prosody
9c794d5f6f8d
core/certmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

core/certmanager.lua @ 12097:9c794d5f6f8d

core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
author Kim Alvefur <zash@zash.se>
date Wed, 03 Nov 2021 12:23:29 +0100
parent 12096:dfb29b5b0a57
child 12098:9591b838e3b0
comparison
equal deleted inserted replaced
12096:dfb29b5b0a57 12097:9c794d5f6f8d
246 }; 246 };
247 dane = configmanager.get("*", "use_dane"); 247 dane = configmanager.get("*", "use_dane");
248 } 248 }
249 249
250 local mozilla_ssl_configs = { 250 local mozilla_ssl_configs = {
251 -- As of 2019-12-22 251 -- https://wiki.mozilla.org/Security/Server_Side_TLS
252 -- As of 2021-11-03
252 modern = { 253 modern = {
253 protocol = "tlsv1_3"; 254 protocol = "tlsv1_3";
254 options = { cipher_server_preference = false }; 255 options = { cipher_server_preference = false };
255 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these 256 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
257 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
258 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
256 }; 259 };
257 intermediate = { 260 intermediate = {
258 protocol = "tlsv1_2+"; 261 protocol = "tlsv1_2+";
259 dhparam = nil; -- ffdhe2048.txt 262 dhparam = nil; -- ffdhe2048.txt
260 options = { cipher_server_preference = false }; 263 options = { cipher_server_preference = false };
266 "ECDHE-ECDSA-CHACHA20-POLY1305"; 269 "ECDHE-ECDSA-CHACHA20-POLY1305";
267 "ECDHE-RSA-CHACHA20-POLY1305"; 270 "ECDHE-RSA-CHACHA20-POLY1305";
268 "DHE-RSA-AES128-GCM-SHA256"; 271 "DHE-RSA-AES128-GCM-SHA256";
269 "DHE-RSA-AES256-GCM-SHA384"; 272 "DHE-RSA-AES256-GCM-SHA384";
270 }; 273 };
274 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
275 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
271 }; 276 };
272 old = { 277 old = {
273 protocol = "tlsv1+"; 278 protocol = "tlsv1+";
274 dhparam = nil; -- openssl dhparam 1024 279 dhparam = nil; -- openssl dhparam 1024
275 options = { cipher_server_preference = true }; 280 options = { cipher_server_preference = true };
299 "AES256-SHA256"; 304 "AES256-SHA256";
300 "AES128-SHA"; 305 "AES128-SHA";
301 "AES256-SHA"; 306 "AES256-SHA";
302 "DES-CBC3-SHA"; 307 "DES-CBC3-SHA";
303 }; 308 };
309 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
304 }; 310 };
305 }; 311 };
306 312
307 313
308 if luasec_has.curves then 314 if luasec_has.curves then