lighttpd: fix dh-file and ec-curve setting
authorAdi Kriegisch <adi@kriegisch.at>
Tue, 15 Jul 2014 09:17:33 +0000 (11:17 +0200)
committerAdi Kriegisch <adi@kriegisch.at>
Tue, 15 Jul 2014 09:17:33 +0000 (11:17 +0200)
src/configuration/Webservers/lighttpd/10-ssl-dh.conf
src/practical_settings/webserver.tex

index 6851665..b1a64d6 100644 (file)
@@ -8,9 +8,10 @@ $SERVER["socket"] == "0.0.0.0:443" {
 
        ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
-       ssl.dh-file = "/etc/lighttpd/ssl/dh2048.pem"
-       ssl.ec-curve = "secp521r1"
+    # use group16 dh parameters
+       ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
+       ssl.ec-curve = "secp384r1"
        setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
        # use this only if all subdomains support HTTPS!
        # setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
-}
\ No newline at end of file
+}
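Review bot: The added comment `# use group16 dh parameters` is indented with four spaces while the settings around it use the block's wider indent, and it does not tell the reader what the new file must contain or that it has to exist before the server is reloaded. I would align it with the neighbouring lines and make it `# 4096-bit DH parameters (RFC 3526 MODP group 16); generate /etc/lighttpd/ssl/dh4096.pem before reloading, lighttpd will presumably refuse to start without it`. A short sentence on the cost of the change would also help, since a 4096-bit group makes each DHE handshake noticeably more expensive than the 2048-bit one it replaces. Separately, the unchanged cipher list on the line above contains `!aNULL!eNULL` with no `:` between the two exclusions; that looks like a typo and may not be parsed as two separate rules, so it is worth fixing alongside this change even though it is outside the hunk's additions.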
index 87ab63c..3bbdaea 100644 (file)
@@ -52,7 +52,7 @@ Starting with lighttpd version 1.4.29 Diffie-Hellman and Elliptic-Curve Diffie-H
 By default, elliptic curve "prime256v1" (also "secp256r1") will be used, if no other is given.
 To select special curves, it is possible to set them using the configuration options \verb|ssl.dh-file| and \verb|ssl.ec-curve|.
 
-\configfile{10-ssl-dh.conf}{11-12}{SSL EC/DH configuration for lighttpd}
+\configfile{10-ssl-dh.conf}{11-13}{SSL EC/DH configuration for lighttpd}
 
 Please read section \ref{section:DH} for more information on Diffie Hellman key exchange and elliptic curves.