Mercurial > prosody-modules
comparison mod_s2s_keysize_policy/README.markdown @ 1895:101078d9cc27
mod_s2s_keysize_policy: Add a README
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 04 Oct 2015 23:24:19 +0200 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 1894:93c5479c6f2f | 1895:101078d9cc27 |
|---|---|
| 1 --- | |
| 2 summary: Distrust servers with too small keys | |
| 3 ... | |
| 4 | |
| 5 Introduction | |
| 6 ============ | |
| 7 | |
| 8 This module sets the security status of s2s connections to invalid if | |
| 9 their key is too small and their certificate was issued after 2014, per | |
| 10 CA/B Forum guidelines. | |
| 11 | |
| 12 Details | |
| 13 ======= | |
| 14 | |
| 15 Certificate Authorities were no longer allowed to issue certificates | |
| 16 with public keys smaller than 2048 bits (for RSA) after December 31 | |
| 17 2013. This module was written to enforce this, as there were some CAs | |
| 18 that were slow to comply. As of 2015, it might not be very relevant | |
| 19 anymore, but still useful for anyone who wants to increase their | |
| 20 security levels. | |
| 21 | |
| 22 When a server is determined to have a "too small" key, this module sets | |
| 23 its chain and identity status to "invalid", so Prosody will treat it as | |
| 24 a self-signed certificate istead. | |
| 25 | |
| 26 "Too small" | |
| 27 ----------- | |
| 28 | |
| 29 The definition of "too small" is based on the key type and is taken from | |
| 30 [RFC 4492]. | |
| 31 | |
| 32 Type bits | |
| 33 ------ ------ | |
| 34 RSA 2048 | |
| 35 DSA 2048 | |
| 36 DH 2048 | |
| 37 EC 233 | |
| 38 | |
| 39 Compatibility | |
| 40 ============= | |
| 41 | |
| 42 Works with Prosody 0.9 and later. Requires LuaSec with [support for | |
| 43 inspecting public keys](https://github.com/brunoos/luasec/pull/19). |