prosody
dfb29b5b0a57
core/certmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

core/certmanager.lua @ 12096:dfb29b5b0a57

core.certmanager: Presets based on Mozilla SSL Configuration Generator ssl_preset = "modern"
author Kim Alvefur <zash@zash.se>
date Sun, 22 Dec 2019 02:25:37 +0100
parent 11709:5810166f35d5
child 12097:9c794d5f6f8d
comparison
equal deleted inserted replaced
12095:c1d2bc6603ae 12096:dfb29b5b0a57
245 "!aNULL", -- Ciphers that does not authenticate the connection 245 "!aNULL", -- Ciphers that does not authenticate the connection
246 }; 246 };
247 dane = configmanager.get("*", "use_dane"); 247 dane = configmanager.get("*", "use_dane");
248 } 248 }
249 249
250 local mozilla_ssl_configs = {
251 -- As of 2019-12-22
252 modern = {
253 protocol = "tlsv1_3";
254 options = { cipher_server_preference = false };
255 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
256 };
257 intermediate = {
258 protocol = "tlsv1_2+";
259 dhparam = nil; -- ffdhe2048.txt
260 options = { cipher_server_preference = false };
261 ciphers = {
262 "ECDHE-ECDSA-AES128-GCM-SHA256";
263 "ECDHE-RSA-AES128-GCM-SHA256";
264 "ECDHE-ECDSA-AES256-GCM-SHA384";
265 "ECDHE-RSA-AES256-GCM-SHA384";
266 "ECDHE-ECDSA-CHACHA20-POLY1305";
267 "ECDHE-RSA-CHACHA20-POLY1305";
268 "DHE-RSA-AES128-GCM-SHA256";
269 "DHE-RSA-AES256-GCM-SHA384";
270 };
271 };
272 old = {
273 protocol = "tlsv1+";
274 dhparam = nil; -- openssl dhparam 1024
275 options = { cipher_server_preference = true };
276 ciphers = {
277 "ECDHE-ECDSA-AES128-GCM-SHA256";
278 "ECDHE-RSA-AES128-GCM-SHA256";
279 "ECDHE-ECDSA-AES256-GCM-SHA384";
280 "ECDHE-RSA-AES256-GCM-SHA384";
281 "ECDHE-ECDSA-CHACHA20-POLY1305";
282 "ECDHE-RSA-CHACHA20-POLY1305";
283 "DHE-RSA-AES128-GCM-SHA256";
284 "DHE-RSA-AES256-GCM-SHA384";
285 "DHE-RSA-CHACHA20-POLY1305";
286 "ECDHE-ECDSA-AES128-SHA256";
287 "ECDHE-RSA-AES128-SHA256";
288 "ECDHE-ECDSA-AES128-SHA";
289 "ECDHE-RSA-AES128-SHA";
290 "ECDHE-ECDSA-AES256-SHA384";
291 "ECDHE-RSA-AES256-SHA384";
292 "ECDHE-ECDSA-AES256-SHA";
293 "ECDHE-RSA-AES256-SHA";
294 "DHE-RSA-AES128-SHA256";
295 "DHE-RSA-AES256-SHA256";
296 "AES128-GCM-SHA256";
297 "AES256-GCM-SHA384";
298 "AES128-SHA256";
299 "AES256-SHA256";
300 "AES128-SHA";
301 "AES256-SHA";
302 "DES-CBC3-SHA";
303 };
304 };
305 };
306
307
250 if luasec_has.curves then 308 if luasec_has.curves then
251 for i = #core_defaults.curveslist, 1, -1 do 309 for i = #core_defaults.curveslist, 1, -1 do
252 if not luasec_has.curves[ core_defaults.curveslist[i] ] then 310 if not luasec_has.curves[ core_defaults.curveslist[i] ] then
253 t_remove(core_defaults.curveslist, i); 311 t_remove(core_defaults.curveslist, i);
254 end 312 end
277 mode = mode, 335 mode = mode,
278 -- We can't read the password interactively when daemonized 336 -- We can't read the password interactively when daemonized
279 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; 337 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
280 }); 338 });
281 cfg:apply(global_ssl_config); 339 cfg:apply(global_ssl_config);
340 local preset = configmanager.get("*", "ssl_preset") or "intermediate";
341 cfg:apply(mozilla_ssl_configs[preset]);
282 342
283 for i = select('#', ...), 1, -1 do 343 for i = select('#', ...), 1, -1 do
284 cfg:apply(select(i, ...)); 344 cfg:apply(select(i, ...));
285 end 345 end
286 local user_ssl_config = cfg:final(); 346 local user_ssl_config = cfg:final();