prosody
dfb29b5b0a57

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Changeset

12096:dfb29b5b0a57

core.certmanager: Presets based on Mozilla SSL Configuration Generator ssl_preset = "modern"
author Kim Alvefur <zash@zash.se>
date Sun, 22 Dec 2019 02:25:37 +0100
parents 12095:c1d2bc6603ae
children 12097:9c794d5f6f8d
files CHANGES core/certmanager.lua
diffstat 2 files changed, 61 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGES	Wed Dec 22 14:40:42 2021 +0000
+++ b/CHANGES	Sun Dec 22 02:25:37 2019 +0100
@@ -26,6 +26,7 @@
 -   SCRAM-SHA-256
 -   Direct TLS (including https) certificates updated on reload
 -   Pluggable authorization providers (mod_authz_)
+-   Easy use of Mozilla TLS recommendations presets
 
 ### HTTP
 
--- a/core/certmanager.lua	Wed Dec 22 14:40:42 2021 +0000
+++ b/core/certmanager.lua	Sun Dec 22 02:25:37 2019 +0100
@@ -247,6 +247,64 @@
 	dane = configmanager.get("*", "use_dane");
 }
 
+local mozilla_ssl_configs = {
+	-- As of 2019-12-22
+	modern = {
+		protocol = "tlsv1_3";
+		options = { cipher_server_preference = false };
+		ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
+	};
+	intermediate = {
+		protocol = "tlsv1_2+";
+		dhparam = nil; -- ffdhe2048.txt
+		options = { cipher_server_preference = false };
+		ciphers = {
+			"ECDHE-ECDSA-AES128-GCM-SHA256";
+			"ECDHE-RSA-AES128-GCM-SHA256";
+			"ECDHE-ECDSA-AES256-GCM-SHA384";
+			"ECDHE-RSA-AES256-GCM-SHA384";
+			"ECDHE-ECDSA-CHACHA20-POLY1305";
+			"ECDHE-RSA-CHACHA20-POLY1305";
+			"DHE-RSA-AES128-GCM-SHA256";
+			"DHE-RSA-AES256-GCM-SHA384";
+		};
+	};
+	old = {
+		protocol = "tlsv1+";
+		dhparam = nil; -- openssl dhparam 1024
+		options = { cipher_server_preference = true };
+		ciphers = {
+			"ECDHE-ECDSA-AES128-GCM-SHA256";
+			"ECDHE-RSA-AES128-GCM-SHA256";
+			"ECDHE-ECDSA-AES256-GCM-SHA384";
+			"ECDHE-RSA-AES256-GCM-SHA384";
+			"ECDHE-ECDSA-CHACHA20-POLY1305";
+			"ECDHE-RSA-CHACHA20-POLY1305";
+			"DHE-RSA-AES128-GCM-SHA256";
+			"DHE-RSA-AES256-GCM-SHA384";
+			"DHE-RSA-CHACHA20-POLY1305";
+			"ECDHE-ECDSA-AES128-SHA256";
+			"ECDHE-RSA-AES128-SHA256";
+			"ECDHE-ECDSA-AES128-SHA";
+			"ECDHE-RSA-AES128-SHA";
+			"ECDHE-ECDSA-AES256-SHA384";
+			"ECDHE-RSA-AES256-SHA384";
+			"ECDHE-ECDSA-AES256-SHA";
+			"ECDHE-RSA-AES256-SHA";
+			"DHE-RSA-AES128-SHA256";
+			"DHE-RSA-AES256-SHA256";
+			"AES128-GCM-SHA256";
+			"AES256-GCM-SHA384";
+			"AES128-SHA256";
+			"AES256-SHA256";
+			"AES128-SHA";
+			"AES256-SHA";
+			"DES-CBC3-SHA";
+		};
+	};
+};
+
+
 if luasec_has.curves then
 	for i = #core_defaults.curveslist, 1, -1 do
 		if not luasec_has.curves[ core_defaults.curveslist[i] ] then
@@ -279,6 +337,8 @@
 		password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
 	});
 	cfg:apply(global_ssl_config);
+	local preset = configmanager.get("*", "ssl_preset") or "intermediate";
+	cfg:apply(mozilla_ssl_configs[preset]);
 
 	for i = select('#', ...), 1, -1 do
 		cfg:apply(select(i, ...));