/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

  • Committer: Teddy Hogeborn
  • Date: 2015-07-20 03:03:33 UTC
  • Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte
Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos">
5
 
<!ENTITY TIMESTAMP "2012-01-01">
 
5
<!ENTITY TIMESTAMP "2015-07-20">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
36
36
      <year>2010</year>
37
37
      <year>2011</year>
38
38
      <year>2012</year>
 
39
      <year>2013</year>
39
40
      <holder>Teddy Hogeborn</holder>
40
41
      <holder>Björn Påhlsson</holder>
41
42
    </copyright>
100
101
      <sbr/>
101
102
      <arg><option>--statedir
102
103
      <replaceable>DIRECTORY</replaceable></option></arg>
 
104
      <sbr/>
 
105
      <arg><option>--socket
 
106
      <replaceable>FD</replaceable></option></arg>
 
107
      <sbr/>
 
108
      <arg><option>--foreground</option></arg>
 
109
      <sbr/>
 
110
      <arg><option>--no-zeroconf</option></arg>
103
111
    </cmdsynopsis>
104
112
    <cmdsynopsis>
105
113
      <command>&COMMANDNAME;</command>
299
307
          <xi:include href="mandos-options.xml" xpointer="statedir"/>
300
308
        </listitem>
301
309
      </varlistentry>
 
310
      
 
311
      <varlistentry>
 
312
        <term><option>--socket
 
313
        <replaceable>FD</replaceable></option></term>
 
314
        <listitem>
 
315
          <xi:include href="mandos-options.xml" xpointer="socket"/>
 
316
        </listitem>
 
317
      </varlistentry>
 
318
      
 
319
      <varlistentry>
 
320
        <term><option>--foreground</option></term>
 
321
        <listitem>
 
322
          <xi:include href="mandos-options.xml"
 
323
                      xpointer="foreground"/>
 
324
        </listitem>
 
325
      </varlistentry>
 
326
      
 
327
      <varlistentry>
 
328
        <term><option>--no-zeroconf</option></term>
 
329
        <listitem>
 
330
          <xi:include href="mandos-options.xml" xpointer="zeroconf"/>
 
331
        </listitem>
 
332
      </varlistentry>
 
333
      
302
334
    </variablelist>
303
335
  </refsect1>
304
336
  
381
413
      extended timeout, checker program, and interval between checks
382
414
      can be configured both globally and per client; see
383
415
      <citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>
384
 
      <manvolnum>5</manvolnum></citerefentry>.  A client successfully
385
 
      receiving its password will also be treated as a successful
386
 
      checker run.
 
416
      <manvolnum>5</manvolnum></citerefentry>.
387
417
    </para>
388
418
  </refsect1>
389
419
  
496
526
        </listitem>
497
527
      </varlistentry>
498
528
      <varlistentry>
499
 
        <term><filename>/var/run/mandos.pid</filename></term>
 
529
        <term><filename>/run/mandos.pid</filename></term>
500
530
        <listitem>
501
531
          <para>
502
532
            The file containing the process id of the
503
533
            <command>&COMMANDNAME;</command> process started last.
 
534
            <emphasis >Note:</emphasis> If the <filename
 
535
            class="directory">/run</filename> directory does not
 
536
            exist, <filename>/var/run/mandos.pid</filename> will be
 
537
            used instead.
504
538
          </para>
505
539
        </listitem>
506
540
      </varlistentry>
551
585
      There is no fine-grained control over logging and debug output.
552
586
    </para>
553
587
    <para>
554
 
      Debug mode is conflated with running in the foreground.
555
 
    </para>
556
 
    <para>
557
588
      This server does not check the expire time of clients’ OpenPGP
558
589
      keys.
559
590
    </para>
675
706
      </varlistentry>
676
707
      <varlistentry>
677
708
        <term>
678
 
          <ulink url="http://www.gnu.org/software/gnutls/"
679
 
          >GnuTLS</ulink>
 
709
          <ulink url="http://gnutls.org/">GnuTLS</ulink>
680
710
        </term>
681
711
      <listitem>
682
712
        <para>
720
750
      </varlistentry>
721
751
      <varlistentry>
722
752
        <term>
723
 
          RFC 4346: <citetitle>The Transport Layer Security (TLS)
724
 
          Protocol Version 1.1</citetitle>
 
753
          RFC 5246: <citetitle>The Transport Layer Security (TLS)
 
754
          Protocol Version 1.2</citetitle>
725
755
        </term>
726
756
      <listitem>
727
757
        <para>
728
 
          TLS 1.1 is the protocol implemented by GnuTLS.
 
758
          TLS 1.2 is the protocol implemented by GnuTLS.
729
759
        </para>
730
760
      </listitem>
731
761
      </varlistentry>
741
771
      </varlistentry>
742
772
      <varlistentry>
743
773
        <term>
744
 
          RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer
745
 
          Security</citetitle>
 
774
          RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer
 
775
          Security (TLS) Authentication</citetitle>
746
776
        </term>
747
777
      <listitem>
748
778
        <para>