annotate mod_s2s_keysize_policy/README.markdown @ 4490:cf2bdb2aaa57

mod_s2s_auth_dane: Disable now redundant validation done in trunk

Outgoing connections can now be validated natively in trunk since a38f9e09ca31 so we only need to check incoming connections.
author Kim Alvefur <zash@zash.se>
date Wed, 03 Mar 2021 11:43:38 +0100
parents 101078d9cc27
children
rev 1895 (101078d9cc27): mod_s2s_keysize_policy: Add a README, by Kim Alvefur <zash@zash.se>
---
summary: Distrust servers with too small keys
...

Introduction
============

This module sets the security status of s2s connections to invalid if
their key is too small and their certificate was issued after 2014, per
CA/B Forum guidelines.

Details
=======

Certificate Authorities were no longer allowed to issue certificates
with public keys smaller than 2048 bits (for RSA) after December 31
2013. This module was written to enforce this, as there were some CAs
that were slow to comply. As of 2015, it might not be very relevant
anymore, but it is still useful for anyone who wants to increase their
security levels.

When a server is determined to have a "too small" key, this module sets
its chain and identity status to "invalid", so Prosody will treat it as
a self-signed certificate instead.

"Too small"
-----------

The definition of "too small" is based on the key type and is taken from
[RFC 4492].

Type    bits
------  ------
RSA     2048
DSA     2048
DH      2048
EC      233

Compatibility
=============

Works with Prosody 0.9 and later. Requires LuaSec with [support for
inspecting public keys](https://github.com/brunoos/luasec/pull/19).
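The policy described above (the "too small" table, the 2014 cut-off, and the resulting chain/identity verdict), written out as an added, stand-alone example that is not the module's own Lua code. It goes slightly beyond the README by also showing how the RSA key size is obtained from a certificate's SubjectPublicKeyInfo with a minimal DER walk, so that the check can be run offline without LuaSec or any third-party library. The function names (`key_too_small`, `assess`, `rsa_bits_from_spki`, `build_rsa_spki`), the `"unchanged"` verdict, and the treatment of key types missing from the table (left to Prosody's own verdict) are assumptions of this example; the sample keys are constructed here, not taken from any real certificate.

```python
"""Key-size policy check in the spirit of mod_s2s_keysize_policy.

Added example, not the Prosody module's code. The table and the date
cut-off come from the module README; everything else is an assumption.
"""
from datetime import date

# Minimum acceptable public-key size in bits, per key type (README table).
MIN_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 233}

# Certificates issued on or after this date must meet the table above;
# older ones are left alone (README: issued after December 31 2013).
CUTOFF = date(2014, 1, 1)


def key_too_small(key_type, bits):
    """True when `bits` is below the minimum for `key_type`.
    Key types absent from the table are not judged here (assumption)."""
    minimum = MIN_BITS.get(key_type.upper())
    return minimum is not None and bits < minimum


def assess(key_type, bits, not_before):
    """Return (cert_chain_status, cert_identity_status) this policy would
    impose. `not_before` is an ISO date string (certificate notBefore).
    "unchanged" means Prosody's own verdict is left in place."""
    issued = date.fromisoformat(not_before)
    if issued >= CUTOFF and key_too_small(key_type, bits):
        return ("invalid", "invalid")
    return ("unchanged", "unchanged")


# --- Minimal DER helpers (constructed for this example) ------------------
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # keep INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_rsa_spki(modulus, exponent=65537):
    """Constructed sample SubjectPublicKeyInfo for an RSA key."""
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _tlv(0x30, RSA_OID + b"\x05\x00")
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_bits_from_spki(spki):
    """Return ("RSA", modulus bit length) for an RSA SPKI, else (None, 0)."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        return (None, 0)
    _, alg_id, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if _tlv(oid_tag, oid) != RSA_OID:
        return (None, 0)
    _, bitstr, _ = _read_tlv(body, pos)
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)   # skip unused-bits octet
    _, modulus, _ = _read_tlv(rsa_pub, 0)
    return ("RSA", int.from_bytes(modulus, "big").bit_length())


def assess_spki(spki, not_before):
    """Combine both halves: derive the key size, then apply the policy."""
    key_type, bits = rsa_bits_from_spki(spki)
    if key_type is None:
        return ("unchanged", "unchanged")
    return assess(key_type, bits, not_before)


if __name__ == "__main__":
    weak = build_rsa_spki((1 << 1023) + 1)    # constructed 1024-bit modulus
    print(rsa_bits_from_spki(weak), assess_spki(weak, "2014-06-01"))
```

Only RSA is parsed in the DER walk; for DSA, DH and EC keys the size has to come from the key parameters or the named curve, which is exactly the job the README delegates to LuaSec's public-key inspection support.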