Merge pull request #92 from sebix/master
authorAaron Zauner <azet@azet.org>
Fri, 13 Feb 2015 06:49:29 +0000 (07:49 +0100)
committerAaron Zauner <azet@azet.org>
Fri, 13 Feb 2015 06:49:29 +0000 (07:49 +0100)
Add certificate chain files to configs of apache and lighttpd

src/configuration/Webservers/lighttpd/10-ssl.conf
src/practical_settings/webserver.tex

index 5e4a7b8..4a467fc 100644 (file)
@@ -5,10 +5,12 @@ $SERVER["socket"] == "0.0.0.0:443" {
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
+       ssl.ca-file = "/etc/ssl/certs/server.crt"
 
        ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
        setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
        # use this only if all subdomains support HTTPS!
        # setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
-}
\ No newline at end of file
+}
+
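Review bot: The added `ssl.ca-file = "/etc/ssl/certs/server.crt"` uses a file name that reads like the server's own certificate, while the commit title says the line is meant to supply the certificate chain. A reader who copies the example and puts the leaf certificate there would still serve an incomplete chain, and clients without the intermediates would fail validation. I would put a comment above the line, e.g. `# intermediate CA certificate(s) completing the chain; server certificate and key stay in ssl.pemfile`, and use a placeholder path whose name says "chain". As far as I know, lighttpd 1.4.x also uses this directive as the CA list for client-certificate verification, so the file should hold only the intended CA certificates. The `$SERVER["socket"]` block opens above the hunk.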
index d39de0c..6a3b8b8 100644 (file)
@@ -14,7 +14,7 @@ synonyms~\footnote{https://www.mail-archive.com/openssl-dev@openssl.org/msg33405
 \subsubsection{Settings}
 Enabled modules \emph{SSL} and \emph{Headers} are required.
 
-\configfile{default-ssl}{162-170}{SSL configuration for an Apache vhost}
+\configfile{default-ssl}{42-43,52-52,62-62,162-170}{SSL configuration for an Apache vhost}
 
 \subsubsection{Additional settings}
 You might want to redirect everything to \emph{https://} if possible. In Apache
@@ -46,7 +46,7 @@ See appendix \ref{cha:tools}
 
 
 \subsubsection{Settings}
-\configfile{10-ssl.conf}{3-14}{SSL configuration for lighttpd}
+\configfile{10-ssl.conf}{3-15}{SSL configuration for lighttpd}
 
 Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols are supported.
 By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given.