Startup troubles
Teddy Hogeborn
teddy at recompile.se
Tue Jun 5 23:07:02 CEST 2012
Dick Middleton <dick at fouter.net> writes:
> > Can the gnutls-cli command connect to a running gnutls-serv? Does
> > gnutls-serv handle the --priority
> > "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP" option?
>
> I can't get these utilities to talk. That is almost certainly because
> I have no idea what I'm doing :-(
>
> gnutls-serv accepts the --priority option without complaint. Is that
> the only option I need?
>
> On the client side I'm just passing the mandos key files:
>
> --pgpcertfile /etc/keys/mandos/pubkey.txt
> --pgpkeyfile /etc/keys/mandos/seckey.txt
No, the server side needs the keys. The client side needs only
--priority "SECURE256:..." and also maybe "--insecure".
Please note: To duplicate the situation exactly, the "gnutls-serv"
command should be run on the Mandos *client*, and the "gnutls-cli"
command should be run on the Mandos *server*. (It is a bit
counter-intuitive, but we designed it that way; the Mandos server and
Mandos client run the TLS protocol "backwards" so the Mandos client
could have certificates and the Mandos server wouldn't need them.)
> but they don't complete the handshake.
> Error: Could not negotiate a supported cipher suite
That's odd. It works here.
> I'm guessing I need to set other options to do this.
No, that should work.
> Another question. What happens after timeout expires (client
> disappears)?
> Does the server just disable the client
Yes.
> i.e. can it be re-enabled with mandos-cli?
Yes. You can do it interactively using "mandos-monitor", use
"mandos-cli --enable" from the command line or a script, or use the
D-Bus interface to access the Client object and either set the "Enabled"
property to "True" or call the "Enable()" method.
> I'm using this on a workstation rather than server so it disappears
> often for indefinite periods. Can the timeout/checking be disabled?
Yes; set the "checker" option for the client in clients.conf to ":" or
"true". Since ":" and "true" are shell commands that always succeed,
this will make the checker always succeed, and the timeout will never
time out.
/Teddy Hogeborn
--
The Mandos Project
http://www.recompile.se/mandos
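The D-Bus route to re-enabling a client, as an added example that is not part of the thread or of Mandos itself: it assumes the Mandos bus name "se.recompile.Mandos", the server method GetAllClientsWithProperties() and the client interface "se.recompile.Mandos.Client" (none of which the post spells out), and shows both the Enable() call and the "Enabled" property set that Teddy mentions.

```python
"""Re-enable a disabled Mandos client over D-Bus (added example)."""

# Assumed names of the Mandos D-Bus interface; not stated in the post.
BUS_NAME = "se.recompile.Mandos"
SERVER_IFACE = "se.recompile.Mandos"
CLIENT_IFACE = "se.recompile.Mandos.Client"
PROPERTIES_IFACE = "org.freedesktop.DBus.Properties"


def find_client_paths(clients, name):
    """Object paths whose 'Name' property equals `name`.

    `clients` is the mapping the server returns from
    GetAllClientsWithProperties(): {object_path: {property: value}}.
    Kept free of bus calls so it can be tested offline."""
    return sorted(path for path, props in clients.items()
                  if props.get("Name") == name)


def disabled_clients(clients):
    """Object paths of clients the server has disabled (e.g. after timeout)."""
    return sorted(path for path, props in clients.items()
                  if not props.get("Enabled", True))


def enable_client(name, use_method=True):
    """Enable every client object named `name`; returns how many were touched.

    Needs dbus-python and a running mandos server on the system bus."""
    import dbus
    bus = dbus.SystemBus()
    server = dbus.Interface(bus.get_object(BUS_NAME, "/"), SERVER_IFACE)
    paths = find_client_paths(server.GetAllClientsWithProperties(), name)
    for path in paths:
        obj = bus.get_object(BUS_NAME, path)
        if use_method:
            # Equivalent of "mandos-ctl --enable NAME": call Enable().
            dbus.Interface(obj, CLIENT_IFACE).Enable()
        else:
            # Same effect via the standard Properties interface.
            dbus.Interface(obj, PROPERTIES_IFACE).Set(
                CLIENT_IFACE, "Enabled", True)
    return len(paths)


if __name__ == "__main__":
    import sys
    print(enable_client(sys.argv[1]), "client object(s) enabled")
```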