[Solved] DISABLE TLS 1.0 - SOLVED

Added by francisco over 7 years ago

Please help, I need to disable TLS 1.0 for PCI Compliance reasons.

No matter what I do, lighty keeps accepting TLS 1.0 connections and my PCI scans reject approval.

SSL Labs also says that my server still accepts TLS 1.0.
https://www.ssllabs.com/ssltest

Any ideas?

Thanks in advance for any help.

My System:

- FreeBSD 10.2
- easy-rsa-2.2.0.m
- openssl-1.0.2_14
- lighttpd-1.4.39_1

Lighttpd: (/usr/local/etc/lighttpd/lighttpd.conf)

(..)
$HTTP["host"] =~ "^(www\.)?example\.com?$" {
    ssl.use-compression = "disable" 
    ssl.use-sslv2 = "disable" 
    ssl.use-sslv3 = "disable" 
    ssl.disable-client-renegotiation = "enable" 

    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
    ssl.honor-cipher-order = "enable" 
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

    ssl.dh-file = "dhparam4096.pem" 
    ssl.ec-curve = "secp384r1" 

    ssl.ca-file = "example.com-CA.pem" 
    ssl.pemfile = "example.com.pem" 

    setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff" 
    )
}
(..)


Replies (12)

RE: DISABLE TLS 1.0 - Added by francisco over 7 years ago

I just listed my settings and the site where I got them because I ALREADY APPLIED all the instructions those sources recommend, with no success, i.e. lighttpd continues to accept the TLS 1.0 protocol, and the first answer you pointed to (3 years old) was the first one I visited, and it does not solve it.

RE: DISABLE TLS 1.0 - Added by gstrauss over 7 years ago

So it sounds like you've disabled the TLS v1.0 ciphers, but you also need to disable the TLS v1.0 protocol? Do I understand this correctly?

The next version of openssl deprecates the current interface for setting protocols, moving to a SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version(). I want to take a closer look, but am thinking about adding an interface to these in lighttpd, and translating to SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 in earlier versions of openssl.

Do you compile lighttpd from source? Can you test a patch? Or are you only allowed to use a released version of lighttpd?

RE: DISABLE TLS 1.0 - Added by gstrauss over 7 years ago

http://security.stackexchange.com/questions/83462/disabling-tls-protocol-in-protocol-level-or-in-cipher-list-level-whats-the-dif

The above link suggests that if you disable all ciphers other than ciphers that work only with TLS 1.2, that lower protocols will fail the handshake. This might be a short-term solution for you.

RE: DISABLE TLS 1.0 == SOLVED! - Added by francisco over 7 years ago

Hi! I finally GOT IT!

It was 2 things:

1) I was editing the settings in the $HTTP["host"] =~ "^(www\.)?example\.com?$" section, but the ciphers must be changed in the port 443 settings too.

2) By trial and error, I eliminated ciphers that are no longer accepted by PCI DSS (short-term solution to disable TLS 1.0).

Lighttpd: (/usr/local/etc/lighttpd/lighttpd.conf)

(..)

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    ssl.disable-client-renegotiation = "enable"

    ssl.honor-cipher-order = "enable"

    # PCI DSS compliant cipher list July/2016 (TLS 1.0 disabled)
    ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

    ssl.dh-file = "dhparam4096.pem"
    ssl.ec-curve = "secp384r1"

    ssl.ca-file = "example.com-CA.pem"
    ssl.pemfile = "example.com.pem"

    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}

(..)

$HTTP["host"] =~ "^(www\.)?example\.com?$" {
    ssl.use-compression = "disable" 
    ssl.use-sslv2 = "disable" 
    ssl.use-sslv3 = "disable" 
    ssl.disable-client-renegotiation = "enable" 

    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_lighttpd.html
    ssl.honor-cipher-order = "enable" 
    ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

    ssl.dh-file = "dhparam4096.pem" 
    ssl.ec-curve = "secp384r1" 

    ssl.ca-file = "example.com-CA.pem" 
    ssl.pemfile = "example.com.pem" 

    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubdomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff" 
    )
}

(..)
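
The solved configuration relies on the mechanism gstrauss described above: once no suite that is negotiable below TLS 1.2 remains for the server's certificate type, a TLS 1.0 client cannot complete the handshake. The check below is an added example, not code from the thread or from lighttpd, and the function names (`classify_cipher_list`, `tls10_reachable`) are my own. It classifies each explicitly named suite in an OpenSSL cipher-list string by its minimum protocol and by the certificate type it needs, and reports alias tokens such as `kEDH+AESGCM` as unresolved rather than guessing. Run against the two lists posted in this thread it shows why the socket-block list works for francisco's RSA certificate (the only SHA-1 CBC suites left, `ECDHE-ECDSA-AES*-SHA` and `DHE-DSS-AES256-SHA`, need an ECDSA or DSS certificate) and why the original host-block list still offers `CAMELLIA128-SHA` and `AES128-SHA` to a TLS 1.0 client.

```python
"""Check whether an OpenSSL cipher-list string still leaves a TLS 1.0/1.1
negotiable suite for a given certificate type.

Added example (not lighttpd's code and not from the thread).  It works on
OpenSSL suite *names* only and does not expand aliases, so compound tokens
such as 'kEDH+AESGCM' or 'EECDH+aRSA' are reported as unresolved; expand
those with `openssl ciphers -v '<list>'` before trusting the result.
"""
from dataclasses import dataclass

# Constructed inputs: the two cipher lists posted in the thread, joined onto
# single lines (the posted versions were wrapped with backslashes).
SOLVED_SOCKET_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)
ORIGINAL_HOST_LIST = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:"
    "+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:"
    "!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
)


@dataclass(frozen=True)
class Suite:
    name: str
    min_proto: str  # "TLSv1.2" or "pre-TLSv1.2"
    auth: str       # certificate type needed: "RSA", "ECDSA", "DSS", "anon", "PSK"


def suite_auth(name: str) -> str:
    """Certificate type a suite needs, derived from its OpenSSL name prefix."""
    if name.startswith(("ECDHE-ECDSA-", "ECDH-ECDSA-")):
        return "ECDSA"
    if name.startswith(("DHE-DSS-", "DH-DSS-")):
        return "DSS"
    if name.startswith(("AECDH-", "ADH-")):
        return "anon"
    if "PSK" in name:
        return "PSK"
    return "RSA"  # ECDHE-RSA-*, DHE-RSA-* and plain AES*-SHA* (RSA key transport)


def suite_min_proto(name: str) -> str:
    """TLS 1.2 introduced the AEAD (GCM/CCM/ChaCha20) and SHA-2 HMAC suites;
    a suite ending in -SHA or -MD5 (SHA-1/MD5 HMAC, CBC) is negotiable at TLS 1.0."""
    if ("-GCM-" in name or "-CCM" in name or "CHACHA20" in name
            or name.endswith(("-SHA256", "-SHA384"))):
        return "TLSv1.2"
    return "pre-TLSv1.2"


def classify_cipher_list(spec: str, cert_auth: str = "RSA") -> dict:
    """Bucket every token of an OpenSSL cipher-list string.

    legacy_negotiable: pre-TLS1.2 suites a client can pick with this cert type
    legacy_other_cert: pre-TLS1.2 suites that need a different cert type
    tls12_only:        suites that cannot be negotiated below TLS 1.2
    unresolved:        aliases/compound tokens this checker does not expand
    modifiers:         !/-/+ tokens (explicit '!NAME' applied, alias forms not)
    """
    report = {"legacy_negotiable": [], "legacy_other_cert": [], "tls12_only": [],
              "unresolved": [], "modifiers": []}
    seen = set()
    for token in (t.strip() for t in spec.split(":")):
        if not token:
            continue
        if token[0] in "!-+":
            report["modifiers"].append(token)
            continue
        if "+" in token or "-" not in token:  # OpenSSL aliases never contain '-'
            report["unresolved"].append(token)
            continue
        if token in seen:
            continue
        seen.add(token)
        suite = Suite(token, suite_min_proto(token), suite_auth(token))
        if suite.min_proto == "TLSv1.2":
            report["tls12_only"].append(suite.name)
        elif suite.auth == cert_auth:
            report["legacy_negotiable"].append(suite.name)
        else:
            report["legacy_other_cert"].append(suite.name)
    # '!NAME' permanently removes an explicitly named suite wherever it appears.
    for mod in report["modifiers"]:
        if mod.startswith("!") and "-" in mod:
            for bucket in ("legacy_negotiable", "legacy_other_cert", "tls12_only"):
                if mod[1:] in report[bucket]:
                    report[bucket].remove(mod[1:])
    return report


def tls10_reachable(spec: str, cert_auth: str = "RSA") -> bool:
    """True if a TLS 1.0/1.1 client could still complete a handshake on cipher
    choice alone (no protocol floor assumed).  Unresolved aliases may hide more."""
    return bool(classify_cipher_list(spec, cert_auth)["legacy_negotiable"])


if __name__ == "__main__":
    for label, spec in (("host block (original)", ORIGINAL_HOST_LIST),
                        ("socket block (solved)", SOLVED_SOCKET_LIST)):
        for cert in ("RSA", "ECDSA"):
            r = classify_cipher_list(spec, cert)
            print(f"{label} / {cert} cert: TLS 1.0 reachable={tls10_reachable(spec, cert)} "
                  f"legacy={r['legacy_negotiable']} unresolved={r['unresolved']}")
```

Treat a non-empty `unresolved` list as "not yet verified": expand those aliases with `openssl ciphers -v` and feed the expanded names back in. Trimming the cipher list is only a stopgap in any case; it silently stops working the moment a certificate type changes or a SHA-1 suite is added back, whereas a protocol floor (the `MinProtocol` approach gstrauss points to later in this thread) holds regardless of the suite list.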

RE: DISABLE TLS 1.0 - SOLVED - Added by gstrauss over 7 years ago

Thanks for the update! I had overlooked that you weren't configuring the SSL/TLS socket. The socket must be configured with SSL/TLS settings, and not the Host. The Host header comes after TLS negotiation (unless SNI is sent, but that is still too late)

RE: DISABLE TLS 1.0 - SOLVED - Added by francisco over 7 years ago

Yes, hehe, that's the "why" my changes to the cipher list (in HOST) were taking no effect, and thank you for the tips :-)

gstrauss wrote:

Thanks for the update! I had overlooked that you weren't configuring the SSL/TLS socket. The socket must be configured with SSL/TLS settings, and not the Host. The Host header comes after TLS negotiation (unless SNI is sent, but that is still too late)

RE: DISABLE TLS 1.0 - SOLVED - Added by AshHema over 7 years ago

Hi,
I am trying to disable TLS 1.0 through lighttpd.conf and have followed the steps mentioned in the post below:
https://redmine.lighttpd.net/projects/lighttpd/activity?from=2016-07-20
When I try this and run sslscan, I get the result below:

Supported Server Cipher(s):
ERROR: Could not open a connection to host 10.94.223.42 on port 443

Please help with your valuable suggestions.

Thanks in advance

RE: DISABLE TLS 1.0 - SOLVED - Added by gstrauss over 7 years ago

<cringe>

Please help with your valuable suggestions.

1) Don't post to an issue that has been resolved for over 5 months. Post a new issue to the support forum, and reference the related issue with a link to show that you tried to search for related issues.
2) When you do post somewhere, at least post a well-formed question. Posting "it doesn't work" is USELESS! You posted the equivalent of "I get connection refused; it's not working." Congratulations. It's not working and you have not provided any useful information that someone might be able to use to help you. Please use your favorite search engine and look at a few articles on 'how to ask a good technical question'.

Try to get a simple set up working before you make any customization. Then, make one small change at a time and test it. If a small change makes things that were working now no longer work, then look around for answers, and ask questions with that specific piece of information in your question.

RE: DISABLE TLS 1.0 - SOLVED - Added by gstrauss over 3 years ago

lighttpd 1.4.48 supports ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2"). See the lighttpd TLS documentation.
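
A socket-scoped configuration using that directive, as an added example rather than lighttpd's documentation or a config from this thread. It assumes lighttpd 1.4.48 or later built against OpenSSL 1.1.0 or later (where MinProtocol is an SSL_CONF command); the file paths, the cipher string and the host regex are placeholders. The point it makes is the one gstrauss raised earlier: TLS directives belong on the `$SERVER["socket"]` block, and the protocol floor is enforced by OpenSSL independently of which suites the cipher string happens to contain.

```lighttpd
# TLS is negotiated before lighttpd ever sees a Host header, so the protocol
# and cipher settings must live on the socket, not in a $HTTP["host"] block.
# Paths below are assumed; adjust for your install.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/usr/local/etc/lighttpd/example.com.pem"
    ssl.ca-file = "/usr/local/etc/lighttpd/example.com-CA.pem"

    # Protocol floor set in OpenSSL itself (lighttpd 1.4.48+, OpenSSL 1.1.0+).
    # Unlike a trimmed cipher list, this holds whatever suites are offered and
    # whatever certificate type is in use.  The CipherString is an example list
    # for an RSA certificate, not the list posted in this thread.
    ssl.openssl.ssl-conf-cmd = (
        "MinProtocol"  => "TLSv1.2",
        "CipherString" => "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
    )
    ssl.honor-cipher-order = "enable"
}

# Host block: routing and application headers only.  An ssl.* directive placed
# here is too late to affect the handshake.
$HTTP["host"] =~ "^(www\.)?example\.com$" {
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options"           => "DENY",
        "X-Content-Type-Options"    => "nosniff"
    )
}
```

Verify it against the lighttpd host itself, not a third-party site: `openssl s_client -connect example.com:443 -servername example.com -tls1 </dev/null` should end in a handshake failure with no certificate printed, while the same command with `-tls1_2` completes. A PCI scanner or SSL Labs performs the equivalent probe for each legacy protocol.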

RE: [Solved] DISABLE TLS 1.0 - SOLVED - Added by i_xnisarg over 3 years ago

@gstrauss
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

With this enabled, if I send the commands below:
openssl s_client -connect google.com:443 -tls1
openssl s_client -connect google.com:443 -tls1_1

lighty is still showing Google's certs.

Is there any combination with this command?

RE: [Solved] DISABLE TLS 1.0 - SOLVED - Added by gstrauss over 3 years ago

Do not post to a 4-year old discussion with a poorly-worded new question.
If you have a new question, start a new discussion. However, before doing so:
  • Do not post before reading the lighttpd TLS documentation
  • Do not post before reading the openssl s_client manual page.
  • Do not post before reviewing the output of your openssl s_client commands.
    This is not the place to ask questions about openssl s_client.