author | Matthew Wild <mwild1@gmail.com>
date | Fri, 10 Mar 2017 10:19:05 +0000
changeset 2611 | a7ef9b765891
parent 1849 | ad24f8993385
permissions | -rw-r--r--

Line annotations on this view attribute the README text to earlier changesets by Kim Alvefur <zash@zash.se>: 1849 (ad24f8993385, "mod_tls_policy/README: Fix summary so modules.prosody.im understands it"), 1847 (032b209bb8ff, "mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thought it meant explicit line breaks)") and 1846.

---
summary: Cipher policy enforcement with application level error reporting
...

# Introduction

This module arose from discussions at the XMPP Summit about enforcing
better ciphers in TLS. It may seem attractive to disallow some insecure
ciphers or require forward secrecy, but doing this at the TLS level
would leave the user with an unhelpful "Encryption failed" message. This
module does the enforcing at the application level, allowing better
error messages.

# Configuration

First, download and add the module to `modules_enabled`. Then you can
decide on what policy you want to have.

Requiring ciphers with forward secrecy is the simplest to set up.

``` lua
tls_policy = "FS" -- allow only ciphers that enable forward secrecy
```

A more complicated example:

``` lua
tls_policy = {
  c2s = {
    encryption = "AES"; -- Require AES (or AESGCM) encryption
    protocol = "TLSv1.2"; -- and TLSv1.2
    bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
  };
  s2s = {
    cipher = "AESGCM"; -- Require AESGCM ciphers
    protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
    authentication = "RSA"; -- with RSA authentication
  };
}
```

# Compatibility

Requires LuaSec 0.5