authorChris Buechler <cmb@pfsense.org>2015-03-11 00:24:59 -0500
committerChris Buechler <cmb@pfsense.org>2015-03-11 00:25:56 -0500
commit0f57551162abde8ac58c0b48c9d0595e08694682 (patch)
tree36a3d32784374e68c93fc4e633c69cad25e565b3 /etc/inc/system.inc
parent23cb405565539c2fa0c3db9eba052afce343f8a8 (diff)
Update cipher-list in web interface to prefer PFS. Ticket #4230
Diffstat (limited to 'etc/inc/system.inc')
-rw-r--r--etc/inc/system.inc6
1 files changed, 4 insertions, 2 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 112c218..03f18a1 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1475,11 +1475,13 @@ EOD;
fclose($fd);
}
+ // where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway.
+ $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+
if (isset($config['system']['webgui']['beast_protection'])) {
- $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
} else {
- $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+ $lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";
}
if (!(empty($ca) || (strlen(trim($ca)) == 0))) {
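Review bot: The new default list on the `else` branch turns on DHE suites (`AES128+EDH:AES256+EDH`), but nothing in this hunk sets `ssl.dh-file`, so lighttpd presumably falls back to its built-in DH parameters, which in the 1.4 releases of this period were 1024-bit and weaker than the server's RSA key; unless the DH parameters are configured elsewhere in this function (its body starts and ends outside the hunk), either add a `$lighty_config .= "ssl.dh-file = \"/etc/dh-parameters.2048\"\n";` pointing at parameters generated at install time, or keep only the EECDH suites. The trailing `AES128-SHA:AES256-SHA` entries are static-RSA, non-PFS fallbacks, which is fine with `ssl.honor-cipher-order` forcing the ECDHE/DHE suites first, but that intent is not written down; a comment such as `// non-PFS AES-CBC suites kept last as a fallback for clients without ECDHE/DHE support` above the new `ssl.cipher-list` line would stop the next editor from reordering or dropping them by accident. Moving `ssl.honor-cipher-order` out of the `beast_protection` branch is a sound change since it now also applies to the `else` list, where server-side ordering is what makes the PFS preference effective.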