Mercurial > prosody-modules
annotate mod_s2s_keysize_policy/README.markdown @ 5426:f75d95f27da7
mod_http_oauth2: Add function for filtering roles
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 07 May 2023 19:07:52 +0200 |
parents | 101078d9cc27 |
children |
rev | line source |
---|---|
1895
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 --- |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 summary: Distrust servers with too small keys |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 ... |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 Introduction |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 ============ |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 This module sets the security status of s2s connections to invalid if |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 their key is too small and their certificate was issued after 2014, per |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 CA/B Forum guidelines. |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 Details |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 ======= |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 Certificate Authorities were no longer allowed to issue certificates |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 with public keys smaller than 2048 bits (for RSA) after December 31 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 2013. This module was written to enforce this, as there were some CAs |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 that were slow to comply. As of 2015, it might not be very relevant |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 anymore, but still useful for anyone who wants to increase their |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 security levels. |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 When a server is determined to have a "too small" key, this module sets |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 its chain and identity status to "invalid", so Prosody will treat it as |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 a self-signed certificate istead. |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 "Too small" |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 ----------- |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 The definition of "too small" is based on the key type and is taken from |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 [RFC 4492]. |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 Type bits |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 ------ ------ |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 RSA 2048 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 DSA 2048 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 DH 2048 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 EC 233 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 Compatibility |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 ============= |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 Works with Prosody 0.9 and later. Requires LuaSec with [support for |
101078d9cc27
mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 inspecting public keys](https://github.com/brunoos/luasec/pull/19). |