/mandos/trunk

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-options.xml

Committer: Teddy Hogeborn
Date: 2019-02-10 03:50:20 UTC
Revision ID: teddy@recompile.se-20190210035020-nttr1tybgwwixueu

http://bugs.debian.org/879538

http://bugs.debian.org/916673

Show debconf note about new TLS key IDs

If mandos-client did not see TLS keys and had to create them, or if
mandos sees GnuTLS version 3.6.6 or later, show an important notice on
package installation about the importance of adding the new key_id
options to clients.conf on the Mandos server.

* debian/control (Package: mandos, Package: mandos-client): Depend on
                                                            debconf.
* debian/mandos-client.lintian-overrides: Override warnings.
* debian/mandos-client.postinst (create_keys): Show notice if new TLS
                                               key files were created.
* debian/mandos-client.templates: New.
* debian/mandos.lintian-overrides: Override warnings.
* debian/mandos.postinst (configure): If GnuTLS 3.6.6 or later is
                                      detected, show an important
                                      notice (once) about the new
                                      key_id option required in
                                      clients.conf.
* debian/mandos.templates: New.

files added:
bugs.xml

debian/mandos-client.examples

debian/mandos-client.templates

debian/mandos.templates

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-script-stop

initramfs-unpack

intro.xml

mandos-to-cryptroot-unlock

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

dbus-mandos.conf

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos-options.xml

48

48

49

49

<para id="priority">

50

50

GnuTLS priority string for the <acronym>TLS</acronym> handshake.

51

The default is <quote><literal

52

>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP</literal></quote>. See

53

<citerefentry><refentrytitle>gnutls_priority_init</refentrytitle>

51

The default is

52

<quote><literal>SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA</literal></quote>

53

when using raw public keys in TLS, and

54

<quote><literal>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256</literal></quote>

55

when using OpenPGP keys in TLS,. See <citerefentry><refentrytitle

56

>gnutls_priority_init</refentrytitle>

54

57

<manvolnum>3</manvolnum></citerefentry> for the syntax.

55

58

<emphasis>Warning</emphasis>: changing this may make the

56

59

<acronym>TLS</acronym> handshake fail, making server-client

57

communication impossible.

60

communication impossible. Changing this option may also make the

61

network traffic decryptable by an attacker.

58

62

</para>

59

63

60

64

<para id="servicename">

86

90

advanced users should consider changing this option</emphasis>.

87

91

</para>

88

92

93

<para id="restore">

94

This option controls whether the server will restore its state

95

from the last time it ran. Default is to restore last state.

96

</para>

97

98

<para id="statedir">

99

Directory to save (and restore) state in. Default is

100

<quote><filename

101

class="directory">/var/lib/mandos</filename></quote>.

102

</para>

103

104

<para id="socket">

105

If this option is used, the server will not create a new network

106

socket, but will instead use the supplied file descriptor. By

107

default, the server will create a new network socket.

108

</para>

109

110

<para id="foreground">

111

This option will make the server run in the foreground and not

112

write a PID file. The default is to <emphasis>not</emphasis> run

113

in the foreground, except in <option>debug</option> mode, which

114

implies this option.

115

</para>

116

117

<para id="zeroconf">

118

This option controls whether the server will announce its

119

existence using Zeroconf. Default is to use Zeroconf. If

120

Zeroconf is not used, a <option>port</option> number or a

121

<option>socket</option> is required.

122

</para>

123

89

124

</section>

Older »