Mercurial > prosody-hg
comparison core/certmanager.lua @ 12096:dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
ssl_preset = "modern"
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 22 Dec 2019 02:25:37 +0100 |
| parents | 5810166f35d5 |
| children | 9c794d5f6f8d |
comparison
equal
deleted
inserted
replaced
| 12095:c1d2bc6603ae | 12096:dfb29b5b0a57 |
|---|---|
| 245 "!aNULL", -- Ciphers that does not authenticate the connection | 245 "!aNULL", -- Ciphers that does not authenticate the connection |
| 246 }; | 246 }; |
| 247 dane = configmanager.get("*", "use_dane"); | 247 dane = configmanager.get("*", "use_dane"); |
| 248 } | 248 } |
| 249 | 249 |
| 250 local mozilla_ssl_configs = { | |
| 251 -- As of 2019-12-22 | |
| 252 modern = { | |
| 253 protocol = "tlsv1_3"; | |
| 254 options = { cipher_server_preference = false }; | |
| 255 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these | |
| 256 }; | |
| 257 intermediate = { | |
| 258 protocol = "tlsv1_2+"; | |
| 259 dhparam = nil; -- ffdhe2048.txt | |
| 260 options = { cipher_server_preference = false }; | |
| 261 ciphers = { | |
| 262 "ECDHE-ECDSA-AES128-GCM-SHA256"; | |
| 263 "ECDHE-RSA-AES128-GCM-SHA256"; | |
| 264 "ECDHE-ECDSA-AES256-GCM-SHA384"; | |
| 265 "ECDHE-RSA-AES256-GCM-SHA384"; | |
| 266 "ECDHE-ECDSA-CHACHA20-POLY1305"; | |
| 267 "ECDHE-RSA-CHACHA20-POLY1305"; | |
| 268 "DHE-RSA-AES128-GCM-SHA256"; | |
| 269 "DHE-RSA-AES256-GCM-SHA384"; | |
| 270 }; | |
| 271 }; | |
| 272 old = { | |
| 273 protocol = "tlsv1+"; | |
| 274 dhparam = nil; -- openssl dhparam 1024 | |
| 275 options = { cipher_server_preference = true }; | |
| 276 ciphers = { | |
| 277 "ECDHE-ECDSA-AES128-GCM-SHA256"; | |
| 278 "ECDHE-RSA-AES128-GCM-SHA256"; | |
| 279 "ECDHE-ECDSA-AES256-GCM-SHA384"; | |
| 280 "ECDHE-RSA-AES256-GCM-SHA384"; | |
| 281 "ECDHE-ECDSA-CHACHA20-POLY1305"; | |
| 282 "ECDHE-RSA-CHACHA20-POLY1305"; | |
| 283 "DHE-RSA-AES128-GCM-SHA256"; | |
| 284 "DHE-RSA-AES256-GCM-SHA384"; | |
| 285 "DHE-RSA-CHACHA20-POLY1305"; | |
| 286 "ECDHE-ECDSA-AES128-SHA256"; | |
| 287 "ECDHE-RSA-AES128-SHA256"; | |
| 288 "ECDHE-ECDSA-AES128-SHA"; | |
| 289 "ECDHE-RSA-AES128-SHA"; | |
| 290 "ECDHE-ECDSA-AES256-SHA384"; | |
| 291 "ECDHE-RSA-AES256-SHA384"; | |
| 292 "ECDHE-ECDSA-AES256-SHA"; | |
| 293 "ECDHE-RSA-AES256-SHA"; | |
| 294 "DHE-RSA-AES128-SHA256"; | |
| 295 "DHE-RSA-AES256-SHA256"; | |
| 296 "AES128-GCM-SHA256"; | |
| 297 "AES256-GCM-SHA384"; | |
| 298 "AES128-SHA256"; | |
| 299 "AES256-SHA256"; | |
| 300 "AES128-SHA"; | |
| 301 "AES256-SHA"; | |
| 302 "DES-CBC3-SHA"; | |
| 303 }; | |
| 304 }; | |
| 305 }; | |
| 306 | |
| 307 | |
| 250 if luasec_has.curves then | 308 if luasec_has.curves then |
| 251 for i = #core_defaults.curveslist, 1, -1 do | 309 for i = #core_defaults.curveslist, 1, -1 do |
| 252 if not luasec_has.curves[ core_defaults.curveslist[i] ] then | 310 if not luasec_has.curves[ core_defaults.curveslist[i] ] then |
| 253 t_remove(core_defaults.curveslist, i); | 311 t_remove(core_defaults.curveslist, i); |
| 254 end | 312 end |
| 277 mode = mode, | 335 mode = mode, |
| 278 -- We can't read the password interactively when daemonized | 336 -- We can't read the password interactively when daemonized |
| 279 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | 337 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
| 280 }); | 338 }); |
| 281 cfg:apply(global_ssl_config); | 339 cfg:apply(global_ssl_config); |
| 340 local preset = configmanager.get("*", "ssl_preset") or "intermediate"; | |
| 341 cfg:apply(mozilla_ssl_configs[preset]); | |
| 282 | 342 |
| 283 for i = select('#', ...), 1, -1 do | 343 for i = select('#', ...), 1, -1 do |
| 284 cfg:apply(select(i, ...)); | 344 cfg:apply(select(i, ...)); |
| 285 end | 345 end |
| 286 local user_ssl_config = cfg:final(); | 346 local user_ssl_config = cfg:final(); |
