Mercurial > prosody-modules
annotate mod_s2s_keysize_policy/README.markdown @ 4490:cf2bdb2aaa57
mod_s2s_auth_dane: Disable now redundant validation done in trunk
Outgoing connections can now be validated natively in trunk since
a38f9e09ca31 so we only need to check incoming connections.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 03 Mar 2021 11:43:38 +0100 |
| parents | 101078d9cc27 |
| children |
| rev | line source |
|---|---|
|
1895
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 --- |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 summary: Distrust servers with too small keys |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 ... |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 Introduction |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 ============ |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 This module sets the security status of s2s connections to invalid if |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 their key is too small and their certificate was issued after 2014, per |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 CA/B Forum guidelines. |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 Details |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 ======= |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 Certificate Authorities were no longer allowed to issue certificates |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 with public keys smaller than 2048 bits (for RSA) after December 31 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 2013. This module was written to enforce this, as there were some CAs |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 that were slow to comply. As of 2015, it might not be very relevant |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 anymore, but still useful for anyone who wants to increase their |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 security levels. |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 When a server is determined to have a "too small" key, this module sets |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 its chain and identity status to "invalid", so Prosody will treat it as |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 a self-signed certificate istead. |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 "Too small" |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 ----------- |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 The definition of "too small" is based on the key type and is taken from |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 [RFC 4492]. |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 Type bits |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 ------ ------ |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 RSA 2048 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 DSA 2048 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 DH 2048 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 EC 233 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 Compatibility |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 ============= |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 Works with Prosody 0.9 and later. Requires LuaSec with [support for |
|
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 inspecting public keys](https://github.com/brunoos/luasec/pull/19). |