Browse Source

[doc] update ssl.cipher-list recommendation

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2918 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.34
Stefan Bühler 8 years ago
parent
commit
cdcd49b547
  1. 20
      doc/config/lighttpd.conf

20
doc/config/lighttpd.conf

@ -403,15 +403,23 @@ server.upload-dirs = ( "/var/tmp" )
## ssl.engine = "enable"
## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
## #
## # Mitigate BEAST attack:
## # (Following SSL/TLS Deployment Best Practices 1.3 / 17 September 2013 from:
## # https://www.ssllabs.com/projects/best-practices/index.html)
## # - BEAST is considered mitigaed on client side now, and new weaknesses have been found in RC4,
## # so it is strongly advised to disable RC4 ciphers (HIGH doesn't include RC4)
## # - It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP,
## # so you might want to support 3DES for now - just remove the '!3DES' parts below).
## # - The examples below prefer ciphersuites with "Forward Secrecy" (and ECDHE over DHE (alias EDH)), remove '+kEDH +kRSA'
## # if you don't want that.
## # - SRP and PSK are not supported anyway, excluding those just keeps the list smaller (easier to review)
## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
## #
## # A stricter base cipher suite. For details see:
## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
## #
## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
## # If you know you have RSA keys (standard), you can use:
## ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP"
## # The more generic version (without the restriction to RSA keys) is
## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
## #
## # Make the server prefer the order of the server side cipher suite instead of the client suite.
## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
## # This option is enabled by default, but only used if ssl.cipher-list is set.
## #
## # ssl.honor-cipher-order = "enable"

Loading…
Cancel
Save