Re: [openlitespeed-development] v1.4.25 SSL Cipher your best practices has issue


George Wang

May 25, 2017, 9:10:15 PM5/25/17
to openlitespee...@googlegroups.com


This should have been disabled a while ago. Not sure why your 1.4.25 is still using it.

According to https://github.com/litespeedtech/openlitespeed/blob/v1_4/src/sslpp/sslcontext.cpp

the default cipher is

"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
"DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
"kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:"
"ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
"ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
"ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
"DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
"DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:"
"DHE-RSA-AES256-SHA:"
"AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:"
"CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:"
"!MD5:!PSK:!aECDH"

Best regards,

George Wang



On 5/25/2017 8:30 PM, aisonet wrote:
Per a Trustwave scan it appears v1.4.25 SSL Cipher, when you don't specify any ciphers and let OLS use your "best practices", has an issue and has block cipher algorithms with block size of 64 bits (like DES and 3DES) enabled, or the birthday attack known as Sweet32, CVE-2016-2183.

SSLlabs.com reports the same:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 112

Just wanted to report this as a bug and to fix it asap.
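Editor's note, not part of the thread: the quickest way to see whether a cipher string actually admits a Sweet32 suite is to expand it with the local OpenSSL (`openssl ciphers -v '<string>'`) and look at the Enc= column, remembering that in OpenSSL's cipher-list syntax `!DES` removes only single-DES suites while triple DES has its own alias, `3DES`. The added Python below does that check two ways: parsing a constructed sample of `openssl ciphers -v` output that contains the suite SSL Labs flagged, and expanding the default string quoted above through the ssl module; the sample lines, the marker list and the function names are this example's own, not OpenLiteSpeed code.

```python
import re
import ssl

# Default cipher string quoted in the thread (OpenLiteSpeed v1_4 sslcontext.cpp).
OLS_DEFAULT_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH"
)

# Constructed sample of `openssl ciphers -v` output; the middle line is the
# suite SSL Labs flagged (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 0xc012).
SAMPLE_OPENSSL_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA  Au=RSA Enc=AES(128)  Mac=SHA1
"""

# 64-bit block ciphers OpenSSL can negotiate for TLS: `openssl ciphers -v` spells
# them 3DES/DES/RC2/IDEA; the ssl module reports NID names (des-ede3-cbc, rc2-cbc, ...).
BLOCK64_MARKERS = ("des", "rc2", "idea")  # "aes" does not contain "des"
ENC_FIELD = re.compile(r"\bEnc=([^\s(]+)")

def is_block64(enc_name):
    """True when the symmetric-cipher name denotes a 64-bit block cipher."""
    enc = enc_name.lower()
    return any(marker in enc for marker in BLOCK64_MARKERS)

def sweet32_from_openssl_v(text):
    """Suite names in `openssl ciphers -v` output whose Enc= is a 64-bit block cipher."""
    weak = []
    for line in text.splitlines():
        match = ENC_FIELD.search(line)
        if match and is_block64(match.group(1)):
            weak.append(line.split()[0])
    return weak

def sweet32_live(cipher_string):
    """Expand cipher_string with the local OpenSSL and list the offending suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if is_block64(c.get("symmetric") or "")]
```

Run `sweet32_live()` against the cipher string your OLS build actually installs (or against a server's negotiated list from a scan) to reproduce the Trustwave/SSL Labs finding locally; the string quoted above expands with no 64-bit block cipher.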
