/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY CONFNAME "mandos.conf">
5
5
<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
6
 
<!ENTITY TIMESTAMP "2008-12-28">
 
6
<!ENTITY TIMESTAMP "2015-07-20">
7
7
<!ENTITY % common SYSTEM "common.ent">
8
8
%common;
9
9
]>
20
20
        <firstname>Björn</firstname>
21
21
        <surname>Påhlsson</surname>
22
22
        <address>
23
 
          <email>belorn@fukt.bsnet.se</email>
 
23
          <email>belorn@recompile.se</email>
24
24
        </address>
25
25
      </author>
26
26
      <author>
27
27
        <firstname>Teddy</firstname>
28
28
        <surname>Hogeborn</surname>
29
29
        <address>
30
 
          <email>teddy@fukt.bsnet.se</email>
 
30
          <email>teddy@recompile.se</email>
31
31
        </address>
32
32
      </author>
33
33
    </authorgroup>
34
34
    <copyright>
35
35
      <year>2008</year>
 
36
      <year>2009</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
36
40
      <holder>Teddy Hogeborn</holder>
37
41
      <holder>Björn Påhlsson</holder>
38
42
    </copyright>
141
145
        </listitem>
142
146
      </varlistentry>
143
147
      
 
148
      <varlistentry>
 
149
        <term><option>use_ipv6<literal> = </literal>{ <literal
 
150
          >1</literal> | <literal>yes</literal> | <literal
 
151
          >true</literal> | <literal>on</literal> | <literal
 
152
          >0</literal> | <literal>no</literal> | <literal
 
153
          >false</literal> | <literal>off</literal> }</option></term>
 
154
        <listitem>
 
155
          <xi:include href="mandos-options.xml" xpointer="ipv6"/>
 
156
        </listitem>
 
157
      </varlistentry>
 
158
      
 
159
      <varlistentry>
 
160
        <term><option>restore<literal> = </literal>{ <literal
 
161
          >1</literal> | <literal>yes</literal> | <literal
 
162
          >true</literal> | <literal>on</literal> | <literal
 
163
          >0</literal> | <literal>no</literal> | <literal
 
164
          >false</literal> | <literal>off</literal> }</option></term>
 
165
        <listitem>
 
166
          <xi:include href="mandos-options.xml" xpointer="restore"/>
 
167
        </listitem>
 
168
      </varlistentry>
 
169
      
 
170
      <varlistentry>
 
171
        <term><option>statedir<literal> = </literal><replaceable
 
172
        >DIRECTORY</replaceable></option></term>
 
173
        <listitem>
 
174
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
 
175
        </listitem>
 
176
      </varlistentry>
 
177
      
 
178
      <varlistentry>
 
179
        <term><option>socket<literal> = </literal><replaceable
 
180
        >NUMBER</replaceable></option></term>
 
181
        <listitem>
 
182
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
183
        </listitem>
 
184
      </varlistentry>
 
185
      
144
186
    </variablelist>
145
187
  </refsect1>
146
188
  
178
220
[DEFAULT]
179
221
# A configuration example
180
222
interface = eth0
181
 
address = 2001:db8:f983:bd0b:30de:ae4a:71f2:f672
 
223
address = fe80::aede:48ff:fe71:f6f2
182
224
port = 1025
183
 
debug = true
184
 
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
 
225
debug = True
 
226
priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA
185
227
servicename = Daena
186
228
use_dbus = False
 
229
use_ipv6 = True
 
230
restore = True
 
231
statedir = /var/lib/mandos
187
232
      </programlisting>
188
233
    </informalexample>
189
234
  </refsect1>
191
236
  <refsect1 id="see_also">
192
237
    <title>SEE ALSO</title>
193
238
    <para>
 
239
      <citerefentry><refentrytitle>intro</refentrytitle>
 
240
      <manvolnum>8mandos</manvolnum></citerefentry>,
194
241
      <citerefentry><refentrytitle>gnutls_priority_init</refentrytitle
195
242
      ><manvolnum>3</manvolnum></citerefentry>,
196
243
      <citerefentry><refentrytitle>mandos</refentrytitle>
224
271
              <para>
225
272
                The clients use IPv6 link-local addresses, which are
226
273
                immediately usable since a link-local addresses is
227
 
                automatically assigned to a network interfaces when it
 
274
                automatically assigned to a network interface when it
228
275
                is brought up.
229
276
              </para>
230
277
            </listitem>