support mitigating BEAST attack

According to http://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_30 "...by setting ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" you can mitigate BEAST attacks."
author: dhatz <dhatz-fw@hyper.net> 2013-07-01 04:16:33 +0300
committer: dhatz <dhatz-fw@hyper.net> 2013-07-01 04:16:33 +0300
commit: 9e5ae41ab20fcf26b76f0df348cf3274aba6beca (patch)
tree: af45b128bcb1117195ce644570aeaf253a48ed2f /etc
parent: db83bdf9b39d76665a69994ee139a40d58294f54 (diff)
download: pfsense-9e5ae41ab20fcf26b76f0df348cf3274aba6beca.zip
pfsense-9e5ae41ab20fcf26b76f0df348cf3274aba6beca.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index bbf0180..aa90d48 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1118,7 +1118,8 @@ EOD;
 
 		// Harden SSL a bit for PCI conformance testing
 		$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
-		$lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
+		$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+		$lighty_config .= "ssl.cipher-list = \"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM\"\n";
 
 		if(!(empty($ca) || (strlen(trim($ca)) == 0)))
 			$lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
author	dhatz <dhatz-fw@hyper.net>	2013-07-01 04:16:33 +0300
committer	dhatz <dhatz-fw@hyper.net>	2013-07-01 04:16:33 +0300
commit	9e5ae41ab20fcf26b76f0df348cf3274aba6beca (patch)
tree	af45b128bcb1117195ce644570aeaf253a48ed2f /etc
parent	db83bdf9b39d76665a69994ee139a40d58294f54 (diff)
download	pfsense-9e5ae41ab20fcf26b76f0df348cf3274aba6beca.zip pfsense-9e5ae41ab20fcf26b76f0df348cf3274aba6beca.tar.gz