From 00b558aab9e9d6f61ded2644bfcdeaaa74b49195 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Elan=20Ruusam=C3=A4e?= <glen@pld-linux.org>
Date: Tue, 14 Feb 2023 00:48:07 +0200
Subject: [PATCH] Deprecated TLS options have been removed.

- ssl.honor-cipher-order
- ssl.dh-file
- ssl.ec-curve
- ssl.disable-client-renegotiation
- ssl.use-sslv2
- ssl.use-sslv3

See https://wiki.lighttpd.net/Docs_SSL for replacements with
`ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
---
 ssl.conf | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/ssl.conf b/ssl.conf
index 15bfb6a..692860c 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -9,7 +9,6 @@
 $SERVER["socket"] == ":443" {
 	protocol = "https://"
 	ssl.engine = "enable"
-	ssl.disable-client-renegotiation = "enable"
 
 	# ssl.pemfile: path to the PEM file for SSL support
 	# (Should contain both the private key and the certificate)
@@ -19,12 +18,6 @@ $SERVER["socket"] == ":443" {
 	# ssl.ca-file: path to the CA file for support of chained certificates
 #	ssl.ca-file = "/etc/lighttpd/ssl/chain.pem"
 
-	# for DH/DHE ciphers, dhparam should be >= 2048-bit
-	# Generate with:
-	# openssl dhparam -out dh2048.pem -outform PEM -2 2048
-#	ssl.dh-file = "/etc/lighttpd/ssl/dhparam.pem"
-	# ECDH/ECDHE ciphers curve strength (see `openssl ecparam -list_curves`)
-#	ssl.ec-curve = "secp384r1"
 	# Compression is by default off at compile-time, but use if needed
 #	ssl.use-compression = "disable"
 
@@ -36,12 +29,8 @@ $SERVER["socket"] == ":443" {
 	# https://ssl-config.mozilla.org/#server=lighttpd&server-version=1.4.54&config=intermediate
 	# intermediate configuration, tweak to your needs
 	#
-	ssl.use-sslv2 = "disable"
-	ssl.use-sslv3 = "disable"
-	# intermediate configuration, tweak to your needs
 	ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
 	ssl.cipher-list           = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
-	ssl.honor-cipher-order    = "disable"
 
 	# HTTP Strict Transport Security (63072000 seconds
 	# setenv.add-response-header  = (
-- 
2.44.0