author | Scott Ullrich <sullrich@pfsense.org> | 2011-04-19 17:06:00 -0400 |
committer | Scott Ullrich <sullrich@pfsense.org> | 2011-04-19 17:06:00 -0400 |
commit | 673ee7b1e8fcdcce197d5099e90f93f316893b8d (patch) | |
tree | e12b75e00d74514ef839eeb3b4a283546f66085b /etc/inc/system.inc | |
parent | 6c9cf4662eaa2db6cd8eea770f7364aaa9feae99 (diff) | |
Harden SSL settings a bit. Verified OK with @cmb and @billm
Diffstat (limited to 'etc/inc/system.inc')
-rw-r--r-- | etc/inc/system.inc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 2e64099..c55a0c0 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1086,6 +1086,11 @@ EOD;
 $lighty_config .= "## ssl configuration\n";
 $lighty_config .= "ssl.engine = \"enable\"\n";
 $lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n\n";
+
+ // Harden SSL a bit for PCI conformance testing
+ $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
+ $lighty_config .= "ssl.cipher-list = \"TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH\"\n";
+
 if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
 } |
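Review bot: The new `ssl.cipher-list` line explicitly re-admits RC4 (`RC4+MEDIUM`) while excluding 3DES (`!3DES`), and the comment above it only says "for PCI conformance testing", so a later maintainer cannot tell whether RC4 is a deliberate compatibility concession or an oversight; RC4 is the weaker of the two and has since been prohibited for TLS, so the reason should be recorded next to the string, e.g. `// RC4 kept only for legacy client compatibility; drop RC4+MEDIUM once no longer needed` (or drop it now if no such clients exist). The hunk also disables only SSLv2 via `ssl.use-sslv2 = "disable"`; SSLv3 stays enabled, and if the bundled lighttpd supports the corresponding `ssl.use-sslv3` directive, adding `$lighty_config .= "ssl.use-sslv3 = \"disable\"\n";` beside it would match the stated hardening intent — confirm against the shipped lighttpd version before relying on it. The enclosing function that builds `$lighty_config` starts before and ends after this hunk.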