Viewing changes to mandos-ctl.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a key exchange without forward
secrecy (such as static RSA key transport rather than ephemeral
Diffie-Hellman) in the TLS handshake, any saved network traffic could
then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges, which do not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to turn that off, which
ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-ctl">
5
 
<!ENTITY TIMESTAMP "2019-03-09">
 
5
<!ENTITY TIMESTAMP "2012-06-22">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
34
34
      <year>2010</year>
35
35
      <year>2011</year>
36
36
      <year>2012</year>
37
 
      <year>2013</year>
38
 
      <year>2014</year>
39
 
      <year>2015</year>
40
 
      <year>2016</year>
41
 
      <year>2017</year>
42
 
      <year>2018</year>
43
 
      <year>2019</year>
44
37
      <holder>Teddy Hogeborn</holder>
45
38
      <holder>Björn Påhlsson</holder>
46
39
    </copyright>
55
48
  <refnamediv>
56
49
    <refname><command>&COMMANDNAME;</command></refname>
57
50
    <refpurpose>
58
 
      Control or query the operation of the Mandos server
 
51
      Control the operation of the Mandos server
59
52
    </refpurpose>
60
53
  </refnamediv>
61
54
  
63
56
    <cmdsynopsis>
64
57
      <command>&COMMANDNAME;</command>
65
58
      <group>
66
 
