+
−---
+
−summary: Cipher policy enforcement with application level error reporting
+
−...
+
−
+
−# Introduction
+
−
+
−This module arose from discussions at the XMPP Summit about enforcing
+
−better ciphers in TLS. It may seem attractive to disallow some insecure
+
−ciphers or require forward secrecy, but doing this at the TLS level
+
−would the user with an unhelpful "Encryption failed" message. This
+
−module does this enforcing at the application level, allowing better
+
−error messages.
+
−
+
−# Configuration
+
−
+
−First, download and add the module to `module_enabled`.  Then you can
+
−decide on what policy you want to have.
+
−
+
−Requiring ciphers with forward secrecy is the most simple to set up.
+
−
+
−``` lua
+
−tls_policy = "FS" -- allow only ciphers that enable forward secrecy
+
−```
+
−
+
−A more complicated example:
+
−
+
−``` lua
+
−tls_policy = {
+
−  c2s = {
+
−    encryption = "AES"; -- Require AES (or AESGCM) encryption
+
−    protocol = "TLSv1.2"; -- and TLSv1.2
+
−    bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
+
−  }
+
−  s2s = {
+
−    cipher = "AESGCM"; -- Require AESGCM ciphers
+
−    protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
+
−    authentication = "RSA"; -- with RSA authentication
+
−  };
+
−}
+
−```
+
−
+
−# Compatibility
+
−
+
−Requires LuaSec 0.5
+
−