SSL BEAST vulnerability (?) in Litespeed 4.2.1

Discussion in 'Bug Reports' started by foxyfred, Dec 19, 2012.

  1. foxyfred (New Member)

    I'm trying to get our server to prefer the RC4 cipher over others so that we defend against the BEAST vulnerability. Using Qualys' SSL tool, here's what I get when I scan our server:

    http://cl.ly/image/2C261x0x3927

    RC4 should be at the top of that list. We have changed the SSL listener settings so that only "HIGH" and "MEDIUM" ciphers are used, but still see this issue. Any ideas?
  2. foxyfred (New Member)

    OK, managed to fix this by manually editing the Litespeed listener configuration. I used the ciphers recommended for fixing the BEAST vulnerability in Apache:

    Code:
    <listener>
    <!-- ... -->
          <ciphers>ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL</ciphers>
    </listener>
    
    The web interface seems useless in this case. Hope this helps someone figure this out in the future!
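To see what a cipher string like the one in the listener above actually does to the server's preference order, and why the TLS 1.2 CBC suites and RC4 are placed ahead of HIGH, here is an added example (not LiteSpeed or OpenSSL code, and not the poster's): a small Python model of OpenSSL cipher-string resolution over a constructed suite table, followed by server-preference negotiation against a TLS 1.0 and a TLS 1.2 client. The suite table, the two client offers, the plain "HIGH:MEDIUM" string standing in for the console setting from the first post, and the subset of cipher-string grammar implemented are all assumptions; on a real server the authoritative list comes from `openssl ciphers -v '<string>'`.

```python
"""Model how an OpenSSL-style cipher string resolves into a server preference
list, and which suite a TLS 1.0 or TLS 1.2 client then ends up with.

Added example, not LiteSpeed or OpenSSL code.  The suite table is constructed,
and the grammar is a simplified subset of OpenSSL's: ':'-separated tokens,
'!' as permanent exclusion, keyword aliases, 'A+B' conjunction.  The '-' and
'+' prefixes and '@STRENGTH' are not modelled; unknown tokens select nothing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str           # key exchange: RSA, DHE, ECDHE
    auth: str         # RSA, or aNULL for anonymous
    enc: str          # AES256, AESGCM256, RC4, NULL
    mac: str          # SHA1, SHA256, SHA384, MD5, AEAD
    min_version: str  # lowest protocol version the suite can be used with
    strength: str     # HIGH / MEDIUM / NONE, as OpenSSL's aliases group them


# Constructed table, in the order OpenSSL would list them for "ALL".
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA", "AESGCM256", "AEAD", "TLSv1.2", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA384", "ECDHE", "RSA", "AES256", "SHA384", "TLSv1.2", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "RSA", "AES256", "SHA1", "SSLv3", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DHE", "RSA", "AES256", "SHA1", "SSLv3", "HIGH"),
    Suite("AES256-GCM-SHA384", "RSA", "RSA", "AESGCM256", "AEAD", "TLSv1.2", "HIGH"),
    Suite("AES256-SHA256", "RSA", "RSA", "AES256", "SHA256", "TLSv1.2", "HIGH"),
    Suite("AES256-SHA", "RSA", "RSA", "AES256", "SHA1", "SSLv3", "HIGH"),
    Suite("ADH-AES256-SHA", "DHE", "aNULL", "AES256", "SHA1", "SSLv3", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA1", "SSLv3", "MEDIUM"),
    Suite("RC4-MD5", "RSA", "RSA", "RC4", "MD5", "SSLv3", "MEDIUM"),
    Suite("NULL-SHA", "RSA", "RSA", "NULL", "SHA1", "SSLv3", "NONE"),
]

# Keyword aliases used by the posted string (OpenSSL has many more).
KEYWORDS = {
    "HIGH":   lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "RC4":    lambda s: s.enc == "RC4",
    "AESGCM": lambda s: s.enc.startswith("AESGCM"),
    "MD5":    lambda s: s.mac == "MD5",
    "aNULL":  lambda s: s.auth == "aNULL",
    "eNULL":  lambda s: s.enc == "NULL",
    "EDH":    lambda s: s.kx == "DHE",
}


def _matcher(word):
    """A keyword alias or a literal suite name; anything else matches nothing."""
    if word in KEYWORDS:
        return KEYWORDS[word]
    if any(s.name == word for s in SUITES):
        return lambda s: s.name == word
    return lambda s: False  # e.g. the posted "SSLV2" is looked up exactly here


def resolve(cipher_string, suites=SUITES):
    """Return the server's preference list (suite names) for cipher_string."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        negate = token.startswith("!")
        preds = [_matcher(w) for w in token.lstrip("!").split("+")]
        matching = [s.name for s in suites if all(p(s) for p in preds)]
        if negate:  # '!' removes now and for every later token
            banned.update(matching)
            selected = [n for n in selected if n not in banned]
        else:       # append new matches in table order; existing ones keep their place
            selected += [n for n in matching if n not in banned and n not in selected]
    return selected


VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
_BY_NAME = {s.name: s for s in SUITES}


def negotiate(server_prefs, client_offer, version):
    """Server-preference negotiation: the first suite the server prefers that
    the client offered and that the negotiated protocol version permits."""
    for name in server_prefs:
        if name in client_offer and VERSIONS.index(_BY_NAME[name].min_version) <= VERSIONS.index(version):
            return name
    return None


def beast_exposed(name, version):
    """BEAST needs a CBC suite under SSL 3.0 / TLS 1.0 (chained IVs); TLS 1.1+
    uses explicit per-record IVs, and RC4 / GCM are not CBC at all."""
    enc = _BY_NAME[name].enc
    cbc = enc not in ("RC4", "NULL") and not enc.startswith("AESGCM")
    return cbc and VERSIONS.index(version) < VERSIONS.index("TLSv1.1")


# The string from the post, and two constructed client offers.
POSTED = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL"
TLS10_CLIENT = ["AES256-SHA", "RC4-SHA"]
TLS12_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
                "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for label, cs in (("console-style HIGH:MEDIUM", "HIGH:MEDIUM"), ("posted string", POSTED)):
        prefs = resolve(cs)
        print(f"{label}: {prefs}")
        for client, ver in ((TLS10_CLIENT, "TLSv1.0"), (TLS12_CLIENT, "TLSv1.2")):
            chosen = negotiate(prefs, client, ver)
            exposed = beast_exposed(chosen, ver) if chosen else "n/a"
            print(f"  {ver} client -> {chosen}, BEAST-exposed: {exposed}")
```

Under the posted string the TLS 1.0 client lands on RC4-SHA and the TLS 1.2 client on ECDHE-RSA-AES256-SHA384, while under plain HIGH:MEDIUM the same TLS 1.0 client gets AES256-SHA, a CBC suite under TLS 1.0, which is exactly the BEAST case. Two things worth checking against real `openssl ciphers -v` output: HIGH on its own also pulls in the anonymous ADH suites (hence the `!aNULL`), and the token `!SSLV2` is looked up exactly in this model and selects nothing, since OpenSSL spells that alias `SSLv2`.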
  3. mistwang (LiteSpeed Staff)

    Just remember that your modification could be overwritten next time you update configuration of SSL from web console.

    You can try the latest build 4.2.1, it should give RC4 priority when you configure SSL from the web console.

    /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.1
