timdoug's tidbits


How to install a fully patched and up-to-date lighttpd on Debian unstable that passes Qualys SSL Labs' tests

...well, except for the cipher suites that require an OpenSSL >= 1.0.0, but that's an adventure for another day.

    wget http://redmine.lighttpd.net/attachments/download/1395/ssl-compression.diff
    wget http://ftp.us.debian.org/debian/pool/main/l/lighttpd/lighttpd_1.4.31-3.debian.tar.gz
    wget http://ftp.us.debian.org/debian/pool/main/l/lighttpd/lighttpd_1.4.31.orig.tar.gz
    tar xvzf lighttpd_1.4.31.orig.tar.gz
    cd lighttpd-1.4.31/
    tar xvzf ../lighttpd_1.4.31-3.debian.tar.gz
    vi debian/control    [and get rid of the dpkg-dev version dependency]
    vi debian/rules      [and get rid of the "export=config" line and the previous backslash]
    patch -p1 < ../ssl-compression.diff
    debuild -us -uc
    [then install all of the dependencies it barks about and try again...]
    cd ..
    sudo dpkg -i lighttpd_1.4.31-3_amd64.deb
    sudo /etc/init.d/lighttpd restart
And make sure these options are in your lighttpd ssl.conf:
    ssl.cipher-list = "RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
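After the rebuild, the easy thing to get wrong is the config: a missing `ssl.use-compression` line silently leaves the default in place, and a typo in a value is accepted by lighttpd without complaint. The checker below is an added example, not code from the post or from lighttpd; it parses the `key = "value"` lines shown above and reports each required setting as ok, wrong, or missing, and does a basic sanity scan of the `ssl.cipher-list` value for null/export/anonymous suites. The two sample configs and the `/etc/lighttpd/server.pem` path are constructed for the demo. One caveat from later years: RC4, first in the post's cipher list, has since been prohibited for TLS (RFC 7465), and the checker below does not flag it.

```python
"""Check a lighttpd ssl.conf for the TLS settings the post above requires.

Added example, not part of the original post. Parses lighttpd's simple
`key = "value"` lines and reports each hardening setting as ok/wrong/missing.
"""
import re

# Settings the post says must be present, with the expected value.
REQUIRED = {
    "ssl.honor-cipher-order": "enable",
    "ssl.use-sslv2": "disable",
    "ssl.use-sslv3": "disable",
    "ssl.use-compression": "disable",
}

# OpenSSL cipher-list tokens that have no place on a public server
# (null encryption, export grade, anonymous key exchange). Assumption of
# this example, not something the post lists.
FORBIDDEN_CIPHER_TOKENS = {"NULL", "EXP", "EXPORT", "ADH", "aNULL", "eNULL"}

# key = "value", optionally followed by a trailing '#' comment.
_LINE = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"\s*(#.*)?$')


def parse_lighttpd_conf(text):
    """Return {key: value} for simple assignments. Comment lines, block
    openers such as $SERVER["socket"] == ":443" {, and += lists are skipped."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_ssl_settings(settings):
    """Return {setting: status}; status is 'ok', 'wrong: <value>' or 'missing'.
    A missing key is reported explicitly because lighttpd falls back to its
    default instead of failing."""
    report = {}
    for key, expected in REQUIRED.items():
        if key not in settings:
            report[key] = "missing"
        elif settings[key] == expected:
            report[key] = "ok"
        else:
            report[key] = "wrong: " + settings[key]
    return report


def check_cipher_list(cipher_list):
    """Split an OpenSSL cipher string on ':' and return entries that contain a
    forbidden token. Entries negated with '!' are exclusions and are fine."""
    bad = []
    for entry in cipher_list.split(":"):
        if entry.startswith("!"):
            continue
        name = entry.lstrip("-+")
        tokens = set(name.split("-")) | {name}
        if tokens & FORBIDDEN_CIPHER_TOKENS:
            bad.append(entry)
    return bad


def audit(text):
    """Full report for one config file's text."""
    settings = parse_lighttpd_conf(text)
    result = check_ssl_settings(settings)
    cipher_list = settings.get("ssl.cipher-list", "")
    if not cipher_list:
        result["ssl.cipher-list"] = "missing"
    else:
        bad = check_cipher_list(cipher_list)
        result["ssl.cipher-list"] = "ok" if not bad else "weak: " + ",".join(bad)
    return result


# Constructed sample: the settings from the post, inside a typical socket block.
GOOD_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # constructed path
    ssl.cipher-list = "RC4-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.use-compression = "disable"
}
'''

# Constructed sample with three mistakes: SSLv3 left on, compression line
# forgotten, and a null cipher in the list.
WEAK_CONF = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # constructed path
    ssl.cipher-list = "RC4-SHA:NULL-SHA:AES128-SHA"
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "enable"   # should be disable
}
'''

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label)
        for key, status in audit(conf).items():
            print("  %-26s %s" % (key, status))
```

To run it against a live install, read `/etc/lighttpd/conf-enabled/10-ssl.conf` (or wherever the post's ssl.conf lives) into `audit()`; anything other than `ok` on every line is a reason not to restart yet.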


© 2006-24 timdoug | email: "me" at this domain