Turris OS packages, issue #706

Created Dec 05, 2020 by Vojtech Myslivec (@vmyslivec), Contributor

Restrict lighttpd to strong TLS cipher suites

Follow-up from #559 (closed), GitHub PR #59 and GitHub PR #63.

Since lighttpd version 1.4.56, the reasonable default TLS configuration is:

"MinProtocol" => "TLSv1.2"
"CipherString" => "HIGH"

We can consider restricting the list of cipher suites to only strong ciphers, as OpenSSL HIGH consists of not-so-high cipher suites as well...

List of cipher suites could be something like:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-CCM8
DHE-RSA-AES256-CCM8
DHE-RSA-CHACHA20-POLY1305

together with strong DH parameters (> 1024 bit).

Edited Dec 05, 2020 by Vojtech Myslivec
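
An added example, not part of the original issue: a small audit that compares what a cipher string such as HIGH expands to against the allowlist proposed above, and says why each extra suite falls outside it. It assumes a Python `ssl` module linked against OpenSSL; the function names and the sample list are constructed for illustration.

```python
import ssl

# Allowlist copied from the issue text above.
ALLOWED = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-CCM8 DHE-RSA-AES256-CCM8 DHE-RSA-CHACHA20-POLY1305
""".split()

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")

def reasons(name):
    """Properties shared by every allowlisted suite that this suite lacks."""
    out = []
    if not name.startswith(("ECDHE-", "DHE-")):
        out.append("no forward secrecy")   # static RSA/DH key exchange
    if not any(m in name for m in AEAD_MARKERS):
        out.append("not AEAD")             # CBC mode with a separate MAC
    return out

def audit(names, allowed=ALLOWED):
    """Map each suite outside the allowlist to the reasons it is excluded."""
    result = {}
    for n in names:
        # TLS 1.3 suites (TLS_*) are not controlled by CipherString.
        if n in allowed or n.startswith("TLS_"):
            continue
        result[n] = reasons(n) or ["not in allowlist"]
    return result

def cipher_string(allowed=ALLOWED):
    """Colon-separated form usable as the "CipherString" value."""
    return ":".join(allowed)

def expand(spec):
    """Suite names the local OpenSSL build selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed sample of OpenSSL suite names, used when no live expansion is wanted.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
          "AES128-SHA", "TLS_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-CCM"]

if __name__ == "__main__":
    for name, why in audit(expand("HIGH")).items():
        print(f"{name}: {', '.join(why)}")
    print(cipher_string())
```

Run against the local build, the output depends on the OpenSSL version and its security level, so the result of `expand("HIGH")` should be checked on the target system rather than assumed.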