Litespeed 5.0, apache configs and TLS

bobykus · Apr 21, 2015

With 4.2.x we have

SSLProtocol All -SSLv2 -SSLv3 -TLSv1

in httpd.conf which allows only modern ssl proto.

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-21 14:09 CEST
Nmap scan report for ....
Host is up (0.0017s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong

With the same configuration and litespeed 5 all ssl proto allowed, even in

/config/confMgr.php?m=sl_ssl&p=lsecure

Protocol Version is TLS 1.1 and 1.2 only. Please help.

wanah · Apr 22, 2015

Hello,
I didn't know about the nmap script to test available ciphers, very handy thanks !

I've just tested on our server and we have exactly the same result. SSLv3 is enabled with LS 5.0 (I've just force updated it) and not on LS 4.2.

On LS 4.2 :

Code:

|   SSLv3: No supported ciphers found

On LS 5.0 :

Code:

|   SSLv3
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL

Could this also be the reason why SSL doesn't work in SPDY enabled browsers ?

mistwang · Apr 22, 2015

We will have it addressed soon, we are out at Magento Imagine conference now.

wanah · Apr 22, 2015

Thanks for the update. We will try to be patient

(but it won't be easy as LS 5.0 brings so many good things !)

mistwang · Apr 24, 2015

It should have been addressed with 5.0 build 1. Just do

to update as usual.

MattW · Apr 24, 2015

This is still crashing, we can give you root access. Will start a PM with you

mistwang · Apr 28, 2015

Build 2 is available now, please "lsup.sh -f -v 5.0" to get it.

Litespeed 5.0, apache configs and TLS

bobykus

Well-Known Member

wanah

Well-Known Member

mistwang

LiteSpeed Staff

wanah

Well-Known Member

mistwang

LiteSpeed Staff

MattW

Well-Known Member

mistwang

LiteSpeed Staff