diff options
author | Jim P <jim@pingle.org> | 2013-07-14 13:14:07 -0700 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2013-07-14 13:14:07 -0700 |
commit | 3487a5c26feb4233cb5826a88bd3ca9a4807c287 (patch) | |
tree | a2b89e61edd1b409d5ccc5a279e89c86d0f9fe8f | |
parent | 23ea4d2a6a6f7131fb4083cc9dda9cc3618d9d53 (diff) | |
parent | 9e5ae41ab20fcf26b76f0df348cf3274aba6beca (diff) | |
download | pfsense-3487a5c26feb4233cb5826a88bd3ca9a4807c287.zip pfsense-3487a5c26feb4233cb5826a88bd3ca9a4807c287.tar.gz |
Merge pull request #683 from dhatz/RELENG_2_1
support mitigating BEAST attack, see http://forum.pfsense.org/index.php/topic,63001.0.html
-rw-r--r-- | etc/inc/system.inc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 7674e14..18ae4f1 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1125,7 +1125,8 @@ EOD; // Harden SSL a bit for PCI conformance testing $lighty_config .= "ssl.use-sslv2 = \"disable\"\n"; - $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n"; + $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n"; + $lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n"; if(!(empty($ca) || (strlen(trim($ca)) == 0))) $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n"; |