[packages/lighttpd] - we want perfect forward secrecy, too
arekm
arekm at pld-linux.org
Mon Oct 20 15:34:35 CEST 2014
commit 97d7578ba35f5ab3ee0c2572c3b1879033b7f1e8
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Mon Oct 20 15:34:32 2014 +0200
- we want perfect forward secrecy, too
lighttpd-ssl.conf | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
---
diff --git a/lighttpd-ssl.conf b/lighttpd-ssl.conf
index 5f60997..c5554ee 100644
--- a/lighttpd-ssl.conf
+++ b/lighttpd-ssl.conf
@@ -24,13 +24,18 @@
#ssl.honor-cipher-order = "enable"
#
-# unsafe protocols
-ssl.use-sslv2 = "disable"
-ssl.use-sslv3 = "disable"
-
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
+ # unsafe protocols
+ ssl.use-sslv2 = "disable"
+ ssl.use-sslv3 = "disable"
+
+ # https://wiki.mozilla.org/Security/Server_Side_TLS
+ # forward secrecy
+ ssl.honor-cipher-order = "enable"
+ ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
+
# ssl.pemfile: path to the PEM file for SSL support (Should contain both
# the private key and the certificate)
## If you have a .crt and a .key file, cat them together into a
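Review bot: The new `ssl.cipher-list` only prefers forward secrecy rather than requiring it: after the ECDHE/DHE entries it still lists static-RSA suites (`AES256-GCM-SHA384` through `DES-CBC3-SHA`) and the `HIGH` catch-all, so a client offering only those negotiates without PFS. If that fallback is intended for compatibility, the comment would be more accurate as `# prefer forward secrecy; static-RSA suites kept as fallback for old clients`. The `DHE-RSA-*` entries depend on the server's DH parameters, which nothing in this hunk sets; consider adding `ssl.dh-file = "<path-to-dhparams.pem>"` (placeholder path) with a group of at least 2048 bits, since the built-in default is likely weaker. The `ssl.use-sslv2`/`ssl.use-sslv3` lines are now scoped to the `:443` socket only, so any other TLS listener configured elsewhere would presumably need them repeated. The `$SERVER["socket"]` block continues outside the hunk.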
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/lighttpd.git/commitdiff/97d7578ba35f5ab3ee0c2572c3b1879033b7f1e8