Mercurial > prosody-modules
comparison mod_tls_policy/README.markdown @ 1842:98ad01cc83cf
mod_tls_policy: Add README
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 12 Sep 2015 21:02:33 +0200 |
| parents | |
| children | 032b209bb8ff |
comparison
equal
deleted
inserted
replaced
| 1841:0a7053d14b43 | 1842:98ad01cc83cf |
|---|---|
| 1 % Cipher policy enforcement with application level error reporting | |
| 2 | |
| 3 # Introduction | |
| 4 | |
| 5 This module arose from discussions at the XMPP Summit about enforcing | |
| 6 better ciphers in TLS. It may seem attractive to disallow some | |
| 7 insecure ciphers or require forward secrecy, but doing this at the TLS | |
| 8 level would the user with an unhelpful "Encryption failed" message. | |
| 9 This module does this enforcing at the application level, allowing | |
| 10 better error messages. | |
| 11 | |
| 12 # Configuration | |
| 13 | |
| 14 First, download and add the module to `module_enabled`. Then you can | |
| 15 decide on what policy you want to have. | |
| 16 | |
| 17 Requiring ciphers with forward secrecy is the most simple to set up. | |
| 18 | |
| 19 ``` lua | |
| 20 tls_policy = "FS" -- allow only ciphers that enable forward secrecy | |
| 21 ``` | |
| 22 | |
| 23 A more complicated example: | |
| 24 | |
| 25 ``` lua | |
| 26 tls_policy = { | |
| 27 c2s = { | |
| 28 encryption = "AES"; -- Require AES (or AESGCM) encryption | |
| 29 protocol = "TLSv1.2"; -- and TLSv1.2 | |
| 30 bits = 128; -- and at least 128 bits (FIXME: remember what this meant) | |
| 31 } | |
| 32 s2s = { | |
| 33 cipher = "AESGCM"; -- Require AESGCM ciphers | |
| 34 protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2 | |
| 35 authentication = "RSA"; -- with RSA authentication | |
| 36 }; | |
| 37 } | |
| 38 ``` | |
| 39 | |
| 40 # Compatibility | |
| 41 | |
| 42 Requires LuaSec 0.5 | |
| 43 |