/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
debian/upstream

debian/upstream/signing-key.asc

initramfs-unpack

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2012-05-26">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

103

104

<sbr/>

104

105

<arg><option>--socket

105

106

107

<sbr/>

108

<arg><option>--foreground</option></arg>

109

<sbr/>

110

<arg><option>--no-zeroconf</option></arg>

106

111

</cmdsynopsis>

107

112

108

113

<command>&COMMANDNAME;</command>

311

316

</listitem>

312

317

</varlistentry>

313

318

319

320

<term><option>--foreground</option></term>

321

322

<xi:include href="mandos-options.xml"

323

xpointer="foreground"/>

324

</listitem>

325

</varlistentry>

326

327

328

<term><option>--no-zeroconf</option></term>

329

330

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

331

</listitem>

332

</varlistentry>

333

314

334

</variablelist>

315

335

</refsect1>

316

336

506

526

</listitem>

507

527

</varlistentry>

508

528

509

<term><filename>/var/run/mandos.pid</filename></term>

529

<term><filename>/run/mandos.pid</filename></term>

510

530

511

531

<para>

512

532

The file containing the process id of the

513

533

<command>&COMMANDNAME;</command> process started last.

534

<emphasis >Note:</emphasis> If the <filename

535

class="directory">/run</filename> directory does not

536

exist, <filename>/var/run/mandos.pid</filename> will be

537

used instead.

514

538

</para>

515

539

</listitem>

516

540

</varlistentry>

561

585

There is no fine-grained control over logging and debug output.

562

586

</para>

563

587

<para>

564

Debug mode is conflated with running in the foreground.

565

</para>

566

<para>

567

588

This server does not check the expire time of clients’ OpenPGP

568

589

keys.

569

590

</para>

685

706

</varlistentry>

686

707

687

708

<term>

688

<ulink url="http://www.gnu.org/software/gnutls/"

689

>GnuTLS</ulink>

709

<ulink url="http://gnutls.org/">GnuTLS</ulink>

690

710

</term>

691

711

692

712

<para>

730

750

</varlistentry>

731

751

732

752

<term>

733

RFC 4346: <citetitle>The Transport Layer Security (TLS)

734

Protocol Version 1.1</citetitle>

753

RFC 5246: <citetitle>The Transport Layer Security (TLS)

754

Protocol Version 1.2</citetitle>

735

755

</term>

736

756

737

757

<para>

738

TLS 1.1 is the protocol implemented by GnuTLS.

758

TLS 1.2 is the protocol implemented by GnuTLS.

739

759

</para>

740

760

</listitem>

741

761

</varlistentry>

751

771

</varlistentry>

752

772

753

773

<term>

754

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

755

Security</citetitle>

774

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

775

Security (TLS) Authentication</citetitle>

756

776

</term>

757

777

758

778

<para>

Older »