SSL Configuration - Full Chain and Ciphers

U

usOC22

New Member
#1
#1
Having difficulty changing my configuration for the following:

  • Add the Full Chain into the certificate
  • Specify the Ciphers so that 'weak' ones are not enabled

Following advice from other posts the below was done but it's not working! Can anyone help please?

Screenshot 2024-05-23 at 12.51.49 PM.png
 
Last edited:
U

usOC22

New Member
#3
#3
Cold-Egg said:
Do you mean the TLS 1.0 and 1.1 are still enabled? or the cipher is using 128?
Is there any screenshot of SSL Lab Test?
Click to expand...
Hi @Cold-Egg - thanks for responding! So, the TLS 1.0 and 1.1 disabling worked just fine but adding the Full Chain into the certificate and specifying the Ciphers to use did not.

Here's what I'm trying to address in the SSL Lab Test:

CleanShot 2024-05-23 at 18.11.19@2x.png
 
N

nfn

Member
#5
#5
See these recommendations from Mozilla:

https://ssl-config.mozilla.org/

I use the intermediate configuration and I get A+ on ssllabs

Code: 
Protocol: TLSv1.2 TLSv1.3;

Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 
U

usOC22

New Member
#6
#6
nfn said:
See these recommendations from Mozilla:

https://ssl-config.mozilla.org/

I use the intermediate configuration and I get A+ on ssllabs

Code: 
Protocol: TLSv1.2 TLSv1.3;

Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
Click to expand...

Thanks @nfn - how do you apply that in the openlitespeed admin?
 
Cold-Egg

Cold-Egg

Administrator
#8
#8
According to many contexts: ciphers that use RSA key exchange or CBC mode are considered less secure.

If you use an RSA key, please generate it with more than 3072 bits, or use the ECC cert with 384+ bit, then it should clean up some warnings. The only warning I can't get rid of is CBC cipher even if I set `!CBC`. Maybe you can looking to this part further.
 
gizmo

gizmo

New Member
#9
#9
Hi @usOC22 and @Cold-Egg,

In case you still haven't had any success with this, I found a solution that works and gets rid of CBC ciphers!
Set Ciphers in Virtual Hosts > SSL to this: EECDH+ECDSA+AESGCM
(It won't work under Listeners Ciphers since Virtual Hosts default config overrides it)

1741701453245.png

SSL Labs Test result:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1741701407673.png

Alternatively, you can try this: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
(This was taken from https://ssl-config.mozilla.org/ Apache intermediate config, but removed all the RSA and DHE stuff)

It will add TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 to the above.
 
You must log in or register to reply here.
Top