diff options
author | Stefan Bühler <stbuehler@web.de> | 2011-12-06 11:26:51 +0000 |
---|---|---|
committer | Stefan Bühler <stbuehler@web.de> | 2011-12-06 11:26:51 +0000 |
commit | d964e498742c10bdeda3648f226521c11940c76e (patch) | |
tree | ae22e01c9a8fcf74226e5423aa829472de96dc76 /doc | |
parent | 38e3e4a65aee6b8659ee456b39365b3446267b21 (diff) | |
download | lighttpd-git-d964e498742c10bdeda3648f226521c11940c76e.tar.gz |
[ssl] document new options in config example
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2814 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'doc')
-rw-r--r-- | doc/config/lighttpd.conf | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/doc/config/lighttpd.conf b/doc/config/lighttpd.conf index e5c6722b..98309544 100644 --- a/doc/config/lighttpd.conf +++ b/doc/config/lighttpd.conf @@ -394,8 +394,25 @@ server.upload-dirs = ( "/var/tmp" ) ## $SERVER["socket"] == "10.0.0.1:443" { ## ssl.engine = "enable" ## ssl.pemfile = "/etc/ssl/private/www.example.com.pem" +## # +## # Mitigate BEAST attack: +## # +## # A stricter base cipher suite. For details see: ## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html -## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +## # +## ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" +## # +## # Make the server prefer the order of the server side cipher suite instead of the client suite. +## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms). +## # This option is enabled by default, but only used if ssl.ciphers is set. +## # +## # ssl.honor-cipher-order = "enable" +## # +## # Mitigate CVE-2009-3555 by disabling client triggered renegotation +## # This is enabled by default. +## # +## # ssl.disable-client-renegotiation = "enable" +## # ## server.name = "www.example.com" ## ## server.document-root = "/srv/www/vhosts/example.com/www/" |