Comparison

mod_tls_policy/README.markdown @ 1842:98ad01cc83cf

mod_tls_policy: Add README
author Kim Alvefur <zash@zash.se>
date Sat, 12 Sep 2015 21:02:33 +0200
child 1843:032b209bb8ff
comparison
equal deleted inserted replaced
1841:0a7053d14b43 1842:98ad01cc83cf
1 % Cipher policy enforcement with application level error reporting
2
3 # Introduction
4
5 This module arose from discussions at the XMPP Summit about enforcing
6 better ciphers in TLS. It may seem attractive to disallow some
7 insecure ciphers or require forward secrecy, but doing this at the TLS
8 level would the user with an unhelpful "Encryption failed" message.
9 This module does this enforcing at the application level, allowing
10 better error messages.
11
12 # Configuration
13
14 First, download and add the module to `module_enabled`. Then you can
15 decide on what policy you want to have.
16
17 Requiring ciphers with forward secrecy is the most simple to set up.
18
19 ``` lua
20 tls_policy = "FS" -- allow only ciphers that enable forward secrecy
21 ```
22
23 A more complicated example:
24
25 ``` lua
26 tls_policy = {
27 c2s = {
28 encryption = "AES"; -- Require AES (or AESGCM) encryption
29 protocol = "TLSv1.2"; -- and TLSv1.2
30 bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
31 }
32 s2s = {
33 cipher = "AESGCM"; -- Require AESGCM ciphers
34 protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
35 authentication = "RSA"; -- with RSA authentication
36 };
37 }
38 ```
39
40 # Compatibility
41
42 Requires LuaSec 0.5
43