authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-01-14 13:41:48 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-01-14 13:48:25 +0100
commit19eef2f07625649f9674e911d3811c0eaaa13a9a (patch)
tree6a733c5a1b87b6b119ac09f70a02f2869519ca23 /doc
parent245204f434262ef80ef59323ba15d6912294986f (diff)
changes in SYSTEM semantics to allow appending rules to the default policy.
Diffstat (limited to 'doc')
-rw-r--r--doc/cha-gtls-app.texi11
-rw-r--r--doc/examples/ex-cert-select-pkcs11.c2
-rw-r--r--doc/examples/ex-cert-select.c2
-rw-r--r--doc/examples/ex-client-dtls.c2
-rw-r--r--doc/examples/ex-client-srp.c2
-rw-r--r--doc/examples/ex-client-x509.c2
-rw-r--r--doc/examples/ex-serv-anon.c2
-rw-r--r--doc/examples/ex-serv-pgp.c2
-rw-r--r--doc/examples/ex-serv-psk.c2
-rw-r--r--doc/examples/ex-serv-srp.c2
10 files changed, 17 insertions, 12 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 68a15ec246..85ae38b0f7 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -894,8 +894,10 @@ additional algorithm or special keywords.
@item SYSTEM @tab
Means that a compile-time specified configuration file will be used
to read the priorities. That is used to impose system-specific policies.
-It may be followed by a priority string that will be used as backup, e.g.,
-"SYSTEM:NORMAL".
+It may be followed by additional options that will be appended to the
+system string (e.g., "SYSTEM:+SRP"). If there is no available system priority
+string then the default acceptable security level by GnuTLS will be
+set (i.e., NORMAL).
@item PERFORMANCE @tab
All the known to be secure ciphersuites are enabled,
@@ -1142,8 +1144,11 @@ or by using the priority functions as in @ref{Listing the ciphersuites in a prio
Example priority strings are:
@example
+The system imposed security level:
+ "SYSTEM"
+
The default priority without the HMAC-MD5:
- "SYSTEM:NORMAL:-MD5"
+ "NORMAL:-MD5"
Specifying RSA with AES-128-CBC:
"NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
diff --git a/doc/examples/ex-cert-select-pkcs11.c b/doc/examples/ex-cert-select-pkcs11.c
index aa76662ccf..bf66b4fbbf 100644
--- a/doc/examples/ex-cert-select-pkcs11.c
+++ b/doc/examples/ex-cert-select-pkcs11.c
@@ -89,7 +89,7 @@ int main(void)
gnutls_certificate_allocate_credentials(&xcred);
/* priorities */
- gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
+ gnutls_priority_init(&priorities_cache, "SYSTEM", NULL);
/* sets the trusted cas file
*/
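Review bot: The return value of `gnutls_priority_init(&priorities_cache, "SYSTEM", NULL)` is discarded, and with `"SYSTEM"` the effective string comes from a compile-time-specified configuration file rather than from a literal in the example. A failure here would leave `priorities_cache` unset while the program continues to set up the session, so the example should check it, e.g. `ret = gnutls_priority_init(&priorities_cache, "SYSTEM", NULL);` followed by `if (ret < 0) { fprintf(stderr, "priority init: %s\n", gnutls_strerror(ret)); exit(1); }` (assuming an `int ret` is available in `main`, whose body continues outside this hunk). The same unchecked call appears in the hunks for ex-cert-select.c, ex-client-srp.c, ex-serv-anon.c, ex-serv-pgp.c, ex-serv-psk.c and ex-serv-srp.c. Whether a malformed system file produces an error or the NORMAL fallback is not visible from these lines.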
diff --git a/doc/examples/ex-cert-select.c b/doc/examples/ex-cert-select.c
index 99cd126d91..25d0045e38 100644
--- a/doc/examples/ex-cert-select.c
+++ b/doc/examples/ex-cert-select.c
@@ -103,7 +103,7 @@ int main(void)
gnutls_certificate_allocate_credentials(&xcred);
/* priorities */
- gnutls_priority_init(&priorities_cache, "NORMAL", NULL);
+ gnutls_priority_init(&priorities_cache, "SYSTEM", NULL);
/* sets the trusted cas file
diff --git a/doc/examples/ex-client-dtls.c b/doc/examples/ex-client-dtls.c
index cb9375d2ab..bd978c6b83 100644
--- a/doc/examples/ex-client-dtls.c
+++ b/doc/examples/ex-client-dtls.c
@@ -48,7 +48,7 @@ int main(void)
gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
/* Use default priorities */
- ret = gnutls_priority_set_direct(session, "NORMAL", &err);
+ ret = gnutls_priority_set_direct(session, "SYSTEM", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
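Review bot: The comment `/* Use default priorities */` above the changed call is now stale, because the string passed is `"SYSTEM"` and selects the system-imposed policy rather than the library default. Something like `/* Use the system-imposed priorities (NORMAL if no system policy is available) */` would match the semantics described in the cha-gtls-app.texi change of this commit. The same comment sits above the identical change in ex-client-x509.c. The `if (ret < 0)` block continues past the end of the hunk.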
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index 722b79a0ae..8b2bb6b0be 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -51,7 +51,7 @@ int main(void)
/* Set the priorities.
*/
gnutls_priority_set_direct(session,
- "NORMAL:+SRP:+SRP-RSA:+SRP-DSS", NULL);
+ "SYSTEM:+SRP:+SRP-RSA:+SRP-DSS", NULL);
/* put the SRP credentials to the current session
*/
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index 4d1753ae7f..b26a473ae2 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -61,7 +61,7 @@ int main(void)
strlen("my_host_name"));
/* Use default priorities */
- ret = gnutls_priority_set_direct(session, "NORMAL", &err);
+ ret = gnutls_priority_set_direct(session, "SYSTEM", &err);
if (ret < 0) {
if (ret == GNUTLS_E_INVALID_REQUEST) {
fprintf(stderr, "Syntax error at: %s\n", err);
diff --git a/doc/examples/ex-serv-anon.c b/doc/examples/ex-serv-anon.c
index fd24cbfa1f..b0706079e1 100644
--- a/doc/examples/ex-serv-anon.c
+++ b/doc/examples/ex-serv-anon.c
@@ -89,7 +89,7 @@ int main(void)
for (;;) {
gnutls_init(&session, GNUTLS_SERVER);
gnutls_priority_set_direct(session,
- "NORMAL:+ANON-ECDH:+ANON-DH",
+ "SYSTEM:+ANON-ECDH:+ANON-DH",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anoncred);
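Review bot: Nothing near the call says that `"SYSTEM:+ANON-ECDH:+ANON-DH"` appends unauthenticated key exchange on top of the administrator's system policy. Since SYSTEM is documented in this commit as the way to impose system-specific policies, readers copying the example should be told what the suffix does, e.g. `/* anonymous key exchange provides no peer authentication; it is appended here to the system policy */`. Whether an appended option can re-enable something the system file disabled is not visible from this hunk and would be worth stating in the manual entry as well. The enclosing `for (;;)` loop continues outside the hunk.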
diff --git a/doc/examples/ex-serv-pgp.c b/doc/examples/ex-serv-pgp.c
index b68a6bfec2..8219a8a006 100644
--- a/doc/examples/ex-serv-pgp.c
+++ b/doc/examples/ex-serv-pgp.c
@@ -103,7 +103,7 @@ int main(void)
for (;;) {
gnutls_init(&session, GNUTLS_SERVER);
gnutls_priority_set_direct(session,
- "NORMAL:+CTYPE-OPENPGP", NULL);
+ "SYSTEM:+CTYPE-OPENPGP", NULL);
/* request client certificate if any.
*/
diff --git a/doc/examples/ex-serv-psk.c b/doc/examples/ex-serv-psk.c
index 7244787619..42bc6181e7 100644
--- a/doc/examples/ex-serv-psk.c
+++ b/doc/examples/ex-serv-psk.c
@@ -98,7 +98,7 @@ int main(void)
generate_dh_params();
gnutls_priority_init(&priority_cache,
- "NORMAL:+PSK:+ECDHE-PSK:+DHE-PSK", NULL);
+ "SYSTEM:+PSK:+ECDHE-PSK:+DHE-PSK", NULL);
gnutls_certificate_set_dh_params(x509_cred, dh_params);
diff --git a/doc/examples/ex-serv-srp.c b/doc/examples/ex-serv-srp.c
index 44b0a711ad..152e6c273b 100644
--- a/doc/examples/ex-serv-srp.c
+++ b/doc/examples/ex-serv-srp.c
@@ -85,7 +85,7 @@ int main(void)
for (;;) {
gnutls_init(&session, GNUTLS_SERVER);
gnutls_priority_set_direct(session,
- "NORMAL:-KX-ALL:+SRP:+SRP-DSS:+SRP-RSA",
+ "SYSTEM:-KX-ALL:+SRP:+SRP-DSS:+SRP-RSA",
NULL);
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred);
/* for the certificate authenticated ciphersuites.