prosody-modules: annotate mod_tls_policy/README.markdown @ 1843:032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thought it meant explicit line breaks)

| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 12 Sep 2015 21:04:43 +0200 |
| parents | 98ad01cc83cf |
| children | ad24f8993385 |
% Cipher policy enforcement with application level error reporting

# Introduction

This module arose from discussions at the XMPP Summit about enforcing
better ciphers in TLS. It may seem attractive to disallow some insecure
ciphers or require forward secrecy, but doing this at the TLS level
would leave the user with an unhelpful "Encryption failed" message. This
module does the enforcement at the application level instead, allowing
better error messages.

# Configuration

First, download and add the module to `modules_enabled`. Then you can
decide on what policy you want to have.

Requiring ciphers with forward secrecy is the simplest policy to set up:

``` lua
tls_policy = "FS" -- allow only ciphers that enable forward secrecy
```

A more complicated example, with separate policies for client-to-server
(c2s) and server-to-server (s2s) connections:

``` lua
tls_policy = {
    c2s = {
        encryption = "AES"; -- Require AES (or AESGCM) encryption
        protocol = "TLSv1.2"; -- and TLSv1.2
        bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
    };
    s2s = {
        cipher = "AESGCM"; -- Require AESGCM ciphers
        protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
        authentication = "RSA"; -- with RSA authentication
    };
}
```
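
The following is an added illustration of how a `tls_policy` table of the shape above can be checked against the handshake details a connection reports; it is not the code of mod_tls_policy itself. The helper names (`check_policy`, `policy_for`, `policy_strings`), the expansion of the `"FS"` shorthand into a check on the key-exchange field, the treatment of string values as Lua patterns and numeric values as minimums, and the field names of the constructed `info` tables (modelled on what LuaSec's `conn:info()` returns) are all assumptions made for the example:

```lua
-- Added example, not the module's own code. Assumed semantics: string policy
-- values are Lua patterns (which is why "TLSv1.[12]" works in the README),
-- numeric policy values are minimums, and "FS" expands to a key-exchange check.

-- Shorthand policies. Assumption: forward secrecy means an (EC)DH key
-- exchange, which LuaSec reports in the "key" field of conn:info().
local policy_strings = {
	FS = { key = "DH" }; -- the pattern "DH" also matches "ECDH"
};

-- Compare one connection's info table against a policy table.
-- Returns true, or false plus the field that failed and the observed value,
-- so the caller can build a meaningful application-level error.
local function check_policy(policy, info)
	if type(policy) == "string" then
		policy = assert(policy_strings[policy], "unknown policy shorthand: " .. policy);
	end
	for field, want in pairs(policy) do
		local have = info[field];
		if have == nil then
			return false, field, "not reported";
		elseif type(want) == "number" then
			if have < want then return false, field, tostring(have); end
		elseif not tostring(have):find(want) then
			return false, field, tostring(have);
		end
	end
	return true;
end

-- Select the policy for a session type, accepting both the plain-string form
-- and the per-session-type table form shown in the README.
local function policy_for(tls_policy, session_type)
	if type(tls_policy) == "table" and (tls_policy.c2s or tls_policy.s2s) then
		return tls_policy[session_type];
	end
	return tls_policy;
end

-- Constructed sample connection details (values made up for the example;
-- field names follow the ones LuaSec exposes, which is an assumption here).
local weak_info = {
	cipher = "AES128-SHA", protocol = "TLSv1", bits = 128,
	key = "RSA", authentication = "RSA", encryption = "AES", mac = "SHA1",
};
local good_info = {
	cipher = "ECDHE-RSA-AES128-GCM-SHA256", protocol = "TLSv1.2", bits = 128,
	key = "ECDH", authentication = "RSA", encryption = "AESGCM", mac = "AEAD",
};

-- The c2s part of the README's "more complicated" policy.
local tls_policy = {
	c2s = { encryption = "AES"; protocol = "TLSv1.2"; bits = 128 };
	s2s = { cipher = "AESGCM"; protocol = "TLSv1.[12]"; authentication = "RSA" };
};

for _, case in ipairs({ { "weak", weak_info }, { "good", good_info } }) do
	local name, info = case[1], case[2];
	local ok, field, value = check_policy(policy_for(tls_policy, "c2s"), info);
	if ok then
		print(name .. ": c2s policy satisfied");
	else
		-- This is the kind of message the README argues for: rather than a bare
		-- TLS failure, the client learns which property of its connection was rejected.
		print(("%s: c2s policy rejected: %s is %q"):format(name, field, value));
	end
	print(name .. ": FS policy " .. (check_policy("FS", info) and "satisfied" or "rejected"));
end
```

Run with a stock `lua` interpreter; no LuaSec is needed because the connection details are constructed inline. The weak sample fails the c2s policy on `protocol` and the FS policy on `key`, while the good sample passes both. Because string values are patterns, an anchored pattern such as `"^TLSv1%.2$"` would be stricter than the README's `"TLSv1.2"`, whose `.` matches any character.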

# Compatibility

Requires LuaSec 0.5