SSLCipher override

#1
Hello,

A customer has requested a cipher list that doesn't show any WEAK ciphers in the Qualys SSL Labs test. I configured one in httpd.conf and it should work fine; however, LiteSpeed is adding ECDHE-RSA-AES128-SHA even though I don't have it in my list:
Code:
2019-09-25 20:24:01.153263 [NOTICE] [23591] [/usr/local/lsws/conf/httpd.conf:60] SSLCipher may break Internet Explorer 11 handshake, add cipher 'ECDHE-RSA-AES128-SHA' to the list to avoid handshake failure.
Any idea how I can disable this? Client doesn't care about blocking IE11, they just don't want to see WEAK ciphers in the test.
 
#2
Their security team contacted me again today regarding this matter. Any chance I can somehow disable the automatic adding of ECDHE-RSA-AES128-SHA even though I didn't add it to my ciphers list?
 

mistwang

LiteSpeed Staff
#3
Please try the latest 5.4.5 debug build, it won't add the cipher automatically, just print a notice log now.
/usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.4.5

This change will be in 5.4.5 build 3 as well.
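
An added example, not part of the thread and not LiteSpeed's code: a Python check that audits an SSLCipher string for suites outside the AEAD set and, after the upgrade, confirms the server no longer accepts ECDHE-RSA-AES128-SHA. Assumptions: the WEAK label is taken to mean non-AEAD (CBC) suites, the cipher list is a constructed sample, and the function names are illustrative.

```python
import socket
import ssl

# Constructed sample SSLCipher value (AEAD suites only); not the poster's list.
SAMPLE_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
)
LEGACY_SUITE = "ECDHE-RSA-AES128-SHA"  # the suite named in the NOTICE log line


def non_aead_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and
    return the names of suites that are not AEAD (e.g. CBC with HMAC-SHA1)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # get_ciphers() also lists TLS 1.3 suites; those are all AEAD.
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def server_accepts(host, port, cipher, timeout=5.0):
    """Offer exactly one TLS 1.2 suite and report whether the server
    completes the handshake with it. Run this against your own server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is off because only the negotiated suite is
    # inspected here; no application data is sent over the connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Cap at TLS 1.2 so a TLS 1.3 suite cannot be negotiated instead.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except ssl.SSLError:
        return False  # handshake refused: the suite is not enabled


def audit(cipher_string, host=None, port=443):
    """Return (non-AEAD suites in the list, server result or None if no host)."""
    listed = non_aead_suites(cipher_string)
    served = server_accepts(host, port, LEGACY_SUITE) if host else None
    return listed, served
```

Calling `audit(cipher_string, "your.host")` before and after the upgrade shows whether the suite disappeared from what the server negotiates, independent of what the configured list contains.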