/mandos/trunk

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-options.xml

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
debian/upstream

debian/upstream/signing-key.asc

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

mandos-options.xml

49

49

<para id="priority">

50

50

GnuTLS priority string for the <acronym>TLS</acronym> handshake.

51

51

The default is <quote><literal

52

>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224</literal></quote>.

52

>SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA</literal>

53

<literal>:+SIGN-DSA-SHA256</literal></quote>.

53

54

See <citerefentry><refentrytitle

54

55

>gnutls_priority_init</refentrytitle>

55

56

<manvolnum>3</manvolnum></citerefentry> for the syntax.

56

57

<emphasis>Warning</emphasis>: changing this may make the

57

58

<acronym>TLS</acronym> handshake fail, making server-client

58

communication impossible.

59

communication impossible. Changing this option may also make the

60

network traffic decryptable by an attacker.

59

61

</para>

60

62

61

63

<para id="servicename">

111

113

implies this option.

112

114

</para>

113

115

116

<para id="zeroconf">

117

This option controls whether the server will announce its

118

existence using Zeroconf. Default is to use Zeroconf. If

119

Zeroconf is not used, a <option>port</option> number or a

120

<option>socket</option> is required.

121

</para>

122

114

123

</section>

Older »