TLS/SSL cipher removed in version 5.4.5 build 3

[Hedloff]

In build 3 of version 5.4.5 you have this in changelog:

[Tuning] No longer add ECDHE-RSA-AES128-SHA cipher automatically.

But is it not supported anymore? We still have this in Apache config, but it's not working when we updated from build 1.
And why is it removed when version is updated?

 

[Hedloff]

I downgraded to build 2 and now cipher is loaded.
How can we fix this in build 3?

 

[Pong]

Some user believes the cipher ECDHE-RSA-AES128-SHA is weak. https://www.litespeedtech.com/support/forum/threads/sslcipher-override.17904/#post-109080

Build 3 just remove the auto adding function. You can just manually add to cpanel cipher yourself.

 

[Hedloff]

Well, then you have a bug in that build.
Please get it fixed.

We have it added in Apache config in cPanel, but it's not used when we update to build 3.

I know some users think it's weak, but many still uses Internet Explorer 11 and other old browsers.

 

[smegg1964]

Some user believes the cipher ECDHE-RSA-AES128-SHA is weak. https://www.litespeedtech.com/support/forum/threads/sslcipher-override.17904/#post-109080

Build 3 just remove the auto adding function. You can just manually add to cpanel cipher yourself.

We have the same issue as mentioned by @Hedloff .
Unsure how you can remove this due to one person saying it shows a weak cipher in a SSL lab test. We all know it is weak.
This build however crippled plenty of our servers where still many use Windows 7 and IE 11.

I'd recommend you add it back and people who wish to have it disabled can do so manually.

 

[Hedloff]

Really hope you can get this fixed in the next build so we can update without issues for our customers!

 

[NiteWave]

We have it added in Apache config in cPanel, but it's not used when we update to build 3.

please double confirm this.

I asked a few users to do following(and I did test on one of our server):
in WHM Home »Service Configuration »Apache Configuration »Global Configuration -> SSL Cipher Suite, please check if ECDHE-RSA-AES128-SHA in it, if not, append it to the end of the list, then restart lsws, to see if the issue will be gone.
and confirmed it's working. for build 3.

 

[Pong]

also @smegg1964,

Unsure how you can remove this

ECDHE-RSA-AES128-SHA is not in cpanel default cipher list at all. LSWS did not remove that from cipher list, but only took initiative step to automatically add it when detecting it is missing. Now LSWS won't automatically add that cipher to cpanel anymore, user just need to manually add it to cpanel default list.

 

[Pong]

Please check here for the cipher explanation. https://docs.litespeedtech.com/cpanel/tunings/#customize-ssl-ciphers

 

[Hedloff]

Here is our cipher in WHM:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Then update to build 3 and do a new test on sslabs and IE11 is not supported anymore and customers start calling.
So I can confirm it's a bug. Please get it fixed!

 

[NiteWave]

ECDHE-RSA-AES128-SHA256 is in list, but ECDHE-RSA-AES128-SHA not! they are different cipher.