%%----------------------------------------------------------------------
\subsection{Apache}
-\subsubsection{Tested with Version} \todo{FIXME: add}
+\subsubsection{Tested with Versions} \todo{FIXME: add}
+%\begin{itemize}
+%\end{itemize}
\subsubsection{Settings}
+Enabled modules \emph{SSL} and \emph{Headers} are required.
+
%-All +TLSv1.1 +TLSv1.2
\begin{lstlisting}[breaklines]
+ SSLCertificateFile server.crt
+ SSLCertificateKeyFile server.key
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
</VirtualHost>
\end{lstlisting}
-\subsubsection{Justification for special settings (if needed)}
-
\subsubsection{References}
+\begin{itemize}
+ \item Apache SSL/TLS Encryption: \url{http://httpd.apache.org/docs/2.2/ssl/}
+\end{itemize}
\subsubsection{How to test}
%%\begin{description}
-\subsubsection{Tested with Version}
-
-\todo{version?}
+The config option \emph{honor-cipher-order} is available since 1.4.30, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDH has to be available in OpenSSL at compile-time, which should be default. SSL compression should by deactivated by default at compile-time (if not, it's active).
-\subsubsection{Settings}
+Support for other SSL-libraries like GnuTLS will be available in the upcoming 2.x branch, which is currently under developement.
+\subsubsection{Tested with Versions}
+\begin{itemize}
+\item lighttpd/1.4.31-4 with OpenSSL 1.0.1e on Debian Wheezy
+\item lighttpd/1.4.33 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
+\item lighttpd/1.4.28-2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
+\end{itemize}
-%% Complete ssl.cipher-list with same algo than Apache
-\todo{FIXME: this string seems to be wrongly formatted??}
+\subsubsection{Settings}
\begin{lstlisting}[breaklines]
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
- #ssl.use-compression obsolete >= 1.4.3.1
ssl.pemfile = "/etc/lighttpd/server.pem"
- ssl.cipher-list = '@@@CIPHERSTRINGB@@@'
+ ssl.cipher-list = "@@@CIPHERSTRINGB@@@"
ssl.honor-cipher-order = "enable"
setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000")
}
\subsubsection{Additional settings}
-As for any other webserver, you might want to automatically redirect http traffic toward httpS://
+As for any other webserver, you should redirect automatically HTTP traffic towards HTTPS. It is also recommended to set the environment variable \emph{HTTPS}, so the applications run by the webserver can easily detect, that HTTPS is in use.
\begin{lstlisting}[breaklines]
$HTTP["scheme"] == "http" {
url.redirect = (".*" => "https://%0$0")
}
}
+ # Set the environment variable properly
+ setenv.add-environment = (
+ "HTTPS" => "on"
+ )
+ }
\end{lstlisting}
-\subsubsection{References} \todo{add references to lighttpd SSL settins documentation}.
-
-lighttpd httpS:// redirection: \url{http://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps}
-
+\subsubsection{References}
+\begin{itemize}
+ \item HTTPS redirection: \url{http://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps}
+ \item Lighttpd Docs SSL: \url{http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs\_SSL}
+ \item Release 1.4.30 (How to mitigate BEAST attack) \url{http://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1\_4\_30}
+ \item SSL Compression disabled by default: \url{http://redmine.lighttpd.net/issues/2445}
+\end{itemize}
\subsubsection{How to test}
See section \ref{section:Tools}
-% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
%\end{description}