/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-03-10 18:03:38 UTC
  • Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9
Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default.  The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
   enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2012-06-17">
 
5
<!ENTITY TIMESTAMP "2015-01-25">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
36
36
      <year>2010</year>
37
37
      <year>2011</year>
38
38
      <year>2012</year>
 
39
      <year>2013</year>
39
40
      <holder>Teddy Hogeborn</holder>
40
41
      <holder>Björn Påhlsson</holder>
41
42
    </copyright>
105
106
      <replaceable>FD</replaceable></option></arg>
106
107
      <sbr/>
107
108
      <arg><option>--foreground</option></arg>
 
109
      <sbr/>
 
110
      <arg><option>--no-zeroconf</option></arg>
108
111
    </cmdsynopsis>
109
112
    <cmdsynopsis>
110
113
      <command>&COMMANDNAME;</command>
233
236
        <term><option>--priority <replaceable>
234
237
        PRIORITY</replaceable></option></term>
235
238
        <listitem>
236
 
          <xi:include href="mandos-options.xml" xpointer="priority"/>
 
239
          <xi:include href="mandos-options.xml"
 
240
                      xpointer="priority_compat"/>
237
241
        </listitem>
238
242
      </varlistentry>
239
243
      
321
325
        </listitem>
322
326
      </varlistentry>
323
327
      
 
328
      <varlistentry>
 
329
        <term><option>--no-zeroconf</option></term>
 
330
        <listitem>
 
331
          <xi:include href="mandos-options.xml" xpointer="zeroconf"/>
 
332
        </listitem>
 
333
      </varlistentry>
 
334
      
324
335
    </variablelist>
325
336
  </refsect1>
326
337
  
516
527
        </listitem>
517
528
      </varlistentry>
518
529
      <varlistentry>
519
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
530
        <term><filename>/run/mandos.pid</filename></term>
520
531
        <listitem>
521
532
          <para>
522
533
            The file containing the process id of the
523
534
            <command>&COMMANDNAME;</command> process started last.
 
535
            <emphasis >Note:</emphasis> If the <filename
 
536
            class="directory">/run</filename> directory does not
 
537
            exist, <filename>/var/run/mandos.pid</filename> will be
 
538
            used instead.
524
539
          </para>
525
540
        </listitem>
526
541
      </varlistentry>
692
707
      </varlistentry>
693
708
      <varlistentry>
694
709
        <term>
695
 
          <ulink url="http://www.gnu.org/software/gnutls/"
696
 
          >GnuTLS</ulink>
 
710
          <ulink url="http://gnutls.org/">GnuTLS</ulink>
697
711
        </term>
698
712
      <listitem>
699
713
        <para>
737
751
      </varlistentry>
738
752
      <varlistentry>
739
753
        <term>
740
 
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
741
 
          Protocol Version 1.1</citetitle>
 
754
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
 
755
          Protocol Version 1.2</citetitle>
742
756
        </term>
743
757
      <listitem>
744
758
        <para>
745
 
          TLS 1.1 is the protocol implemented by GnuTLS.
 
759
          TLS 1.2 is the protocol implemented by GnuTLS.
746
760
        </para>
747
761
      </listitem>
748
762
      </varlistentry>
758
772
      </varlistentry>
759
773
      <varlistentry>
760
774
        <term>
761
 
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
762
 
          Security</citetitle>
 
775
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
 
776
          Security (TLS) Authentication</citetitle>
763
777
        </term>
764
778
      <listitem>
765
779
        <para>