mod_s2s_keysize_policy/README.markdown
author Matthew Wild <mwild1@gmail.com>
Mon, 08 Jan 2024 17:28:39 +0000
changeset 5822 d3b69859553a
parent 1899 101078d9cc27
permissions -rw-r--r--
mod_password_policy: Change error type from 'cancel' to 'modify' This makes more sense, as the problem relates to the data that has been entered, and therefore the request could be retried with different data.
1899
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>

---
summary: Distrust servers with too small keys
...

Introduction
============

This module sets the security status of s2s connections to invalid if
the peer's certificate was issued in 2014 or later and its public key is
too small, as defined by the CA/B Forum Baseline Requirements.

Details
=======

Under the CA/B Forum Baseline Requirements, Certificate Authorities have
not been allowed to issue certificates with RSA public keys smaller than
2048 bits since December 31, 2013. This module was written to enforce
that deadline from the relying side, as some CAs were slow to comply.
As of 2015 it may not be very relevant anymore, but it is still useful
for anyone who wants to raise their security baseline.

When a server is determined to have a "too small" key, this module sets
the connection's chain and identity status to "invalid", so Prosody
treats the certificate as if it were self-signed. The connection is then
only accepted under whatever policy applies to self-signed certificates
on your server (for example, it is refused if `s2s_secure_auth` is
enabled).

"Too small"
-----------

The definition of "too small" depends on the key type. The minimum sizes
below are taken from the key-strength equivalence table in [RFC 4492],
where each row corresponds to roughly 112 bits of security; any key
smaller than the listed size is treated as too small.

  Type   Minimum bits
  ------ ------------
  RSA            2048
  DSA            2048
  DH             2048
  EC              233

Note that the 233-bit EC threshold means a P-224 key is treated as too
small, while P-256 and larger curves pass.

[RFC 4492]: https://www.rfc-editor.org/rfc/rfc4492

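The policy above, written out as a Prosody module hook. This is an added example for this README, not the module's own code. It assumes Prosody's `s2s-check-certificate` event (with `session`, `host` and `cert` fields), LuaSec's `cert:pubkey()` returning the PEM-encoded key, its type and its size in bits (the feature referred to under Compatibility), and `cert:notbefore()` returning an OpenSSL-style date string such as `Jan  1 00:00:00 2014 GMT`. Leaving unknown key types alone is the example's own choice, not something the module's text specifies.

```lua
-- Added example, not the module's own code. Assumes the Prosody and LuaSec
-- APIs named in the lead-in above.

-- Minimum acceptable key size per key type, from the RFC 4492 table above.
local min_bits = { RSA = 2048, DSA = 2048, DH = 2048, EC = 233 };

-- Certificates issued before this year are not judged (the CA/B Forum
-- deadline was December 31, 2013).
local cutoff_year = 2014;

-- Extract the four-digit year from an OpenSSL-style time string such as
-- "Jan  1 00:00:00 2014 GMT". Returns nil if the string is not recognised.
local function year_of(openssl_time)
	return tonumber(openssl_time:match("(%d%d%d%d)%s*%u*$"));
end

-- Decide whether a key is "too small" under the policy. Returns true only
-- when the certificate is from the cutoff year or later, the key type is
-- known, and its size is below the minimum. Unknown key types are left to
-- Prosody's normal validation (this example's own choice).
local function key_too_small(key_type, key_bits, not_before)
	local minimum = min_bits[key_type];
	if not minimum then return false; end
	local year = year_of(not_before);
	if not year or year < cutoff_year then return false; end
	return key_bits < minimum;
end

module:hook("s2s-check-certificate", function (event)
	local session, cert = event.session, event.cert;
	-- LuaSec returns the PEM-encoded key, its type ("RSA", "DSA", "DH",
	-- "EC" or "Unknown") and its size in bits.
	local _, key_type, key_bits = cert:pubkey();
	if key_too_small(key_type, key_bits, cert:notbefore()) then
		module:log("warn", "%s presented a %d-bit %s key in a certificate issued %s; treating it as untrusted",
			event.host or "unknown host", key_bits, key_type, cert:notbefore());
		-- Downgrade both statuses so Prosody treats the certificate like a
		-- self-signed one, whatever the CA chain said.
		session.cert_chain_status = "invalid";
		session.cert_identity_status = "invalid";
	end
end);
```

Because the hook only ever lowers the two statuses, it is safe to run alongside Prosody's own certificate checks: a certificate that was already invalid stays invalid, and a valid certificate with an adequate key is left untouched.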
Compatibility
=============

Works with Prosody 0.9 and later. Requires LuaSec with [support for
inspecting public keys](https://github.com/brunoos/luasec/pull/19);
without it the module cannot read the key type and size from the peer's
certificate.