Mercurial > prosody-modules
annotate mod_tls_policy/README.markdown @ 2467:290fef768a81
mod_http_upload: Forget upload slot under some error conditions
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Jan 2017 17:22:37 +0100 |
parents | ad24f8993385 |
children |
rev | line source |
---|---|
1845
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
1 --- |
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
2 summary: Cipher policy enforcement with application level error reporting |
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
3 ... |
1842 | 4 |
5 # Introduction | |
6 | |
1843
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
7 This module arose from discussions at the XMPP Summit about enforcing |
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
8 better ciphers in TLS. It may seem attractive to disallow some insecure |
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
9 ciphers or require forward secrecy, but doing this at the TLS level |
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
10 would the user with an unhelpful "Encryption failed" message. This |
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
11 module does this enforcing at the application level, allowing better |
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
12 error messages. |
1842 | 13 |
14 # Configuration | |
15 | |
1843
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
16 First, download and add the module to `module_enabled`. Then you can |
1842 | 17 decide on what policy you want to have. |
18 | |
19 Requiring ciphers with forward secrecy is the most simple to set up. | |
20 | |
21 ``` lua | |
22 tls_policy = "FS" -- allow only ciphers that enable forward secrecy | |
23 ``` | |
24 | |
25 A more complicated example: | |
26 | |
27 ``` lua | |
28 tls_policy = { | |
29 c2s = { | |
30 encryption = "AES"; -- Require AES (or AESGCM) encryption | |
31 protocol = "TLSv1.2"; -- and TLSv1.2 | |
32 bits = 128; -- and at least 128 bits (FIXME: remember what this meant) | |
33 } | |
34 s2s = { | |
35 cipher = "AESGCM"; -- Require AESGCM ciphers | |
36 protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2 | |
37 authentication = "RSA"; -- with RSA authentication | |
38 }; | |
39 } | |
40 ``` | |
41 | |
42 # Compatibility | |
43 | |
44 Requires LuaSec 0.5 | |
45 |