# HG changeset patch # User Kim Alvefur # Date 1380474639 -7200 # Node ID 5294c8c1861ca3bfda8ce9452d3dc7c10d5eba77 # Parent 2cce28fe806b77f2f044942fec4fda5b861d3f48 mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013 diff -r 2cce28fe806b -r 5294c8c1861c mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua Sun Sep 29 19:10:39 2013 +0200 @@ -0,0 +1,40 @@ +-- mod_s2s_keysize_policy.lua + +module:set_global(); + +local datetime_parse = require"util.datetime".parse; +local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$"; +local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}; +local function parse_x509_datetime(s) + local month, day, hour, min, sec, year = s:match(pat); month = months[month]; + return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec)); +end + +local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z"); + +-- From RFC 4492 +local weak_key_size = { + RSA = 2048, + DSA = 2048, + DH = 2048, + EC = 233, +} + +module:hook("s2s-check-certificate", function(event) + local host, session, cert = event.host, event.session, event.cert; + if cert and cert.pubkey then + local _, key_type, key_size = cert:pubkey(); + if key_size < ( weak_key_size[key_type] or 0 ) then + local issued = parse_x509_datetime(cert:notbefore()); + if issued > weak_key_cutoff then + session.log("error", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); + session.cert_chain_status = "invalid"; + session.cert_identity_status = "invalid"; + else + session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); + end + else + session.log("info", "%s has a %s-bit %s key", host, key_size, key_type); + end + end +end);
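Review bot: parse_x509_datetime has no nil guard, so a notbefore() string that does not match `pat` (or one the loose character classes accept but that is not a real month name, e.g. "Jep") makes `month = months[month]` nil and `("%04d-...")):format(year, month, ...)` raises "number expected, got nil" inside the s2s-check-certificate handler, aborting the hook for that session. Suggest returning nil when the match fails, `local month, day, hour, min, sec, year = s:match(pat); if not month then return nil end; month = months[month];`, and in the hook treating an unparsable date explicitly, e.g. `if not issued or issued > weak_key_cutoff then` if a weak key with an unreadable validity period should be distrusted, or a separate `session.log("warn", ...)` branch if it should only be reported. A one-line comment on `pat` noting that it targets the "Mon DD HH:MM:SS YYYY GMT" form returned by the certificate object's notbefore() (including the double-space padding for single-digit days, which the ` ?` handles) would also help the next reader.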