          <arg choice="plain"><option>--verbose</option></arg>
67
 
          <arg choice="plain"><option>-v</option></arg>
68
 
          <sbr/>
69
 
          <arg choice="plain"><option>--dump-json</option></arg>
70
 
          <arg choice="plain"><option>-j</option></arg>
71
 
      </group>
72
 
      <arg><option>--debug</option></arg>
73
 
      <group>
74
 
        <arg rep='repeat' choice='plain'>
75
 
          <replaceable>CLIENT</replaceable>
76
 
        </arg>
77
 
      </group>
78
 
    </cmdsynopsis>
79
 
    <cmdsynopsis>
80
 
      <command>&COMMANDNAME;</command>
81
 
      <group choice="req">
82
 
        <group>
83
 
          <arg choice="plain"><option>--enable</option></arg>
84
 
          <arg choice="plain"><option>-e</option></arg>
85
 
          <sbr/>
86
 
          <arg choice="plain"><option>--disable</option></arg>
87
 
          <arg choice="plain"><option>-d</option></arg>
88
 
        </group>
89
 
        <sbr/>
90
 
        <group>
91
 
          <arg choice="plain"><option>--bump-timeout</option></arg>
92
 
          <arg choice="plain"><option>-b</option></arg>
93
 
        </group>
94
 
        <sbr/>
95
 
        <group>
96
 
          <arg choice="plain"><option>--start-checker</option></arg>
97
 
          <arg choice="plain"><option>--stop-checker</option></arg>
98
 
        </group>
99
 
        <sbr/>
100
 
        <group>
101
 
          <arg choice="plain"><option>--checker
102
 
          <replaceable>COMMAND</replaceable></option></arg>
103
 
          <arg choice="plain"><option>-c
104
 
          <replaceable>COMMAND</replaceable></option></arg>
105
 
        </group>
106
 
        <sbr/>
107
 
        <group>
108
 
          <arg choice="plain"><option>--timeout
109
 
          <replaceable>TIME</replaceable></option></arg>
110
 
          <arg choice="plain"><option>-t
111
 
          <replaceable>TIME</replaceable></option></arg>
112
 
        </group>
113
 
        <sbr/>
114
 
        <group>
115
 
          <arg choice="plain"><option>--extended-timeout
116
 
          <replaceable>TIME</replaceable></option></arg>
117
 
        </group>
118
 
        <sbr/>
119
 
        <group>
120
 
          <arg choice="plain"><option>--interval
121
 
          <replaceable>TIME</replaceable></option></arg>
122
 
          <arg choice="plain"><option>-i
123
 
          <replaceable>TIME</replaceable></option></arg>
124
 
        </group>
125
 
        <sbr/>
126
 
        <group>
127
 
          <arg choice="plain"><option>--approve-by-default</option
128
 
          ></arg>
129
 
          <sbr/>
130
 
          <arg choice="plain"><option>--deny-by-default</option></arg>
131
 
        </group>
132
 
        <sbr/>
133
 
        <group>
134
 
          <arg choice="plain"><option>--approval-delay
135
 
          <replaceable>TIME</replaceable></option></arg>
136
 
        </group>
137
 
        <sbr/>
138
 
        <group>
139
 
          <arg choice="plain"><option>--approval-duration
140
 
          <replaceable>TIME</replaceable></option></arg>
141
 
        </group>
142
 
        <sbr/>
143
 
        <group>
144
 
          <arg choice="plain"><option>--host
145
 
          <replaceable>STRING</replaceable></option></arg>
146
 
          <arg choice="plain"><option>-H
147
 
          <replaceable>STRING</replaceable></option></arg>
148
 
        </group>
149
 
        <sbr/>
150
 
        <group>
151
 
          <arg choice="plain"><option>--secret
152
 
          <replaceable>FILENAME</replaceable></option></arg>
153
 
          <arg choice="plain"><option>-s
154
 
          <replaceable>FILENAME</replaceable></option></arg>
155
 
        </group>
156
 
        <sbr/>
157
 
        <group>
158
 
          <arg choice="plain"><option>--approve</option></arg>
159
 
          <arg choice="plain"><option>-A</option></arg>
160
 
          <sbr/>
161
 
          <arg choice="plain"><option>--deny</option></arg>
162
 
          <arg choice="plain"><option>-D</option></arg>
163
 
        </group>
164
 
      </group>
165
 
      <sbr/>
166
 
      <arg><option>--debug</option></arg>
167
 
      <group choice="req">
168
 
        <arg choice="plain"><option>--all</option></arg>
169
 
        <arg choice="plain"><option>-a</option></arg>
170
 
        <arg rep='repeat' choice='plain'>
171
 
          <replaceable>CLIENT</replaceable>
172
 
        </arg>
173
 
      </group>
174
 
    </cmdsynopsis>
175
 
    <cmdsynopsis>
176
 
      <command>&COMMANDNAME;</command>
177
 
      <group>
 
59
        <arg choice="plain"><option>--enable</option></arg>
 
60
        <arg choice="plain"><option>-e</option></arg>
 
61
        <sbr/>
 
62
        <arg choice="plain"><option>--disable</option></arg>
 
63
        <arg choice="plain"><option>-d</option></arg>
 
64
      </group>
 
65
      <sbr/>
 
66
      <group>
 
67
        <arg choice="plain"><option>--bump-timeout</option></arg>
 
68
        <arg choice="plain"><option>-b</option></arg>
 
69
      </group>
 
70
      <sbr/>
 
71
      <group>
 
72
        <arg choice="plain"><option>--start-checker</option></arg>
 
73
      </group>
 
74
      <sbr/>
 
75
      <group>
 
76
        <arg choice="plain"><option>--stop-checker</option></arg>
 
77
      </group>
 
78
      <sbr/>
 
79
      <group>
 
80
        <arg choice="plain"><option>--remove</option></arg>
 
81
        <arg choice="plain"><option>-r</option></arg>
 
82
      </group>
 
83
      <sbr/>
 
84
      <group>
 
85
        <arg choice="plain"><option>--checker
 
86
        <replaceable>COMMAND</replaceable></option></arg>
 
87
        <arg choice="plain"><option>-c
 
88
        <replaceable>COMMAND</replaceable></option></arg>
 
89
      </group>
 
90
      <sbr/>
 
91
      <group>
 
92
        <arg choice="plain"><option>--timeout
 
93
        <replaceable>TIME</replaceable></option></arg>
 
94
        <arg choice="plain"><option>-t
 
95
        <replaceable>TIME</replaceable></option></arg>
 
96
