diff options
author | Renato Botelho <garga@FreeBSD.org> | 2015-03-11 14:09:22 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2015-03-11 14:09:22 -0300 |
commit | 0d443728d5ba55565f23ee71db117dbc1e1bb496 (patch) | |
tree | 5476dcc893595f66db33d516794fbee141bd77de /etc/inc/system.inc | |
parent | 3a0a59c812f5719ff672c52f0f77c699513b713f (diff) | |
download | pfsense-0d443728d5ba55565f23ee71db117dbc1e1bb496.zip pfsense-0d443728d5ba55565f23ee71db117dbc1e1bb496.tar.gz |
Explicit disable ssl.use-compression on lighty config. It should fix #4230
Diffstat (limited to 'etc/inc/system.inc')
-rw-r--r-- | etc/inc/system.inc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 1cfdfb5..3d032d4 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -1464,6 +1464,9 @@ EOD; // where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway. $lighty_config .= "ssl.honor-cipher-order = \"enable\"\n"; + // Explicit disable compression to mitigate CRIME attack + $lighty_config .= "ssl.use-compression = \"disable\"\n"; + $lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n"; if (!(empty($ca) || (strlen(trim($ca)) == 0))) { |