Software / code / prosody-modules
Annotate
mod_tls_policy/README.markdown @ 5571:ca3c2d11823c
mod_pubsub_feeds: Track latest timestamp seen in feeds instead of last poll
This should ensure that an entry that has a publish timestmap after the
previously oldest post, but before the time of the last poll check, is
published to the node.
Previously if an entry would be skipped if it was published at 13:00
with a timestamp of 12:30, where the last poll was at 12:45.
For feeds that lack a timestamp, it now looks for the first post that is
not published, assuming that the feed is in reverse chronological order,
then iterates back up from there.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 25 Jun 2023 16:27:55 +0200 |
| parent | 1845:ad24f8993385 |
| rev | line source |
|---|---|
|
1845
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
1 --- |
|
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
2 summary: Cipher policy enforcement with application level error reporting |
|
ad24f8993385
mod_tls_policy/README: Fix summary so modules.prosody.im understands it
Kim Alvefur <zash@zash.se>
parents:
1843
diff
changeset
|
3 ... |
| 1842 | 4 |
| 5 # Introduction | |
| 6 | |
|
1843
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
7 This module arose from discussions at the XMPP Summit about enforcing |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
8 better ciphers in TLS. It may seem attractive to disallow some insecure |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
9 ciphers or require forward secrecy, but doing this at the TLS level |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
10 would the user with an unhelpful "Encryption failed" message. This |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
11 module does this enforcing at the application level, allowing better |
|
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
12 error messages. |
| 1842 | 13 |
| 14 # Configuration | |
| 15 | |
|
1843
032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
Kim Alvefur <zash@zash.se>
parents:
1842
diff
changeset
|
16 First, download and add the module to `module_enabled`. Then you can |
| 1842 | 17 decide on what policy you want to have. |
| 18 | |
| 19 Requiring ciphers with forward secrecy is the most simple to set up. | |
| 20 | |
| 21 ``` lua | |
| 22 tls_policy = "FS" -- allow only ciphers that enable forward secrecy | |
| 23 ``` | |
| 24 | |
| 25 A more complicated example: | |
| 26 | |
| 27 ``` lua | |
| 28 tls_policy = { | |
| 29 c2s = { | |
| 30 encryption = "AES"; -- Require AES (or AESGCM) encryption | |
| 31 protocol = "TLSv1.2"; -- and TLSv1.2 | |
| 32 bits = 128; -- and at least 128 bits (FIXME: remember what this meant) | |
| 33 } | |
| 34 s2s = { | |
| 35 cipher = "AESGCM"; -- Require AESGCM ciphers | |
| 36 protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2 | |
| 37 authentication = "RSA"; -- with RSA authentication | |
| 38 }; | |
| 39 } | |
| 40 ``` | |
| 41 | |
| 42 # Compatibility | |
| 43 | |
| 44 Requires LuaSec 0.5 | |
| 45 |
