SSLHonorCipherOrder

Discussion in 'General' started by raymond, Mar 27, 2014.

  1. raymond

    raymond New Member

  2. mistwang

    mistwang LiteSpeed Staff

    LiteSpeed SSL always follows the server's preference.
  3. raymond

    raymond New Member

    Thank you for the information. I thought the order of the cipher has got something to do with an odd result of an SSL tester. Hopefully you can shed some light on it.

    I would like to use the cipher suites that CloudFlare uses, which are:

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!CAMELLIA

    https://support.cloudflare.com/hc/e...at-cipher-suites-does-CloudFlare-use-for-SSL-

    However the test results are a bit different. Compare:

    1. https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.com&s=198.41.212.157
    2. https://www.ssllabs.com/ssltest/analyze.html?d=raymond.cc

    Firstly the cipher order is a bit different.

    For Cloudflare, TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_SHA are stated under "Suites used only for BEAST mitigation (TLS 1.0 and earlier)".

    On my server, the two ciphers above are in positions 2 and 5.

    Secondly, the handshake simulation is different for Safari 6 and 7, which use TLS 1.2.

    CloudFlare uses TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA while my server uses TLS_ECDHE_RSA_WITH_RC4_128_SHA.

    Could LiteSpeed be the cause of this difference?

    Update: I found that CloudFlare has patched their OpenSSL which disables RC4 for connections using TLS v1.1 and above. http://blog.cloudflare.com/killing-rc4

    Patch is here: https://raw.github.com/cloudflare/openssl-deprecate-rc4/master/disable_rc4.patch

    Is it possible to use this patch in LiteSpeed?
    Last edited: Mar 28, 2014
  4. mistwang

    mistwang LiteSpeed Staff

    If the patch gets into the official OpenSSL release, we will use it.
  5. raymond

    raymond New Member

    Is there any possibility to manually use this patch on the current LiteSpeed?
  6. mistwang

    mistwang LiteSpeed Staff

    No. LiteSpeed is statically linked with the official OpenSSL lib.
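
Added example, not part of the thread and not LiteSpeed, CloudFlare or OpenSSL code: a toy model of server-preference cipher selection showing why the same cipher string yields RC4 for a TLS 1.2 client on one server and AES-CBC on a server that restricts RC4 to TLS 1.0. The client offer list, the function `negotiate` and its parameters are assumptions made for illustration.

```python
# Toy model of TLS cipher selection; it performs no real handshake.
TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)  # wire protocol versions

# First five entries of the cipher string quoted in the thread (OpenSSL names);
# the trailing "RC4" keyword is represented here by RC4-SHA only.
SERVER_PREF = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256",
    "RC4-SHA",
]

# Constructed client offer (assumption): TLS 1.2 capable, no GCM suites,
# listing CBC before RC4.
CLIENT_OFFER = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-RC4-SHA", "RC4-SHA"]


def negotiate(server_pref, client_offer, version, honor_server_order=True,
              rc4_only_tls10=False):
    """Return the suite picked, or None when there is no common suite."""
    def allowed(suite):
        # Version gate described in the thread: no RC4 on TLS 1.1 and above.
        return not (rc4_only_tls10 and "RC4" in suite and version > TLS1_0)

    if honor_server_order:
        ordered, other = server_pref, set(client_offer)
    else:
        ordered, other = client_offer, set(server_pref)
    for suite in ordered:
        if suite in other and allowed(suite):
            return suite
    return None


if __name__ == "__main__":
    for gate in (False, True):
        for ver, name in ((TLS1_0, "TLS 1.0"), (TLS1_2, "TLS 1.2")):
            pick = negotiate(SERVER_PREF, CLIENT_OFFER, ver, rc4_only_tls10=gate)
            print(f"rc4 gate={gate!s:5} {name}: {pick}")
```

With the gate off, the second-place RC4 suite wins for any client lacking GCM; with it on, RC4 is still chosen at TLS 1.0 but skipped at TLS 1.1 and above.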
