mod_tls_policy

Introduction

This module arose from discussions at the XMPP Summit about enforcing better ciphers in TLS. It may seem attractive to disallow some insecure ciphers or require forward secrecy, but doing this at the TLS level would the user with an unhelpful “Encryption failed” message. This module does this enforcing at the application level, allowing better error messages.

Configuration

First, download and add the module to module_enabled. Then you can decide on what policy you want to have.

Requiring ciphers with forward secrecy is the most simple to set up.

tls_policy = "FS" -- allow only ciphers that enable forward secrecy

A more complicated example:

tls_policy = {
  c2s = {
    encryption = "AES"; -- Require AES (or AESGCM) encryption
    protocol = "TLSv1.2"; -- and TLSv1.2
    bits = 128; -- and at least 128 bits (FIXME: remember what this meant)
  }
  s2s = {
    cipher = "AESGCM"; -- Require AESGCM ciphers
    protocol = "TLSv1.[12]"; -- and TLSv1.1 or 1.2
    authentication = "RSA"; -- with RSA authentication
  };
}

Compatibility

Requires LuaSec 0.5

Installation

With the plugin installer in Prosody 0.12 you can use:

sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_tls_policy

For earlier versions see the documentation for installing 3rd party modules

Latest changes

All community modules: Unify file extention of Markdown files to .md 2024-10-22
Switch method of checking for TLS-encrypted connection 2021-09-09
Change the FS shortcut to match on ciphers with (EC)DHE (produces nicer stream error) 2015-10-02
Fix summary so modules.prosody.im understands it 2015-09-13
Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks) 2015-09-12

mod_tls_policy

Introduction

Configuration

Compatibility

Installation

Latest changes

Details

Authors

Links