Mercurial > prosody-modules
annotate mod_tls_policy/README.markdown @ 5951:d6a695abb33c
mod_ping_muc: Delay ping a configurable amount of time
If a server is restarting, checking immediately before it has a chance
to complete its restart and get ready would often fail, preventing the
possibility of transparent restarts as supported by Prosody's mod_muc.
Reconnecting immediately when a connection is closed for being idle, or
because the remote server is trying to reclaim some resources, is also
counter-productive as the connection may fail.
Also, if there is some Internet routing problem affecting s2s, it may
help to wait a bit before checking, in case the problem resolved itself
in the mean time.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 11 Aug 2024 16:10:24 +0200 |
| parents | ad24f8993385 |
| children |
| rev | line source |
|---|---|
|
1845
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
1 --- |
|
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
2 summary: Cipher policy enforcement with application level error reporting |
|
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
3 ... |
| 1842 | 4 |
| 5 # Introduction | |
| 6 | |
|
1843
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
7 This module arose from discussions at the XMPP Summit about enforcing |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
8 better ciphers in TLS. It may seem attractive to disallow some insecure |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
9 ciphers or require forward secrecy, but doing this at the TLS level |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
10 would the user with an unhelpful "Encryption failed" message. This |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
11 module does this enforcing at the application level, allowing better |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
12 error messages. |
| 1842 | 13 |
| 14 # Configuration | |
| 15 | |
|
1843
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
16 First, download and add the module to `module_enabled`. Then you can |
| 1842 | 17 decide on what policy you want to have. |
| 18 | |
| 19 Requiring ciphers with forward secrecy is the most simple to set up. | |
| 20 | |
| 21 ``` lua | |
| 22 tls_policy = "FS" -- allow only ciphers that enable forward secrecy | |
| 23 ``` | |
| 24 | |
| 25 A more complicated example: | |
| 26 | |
| 27 ``` lua | |
| 28 tls_policy = { | |
| 29 c2s = { | |
| 30 encryption = "AES"; -- Require AES (or AESGCM) encryption | |
| 31 protocol = "TLSv1.2"; -- and TLSv1.2 | |
| 32 bits = 128; -- and at least 128 bits (FIXME: remember what this meant) | |
| 33 } | |
| 34 s2s = { | |
| 35 cipher = "AESGCM"; -- Require AESGCM ciphers | |
| 36 protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2 | |
| 37 authentication = "RSA"; -- with RSA authentication | |
| 38 }; | |
| 39 } | |
| 40 ``` | |
| 41 | |
| 42 # Compatibility | |
| 43 | |
| 44 Requires LuaSec 0.5 | |
| 45 |