X-Git-Url: https://git.tld-linux.org/?p=packages%2Flighttpd.git;a=blobdiff_plain;f=lighttpd-ssl.conf;fp=lighttpd-ssl.conf;h=0000000000000000000000000000000000000000;hp=7e89b248e4040156a7a86ee15f6fe87033fe9be5;hb=8239b3691d1ae536833b6d53a2efd289956ccbcd;hpb=2bc378a1b82f8e82ab66bd2a656282134a6d05e0 diff --git a/lighttpd-ssl.conf b/lighttpd-ssl.conf deleted file mode 100644 index 7e89b24..0000000 --- a/lighttpd-ssl.conf +++ /dev/null @@ -1,52 +0,0 @@ -# lighttpd support for SSLv2 and SSLv3 -# -# Documentation: http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL - -# (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from: -# https://www.ssllabs.com/projects/best-practices/index.html) -# - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4, -# so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4) -# - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, -# so you might want to support 3DES for now - just remove the '!3DES' parts below). -# - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA' -# if you don't want that. -# - SRP and PSK are not supported anyway, excluding those ('!kSRP !kPSK') just keeps the list smaller (easier to review) -# Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes) -# -# If you know you have RSA keys (standard), you can use: -#ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK" -# The more generic version (without the restriction to RSA keys) is -#ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK" - -# Make the server prefer the order of the server side cipher suite instead of the client suite. -# This option is enabled by default, but only used if ssl.cipher-list is set. -# -#ssl.honor-cipher-order = "enable" -# - -$SERVER["socket"] == ":443" { - ssl.engine = "enable" - - # unsafe protocols - ssl.use-sslv2 = "disable" - ssl.use-sslv3 = "disable" - - # https://wiki.mozilla.org/Security/Server_Side_TLS - # forward secrecy - ssl.honor-cipher-order = "enable" - ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" - - # ssl.pemfile: path to the PEM file for SSL support (Should contain both - # the private key and the certificate) - ## If you have a .crt and a .key file, cat them together into a - ## single PEM file: - ## $ cat lighttpd.key lighttpd.crt > lighttpd.pem - ssl.pemfile = "/etc/lighttpd/server.pem" - - # ssl.ca-file: path to the CA file for support of chained certificates -# ssl.ca-file = "/etc/certs/ca-certificates.crt" - - $HTTP["useragent"] =~ "MSIE" { - server.max-keep-alive-requests = 0 - } -}