diff options
author | Kim Alvefur <zash@zash.se> | 2019-12-22 02:25:37 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2019-12-22 02:25:37 +0100 |
commit | d2ff8032626bb17d332b4e9047c8cc0f0b39fec7 (patch) | |
tree | 476329da68d610468cef75f135f4bf9e6405dc77 | |
parent | bd455426f6ade80b80ab44f3ae3e946e44303120 (diff) | |
download | prosody-d2ff8032626bb17d332b4e9047c8cc0f0b39fec7.tar.gz prosody-d2ff8032626bb17d332b4e9047c8cc0f0b39fec7.zip |
core.certmanager: Presets based on Mozilla SSL Configuration Generator
ssl_preset = "modern"
-rw-r--r-- | CHANGES | 1 | ||||
-rw-r--r-- | core/certmanager.lua | 60 |
2 files changed, 61 insertions, 0 deletions
@@ -26,6 +26,7 @@ TRUNK - SCRAM-SHA-256 - Direct TLS (including https) certificates updated on reload - Pluggable authorization providers (mod_authz_) +- Easy use of Mozilla TLS recommendations presets ### HTTP diff --git a/core/certmanager.lua b/core/certmanager.lua index 7c7fc150..bdfefce3 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -247,6 +247,64 @@ local core_defaults = { dane = configmanager.get("*", "use_dane"); } +local mozilla_ssl_configs = { + -- As of 2019-12-22 + modern = { + protocol = "tlsv1_3"; + options = { cipher_server_preference = false }; + ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these + }; + intermediate = { + protocol = "tlsv1_2+"; + dhparam = nil; -- ffdhe2048.txt + options = { cipher_server_preference = false }; + ciphers = { + "ECDHE-ECDSA-AES128-GCM-SHA256"; + "ECDHE-RSA-AES128-GCM-SHA256"; + "ECDHE-ECDSA-AES256-GCM-SHA384"; + "ECDHE-RSA-AES256-GCM-SHA384"; + "ECDHE-ECDSA-CHACHA20-POLY1305"; + "ECDHE-RSA-CHACHA20-POLY1305"; + "DHE-RSA-AES128-GCM-SHA256"; + "DHE-RSA-AES256-GCM-SHA384"; + }; + }; + old = { + protocol = "tlsv1+"; + dhparam = nil; -- openssl dhparam 1024 + options = { cipher_server_preference = true }; + ciphers = { + "ECDHE-ECDSA-AES128-GCM-SHA256"; + "ECDHE-RSA-AES128-GCM-SHA256"; + "ECDHE-ECDSA-AES256-GCM-SHA384"; + "ECDHE-RSA-AES256-GCM-SHA384"; + "ECDHE-ECDSA-CHACHA20-POLY1305"; + "ECDHE-RSA-CHACHA20-POLY1305"; + "DHE-RSA-AES128-GCM-SHA256"; + "DHE-RSA-AES256-GCM-SHA384"; + "DHE-RSA-CHACHA20-POLY1305"; + "ECDHE-ECDSA-AES128-SHA256"; + "ECDHE-RSA-AES128-SHA256"; + "ECDHE-ECDSA-AES128-SHA"; + "ECDHE-RSA-AES128-SHA"; + "ECDHE-ECDSA-AES256-SHA384"; + "ECDHE-RSA-AES256-SHA384"; + "ECDHE-ECDSA-AES256-SHA"; + "ECDHE-RSA-AES256-SHA"; + "DHE-RSA-AES128-SHA256"; + "DHE-RSA-AES256-SHA256"; + "AES128-GCM-SHA256"; + "AES256-GCM-SHA384"; + "AES128-SHA256"; + "AES256-SHA256"; + "AES128-SHA"; + "AES256-SHA"; + "DES-CBC3-SHA"; + }; + }; +}; + + if luasec_has.curves then for i = #core_defaults.curveslist, 1, -1 do if not luasec_has.curves[ core_defaults.curveslist[i] ] then @@ -279,6 +337,8 @@ local function create_context(host, mode, ...) password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; }); cfg:apply(global_ssl_config); + local preset = configmanager.get("*", "ssl_preset") or "intermediate"; + cfg:apply(mozilla_ssl_configs[preset]); for i = select('#', ...), 1, -1 do cfg:apply(select(i, ...)); |