From d4f8cb1ad30c15e34a47f2d5c27d0d6ca09b5e2f Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 18 Jul 2012 18:14:22 -0400
Subject: Expand cipher list and remove a cipher that Safari on iOS does not like after recent lighttpd changes. Fixes #2553
---
 etc/inc/system.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index fd00408..7148c1c 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1046,7 +1046,7 @@ EOD;
 // Harden SSL a bit for PCI conformance testing
 $lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
- $lighty_config .= "ssl.cipher-list = \"TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH\"\n";
+ $lighty_config .= "ssl.cipher-list = \"DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!3DES:@STRENGTH\"\n";
 if(!(empty($ca) || (strlen(trim($ca)) == 0))) $lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
--
cgit v1.1
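Review bot: The new `ssl.cipher-list` string sits under the comment "Harden SSL a bit for PCI conformance testing" yet explicitly enables `RC4-SHA` and `RC4-MD5`, and as a fixed allowlist it will not pick up stronger suites when the OpenSSL build gains them, so it needs an explanatory comment and a periodic review. The list has no `DHE-RSA-AES256-SHA` although `DHE-RSA-AES128-SHA` and `DHE-DSS-AES256-SHA` are present, which is presumably the cipher Safari on iOS rejected; the code should record that, e.g. `// Explicit list (ticket #2553): DHE-RSA-AES256-SHA left out for Safari on iOS (confirm); RC4-* kept for older clients, drop when possible`. The trailing `@STRENGTH` re-sorts the suites by key length, so the written order is not necessarily the effective preference order, and `!3DES` excludes nothing that an explicit list had added. The enclosing function starts and ends outside this hunk.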