[ssl] document new options in config example

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2814 152afb58-edef-0310-8abb-c4023f1b3aa9
11 years ago · d964e49874
1 changed files with 18 additions and 1 deletions
--- a/doc/config/lighttpd.conf
+++ b/doc/config/lighttpd.conf
@ -394,8 +394,25 @@ server.upload-dirs = ( "/var/tmp" )
 ##   $SERVER["socket"] == "10.0.0.1:443" {
 ##     ssl.engine                  = "enable"
 ##     ssl.pemfile                 = "/etc/ssl/private/www.example.com.pem"
+##     #
+##     # Mitigate BEAST attack:
+##     #
+##     # A stricter base cipher suite. For details see:
 ##     # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
-##     ssl.ciphers                 = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+##     #
+##     ssl.ciphers                 = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+##     #
+##     # Make the server prefer the order of the server side cipher suite instead of the client suite.
+##     # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
+##     # This option is enabled by default, but only used if ssl.ciphers is set.
+##     #
+##     # ssl.honor-cipher-order = "enable"
+##     #
+##     # Mitigate CVE-2009-3555 by disabling client triggered renegotation
+##     # This is enabled by default.
+##     #
+##     # ssl.disable-client-renegotiation = "enable"
+##     #
 ##     server.name                 = "www.example.com"
 ##
 ##     server.document-root        = "/srv/www/vhosts/example.com/www/"