Committer: Teddy Hogeborn
Date: 2015-03-10 18:03:38 UTC
Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which do not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default. The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".
2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Name | Revision | Last changed | Committer | Comment | Size
.bzr-builddeb | 185 | 17 years ago | Teddy Hogeborn | * .bzr-builddeb/default.conf: New. * Makefile (in |
debian | 185 | 17 years ago | Teddy Hogeborn | * .bzr-builddeb/default.conf: New. * Makefile (in |
network-hooks.d | 505.3.10 | 13 years ago | Teddy Hogeborn | * network-hooks.d: New directory. * network-hooks. |
plugins.d | 13 | 17 years ago | Björn Påhlsson | Added following support: Pluginbased client handle |
.bzrignore | 585 | 13 years ago | Teddy Hogeborn | * .bzrignore (statedir): Added. | 188 bytes
clients.conf | 609 | 13 years ago | Teddy Hogeborn | * clients.conf: Convert all time intervals to new | 3.1 KB
common.ent | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 93 bytes
COPYING | 24.1.51 | 17 years ago | Björn Påhlsson | Added configuration files support for mandos-clien | 34.2 KB
DBUS-API | 732 | 11 years ago | Teddy Hogeborn | Emit D-Bus "org.freedesktop.DBus.Properties.Proper | 6.6 KB
dbus-mandos.conf | 24.1.186 | 14 years ago | Björn Påhlsson | transitional stuff actually working documented cha | 820 bytes
default-mandos | 185 | 17 years ago | Teddy Hogeborn | * .bzr-builddeb/default.conf: New. * Makefile (in | 174 bytes
init.d-mandos | 648 | 11 years ago | Teddy Hogeborn | Update init script to modern standards. * init.d- | 4.3 KB
initramfs-tools-hook | 717 | 11 years ago | Teddy Hogeborn | mandos-client: Fix bug with GPGME 1.5.0. * initra | 6.2 KB
initramfs-tools-hook-conf | 237.2.19 | 16 years ago | Teddy Hogeborn | * initramfs-tools-hook-conf: Security bug fix: Add | 407 bytes
initramfs-tools-script | 487 | 14 years ago | Teddy Hogeborn | * initramfs-tools-script: Abort if plugin-runner i | 3.6 KB
initramfs-unpack | 624 | 12 years ago | Teddy Hogeborn | * initramfs-unpack: Bug fix: Made executable. | 2.2 KB
INSTALL | 723.1.1 | 11 years ago | Teddy Hogeborn | Require Python 2.7. This is in preparation for th | 5.3 KB
intro.xml | 742 | 10 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 15.9 KB
legalnotice.xml | 174 | 17 years ago | Teddy Hogeborn | * legalnotice.xml: Copy DocBook 4.4-formatted text | 1 KB
Makefile | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 16.1 KB
mandos | 742 | 10 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 119 KB
mandos-clients.conf.xml | 708 | 11 years ago | Teddy Hogeborn | mandos-keygen: Generate "checker" option to use SS | 18.5 KB
mandos-ctl | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 18.7 KB
mandos-ctl.xml | 608 | 13 years ago | Teddy Hogeborn | * Makefile (check): Also check mandos-ctl. * mando | 16.3 KB
mandos-keygen | 740 | 10 years ago | Teddy Hogeborn | mandos-keygen: Fix some stylistic quoting issues. | 10.4 KB
mandos-keygen.xml | 708 | 11 years ago | Teddy Hogeborn | mandos-keygen: Generate "checker" option to use SS | 15.2 KB
mandos-monitor | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 29.9 KB
mandos-monitor.xml | 713 | 11 years ago | Teddy Hogeborn | mandos-monitor: New "verbose" mode to see less imp | 6.1 KB
mandos-options.xml | 742 | 10 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 5.4 KB
mandos.conf | 707 | 11 years ago | Teddy Hogeborn | mandos: New "--no-zeroconf" option. Also make "-- | 1.6 KB
mandos.conf.xml | 634 | 12 years ago | Teddy Hogeborn | * debian/control (Build-Depends): Changed debhelpe | 8.7 KB
mandos.lsm | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 906 bytes
mandos.service | 734 | 11 years ago | Teddy Hogeborn | * mandos.service ([Unit]/Documentation): New. | 708 bytes
mandos.xml | 741 | 10 years ago | Teddy Hogeborn | mandos.xml (SEE ALSO): Update links. Update link | 23.7 KB
NEWS | 237.4.55 | 11 years ago | Teddy Hogeborn | * Makefile (version): Changed to "1.6.9". * NEWS ( | 12.5 KB
overview.xml | 183 | 17 years ago | Teddy Hogeborn | * Makefile (install-client-nokey): Do "&&" instead | 926 bytes
plugin-runner.c | 716 | 11 years ago | Teddy Hogeborn | plugin-runner: Bug Fix: Fix some memory leaks. * | 35.6 KB
plugin-runner.conf | 342 | 16 years ago | Teddy Hogeborn | * initramfs-tools-hook: Bug fix: Add "--userid" an | 380 bytes
plugin-runner.xml | 544 | 13 years ago | Teddy Hogeborn | Updated year in copyright notices. | 20.5 KB
README | 550 | 13 years ago | Teddy Hogeborn | * README: Hint that the intro(8mandos) manual page | 409 bytes
TODO | 742 | 10 years ago | Teddy Hogeborn | Add ":!RSA" to GnuTLS priority string, to disallow | 5.4 KB