Bug #2565
closedconfig file options for disabling use of TLS versions
Description
lighttpd currently has the options ssl.use-sslv2 and ssl.use-sslv3 to control the use of SSL versions but there are no options to control the use of TLS versions. IMO adding more options in the same manner seems like a poor way of doing things. It would be better to add a new option that can control all current versions of SSL (v2 / v3) and TLS (1 / 1.1 / 1.2) and be future proof for TLS1.3 and so on.
Updated by stbuehler over 10 years ago
- Status changed from New to Wontfix
tell the openssl guys to support version selection through the cipher string - that is the only way it can be really future proof.
Updated by brad@comstyle.com over 10 years ago
stbuehler wrote:
tell the openssl guys to support version selection through the cipher string - that is the only way it can be really future proof.
Every other web server, SMTP server, proxy and so on has options for controlling this behavior except for lighttpd.
Updated by gstrauss almost 8 years ago
FYI: in the not-yet-released openssl 1.1.0: SSL_CONF_cmd https://www.openssl.org/docs/man1.1.0/ssl/SSL_CONF_cmd.html
Updated by gstrauss over 3 years ago
- Status changed from Wontfix to Fixed
- Target version set to 1.4.x
- ASK QUESTIONS IN Forums set to No
lighttpd 1.4.48 (release Nov 2017) provides a new directive to configure openssl: ssl.openssl.ssl-conf-cmd
Also available in: Atom