ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.pemfile = "/etc/lighttpd/server.pem"
+ ssl.ca-file = "/etc/ssl/certs/server.crt"
ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
ssl.honor-cipher-order = "enable"
setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000") # six months
# use this only if all subdomains support HTTPS!
# setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
-}
\ No newline at end of file
+}
+
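Review bot: The added `ssl.ca-file` line points at a file named `server.crt`, which reads like the server's own certificate, whereas this lighttpd directive is meant for CA certificates (typically the intermediate chain sent to clients), and the certificate and private key stay in `ssl.pemfile`. A comment above the line would keep readers from copying the wrong file into place, for example `# CA/intermediate chain only; server certificate and key remain in ssl.pemfile`. Separately, the unchanged cipher string contains `!aNULL!eNULL` with no `:` between the two exclusions, unlike every other entry. Writing `!aNULL:!eNULL` removes any doubt about how the string is tokenised. The enclosing block closed by `}` in this hunk opens before the first visible line.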
\subsubsection{Settings}
Enabled modules \emph{SSL} and \emph{Headers} are required.
-\configfile{default-ssl}{162-170}{SSL configuration for an Apache vhost}
+\configfile{default-ssl}{42-43,52-52,62-62,162-170}{SSL configuration for an Apache vhost}
\subsubsection{Additional settings}
You might want to redirect everything to \emph{https://} if possible. In Apache
\subsubsection{Settings}
-\configfile{10-ssl.conf}{3-14}{SSL configuration for lighttpd}
+\configfile{10-ssl.conf}{3-15}{SSL configuration for lighttpd}
Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols are supported.
By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given.