src/configuration/Webservers/lighttpd/10-ssl-dh.conf

   1 # /usr/share/doc/lighttpd/ssl.txt
   2
   3 $SERVER["socket"] == "0.0.0.0:443" {
   4         ssl.engine = "enable"
   5         ssl.use-sslv2 = "disable"
   6         ssl.use-sslv3 = "disable"
   7         ssl.pemfile = "/etc/lighttpd/server.pem"
   8
   9         ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
  10         ssl.honor-cipher-order = "enable"
  11     # use group16 dh parameters
  12         ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
  13         ssl.ec-curve = "secp384r1"
  14         setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
  15         # use this only if all subdomains support HTTPS!
  16         # setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
  17 }