
Viewing changes to mandos.conf.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

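--- a/mandos.conf.xml
+++ b/mandos.conf.xml
@@ -3,7 +3,7 @@
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY CONFNAME "mandos.conf">
 <!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">
-<!ENTITY TIMESTAMP "2009-02-13">
+<!ENTITY TIMESTAMP "2015-07-20">
 <!ENTITY % common SYSTEM "common.ent">
 %common;
 ]>
@@ -20,20 +20,23 @@
         <firstname>Björn</firstname>
         <surname>Påhlsson</surname>
         <address>
-          <email>belorn@fukt.bsnet.se</email>
+          <email>belorn@recompile.se</email>
         </address>
       </author>
       <author>
         <firstname>Teddy</firstname>
         <surname>Hogeborn</surname>
         <address>
-          <email>teddy@fukt.bsnet.se</email>
+          <email>teddy@recompile.se</email>
         </address>
       </author>
     </authorgroup>
     <copyright>
       <year>2008</year>
       <year>2009</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
@@ -153,6 +156,33 @@
         </listitem>
       </varlistentry>
       
+      <varlistentry>
+        <term><option>restore<literal> = </literal>{ <literal
+          >1</literal> | <literal>yes</literal> | <literal
+          >true</literal> | <literal>on</literal> | <literal
+          >0</literal> | <literal>no</literal> | <literal
+          >false</literal> | <literal>off</literal> }</option></term>
+        <listitem>
+          <xi:include href="mandos-options.xml" xpointer="restore"/>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>statedir<literal> = </literal><replaceable
+        >DIRECTORY</replaceable></option></term>
+        <listitem>
+          <xi:include href="mandos-options.xml" xpointer="statedir"/>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
+        <term><option>socket<literal> = </literal><replaceable
+        >NUMBER</replaceable></option></term>
+        <listitem>
+          <xi:include href="mandos-options.xml" xpointer="socket"/>
+        </listitem>
+      </varlistentry>
+      
     </variablelist>
   </refsect1>
   
@@ -192,11 +222,13 @@
 interface = eth0
 address = fe80::aede:48ff:fe71:f6f2
 port = 1025
-debug = true
-priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP
+debug = True
+priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA
 servicename = Daena
 use_dbus = False
 use_ipv6 = True
+restore = True
+statedir = /var/lib/mandos
       </programlisting>
     </informalexample>
   </refsect1>
@@ -204,6 +236,8 @@
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
     <para>
+      <citerefentry><refentrytitle>intro</refentrytitle>
+      <manvolnum>8mandos</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>gnutls_priority_init</refentrytitle
       ><manvolnum>3</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>mandos</refentrytitle>
@@ -237,7 +271,7 @@
               <para>
                 The clients use IPv6 link-local addresses, which are
                 immediately usable since a link-local addresses is
-                automatically assigned to a network interfaces when it
+                automatically assigned to a network interface when it
                 is brought up.
               </para>
             </listitem>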