mod_s2s_keysize_policy/README.markdown @ 1895:101078d9cc27
mod_s2s_keysize_policy: Add a README
author | Kim Alvefur <zash@zash.se>
---|---
date | Sun, 04 Oct 2015 23:24:19 +0200
1894:93c5479c6f2f | 1895:101078d9cc27
---|---
---
summary: Distrust servers with too small keys
...

Introduction
============

This module sets the security status of s2s connections to invalid if
their key is too small and their certificate was issued after 2014, per
CA/B Forum guidelines.

Details
=======

Certificate Authorities were no longer allowed to issue certificates
with public keys smaller than 2048 bits (for RSA) after December 31
2013. This module was written to enforce this, as there were some CAs
that were slow to comply. As of 2015, it might not be very relevant
anymore, but still useful for anyone who wants to increase their
security levels.

When a server is determined to have a "too small" key, this module sets
its chain and identity status to "invalid", so Prosody will treat it as
a self-signed certificate istead.

"Too small"
-----------

The definition of "too small" is based on the key type and is taken from
[RFC 4492].

Type     bits
------   ------
RSA      2048
DSA      2048
DH       2048
EC        233

Compatibility
=============

Works with Prosody 0.9 and later. Requires LuaSec with [support for
inspecting public keys](https://github.com/brunoos/luasec/pull/19).
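Review bot: the Introduction and the Details section give two different cut-off dates for the same rule: the Introduction says the certificate must have been "issued after 2014", while Details says CAs could not issue sub-2048-bit RSA keys "after December 31 2013". Pick one, and say which date the module actually compares against the certificate, since the CA/B Forum Baseline Requirements tie the 2048-bit minimum to certificates whose validity period ends after 31 December 2013 rather than strictly to the issue date; a reader deciding whether a given peer will be marked invalid needs the exact comparison. In the "Too small" section, `[RFC 4492]` is a reference-style link with no matching definition anywhere in the file, so it will render as literal brackets; add a line such as `[RFC 4492]: https://tools.ietf.org/html/rfc4492` and mention that the numbers come from the comparable-key-sizes table in its Introduction, since that is where the 233-bit EC figure next to 2048-bit RSA/DSA/DH is found. The table also leaves open whether a key of exactly 2048 (or 233) bits passes; "smaller than" in Details implies a strict comparison, and stating that explicitly beside the table would remove the ambiguity. Minor: "istead" in the Details paragraph should be "instead", and the Compatibility section would be more useful if it named the LuaSec release that merged the linked pull request instead of linking only the pull request.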