SSLHonorCipherOrder

raymond

Active Member
#3
Thank you for the information. I thought the order of the ciphers had something to do with an odd result from an SSL tester. Hopefully you can shed some light on it.

I would like to use the cipher suites that CloudFlare uses, which are:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA

https://support.cloudflare.com/hc/e...at-cipher-suites-does-CloudFlare-use-for-SSL-

However the test results are a bit different. Compare:

1. https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.com&s=198.41.212.157
2. https://www.ssllabs.com/ssltest/analyze.html?d=raymond.cc

Firstly the cipher order is a bit different.

For Cloudflare, TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_SHA are stated under "Suites used only for BEAST mitigation (TLS 1.0 and earlier)".

On my server, by contrast, the two ciphers above are in positions 2 and 5.

Secondly, the handshake simulation is different for Safari 6 and 7, which use TLS 1.2.

CloudFlare uses TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA while my server uses TLS_ECDHE_RSA_WITH_RC4_128_SHA.

Could LiteSpeed be the cause of this difference?

Update: I found that CloudFlare has patched their OpenSSL which disables RC4 for connections using TLS v1.1 and above. http://blog.cloudflare.com/killing-rc4

Patch is here: https://raw.github.com/cloudflare/openssl-deprecate-rc4/master/disable_rc4.patch

Is it possible to use this patch in LiteSpeed?
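A small model of the behaviour discussed in this post, added here as an illustration and not code from LiteSpeed, CloudFlare or the linked patch. It shows how server-side cipher ordering (SSLHonorCipherOrder) lets a high-ranked RC4 suite win for a client without AES-GCM, and how refusing RC4 for TLS 1.1 and above changes the outcome; the server list is a hand-expanded subset of the cipher string quoted above, and the client offer is a constructed approximation of a Safari 6/7-style handshake, not a real capture.

```python
"""Model of TLS cipher-suite selection under SSLHonorCipherOrder.

Added example for this thread (not LiteSpeed's or CloudFlare's code).
Suite names follow OpenSSL's cipher-string spelling.
"""

# Server preference order: a hand-picked subset of what the post's
# cipher string expands to. RC4 suites sit high in the list, which is
# what SSL Labs reports as the RC4 suites being in positions 2 and 5.
SERVER_PREFS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256",
    "RC4-SHA",
    "AES256-SHA",
    "AES128-SHA",
]

# Constructed client offer: a TLS 1.2 client with no AES-GCM suites,
# standing in for the Safari 6/7 handshake simulation in the post.
CLIENT_NO_GCM = [
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA",
    "AES128-SHA",
    "RC4-SHA",
]


def select_cipher(server_prefs, client_prefs, honor_server_order=True,
                  tls_version=(1, 2), rc4_min_disabled=(1, 1)):
    """Return the suite the server would negotiate, or None if no overlap.

    honor_server_order mirrors SSLHonorCipherOrder: True walks the server
    list and takes the first suite the client offered; False walks the
    client list and takes the first suite the server supports.
    rc4_min_disabled models the RC4-disabling patch linked above (RC4 is
    refused once tls_version >= that value); pass None to keep RC4.
    """
    offered = set(client_prefs)
    available = [s for s in server_prefs if s in offered]
    if rc4_min_disabled is not None and tls_version >= rc4_min_disabled:
        available = [s for s in available if "RC4" not in s]
    if not available:
        return None
    if honor_server_order:
        return available[0]
    return next(s for s in client_prefs if s in available)
```

With RC4 left enabled the model negotiates ECDHE-RSA-RC4-SHA for this client, matching what the post reports for the LiteSpeed server; with RC4 refused at TLS 1.2 it falls through to ECDHE-RSA-AES128-SHA, matching the CloudFlare result.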