Mercurial > prosody-modules

annotate mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5627:3a5cf8d80089

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Tweak method of centering the UI The percentage here was relative to the viewport width, which on some very wide screens may put the UI slightly outside of the view, requiring scrolling to see. By using a unit relative to the height of the viewport, this is avoided and should work better. But no guarantees, it's still possible to resize the browser or adjust font sizes so that the UI goes out of view.
author Kim Alvefur <zash@zash.se>
date Mon, 31 Jul 2023 07:28:09 +0200
parents 27ffa6521d4e
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_s2s_keysize_policy.lua
1204
fc42f8484451 mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents: 1203
diff changeset
2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 module:set_global();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local datetime_parse = require"util.datetime".parse;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local function parse_x509_datetime(s)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local month, day, hour, min, sec, year = s:match(pat); month = months[month];
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 -- From RFC 4492
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local weak_key_size = {
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 RSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 DSA = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 DH = 2048,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 EC = 233,
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 }
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 module:hook("s2s-check-certificate", function(event)
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 local host, session, cert = event.host, event.session, event.cert;
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 if cert and cert.pubkey then
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local _, key_type, key_size = cert:pubkey();
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 if key_size < ( weak_key_size[key_type] or 0 ) then
1325
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
29 local issued = parse_x509_datetime(cert:notbefore());
b21236b6b8d8 Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents: 1324
diff changeset
30 if issued > weak_key_cutoff then
2424
27ffa6521d4e mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error
Kim Alvefur <zash@zash.se>
parents: 1325
diff changeset
31 session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
1203
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 session.cert_chain_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 session.cert_identity_status = "invalid";
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 else
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 end
5294c8c1861c mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 end);