
core/certmanager.lua @ 13503:8b68e8faab52

core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param This removes one manual (yet undocumented) step that was supposed to be done to get a complete 'intermediate' configuration. This file can be found on the Internet by searching for "ffdhe2048" and can be verified by comparing the hexadecimal representation of p from the RFC with the output of `openssl asn1parse`. Given the preference and prevalence of ECDHE, it seems likely that few would have noticed this.
author Kim Alvefur <zash@zash.se>
date Fri, 12 Jul 2024 15:06:42 +0200
parent 13303:05c0ac580552
child 13703:99d2100d2918
13502:61da4491eebc 13503:8b68e8faab52
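--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -211,10 +211,22 @@
 "!aNULL", -- Ciphers that does not authenticate the connection
 };
 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
 }
 
+-- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
+local ffdhe2048 = [[
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
+]]
+
 local mozilla_ssl_configs = {
 -- https://wiki.mozilla.org/Security/Server_Side_TLS
 -- Version 5.7 as of 2023-07-09
 modern = {
 protocol = "tlsv1_3";
@@ -223,11 +235,11 @@
 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
 };
 intermediate = {
 protocol = "tlsv1_2+";
-dhparam = nil; -- ffdhe2048.txt
+dhparam = ffdhe2048;
 options = { cipher_server_preference = false };
 ciphers = {
 "ECDHE-ECDSA-AES128-GCM-SHA256";
 "ECDHE-RSA-AES128-GCM-SHA256";
 "ECDHE-ECDSA-AES256-GCM-SHA384";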
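Review bot: On the `dhparam = ffdhe2048;` line of the `intermediate` profile, the value changes from `nil` with a `-- ffdhe2048.txt` hint, which reads like a file name, to the PEM text itself, and nothing in the visible lines shows that the code consuming `dhparam` accepts inline PEM rather than a path. If a string is still resolved as a path there, the group would presumably fail to load or be dropped, so that handling is worth confirming and covering with a test that builds a context from the intermediate profile. The constant itself carries only the RFC link, while the verification step lives in the commit message; it belongs next to the blob, for example `-- Verify: p shown by "openssl asn1parse" must match the ffdhe2048 prime in RFC 7919 appendix A.1`. The `intermediate` table and its `ciphers` list continue past the last line shown.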