author | Glenn Strauss <gstrauss@gluelogic.com> | 2020-10-29 06:34:21 +0300 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-04-03 03:25:19 +0300 |
commit | 6bca5df8f20af28cefba24a8b2c557713c1cbbcf (patch) | |
tree | 58874365b3bd6ea45e02bf96c53110fe57aed845 | |
parent | 4ab91583948212a38fc1f15f4618670b55963653 (diff) |
lighttpd hide empty cipher list
lighttpd show CipherString only if output.ciphers is not empty
-rw-r--r-- | src/templates/partials/lighttpd.hbs | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/templates/partials/lighttpd.hbs b/src/templates/partials/lighttpd.hbs
index 37de26a..0d5b06c 100644
--- a/src/templates/partials/lighttpd.hbs
+++ b/src/templates/partials/lighttpd.hbs
@@ -43,9 +43,11 @@ ssl.openssl.ssl-conf-cmd = ("MinProtocol" => {{#if (includes "TLSv1" output.prot
 ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3{{#unless (includes "TLSv1" output.protocols)}}, -TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}}, -TLSv1.1{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}}, -TLSv1.2{{/unless}}")
 {{/if}}
 ssl.openssl.ssl-conf-cmd += ("Options" => "{{#if output.serverPreferredOrder}}+{{else}}-{{/if}}ServerPreference")
+ {{#if output.ciphers.length}}
 # TLS modules besides mod_openssl might name ciphers differently
 # See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
 ssl.openssl.ssl-conf-cmd += ("CipherString" => "{{{join output.ciphers ":"}}}")
+ {{/if}}
 # OCSP stapling (input file must be maintained by external script)
 # https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
 #ssl.stapling-file = "/path/to/cert-staple.der"
@@ -53,7 +55,9 @@ ssl.openssl.ssl-conf-cmd += ("CipherString" => "{{{join output.ciphers ":"}}}")
 ssl.use-sslv2 = "disable"
 ssl.use-sslv3 = "disable"
 ssl.honor-cipher-order = "{{#if output.serverPreferredOrder}}enable{{else}}disable{{/if}}"
+ {{#if output.ciphers.length}}
 ssl.cipher-list = "{{{join output.ciphers ":"}}}"
+ {{/if}}
 {{/if}}
 {{else}}
 $SERVER["socket"] == ":443" {
@@ -91,7 +95,9 @@ $SERVER["socket"] == ":443" {
 ssl.use-sslv3 = "disable"
 {{/if}}
 ssl.honor-cipher-order = "{{#if output.serverPreferredOrder}}enable{{else}}disable{{/if}}"
+ {{#if output.ciphers.length}}
 ssl.cipher-list = "{{{join output.ciphers ":"}}}"
+ {{/if}}
 }
 #$SERVER["socket"] == "[::]:443" { ... } # repeat entire $SERVER["socket"] == ":443" { ... } config above for IPv6
 {{/if}} |
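Review bot: With the new `{{#if output.ciphers.length}}` guard in the first hunk, an empty `output.ciphers` produces a config with no `CipherString` at all, so cipher selection falls back to the TLS library's defaults and nothing in the generated file tells the operator. An `{{else}}` branch that emits a comment such as `# CipherString not set: cipher selection is left to the TLS library defaults` would make that fallback visible and auditable. The same applies to the two `ssl.cipher-list` guards in the second and third hunks. These hunks do not show whether an empty list only occurs alongside a protocol restriction that makes the cipher list irrelevant, so that is worth confirming, especially for the third hunk's branch. The enclosing `{{#if}}`/`{{else}}` blocks start outside the hunks.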