Disable weak SSL ciphers in lighttpd

lighttpd ssl

The testing tool https://www.ssllabs.com/ssltest/index.html tells me that my server is offering/supporting:

SSL_RSA_WITH_DES_CBC_SHA (0x9) WEAK 56
SSL_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits (p: 128, g: 128, Ys: 128) FS WEAK 56
RC4 Yes NOT DESIRABLE

At least these two weak ciphers. I'd like to support only strong ciphers. I've tried specifying

ssl.cipher-list = "HIGH:MEDIUM:!ADH"

But that has not helped. How do I tell lighttpd not to use weak ciphers for SSL?

If I can also address "Forward Secrecy (Experimental) No NOT DESIRABLE" at the same time, great.

Best Answer

Finally, here is the ultimate "secret sauce":

Pass the SSL Labs Test on Lighttpd (Mitigate the CRIME and BEAST attack, Disable SSLv2 and Enable Perfect Forward Secrecy).

Please read the link for concrete configuration directives.
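
One way to check what a cipher string such as the `ssl.cipher-list` value in the question actually selects, before reloading lighttpd, is to audit the output of `openssl ciphers -v`. This is an added example, not part of the original question or answer; the function names, the 128-bit threshold and the sample listing are constructed for illustration.

```python
import re
import subprocess

# Constructed sample in the format printed by `openssl ciphers -v`. The first
# two lines are the OpenSSL names of the two DES suites in the report above.
SAMPLE = """\
DES-CBC-SHA                 SSLv3   Kx=RSA  Au=RSA Enc=DES(56)     Mac=SHA1
EDH-RSA-DES-CBC-SHA         SSLv3   Kx=DH   Au=RSA Enc=DES(56)     Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
ENC = re.compile(r"(.+)\((\d+)\)")
EPHEMERAL_KX = {"DH", "ECDH", "any"}  # DHE, ECDHE, TLS 1.3 suites


def expand(cipher_list):
    """Ask the local OpenSSL which suites a cipher string selects."""
    done = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                          capture_output=True, text=True, check=True)
    return done.stdout


def audit(listing, min_bits=128):
    """Map each suite name to its findings; an empty list means no finding."""
    report = {}
    for line in listing.splitlines():
        fields = dict(FIELD.findall(line))
        if "Enc" not in fields:
            continue  # blank line or something that is not a suite row
        findings = []
        enc = ENC.fullmatch(fields["Enc"])
        if enc is None:
            findings.append("no encryption")  # Enc=None (eNULL suites)
        else:
            algo, bits = enc.group(1), int(enc.group(2))
            if bits < min_bits:
                findings.append(f"{algo} key is only {bits} bits")
            if algo == "RC4":
                findings.append("RC4 stream cipher")
        if fields.get("Au") == "None":
            findings.append("anonymous key exchange")
        if fields.get("Kx") not in EPHEMERAL_KX:
            findings.append("no forward secrecy")
        report[line.split()[0]] = findings
    return report
```

Run `audit(expand("HIGH:MEDIUM:!ADH"))` on the host that runs lighttpd; the result reflects that host's `openssl` binary, so any suite with a non-empty findings list is one the string would still allow there.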
