Re: [openlitespeed-development] Version 1.4.25 can't disable TLSv1


George Wang

May 25, 2017, 21:06:22
To: openlitespee...@googlegroups.com


Did some tests, TLSv1 has been successfully disabled.

I think it is because your vhost level SSL configuration has TLSv1 enabled. Your test is using SNI; the SSL configuration has been switched to vhost SSL.

Best regards,

George Wang



On 5/25/2017 8:01 PM, aisonet wrote:
Hello,

Per Trustwave requirements I need to disable TLSv1 on a host but it doesn't work:

In the vhost file I have:
sslProtocol             12

And in the GUI it shows just TLS 1.1 and 1.2 checked, but both Trustwave and my test still show TLSv1 is still responding. Might this be a bug?

[root@www html]#  openssl s_client  -servername hostimchecking.com -connect hostimchecking.com:443 -tls1
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 C = US, OU = Domain Control Validated, CN = hostimchecking.com
verify return:1
---
Certificate chain
 0 s:/C=US/OU=Domain Control Validated/CN=hostimchecking.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
subject=/C=US/OU=Domain Control Validated/CN=hostimchecking.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3114 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: E1AC34371ACA1D68C319FE2EFD4C5A8AFEA446F72C88B4AEEED7FF96C37E4193
    Session-ID-ctx:
    Master-Key: 4BC0229AB191E4684CA95CC3A66943BF50691C2F53D8EE3CF62C19B1D31AD54AC4A111CDAF5AFDD020D701F0A2AA8194
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

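The diagnosis in the reply above (SNI selects the vhost SSL configuration) can be checked by repeating the `-tls1` handshake with and without SNI and comparing the two results. The script below is an added example, not part of the original thread: it assumes an OpenSSL 1.1.1 or later client (for `-noservername`), its function names and sample output are constructed, and attributing the non-SNI case to listener-level settings is an assumption about the server layout.

```shell
#!/bin/sh
# Added example. Assumes an OpenSSL 1.1.1+ client (-noservername).

# Read `openssl s_client` output on stdin and print the negotiated protocol,
# or "none". A refused handshake can still print "Protocol  : TLSv1" next to
# "Cipher    : 0000", so the cipher line is checked as well.
negotiated_proto() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)")
                print "none"
            else
                print proto
        }'
}

# probe HOST PORT FLAG [SNI_NAME]: one handshake, FLAG such as -tls1.
probe() {
    if [ -n "${4:-}" ]; then sni="-servername $4"; else sni="-noservername"; fi
    # $sni is left unquoted on purpose so it splits into option and value.
    openssl s_client -connect "$1:$2" "$3" $sni </dev/null 2>/dev/null |
        negotiated_proto
}

# verdict NO_SNI_RESULT SNI_RESULT: which configuration level accepts TLSv1.
verdict() {
    case "$1/$2" in
        none/none) echo "TLSv1 refused with and without SNI" ;;
        none/*)    echo "TLSv1 accepted only with SNI: check the vhost SSL settings" ;;
        */none)    echo "TLSv1 accepted only without SNI: check the listener SSL settings" ;;
        *)         echo "TLSv1 accepted with and without SNI" ;;
    esac
}

# Constructed sample (not from the thread): tail of a refused -tls1 handshake.
sample_refused() {
    printf '%s\n' 'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
        '    Protocol  : TLSv1' '    Cipher    : 0000'
}

# Usage: sh tls1_sni_check.sh HOST [PORT]
if [ "$#" -ge 1 ]; then
    host=$1; port=${2:-443}
    no_sni=$(probe "$host" "$port" -tls1)
    with_sni=$(probe "$host" "$port" -tls1 "$host")
    echo "no SNI: $no_sni / SNI $host: $with_sni"
    verdict "$no_sni" "$with_sni"
fi
```

A client whose own build or policy cannot offer TLSv1 also reports "none", so first confirm the client against an endpoint known to accept TLSv1.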
