Software /
code /
prosody-modules
Annotate
mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5491:7842502c1157
mod_http_debug: Log some extended info about requests
If you point something external at this module, you don't get the
response body back, hence it can be useful to see some details in the
log as well.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 26 May 2023 15:37:15 +0200 |
parent | 2424:27ffa6521d4e |
rev | line source |
---|---|
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- mod_s2s_keysize_policy.lua |
1204
fc42f8484451
mod_s2s_keysize_policy: Add note about required LuaSec patch
Kim Alvefur <zash@zash.se>
parents:
1203
diff
changeset
|
2 -- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12 |
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 module:set_global(); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local datetime_parse = require"util.datetime".parse; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 local pat = "^([JFMAONSD][ceupao][glptbvyncr]) ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12}; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local function parse_x509_datetime(s) |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local month, day, hour, min, sec, year = s:match(pat); month = months[month]; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec)); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z"); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 -- From RFC 4492 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local weak_key_size = { |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 RSA = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 DSA = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 DH = 2048, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 EC = 233, |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 } |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 module:hook("s2s-check-certificate", function(event) |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 local host, session, cert = event.host, event.session, event.cert; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 if cert and cert.pubkey then |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 local _, key_type, key_size = cert:pubkey(); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 if key_size < ( weak_key_size[key_type] or 0 ) then |
1325
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
29 local issued = parse_x509_datetime(cert:notbefore()); |
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
30 if issued > weak_key_cutoff then |
2424
27ffa6521d4e
mod_s2s_keysize_policy: Lower log message to a warning since it is not really a fatal error
Kim Alvefur <zash@zash.se>
parents:
1325
diff
changeset
|
31 session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); |
1203
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 session.cert_chain_status = "invalid"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 session.cert_identity_status = "invalid"; |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 else |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 else |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 session.log("info", "%s has a %s-bit %s key", host, key_size, key_type); |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 end |
5294c8c1861c
mod_s2s_keysize_policy: Don't trust keys weaker than 2048 bit RSA after 31 December 2013
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 end); |