summaryrefslogtreecommitdiff
path: root/doc/config/lighttpd.conf
diff options
context:
space:
mode:
Diffstat (limited to 'doc/config/lighttpd.conf')
-rw-r--r--doc/config/lighttpd.conf19
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/config/lighttpd.conf b/doc/config/lighttpd.conf
index efe96be..47d6729 100644
--- a/doc/config/lighttpd.conf
+++ b/doc/config/lighttpd.conf
@@ -394,6 +394,25 @@ server.upload-dirs = ( "/var/tmp" )
## $SERVER["socket"] == "10.0.0.1:443" {
## ssl.engine = "enable"
## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
+## #
+## # Mitigate BEAST attack:
+## #
+## # A stricter base cipher suite. For details see:
+## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+## #
+## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+## #
+## # Make the server prefer the order of the server side cipher suite instead of the client suite.
+## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
+## # This option is enabled by default, but only used if ssl.cipher-list is set.
+## #
+## # ssl.honor-cipher-order = "enable"
+## #
+## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
+## # This is enabled by default.
+## #
+## # ssl.disable-client-renegotiation = "enable"
+## #
## server.name = "www.example.com"
##
## server.document-root = "/srv/www/vhosts/example.com/www/"