projects / packages / lighttpd.git / blame
| Commit | Line | Data |
|---|---|---|
| e026bd5c ER |
1 | # lighttpd support for SSLv2 and SSLv3 |
| 2 | # | |
| bce8a1c7 | 3 | # Documentation: http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL |
| e026bd5c | 4 | |
| b0de199c ER |
5 | # (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from: |
| 6 | # https://www.ssllabs.com/projects/best-practices/index.html) | |
| 7 | # - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4, | |
| 8 | # so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4) | |
| 9 | # - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, | |
| 10 | # so you might want to support 3DES for now - just remove the '!3DES' parts below). | |
| 11 | # - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA' | |
| 12 | # if you don't want that. | |
| 13 | # - SRP and PSK are not supported anyway, excluding those ('!kSRP !kPSK') just keeps the list smaller (easier to review) | |
| 14 | # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes) | |
| 15 | # | |
| 16 | # If you know you have RSA keys (standard), you can use: | |
| 17 | #ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK" | |
| 18 | # The more generic version (without the restriction to RSA keys) is | |
| 19 | #ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" | |
| 20 | ||
| 21 | # Make the server prefer the order of the server side cipher suite instead of the client suite. | |
| 22 | # This option is enabled by default, but only used if ssl.cipher-list is set. | |
| 23 | # | |
| 24 | #ssl.honor-cipher-order = "enable" | |
| 25 | # | |
| bd6c17df | 26 | |
| e026bd5c ER |
27 | $SERVER["socket"] == ":443" { |
| 28 | ssl.engine = "enable" | |
| b0de199c | 29 | |
| 97d7578b AM |
30 | # unsafe protocols |
| 31 | ssl.use-sslv2 = "disable" | |
| 32 | ssl.use-sslv3 = "disable" | |
| 33 | ||
| 34 | # https://wiki.mozilla.org/Security/Server_Side_TLS | |
| 35 | # forward secrecy | |
| 36 | ssl.honor-cipher-order = "enable" | |
| 1008e814 | 37 | ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" |
| 97d7578b | 38 | |
| 9ff27247 ER |
39 | # ssl.pemfile: path to the PEM file for SSL support (Should contain both |
| 40 | # the private key and the certificate) | |
| b0de199c ER |
41 | ## If you have a .crt and a .key file, cat them together into a |
| 42 | ## single PEM file: | |
| 43 | ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem | |
| e026bd5c | 44 | ssl.pemfile = "/etc/lighttpd/server.pem" |
| b0de199c | 45 | |
| 9ff27247 | 46 | # ssl.ca-file: path to the CA file for support of chained certificates |
| 34b8d937 ER |
47 | # ssl.ca-file = "/etc/certs/ca-certificates.crt" |
| 48 | ||
| e026bd5c | 49 | $HTTP["useragent"] =~ "MSIE" { |
| cf9b1bc9 | 50 | server.max-keep-alive-requests = 0 |
| e026bd5c ER |
51 | } |
| 52 | } |