SSL Configuration - Full Chain and Ciphers

#1
Having difficulty changing my configuration for the following:

  • Add the Full Chain into the certificate
  • Specify the Ciphers so that 'weak' ones are not enabled

Following advice from other posts the below was done but it's not working! Can anyone help please?

Screenshot 2024-05-23 at 12.51.49 PM.png
 
Last edited:
#3
Do you mean the TLS 1.0 and 1.1 are still enabled? or the cipher is using 128?
Is there any screenshot of SSL Lab Test?
Hi @Cold-Egg - thanks for responding! So, the TLS 1.0 and 1.1 disabling worked just fine but adding the Full Chain into the certificate and specifying the Ciphers to use did not.

Here's what I'm trying to address in the SSL Lab Test:

CleanShot 2024-05-23 at 18.11.19@2x.png
 
#5
See these recommendations from Mozilla:

https://ssl-config.mozilla.org/

I use the intermediate configuration and I get A+ on ssllabs

Code:
Protocol: TLSv1.2 TLSv1.3;

Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 
#6
See these recommendations from Mozilla:

https://ssl-config.mozilla.org/

I use the intermediate configuration and I get A+ on ssllabs

Code:
Protocol: TLSv1.2 TLSv1.3;

Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

Thanks @nfn - how do you apply that in the openlitespeed admin?
 

Cold-Egg

Administrator
#8
According to many contexts: ciphers that use RSA key exchange or CBC mode are considered less secure.

If you use an RSA key, please generate it with more than 3072 bits, or use the ECC cert with 384+ bit, then it should clean up some warnings. The only warning I can't get rid of is CBC cipher even if I set `!CBC`. Maybe you can looking to this part further.
 
Top