[Solved] Provide sane SSL configuration by default
Added by eryretqwewrqr about 10 years ago
I haven't used lighttpd for quite some time, but I found out that lighty seems to provide an insecure SSL configuration by default, by testing a few websites running lighttpd with the online tool https://www.ssllabs.com/ssltest/
It looks like lighttpd includes the insecure cipher "ADH-RC4-MD5" by default (TLS_DH_anon_WITH_RC4_128_MD5) which is for example mentioned here: http://redmine.lighttpd.net/projects/1/wiki/Docs_SSL#PCI-DSS-compliance
This information is already 7 years old (http://comments.gmane.org/gmane.comp.web.lighttpd/4289) so it is definitely time to review the ciphers!
Would it be possible to remove this insecure cipher from the default list?
The ideal would be to test a sane SSL configuration using for example the ssllabs.com tool and define that as a default in future versions of lighty.
RE: Provide sane SSL configuration by default - Added by darix about 10 years ago
- the default cipher suite depends on your copy of openssl.
- did you even read our suggested default config? 
RE: Provide sane SSL configuration by default - Added by eryretqwewrqr about 10 years ago
yep, I am sorry. I didn't read the default config.
I just set up a lighttpd on my own and the default config of both lighttpd as well as the debian default config look quite good!
RE: [Solved] Provide sane SSL configuration by default - Added by gstrauss over 2 years ago
lighttpd defaults to ssl.cipher-list = "HIGH" if one is not provided.
See lighttpd TLS documentation for a description of lighttpd TLS secure defaults.
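As an added illustration of the thread's point (not configuration from the original posts, the lighttpd project, or Debian), here is a lighttpd TLS block with the kind of cipher string the first post complains about beside a hardened one. Paths and the socket are placeholders; `ssl.cipher-list` and `ssl.honor-cipher-order` are real lighttpd directives, while `ssl.openssl.ssl-conf-cmd` is assumed to be available on a recent lighttpd/OpenSSL pairing. Because, as darix notes, the cipher string is expanded by your OpenSSL build, the hardened string excludes anonymous DH, NULL encryption, RC4 and MD5 explicitly rather than relying on what "HIGH" happens to mean on a given OpenSSL version.

```conf
# /etc/lighttpd/conf.d/ssl.conf -- added example, not shipped by lighttpd or Debian
server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # placeholder path

    # WEAK (what the first post saw): ADH = anonymous DH, no server
    # authentication, so any MITM can complete the handshake; RC4 and MD5
    # are broken. Do not use.
    # ssl.cipher-list = "ADH-RC4-MD5:RC4-SHA:ALL"

    # HARDENED: start from OpenSSL's HIGH group (lighttpd's own default when
    # ssl.cipher-list is unset), then remove suite classes HIGH may still
    # contain on older OpenSSL builds.
    ssl.cipher-list = "HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES"

    # Let the server, not the client, pick the suite.
    ssl.honor-cipher-order = "enable"

    # Assumed directive (newer lighttpd + OpenSSL >= 1.1): forbid TLS < 1.2.
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
}
```

To see what a given cipher string expands to on the machine's OpenSSL before trusting it, run `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES'` on the server and confirm no `ADH-`, `RC4` or `MD5` entries remain; `openssl ciphers -v 'HIGH'` alone shows what the bare default resolves to on that build. After reloading lighttpd, an external scan such as the ssllabs.com test mentioned in the first post is still the right end-to-end check.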