Add cert chains for apache and lighttpd
authorSebastian Wagner <sebix@sebix.at>
Sat, 24 Jan 2015 13:00:08 +0000 (14:00 +0100)
committerSebastian Wagner <sebix@sebix.at>
Sat, 24 Jan 2015 13:00:08 +0000 (14:00 +0100)
src/configuration/Webservers/lighttpd/10-ssl.conf
src/practical_settings/webserver.tex

index 5e4a7b8..4a467fc 100644 (file)
@@ -5,10 +5,12 @@ $SERVER["socket"] == "0.0.0.0:443" {
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
+       ssl.ca-file = "/etc/ssl/certs/server.crt"
 
        ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
        setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
        # use this only if all subdomains support HTTPS!
        # setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
-}
\ No newline at end of file
+}
+
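Review bot: The added `ssl.ca-file = "/etc/ssl/certs/server.crt"` has no comment saying what the file must contain, and the name `server.crt` reads like the server's own certificate, which presumably already sits in `ssl.pemfile` next to the key. Since the commit is about certificate chains, I would add a comment above the line such as `# intermediate CA certificate(s) in PEM format, sent to clients as the chain`, so a reader does not point it at the leaf certificate and end up serving an incomplete chain. As far as I know, lighttpd 1.4.x also uses `ssl.ca-file` as the trusted-CA list when client-certificate verification is enabled, so the comment should say the file holds only the CAs intended for this vhost. A more descriptive sample path (a constructed example: `/etc/ssl/certs/intermediate-chain.pem`) would make the intent clearer in the guide.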
index d39de0c..6a3b8b8 100644 (file)
@@ -14,7 +14,7 @@ synonyms~\footnote{https://www.mail-archive.com/openssl-dev@openssl.org/msg33405
 \subsubsection{Settings}
 Enabled modules \emph{SSL} and \emph{Headers} are required.
 
-\configfile{default-ssl}{162-170}{SSL configuration for an Apache vhost}
+\configfile{default-ssl}{42-43,52-52,62-62,162-170}{SSL configuration for an Apache vhost}
 
 \subsubsection{Additional settings}
 You might want to redirect everything to \emph{https://} if possible. In Apache
@@ -46,7 +46,7 @@ See appendix \ref{cha:tools}
 
 
 \subsubsection{Settings}
-\configfile{10-ssl.conf}{3-14}{SSL configuration for lighttpd}
+\configfile{10-ssl.conf}{3-15}{SSL configuration for lighttpd}
 
 Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-Hellman key agreement protocols are supported.
 By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given.