      </group>
 
97
      <sbr/>
 
98
      <group>
 
99
        <arg choice="plain"><option>--extended-timeout
 
100
        <replaceable>TIME</replaceable></option></arg>
 
101
      </group>
 
102
      <sbr/>
 
103
      <group>
 
104
        <arg choice="plain"><option>--interval
 
105
        <replaceable>TIME</replaceable></option></arg>
 
106
        <arg choice="plain"><option>-i
 
107
        <replaceable>TIME</replaceable></option></arg>
 
108
      </group>
 
109
      <sbr/>
 
110
      <group>
 
111
        <arg choice="plain"><option>--approve-by-default</option
 
112
        ></arg>
 
113
        <sbr/>
 
114
        <arg choice="plain"><option>--deny-by-default</option></arg>
 
115
      </group>
 
116
      <sbr/>
 
117
      <group>
 
118
        <arg choice="plain"><option>--approval-delay
 
119
        <replaceable>TIME</replaceable></option></arg>
 
120
      </group>
 
121
      <sbr/>
 
122
      <group>
 
123
        <arg choice="plain"><option>--approval-duration
 
124
        <replaceable>TIME</replaceable></option></arg>
 
125
      </group>
 
126
      <sbr/>
 
127
      <group>
 
128
        <arg choice="plain"><option>--interval
 
129
        <replaceable>TIME</replaceable></option></arg>
 
130
        <arg choice="plain"><option>-i
 
131
        <replaceable>TIME</replaceable></option></arg>
 
132
      </group>
 
133
      <sbr/>
 
134
      <group>
 
135
        <arg choice="plain"><option>--host
 
136
        <replaceable>STRING</replaceable></option></arg>
 
137
        <arg choice="plain"><option>-H
 
138
        <replaceable>STRING</replaceable></option></arg>
 
139
      </group>
 
140
      <sbr/>
 
141
      <group>
 
142
        <arg choice="plain"><option>--secret
 
143
        <replaceable>FILENAME</replaceable></option></arg>
 
144
        <arg choice="plain"><option>-s
 
145
        <replaceable>FILENAME</replaceable></option></arg>
 
146
      </group>
 
147
      <sbr/>
 
148
      <group>
 
149
        <arg choice="plain"><option>--approve</option></arg>
 
150
        <arg choice="plain"><option>-A</option></arg>
 
151
        <sbr/>
178
152
        <arg choice="plain"><option>--deny</option></arg>
179
153
        <arg choice="plain"><option>-D</option></arg>
180
154
      </group>
181
 
      <group choice="req">
182
 
          <arg choice="plain"><option>--remove</option></arg>
183
 
          <arg choice="plain"><option>-r</option></arg>
184
 
      </group>
185
155
      <sbr/>
186
 
      <arg><option>--debug</option></arg>
187
156
      <group choice="req">
188
157
        <arg choice="plain"><option>--all</option></arg>
189
158
        <arg choice="plain"><option>-a</option></arg>
194
163
    </cmdsynopsis>
195
164
    <cmdsynopsis>
196
165
      <command>&COMMANDNAME;</command>
 
166
      <group>
 
167
        <arg choice="plain"><option>--verbose</option></arg>
 
168
        <arg choice="plain"><option>-v</option></arg>
 
169
      </group>
 
170
      <group>
 
171
        <arg rep='repeat' choice='plain'>
 
172
          <replaceable>CLIENT</replaceable>
 
173
        </arg>
 
174
      </group>
 
175
    </cmdsynopsis>
 
176
    <cmdsynopsis>
 
177
      <command>&COMMANDNAME;</command>
197
178
      <group choice="req">
198
179
        <arg choice="plain"><option>--is-enabled</option></arg>
199
180
        <arg choice="plain"><option>-V</option></arg>
200
181
      </group>
201
 
      <arg><option>--debug</option></arg>
202
182
      <arg choice='plain'><replaceable>CLIENT</replaceable></arg>
203
183
    </cmdsynopsis>
204
184
    <cmdsynopsis>
224
204
  <refsect1 id="description">
225
205
    <title>DESCRIPTION</title>
226
206
    <para>
227
 
      <command>&COMMANDNAME;</command> is a program to control or
228
 
      query the operation of the Mandos server
229
 
      <citerefentry><refentrytitle>mandos</refentrytitle><manvolnum
230
 
      >8</manvolnum></citerefentry>.
 
207
      <command>&COMMANDNAME;</command> is a program to control the
 
208
      operation of the Mandos server <citerefentry><refentrytitle
 
209
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
231
210
    </para>
232
211
    <para>
233
212
      This program can be used to change client settings, approve or
491
470
      </varlistentry>
492
471
      
493
472
      <varlistentry>
494
 
        <term><option>--dump-json</option></term>
495
 
        <term><option>-j</option></term>
496
 
        <listitem>
497
 
          <para>
498
 
            Dump client settings as JSON to standard output.
499
 
          </para>
500
 
        </listitem>
501
 
      </varlistentry>
502
 
      
503
 
      <varlistentry>
504
473
        <term><option>--is-enabled</option></term>
505
474
        <term><option>-V</option></term>
506
475
        <listitem>
512
481
      </varlistentry>
513
482
      
514
483
      <varlistentry>
515
 
        <term><option>--debug</option></term>
516
 
        <listitem>
517
 
          <para>
518
 
            Show debug output; currently, this means show D-Bus calls.
519
 
          </para>
520
 
        </listitem>
521
 
      </varlistentry>
522
 
      
523
 
      <varlistentry>
524
484
        <term><option>--check</option></term>
525
485
        <listitem>
526
486
          <para>
550
510
    </para>
551
511
  </refsect1>
552
512
  
553
 
  <refsect1 id="bugs">
554
 
    <title>BUGS</title>
555
 
    <xi:include href="bugs.xml"/>
556
 
  </refsect1>
 
513
<!--   <refsect1 id="bugs"> -->
 
514
<!--     <title>BUGS</title> -->
 
515
<!--     <para> -->
 
516
<!--     </para> -->
 
517
<!--   </refsect1> -->
557
518
  
558
519
  <refsect1 id="example">
559
520
    <title>EXAMPLE</title>
598
559
      <para>
599
560
 
600
561
<!-- do not wrap this line -->
601
 
<userinput>&COMMANDNAME; --timeout="PT5M" --interval="PT1M" foo1.example.org foo2.example.org</userinput>
 
562
<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>
602
563
 
603
564
      </para>
604
565
    </informalexample>