http/tls: update to new mozilla recommendations
This updates to v5.7 of the Mozilla Server Side TLS recommendations (https://wiki.mozilla.org/Security/Server_Side_TLS).
daurnimator committed Aug 28, 2023
1 parent ddab283 commit c672f2b
Showing 1 changed file with 31 additions and 57 deletions.
88 changes: 31 additions & 57 deletions http/tls.lua
Expand Up @@ -19,91 +19,52 @@ end

-- "Modern" cipher list
local modern_cipher_list = cipher_list {
"ECDHE-ECDSA-AES256-GCM-SHA384";
"ECDHE-RSA-AES256-GCM-SHA384";
"ECDHE-ECDSA-CHACHA20-POLY1305";
"ECDHE-RSA-CHACHA20-POLY1305";
"ECDHE-ECDSA-AES128-GCM-SHA256";
"ECDHE-RSA-AES128-GCM-SHA256";
"ECDHE-ECDSA-AES256-SHA384";
"ECDHE-RSA-AES256-SHA384";
"ECDHE-ECDSA-AES128-SHA256";
"ECDHE-RSA-AES128-SHA256";
"TLS_AES_128_GCM_SHA256";
"TLS_AES_256_GCM_SHA384";
"TLS_CHACHA20_POLY1305_SHA256";
}

-- "Intermediate" cipher list
local intermediate_cipher_list = cipher_list {
"ECDHE-ECDSA-CHACHA20-POLY1305";
"ECDHE-RSA-CHACHA20-POLY1305";
"ECDHE-ECDSA-AES128-GCM-SHA256";
"ECDHE-RSA-AES128-GCM-SHA256";
"ECDHE-ECDSA-AES256-GCM-SHA384";
"ECDHE-RSA-AES256-GCM-SHA384";
"ECDHE-ECDSA-CHACHA20-POLY1305";
"ECDHE-RSA-CHACHA20-POLY1305";
"DHE-RSA-AES128-GCM-SHA256";
"DHE-RSA-AES256-GCM-SHA384";
"ECDHE-ECDSA-AES128-SHA256";
"ECDHE-RSA-AES128-SHA256";
"ECDHE-ECDSA-AES128-SHA";
"ECDHE-RSA-AES256-SHA384";
"ECDHE-RSA-AES128-SHA";
"ECDHE-ECDSA-AES256-SHA384";
"ECDHE-ECDSA-AES256-SHA";
"ECDHE-RSA-AES256-SHA";
"DHE-RSA-AES128-SHA256";
"DHE-RSA-AES128-SHA";
"DHE-RSA-AES256-SHA256";
"DHE-RSA-AES256-SHA";
"ECDHE-ECDSA-DES-CBC3-SHA";
"ECDHE-RSA-DES-CBC3-SHA";
"EDH-RSA-DES-CBC3-SHA";
"AES128-GCM-SHA256";
"AES256-GCM-SHA384";
"AES128-SHA256";
"AES256-SHA256";
"AES128-SHA";
"AES256-SHA";
"DES-CBC3-SHA";
"!DSS";
"DHE-RSA-CHACHA20-POLY1305";
}

-- "Old" cipher list
local old_cipher_list = cipher_list {
"ECDHE-ECDSA-CHACHA20-POLY1305";
"ECDHE-RSA-CHACHA20-POLY1305";
"ECDHE-RSA-AES128-GCM-SHA256";
"ECDHE-ECDSA-AES128-GCM-SHA256";
"ECDHE-RSA-AES256-GCM-SHA384";
"ECDHE-RSA-AES128-GCM-SHA256";
"ECDHE-ECDSA-AES256-GCM-SHA384";
"ECDHE-RSA-AES256-GCM-SHA384";
"ECDHE-ECDSA-CHACHA20-POLY1305";
"ECDHE-RSA-CHACHA20-POLY1305";
"DHE-RSA-AES128-GCM-SHA256";
"DHE-DSS-AES128-GCM-SHA256";
"kEDH+AESGCM";
"ECDHE-RSA-AES128-SHA256";
"DHE-RSA-AES256-GCM-SHA384";
"DHE-RSA-CHACHA20-POLY1305";
"ECDHE-ECDSA-AES128-SHA256";
"ECDHE-RSA-AES128-SHA";
"ECDHE-RSA-AES128-SHA256";
"ECDHE-ECDSA-AES128-SHA";
"ECDHE-RSA-AES256-SHA384";
"ECDHE-RSA-AES128-SHA";
"ECDHE-ECDSA-AES256-SHA384";
"ECDHE-RSA-AES256-SHA";
"ECDHE-RSA-AES256-SHA384";
"ECDHE-ECDSA-AES256-SHA";
"ECDHE-RSA-AES256-SHA";
"DHE-RSA-AES128-SHA256";
"DHE-RSA-AES128-SHA";
"DHE-DSS-AES128-SHA256";
"DHE-RSA-AES256-SHA256";
"DHE-DSS-AES256-SHA";
"DHE-RSA-AES256-SHA";
"ECDHE-RSA-DES-CBC3-SHA";
"ECDHE-ECDSA-DES-CBC3-SHA";
"EDH-RSA-DES-CBC3-SHA";
"AES128-GCM-SHA256";
"AES256-GCM-SHA384";
"AES128-SHA256";
"AES256-SHA256";
"AES128-SHA";
"AES256-SHA";
"AES";
"DES-CBC3-SHA";
"HIGH";
"SEED";
"!aNULL";
"!eNULL";
"!EXPORT";
Expand Down Expand Up @@ -458,6 +419,15 @@ local spec_to_openssl = {
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "ECDHE-PSK-CHACHA20-POLY1305";
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = "DHE-PSK-CHACHA20-POLY1305";
TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = "RSA-PSK-CHACHA20-POLY1305";


-- TLS v1.3 cipher suites

TLS_AES_128_GCM_SHA256 = "TLS_AES_128_GCM_SHA256";
TLS_AES_256_GCM_SHA384 = "TLS_AES_256_GCM_SHA384";
TLS_CHACHA20_POLY1305_SHA256 = "TLS_CHACHA20_POLY1305_SHA256";
TLS_AES_128_CCM_SHA256 = "TLS_AES_128_CCM_SHA256";
TLS_AES_128_CCM_8_SHA256 = "TLS_AES_128_CCM_8_SHA256";
}

-- Banned ciphers from https://http2.github.io/http2-spec/#BadCipherSuites
Expand Down Expand Up @@ -750,13 +720,17 @@ local default_tls_options = openssl_ctx.OP_NO_COMPRESSION
+ openssl_ctx.OP_SINGLE_ECDH_USE
+ openssl_ctx.OP_NO_SSLv2
+ openssl_ctx.OP_NO_SSLv3
+ openssl_ctx.OP_NO_SSLv3
+ openssl_ctx.OP_NO_TLSv1
+ openssl_ctx.OP_NO_TLSv1_1
+ openssl_ctx.OP_NO_TICKET

local function new_client_context()
local ctx = openssl_ctx.new("TLS", false)
ctx:setCipherList(intermediate_cipher_list)
ctx:setOptions(default_tls_options)
if ctx.setGroups then
ctx:setGroups("P-521:P-384:P-256")
ctx:setGroups("P-521:P-384:P-256:X25519")
else
ctx:setEphemeralKey(openssl_pkey.new{ type = "EC", curve = "prime256v1" })
end
Expand All @@ -771,7 +745,7 @@ local function new_server_context()
ctx:setCipherList(intermediate_cipher_list)
ctx:setOptions(default_tls_options)
if ctx.setGroups then
ctx:setGroups("P-521:P-384:P-256")
ctx:setGroups("P-521:P-384:P-256:X25519")
else
ctx:setEphemeralKey(openssl_pkey.new{ type = "EC", curve = "prime256v1" })
end
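Review bot: In `default_tls_options`, `+ openssl_ctx.OP_NO_SSLv3` appears twice on the new side; the hunk grows from 13 to 17 lines with only one removal (the old `setGroups` call), so the second copy looks like an added line rather than leftover history. The flags are combined with arithmetic `+`, not a bitwise OR, so a repeated flag carries into the next bit instead of being a no-op. With OpenSSL's usual header values, two `OP_NO_SSLv3` sum to the `OP_NO_TLSv1` bit, and adding the real `OP_NO_TLSv1` on top of that lands on `OP_NO_TLSv1_2`, so the resulting mask would leave SSLv3 and TLS 1.0 unmasked while disabling TLS 1.2, the reverse of what the Mozilla profile intends. Delete the duplicate line so the expression reads `+ openssl_ctx.OP_NO_SSLv3` once, followed by `+ openssl_ctx.OP_NO_TLSv1`, and verify the final mask bit by bit. A comment above the expression such as `-- each flag must appear exactly once: these are summed, not OR-ed` would keep the mistake from recurring.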
