v8.20 (#6481)

- DietPi-LetsEncrypt | Updated the Lighttpd SSL config syntax and options according to latest Mozilla SSL config generator recommendation with intermediate client compatibility. Many thanks to @JappeHallunken for implementing this enhancement: #6481

CHANGELOG.txt

@@ -2,6 +2,7 @@ v8.20
 (2023-07-29)
 
 Enhancements:
+- DietPi-LetsEncrypt | Updated the Lighttpd SSL config syntax and options according to latest Mozilla SSL config generator recommendation with intermediate client compatibility. Many thanks to @JappeHallunken for implementing this enhancement: https://github.com/MichaIng/DietPi/pull/6481
 - DietPi-Software | WiFi Hotspot: The default DHCP server settings have been cleaned up and enhanced, with the default lease time increased from 10 minutes to 12 hours, the max lease time increased from 2 hours to 1 day, and the IP range extended up to 192.168.42.250.
 
 Bug fixes:

dietpi/dietpi-letsencrypt

@@ -125,19 +125,16 @@ server.modules += ( "mod_openssl" )
 	ssl.pemfile = "$fp_cert_dir/fullchain.pem"
 	ssl.privkey = "$fp_cert_dir/privkey.pem"
 
-	# For DH/DHE ciphers, dhparam should be >= 2048-bit
-	#ssl.dh-file = "/path/to/dhparam.pem"
-	# ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
-	ssl.ec-curve = "secp384r1"
-
 	# Environment flag for HTTPS enabled
 	setenv.add-environment = ( "HTTPS" => "on" )
 
 	# Intermediate configuration, tweak to your needs
-	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")
-	ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
-	ssl.honor-cipher-order = "disable"
-	ssl.disable-client-renegotiation = "enable"
+	ssl.openssl.ssl-conf-cmd = (
+		"MinProtocol" => "TLSv1.2",
+		"Options" => "-SessionTicket",
+		"Options" => "-ServerPreference",
+		"CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
+	)
 }
 # IPv6
 \$SERVER["socket"] == "[::]:443" {
@@ -146,19 +143,16 @@ server.modules += ( "mod_openssl" )
 	ssl.pemfile = "$fp_cert_dir/fullchain.pem"
 	ssl.privkey = "$fp_cert_dir/privkey.pem"
 
-	# For DH/DHE ciphers, dhparam should be >= 2048-bit
-	#ssl.dh-file = "/path/to/dhparam.pem"
-	# ECDH/ECDHE ciphers curve strength, see "openssl ecparam -list_curves"
-	ssl.ec-curve = "secp384r1"
-
 	# Environment flag for HTTPS enabled
 	setenv.add-environment = ( "HTTPS" => "on" )
 
 	# Intermediate configuration, tweak to your needs
-	ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2", "Options" => "-SessionTicket")
-	ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
-	ssl.honor-cipher-order = "disable"
-	ssl.disable-client-renegotiation = "enable"
+	ssl.openssl.ssl-conf-cmd = (
+		"MinProtocol" => "TLSv1.2",
+		"Options" => "-SessionTicket",
+		"Options" => "-ServerPreference",
+		"CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
+	)
 }
 _EOF_
 			# Bullseye: Install dedicated TLS module package and keep session tickets enabled, which is safe since Lighttpd v1.4.56: https://github.com/MichaIng/DietPi/issues/4294#issuecomment-826802056