LiteSpeed Support Forums

LiteSpeed Support Forums (http://www.litespeedtech.com/support/forum/index.php)
-   Bug Reports (http://www.litespeedtech.com/support/forum/forumdisplay.php?f=9)
-   -   SSL BEAST vulnerability (?) in Litespeed 4.2.1 (http://www.litespeedtech.com/support/forum/showthread.php?t=6485)

foxyfred 12-19-2012 02:16 PM

SSL BEAST vulnerability (?) in Litespeed 4.2.1
 
I'm trying to get our server to prefer the RC4 cipher over others so that we defend against the BEAST vulnerability. Using Qualys' SSL tool, here's what I get when I scan our server:

http://cl.ly/image/2C261x0x3927

RC4 should be at the top of that list. We have changed the SSL listener settings so that only "HIGH" and "MEDIUM" ciphers are used, but still see this issue. Any ideas?

foxyfred 12-20-2012 10:51 AM

OK, managed to fix this by manually editing the Litespeed listener configuration. I used the ciphers recommended for fixing the BEAST vulnerability in Apache:

Code:

<listener>
  <!-- ... -->
  <ciphers>ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL</ciphers>
</listener>

The web interface seems useless in this case. Hope this helps someone figure this out in the future!
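The fix above works because a server that honours its own cipher order picks the first suite in *its* list that the client also offers, so putting RC4 ahead of HIGH changes what a TLS 1.0 client ends up with. The script below is an added example, not code from the thread or from LiteSpeed: it models a subset of OpenSSL's cipher-string grammar (plain, `!`, `-` and `+` tokens) over a small constructed suite table, expands both the "HIGH:MEDIUM" setting and the poster's string, and negotiates against a constructed TLS 1.0 ClientHello. The suite table and client offer are assumptions made for the example; RC4 has since been prohibited for TLS by RFC 7465, so the mechanism (server order decides), not the RC4 choice, is the part that still applies.

```python
"""Cipher-string expansion and server-preference negotiation, simulated.

Added example (not LiteSpeed's or the poster's code). A toy model of how an
OpenSSL-style cipher string becomes an ordered suite list, and how a server
that honours its own order picks the suite a client ends up with.
Only a subset of OpenSSL's grammar is modelled (plain, '!', '-', '+' tokens),
and the suite table below is constructed, not the library's real table.
"""

# Constructed suite table in "library order" (the order the library would
# emit matching suites in). Each suite carries the keyword tags it matches.
SUITES = [
    ("ECDHE-RSA-AES256-SHA384", {"HIGH", "AES", "CBC", "SHA384", "kECDHE"}),
    ("AES256-SHA256",           {"HIGH", "AES", "CBC", "SHA256", "kRSA"}),
    ("AES128-GCM-SHA256",       {"HIGH", "AES", "AESGCM", "SHA256", "kRSA"}),
    ("DHE-RSA-AES256-SHA",      {"HIGH", "AES", "CBC", "SHA1", "EDH"}),
    ("AES256-SHA",              {"HIGH", "AES", "CBC", "SHA1", "kRSA"}),
    ("AES128-SHA",              {"HIGH", "AES", "CBC", "SHA1", "kRSA"}),
    ("DES-CBC3-SHA",            {"HIGH", "3DES", "CBC", "SHA1", "kRSA"}),
    ("RC4-SHA",                 {"MEDIUM", "RC4", "STREAM", "SHA1", "kRSA"}),
    ("RC4-MD5",                 {"MEDIUM", "RC4", "STREAM", "MD5", "kRSA"}),
    ("ADH-AES128-SHA",          {"HIGH", "AES", "CBC", "SHA1", "aNULL"}),
    ("NULL-SHA",                {"eNULL", "SHA1", "kRSA"}),
]
TAGS = dict(SUITES)

# The string the poster put into <ciphers>, and a constructed ClientHello
# from a TLS 1.0-only browser (no ECDHE or SHA-2 suites), in client order.
THREAD_CIPHER_STRING = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:"
                        "!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL")
CLIENT_OFFER = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]


def matching(word):
    """Suites selected by one word: an exact suite name or a keyword tag."""
    return [name for name, tags in SUITES if name == word or word in tags]


def expand(cipher_string):
    """Turn a cipher string into the ordered list a server would advertise."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = matching(word)
        if op == "!":                     # remove and forbid re-adding
            killed.update(hits)
            selected = [s for s in selected if s not in hits]
        elif op == "-":                   # remove, but a later token may re-add
            selected = [s for s in selected if s not in hits]
        elif op == "+":                   # move already-selected hits to the end
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:                             # append new matches in library order
            selected += [s for s in hits if s not in killed and s not in selected]
    return selected


def negotiate(server_order, client_offer, server_preference=True):
    """First suite both sides support, honouring whichever side's order wins."""
    first, second = ((server_order, client_offer) if server_preference
                     else (client_offer, server_order))
    for suite in first:
        if suite in second:
            return suite
    return None


def uses_cbc(suite):
    """True for block-cipher CBC suites (the ones BEAST targets under TLS 1.0)."""
    return "CBC" in TAGS[suite]


if __name__ == "__main__":
    for label, cs in (("HIGH:MEDIUM (web console)", "HIGH:MEDIUM"),
                      ("thread's string", THREAD_CIPHER_STRING)):
        order = expand(cs)
        chosen = negotiate(order, CLIENT_OFFER)
        print(f"{label}: order={order}")
        print(f"  negotiated {chosen} (CBC: {uses_cbc(chosen)})")
```

Running it shows "HIGH:MEDIUM" negotiating AES256-SHA (a CBC suite) with the TLS 1.0 client, while the thread's string negotiates RC4-SHA; passing `server_preference=False` to `negotiate` shows the client's order winning instead, which is why the listener must honour server order for any cipher string to have the intended effect.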

mistwang 12-20-2012 12:23 PM

Just remember that your modification could be overwritten the next time you update the SSL configuration from the web console.

You can try the latest build 4.2.1; it should give RC4 priority when you configure SSL from the web console.

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.1


All times are GMT -7.