Harden SSL settings a bit. Verified OK with @cmb and @billm

This commit is contained in:
Scott Ullrich 2011-04-19 17:06:00 -04:00
parent 6c9cf4662e
commit 673ee7b1e8

View File

@ -1086,6 +1086,11 @@ EOD;
$lighty_config .= "## ssl configuration\n";
$lighty_config .= "ssl.engine = \"enable\"\n";
$lighty_config .= "ssl.pemfile = \"{$g['varetc_path']}/{$cert_location}\"\n\n";
// Harden SSL a bit for PCI conformance testing
$lighty_config .= "ssl.use-sslv2 = \"disable\"\n";
$lighty_config .= "ssl.cipher-list = \"TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH\"\n";
if(!(empty($ca) || (strlen(trim($ca)) == 0)))
$lighty_config .= "ssl.ca-file = \"{$g['varetc_path']}/{$ca_location}\"\n\n";
}