update with upstream

author mh <mh@immerda.ch>

Mon, 2 Jul 2012 19:56:08 +0000 (15:56 -0400)

committer mh <mh@immerda.ch>

Mon, 2 Jul 2012 19:56:08 +0000 (15:56 -0400)
author mh <mh@immerda.ch>
Mon, 2 Jul 2012 19:56:08 +0000 (15:56 -0400)
committer mh <mh@immerda.ch>
Mon, 2 Jul 2012 19:56:08 +0000 (15:56 -0400)
diff --git a/files/lighttpd.conf b/files/lighttpd.conf

index 25ff3309fd0bfdee0c1ed8a8fa4ea9539b12246f..91c962541667daba91ee64616405f78f3a8fca5e 100644 (file)
--- a/files/lighttpd.conf
+++ b/files/lighttpd.conf
@@ -388,6 +388,25 @@ server.upload-dirs = ( "/var/tmp" )
  ##
  ##   ssl.engine = "enable"
  ##   ssl.pemfile = "/path/to/server.pem"
+##   #
+##   # Mitigate BEAST attack:
+##   #
+##   # A stricter base cipher suite. For details see:
+##   # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+##   #
+##   ssl.cipher-list             = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+##   #
+##   # Make the server prefer the order of the server side cipher suite instead of the client suite.
+##   # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
+##   # This option is enabled by default, but only used if ssl.cipher-list is set.
+##   #
+##   # ssl.honor-cipher-order = "enable"
+##   #
+##   # Mitigate CVE-2009-3555 by disabling client triggered renegotation
+##   # This is enabled by default.
+##   #
+##   # ssl.disable-client-renegotiation = "enable"
+##   #
  ##
  ## The HTTPS protocol does not allow you to use name-based virtual
  ## hosting with SSL. If you want to run multiple SSL servers with
author	mh <mh@immerda.ch>
	Mon, 2 Jul 2012 19:56:08 +0000 (15:56 -0400)
committer	mh <mh@immerda.ch>
	Mon, 2 Jul 2012 19:56:08 +0000 (15:56 -0400)