From 36355e5065542a80eea4ca88e042bd9ecd9a86a3 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 2 Jul 2012 15:56:08 -0400 Subject: update with upstream --- files/lighttpd.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/files/lighttpd.conf b/files/lighttpd.conf index 25ff330..91c9625 100644 --- a/files/lighttpd.conf +++ b/files/lighttpd.conf @@ -388,6 +388,25 @@ server.upload-dirs = ( "/var/tmp" ) ## ## ssl.engine = "enable" ## ssl.pemfile = "/path/to/server.pem" +## # +## # Mitigate BEAST attack: +## # +## # A stricter base cipher suite. For details see: +## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html +## # +## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +## # +## # Make the server prefer the order of the server side cipher suite instead of the client suite. +## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). +## # This option is enabled by default, but only used if ssl.cipher-list is set. +## # +## # ssl.honor-cipher-order = "enable" +## # +## # Mitigate CVE-2009-3555 by disabling client triggered renegotation +## # This is enabled by default. +## # +## # ssl.disable-client-renegotiation = "enable" +## # ## ## The HTTPS protocol does not allow you to use name-based virtual ## hosting with SSL. If you want to run multiple SSL servers with -- cgit v1.2.3