TLS/SSL cipher removed in version 5.4.5 build 3

Hedloff

Well-Known Member
#1
In build 3 of version 5.4.5 you have this in the changelog:

[Tuning] No longer add ECDHE-RSA-AES128-SHA cipher automatically.

But is it not supported anymore? We still have this in the Apache config, but it's not working since we updated from build 1.
And why is it removed when the version is updated?
 

Hedloff

Well-Known Member
#4
Well, then you have a bug in that build.
Please get it fixed.

We have it added in Apache config in cPanel, but it's not used when we update to build 3.

I know some users think it's weak, but many still use Internet Explorer 11 and other old browsers.
 
#5
Some users believe the cipher ECDHE-RSA-AES128-SHA is weak. https://www.litespeedtech.com/support/forum/threads/sslcipher-override.17904/#post-109080

Build 3 just removes the auto-adding function. You can just manually add it to the cPanel cipher list yourself.
We have the same issue as mentioned by @Hedloff .
Unsure how you can remove this due to one person saying it shows a weak cipher in an SSL lab test. We all know it is weak.
This build, however, crippled plenty of our servers, where many still use Windows 7 and IE 11.

I'd recommend you add it back and people who wish to have it disabled can do so manually.
 

NiteWave

Administrator
#7
"We have it added in Apache config in cPanel, but it's not used when we update to build 3."
Please double-confirm this.

I asked a few users to do the following (and I did test on one of our servers):
In WHM Home » Service Configuration » Apache Configuration » Global Configuration -> SSL Cipher Suite, please check if ECDHE-RSA-AES128-SHA is in it; if not, append it to the end of the list, then restart lsws, to see if the issue will be gone.
And confirmed it's working for build 3.
 

Pong

Administrator
Staff member
#8
Also @smegg1964,
"Unsure how you can remove this"
ECDHE-RSA-AES128-SHA is not in the cPanel default cipher list at all. LSWS did not remove that from the cipher list, but only took the initiative to automatically add it when detecting it was missing. Now LSWS won't automatically add that cipher to cPanel anymore; the user just needs to manually add it to the cPanel default list.
 

Hedloff

Well-Known Member
#10
Here is our cipher in WHM:

Code:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Then update to build 3 and do a new test on SSL Labs, and IE11 is not supported anymore and customers start calling.
So I can confirm it's a bug. Please get it fixed!
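
An exact-entry version of the check NiteWave describes in #7 (see whether ECDHE-RSA-AES128-SHA is in the SSL Cipher Suite value and append it to the end if not), run against the string posted in #10. This is an added example, not part of the thread and not LiteSpeed or cPanel code; the function names are hypothetical, and the separators and the `!`/`-` prefixes follow OpenSSL's cipher-string syntax. Entries are compared whole because a substring search also matches ECDHE-RSA-AES128-SHA256.

```python
import re

# Cipher string copied from post #10 above.
POSTED_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
TARGET = "ECDHE-RSA-AES128-SHA"


def tokens(cipher_string):
    """Split an OpenSSL-style cipher string on ':', ',' or whitespace."""
    return [t for t in re.split(r"[:,\s]+", cipher_string.strip()) if t]


def cipher_status(cipher_string, name):
    """Return 'excluded', 'listed' or 'missing' for an explicitly named cipher.

    Group keywords such as HIGH are not expanded (assumption of this example),
    so 'missing' means "not named in the string", not "never negotiable".
    """
    status = "missing"
    for tok in tokens(cipher_string):
        if tok == "!" + name:
            return "excluded"      # '!' deletes permanently; appending cannot undo it
        if tok == "-" + name:
            status = "missing"     # '-' deletes, but a later entry may re-add
        elif tok == name:
            status = "listed"
    return status


def ensure_cipher(cipher_string, name):
    """Return the string with name appended at the end unless already named."""
    status = cipher_status(cipher_string, name)
    if status == "excluded":
        raise ValueError(f"{name} is excluded with '!'; remove that entry first")
    if status == "listed":
        return cipher_string
    return cipher_string.rstrip(": ") + ":" + name


if __name__ == "__main__":
    print("substring match:", TARGET in POSTED_LIST)
    print("exact entry    :", cipher_status(POSTED_LIST, TARGET))
    print("value to paste :", ensure_cipher(POSTED_LIST, TARGET))
```

After pasting the resulting value into WHM, restart lsws as described in #7 before re-testing.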
 