author | Chris Buechler <cmb@pfsense.org> | 2015-03-11 00:24:59 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-03-11 00:24:59 -0500 |
commit | bd583dc2f036938a24b1041f91ffb7c01e27fdc9 (patch) | |
tree | 91d994a84303905a659de6cc0115549cac6f7c68 | |
parent | 9229598abb38c1083c3881d7ce57de6ac407fcb4 (diff) | |
Update cipher-list in web interface to prefer PFS. Ticket #4230
-rw-r--r-- | etc/inc/system.inc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index c93eca7..710690f 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1355,11 +1355,13 @@ EOD;
 	fclose($fd);
 }
 
+	// where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway.
+	$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+
 	if (isset($config['system']['webgui']['beast_protection'])) {
-		$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
 		$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
 	} else {
-		$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+		$lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";
 	}
 
 	if(!(empty($ca) || (strlen(trim($ca)) == 0)))
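Review bot: The "prefer PFS" intent only reaches the `else` branch; the `beast_protection` list is left as `ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM`, where the static-RSA suite `AES256-SHA256` sits second and `HIGH` then admits every remaining non-PFS suite while `!EDH` and `!AESGCM` drop all DHE and AEAD options, so with that checkbox set and `ssl.honor-cipher-order` now forced on, many clients will still land on a non-forward-secret suite. Consider putting the ECDHE suites first in that branch as well, e.g. `ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-SHA256:AES128-SHA256:!aNULL:!eNULL:!MD5` — to be validated against the OpenSSL version shipped with the release, since the suite names are presumably not verified anywhere in this file. The new default list also keeps `AES128-SHA:AES256-SHA` as non-PFS, CBC/SHA-1 fallbacks; that is a reasonable compatibility trade-off but deserves a comment so it is not mistaken for an oversight, e.g. `// AES128-SHA/AES256-SHA are non-PFS fallbacks for clients without ECDHE/DHE support; honor-cipher-order keeps them last`. The added comment's claim that lighttpd enables `ssl.honor-cipher-order` automatically whenever `ssl.cipher-list` is set is a statement about lighttpd's defaults that the diff cannot show; I would phrase it as the lighttpd version it was checked against, or drop the claim and keep just "set explicitly so the server-side ordering is guaranteed". The enclosing function begins and ends outside this hunk.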