mod_s2s_keysize_policy/README.markdown
author Matthew Wild <mwild1@gmail.com>
Sat, 24 Sep 2022 09:26:26 +0100
changeset 5063 5f1120c284c5
parent 1899 101078d9cc27
permissions -rw-r--r--
mod_cloud_notify_extensions: Add note about dependency Noting here because people might not click through to see it on the mod_cloud_notify_encrypted page.

File added in changeset 1899 (101078d9cc27, "mod_s2s_keysize_policy: Add a README") by Kim Alvefur <zash@zash.se>.

---
summary: Distrust servers with too small keys
...

Introduction
============

This module sets the security status of s2s connections to invalid if
their key is too small and their certificate was issued after 2014, per
CA/B Forum guidelines.

Details
=======

Certificate Authorities were no longer allowed to issue certificates
with public keys smaller than 2048 bits (for RSA) after December 31
2013. This module was written to enforce this, as there were some CAs
that were slow to comply. As of 2015, it might not be very relevant
anymore, but it is still useful for anyone who wants to increase their
security level.

When a server is determined to have a "too small" key, this module sets
its chain and identity status to "invalid", so Prosody will treat it as
a self-signed certificate instead.

"Too small"
-----------

The definition of "too small" is based on the key type and is taken from
[RFC 4492].

  Type     bits
  ------ ------
  RSA      2048
  DSA      2048
  DH       2048
  EC        233

Compatibility
=============

Works with Prosody 0.9 and later. Requires LuaSec with [support for
inspecting public keys](https://github.com/brunoos/luasec/pull/19).