Annotate

mod_s2s_keysize_policy/README.markdown @ 5405:c7a5caad28ef

mod_http_oauth2: Enforce response type encoded in client_id The client promises to only use this response type, so we should hold them to that. This makes it fail earlier if the response type is disabled or the client is trying to use one that it promised not to use. Better than failing after login and consent.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:31:25 +0200
parent 1895:101078d9cc27
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1895
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 ---
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 summary: Distrust servers with too small keys
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 ...
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 Introduction
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 ============
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 This module sets the security status of s2s connections to invalid if
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 their key is too small and their certificate was issued after 2014, per
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 CA/B Forum guidelines.
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 Details
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 =======
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 Certificate Authorities were no longer allowed to issue certificates
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 with public keys smaller than 2048 bits (for RSA) after December 31
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 2013. This module was written to enforce this, as there were some CAs
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 that were slow to comply. As of 2015, it might not be very relevant
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 anymore, but still useful for anyone who wants to increase their
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 security levels.
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 When a server is determined to have a "too small" key, this module sets
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 its chain and identity status to "invalid", so Prosody will treat it as
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 a self-signed certificate istead.
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 "Too small"
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 -----------
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 The definition of "too small" is based on the key type and is taken from
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 [RFC 4492].
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 Type bits
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 ------ ------
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 RSA 2048
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 DSA 2048
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 DH 2048
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 EC 233
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 Compatibility
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 =============
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 Works with Prosody 0.9 and later. Requires LuaSec with [support for
101078d9cc27 mod_s2s_keysize_policy: Add a README
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 inspecting public keys](https://github.com/brunoos/luasec/pull/19).