diff options
| author | Kim Alvefur <zash@zash.se> | 2019-12-22 02:25:37 +0100 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2019-12-22 02:25:37 +0100 |
| commit | d2ff8032626bb17d332b4e9047c8cc0f0b39fec7 (patch) | |
| tree | 476329da68d610468cef75f135f4bf9e6405dc77 /core | |
| parent | bd455426f6ade80b80ab44f3ae3e946e44303120 (diff) | |
| download | prosody-d2ff8032626bb17d332b4e9047c8cc0f0b39fec7.tar.gz prosody-d2ff8032626bb17d332b4e9047c8cc0f0b39fec7.zip | |
core.certmanager: Presets based on Mozilla SSL Configuration Generator
ssl_preset = "modern"
Diffstat (limited to 'core')
| -rw-r--r-- | core/certmanager.lua | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua index 7c7fc150..bdfefce3 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -247,6 +247,64 @@ local core_defaults = { dane = configmanager.get("*", "use_dane"); } +local mozilla_ssl_configs = { + -- As of 2019-12-22 + modern = { + protocol = "tlsv1_3"; + options = { cipher_server_preference = false }; + ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these + }; + intermediate = { + protocol = "tlsv1_2+"; + dhparam = nil; -- ffdhe2048.txt + options = { cipher_server_preference = false }; + ciphers = { + "ECDHE-ECDSA-AES128-GCM-SHA256"; + "ECDHE-RSA-AES128-GCM-SHA256"; + "ECDHE-ECDSA-AES256-GCM-SHA384"; + "ECDHE-RSA-AES256-GCM-SHA384"; + "ECDHE-ECDSA-CHACHA20-POLY1305"; + "ECDHE-RSA-CHACHA20-POLY1305"; + "DHE-RSA-AES128-GCM-SHA256"; + "DHE-RSA-AES256-GCM-SHA384"; + }; + }; + old = { + protocol = "tlsv1+"; + dhparam = nil; -- openssl dhparam 1024 + options = { cipher_server_preference = true }; + ciphers = { + "ECDHE-ECDSA-AES128-GCM-SHA256"; + "ECDHE-RSA-AES128-GCM-SHA256"; + "ECDHE-ECDSA-AES256-GCM-SHA384"; + "ECDHE-RSA-AES256-GCM-SHA384"; + "ECDHE-ECDSA-CHACHA20-POLY1305"; + "ECDHE-RSA-CHACHA20-POLY1305"; + "DHE-RSA-AES128-GCM-SHA256"; + "DHE-RSA-AES256-GCM-SHA384"; + "DHE-RSA-CHACHA20-POLY1305"; + "ECDHE-ECDSA-AES128-SHA256"; + "ECDHE-RSA-AES128-SHA256"; + "ECDHE-ECDSA-AES128-SHA"; + "ECDHE-RSA-AES128-SHA"; + "ECDHE-ECDSA-AES256-SHA384"; + "ECDHE-RSA-AES256-SHA384"; + "ECDHE-ECDSA-AES256-SHA"; + "ECDHE-RSA-AES256-SHA"; + "DHE-RSA-AES128-SHA256"; + "DHE-RSA-AES256-SHA256"; + "AES128-GCM-SHA256"; + "AES256-GCM-SHA384"; + "AES128-SHA256"; + "AES256-SHA256"; + "AES128-SHA"; + "AES256-SHA"; + "DES-CBC3-SHA"; + }; + }; +}; + + if luasec_has.curves then for i = #core_defaults.curveslist, 1, -1 do if not luasec_has.curves[ core_defaults.curveslist[i] ] then @@ -279,6 +337,8 @@ local function create_context(host, mode, ...) password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; }); cfg:apply(global_ssl_config); + local preset = configmanager.get("*", "ssl_preset") or "intermediate"; + cfg:apply(mozilla_ssl_configs[preset]); for i = select('#', ...), 1, -1 do cfg:apply(select(i, ...)); |