mod_tls_policy

Introduction

This module arose from discussions at the XMPP Summit about enforcing better ciphers in TLS. It may seem attractive to disallow some insecure ciphers or require forward secrecy, but doing this at the TLS level would the user with an unhelpful “Encryption failed” message. This module does this enforcing at the application level, allowing better error messages.

Configuration

First, download and add the module to module_enabled. Then you can decide on what policy you want to have.

Requiring ciphers with forward secrecy is the most simple to set up.

tls_policy = "FS" -- allow only ciphers that enable forward secrecy

A more complicated example:

tls_policy = {
  c2s = {
    encryption = "AES"; -- Require AES (or AESGCM) encryption
    protocol = "TLSv1.2"; -- and TLSv1.2
    bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
  }
  s2s = {
    cipher = "AESGCM"; -- Require AESGCM ciphers
    protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
    authentication = "RSA"; -- with RSA authentication
  };
}

Compatibility

Requires LuaSec 0.5


Installation

With the plugin installer in Prosody 0.12 you can use:

sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_tls_policy

For earlier versions see the documentation for installing 3rd party modules