[Solved] TLS 1.2 on lighttpd 1.4.19
Added by service-it-01@foto.com almost 7 years ago
Hello,
I'm trying to disable TLS 1.0 and 1.1 by forcing TLS 1.2 on lighttpd 1.4.19 with the following command lines (found on https://cipherli.st/):

#### SSL engine
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/xx.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle"
    #ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}

But ssl.cipher-list gives an error when I try to reload:

(network.c.345) SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

If I hide it, it works perfectly.
Are the ssl.cipher-list parameters wrong, or is my lighttpd version too old?
If you have any suggestion :)
Replies (2)
RE: TLS 1.2 on lighttpd 1.4.19 - Added by gstrauss almost 7 years ago
lighttpd 1.4.19 was released over 10 years ago!!!
The version of openssl against which your lighttpd 1.4.19 is linked might be too old to support TLS 1.2.
If you choose to use a newer lighttpd linked against a more modern openssl, then you can use ssl.openssl.ssl-conf-cmd, which was added in lighttpd 1.4.48 and allows you to disable TLS 1.0 and TLS 1.1 among other things. See examples in Docs_SSL. No, this is not available before lighttpd 1.4.48.
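As an added illustration of the directive named in the reply above (this block is not from the thread or from the lighttpd documentation), here is what the questioner's socket block looks like on a lighttpd 1.4.48 or later build linked against OpenSSL 1.1.0 or later, where the minimum protocol version is set through ssl.openssl.ssl-conf-cmd rather than by disabling legacy versions one at a time. The certificate paths are the placeholders from the question, and the shortened cipher string is an assumption chosen for illustration: a cipher string only loads if every name in it is known to the OpenSSL that lighttpd is linked against, which is what the "no cipher match" error above is telling you. The comment shows how to check a string against the local library before putting it in the config.

```conf
# Added example (not from the thread or from lighttpd's docs).
# Assumes lighttpd >= 1.4.48 linked against OpenSSL >= 1.1.0.
# Certificate paths are placeholders taken from the question.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/xx.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/ca-bundle"

    # Refuse TLS 1.0 and TLS 1.1 (and SSLv3) at the OpenSSL level.
    # "MinProtocol" is an OpenSSL SSL_CONF command and needs OpenSSL >= 1.1.0;
    # on OpenSSL 1.0.2 use ("Protocol" => "-ALL, TLSv1.2") instead.
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

    # Cipher string (assumed for illustration). Verify that the linked OpenSSL
    # can resolve every name before reloading, e.g. on the server:
    #   openssl ciphers -v 'EECDH+AESGCM:EDH+AESGCM'
    # An empty result or an error there reproduces the "no cipher match" failure.
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM"
    ssl.honor-cipher-order = "enable"

    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
        "X-Frame-Options" => "DENY",
        "X-Content-Type-Options" => "nosniff"
    )
}
```

After reloading, an external check such as `openssl s_client -connect host:443 -tls1_1` should fail the handshake while `-tls1_2` succeeds; that confirms the minimum version took effect rather than merely parsing.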
RE: [Solved] TLS 1.2 on lighttpd 1.4.19 - Added by service-it-01@foto.com almost 7 years ago
Thank you gstrauss! :)
Yes, I know; I forgot to mention that it's running on Ubuntu 7.04... I have tried to update it to a newer version but it doesn't work; even gcc is too old. (I'm definitely not at all a Linux expert, far from it!)
I will ask for external help to update the server!