annotate mod_tls_policy/README.markdown @ 1843:032b209bb8ff

mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
author Kim Alvefur <zash@zash.se>
date Sat, 12 Sep 2015 21:04:43 +0200
parents 98ad01cc83cf
children ad24f8993385
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1842
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 % Cipher policy enforcement with application level error reporting
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 # Introduction
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4
1843
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
5 This module arose from discussions at the XMPP Summit about enforcing
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
6 better ciphers in TLS. It may seem attractive to disallow some insecure
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
7 ciphers or require forward secrecy, but doing this at the TLS level
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
8 would the user with an unhelpful "Encryption failed" message. This
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
9 module does this enforcing at the application level, allowing better
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
10 error messages.
1842
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 # Configuration
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
1843
032b209bb8ff mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents: 1842
diff changeset
14 First, download and add the module to `module_enabled`. Then you can
1842
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 decide on what policy you want to have.
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 Requiring ciphers with forward secrecy is the most simple to set up.
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 ``` lua
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 tls_policy = "FS" -- allow only ciphers that enable forward secrecy
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 ```
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 A more complicated example:
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 ``` lua
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 tls_policy = {
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 c2s = {
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 encryption = "AES"; -- Require AES (or AESGCM) encryption
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 protocol = "TLSv1.2"; -- and TLSv1.2
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 }
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 s2s = {
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 cipher = "AESGCM"; -- Require AESGCM ciphers
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 authentication = "RSA"; -- with RSA authentication
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 };
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 }
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 ```
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 # Compatibility
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 Requires LuaSec 0.5
98ad01cc83cf mod_tls_policy: Add README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43