum | 26 bytes |
| mandos.lintian-overrides | 221 | 17 years ago | Teddy Hogeborn | * debian/changelog: New Debian revision. * debian | 203 bytes |
| mandos.postinst | 690 | 11 years ago | Teddy Hogeborn | Fix typo in code comment. * debian/mandos.postins | 1.8 KB |
| mandos.prerm | 505.1.13 | 14 years ago | Teddy Hogeborn | Miscellaneous fixes prompted by lintian: * debian | 875 bytes |
| mandos.README.Debian | 505.1.2 | 14 years ago | Teddy Hogeborn | Change "fukt.bsnet.se" to "recompile.se" throughou | 445 bytes |
| rules | 683 | 11 years ago | Teddy Hogeborn | Do not run self-tests when building arch-indep Deb | 918 bytes |
| watch | 654 | 11 years ago | Teddy Hogeborn | Fix running of self-tests. * debian/control (Buil | 132 bytes |