[packages/lighttpd] Update ssl.conf from https://ssl-config.mozilla.org

glen glen at pld-linux.org
Sun May 28 13:40:51 CEST 2023 

commit 3abef207cd0e762f12c538a2469f0b35c20d337b
Author: Elan Ruusamäe <glen at pld-linux.org>
Date:   Sun May 28 14:26:03 2023 +0300

    Update ssl.conf from https://ssl-config.mozilla.org

 ssl.conf | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)
---
diff --git a/ssl.conf b/ssl.conf
index 1f04915..341de48 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -4,20 +4,35 @@
 # https://www.ssllabs.com/projects/best-practices/index.html
 # https://cipherli.st/
 # https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+#
+# generated 2023-05-28, Mozilla Guideline v5.7, lighttpd 1.4.70, OpenSSL 3.1.0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=lighttpd&version=1.4.70&config=intermediate&openssl=3.1.0&guideline=5.7
 
-$SERVER["socket"] == ":443" {
-	protocol = "https://"
-	ssl.engine = "enable"
+$HTTP["scheme"] == "http" {
+	url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
+}
 
+# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
+# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
+# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
+$SERVER["socket"] ==     ":443" { ssl.engine = "enable" }
+$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
+
+$HTTP["scheme"] == "https" {
+	protocol = "https://"
 	# ssl.pemfile: path to the PEM file for SSL support
 	# (Should contain both the private key and the certificate)
 	## If you have a .crt and a .key file, cat them together into a single PEM file:
 	## $ cat lighttpd.key lighttpd.crt > lighttpd.pem
 	ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
+#	ssl.privkey = "/path/to/private_key"
 	# ssl.ca-file: path to the CA file for support of chained certificates
 #	ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
 
+	# OCSP stapling (input file must be maintained by external script)
+	# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
+#	ssl.stapling-file = "/path/to/cert-staple.der"
+
 	# Compression is by default off at compile-time, but use if needed
 #	ssl.use-compression = "disable"
 
@@ -26,16 +41,16 @@ $SERVER["socket"] == ":443" {
 #		"HTTPS" => "on"
 #	)
 
-	# https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
-	# intermediate configuration, tweak to your needs
-	#
-	ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
-	ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
+	ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
+	# TLS modules besides mod_openssl might name ciphers differently
+	# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
+	ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")
 
 	# HTTP Strict Transport Security (63072000 seconds is around 2 years)
-	# setenv.add-response-header  = (
-	# 	"Strict-Transport-Security" => "max-age=63072000"
-	# )
+	setenv.add-response-header = (
+		"Strict-Transport-Security" => "max-age=63072000"
+	)
 
 	$HTTP["useragent"] =~ "MSIE" {
 		server.max-keep-alive-requests = 0
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/lighttpd.git/commitdiff/331a1d2828d14f0d46c776b13bcb513308a24533

More information about the pld-cvs-commit mailing list