Change TLS default policy to disable DSA, CCM-8, and static RSA

Disables static RSA by default. The advantage here is twofold: enforcing forward
security and protecting TLS servers from oracle attacks since by default they
will never negotiate a suite which forces them to act as a decryption
oracle. Some applications/users may be forced to enable RSA in order to speak
with old or misconfigured peers, but these can be the exception not the default.

Disable DSA and CCM-8 by default: if you need to enable these things, you know it.

Adds TLS policy hooks to enforce DSA key sizes, default 2048 bits.

Remove an incorrect warning about DTLS in the manual; the sequence number window
check prevents this scenario from occuring.

1 files changed, 9 insertions, 3 deletions

diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index f387361f6..efef7e1f7 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -151,11 +151,12 @@ class BOTAN_DLL Policy
       * Return the minimum ECDH group size we're willing to use
       * for key exchange
       *
-      * Default 256, allowing P-256 and larger
-      * P-256 is the smallest curve we will negotiate
+      * Default 255, allowing x25519 and larger
+      * x25519 is the smallest curve we will negotiate
+      * P-521 is the largest
       */
       virtual size_t minimum_ecdh_group_size() const;
-      
+
       /**
       * Return the minimum bit size we're willing to accept for RSA
       * key exchange or server signatures.
@@ -170,6 +171,11 @@ class BOTAN_DLL Policy
       virtual size_t minimum_rsa_bits() const;
 
       /**
+      * Minimum DSA group size, default 2048 bits
+      */
+      virtual size_t minimum_dsa_group_size() const;
+
+      /**
       * Throw an exception if you don't like the peer's key.
       * Default impl checks the key size against minimum_rsa_bits, minimum_ecdsa_group_size,
       * or minimum_ecdh_group_size depending on the key's type.