SHA1 key exchange

#1
Hello

According to "internet.nl", the tests I run on my domain indicate that I am using SHA1 for Key Exchange.

My version is the latest, 1.9, and I only accept TLS 1.3 and 1.2.

The description of "internet.nl" is:
Hash function for key exchange
Verdict:
Your web server supports one or more insufficiently secure hash functions for key exchange
We check if your web server supports secure hash functions to create the digital signature during key exchange.
The web server uses a digital signature during the key exchange to prove ownership of the secret key corresponding to the certificate. The web server creates this digital signature by signing the output of a hash function.
Note that this subtest is only relevant for TLS 1.2. The supported hash functions can be configured via a separate TLS setting (e.g. SignatureAlgorithms in OpenSSL) and are not part of the cipher suite configuration.
For more details on the status of SHA-1 and MD5, see RFC 9155. We do not test for MD5 because it is only supported by very outdated software.
See 'Transport Layer Security (TLS), Security guidelines version 2025-05' from NCSC-NL, paragraph 3.3.5.

My question is whether this is configurable on OpenLiteSpeed, so that only sha256 is used?

Thanks
 
#2
This finding refers to TLS 1.2 signature hash alg with OpenSSL. Modern clients will negotiate SHA-256 where supported.
SHA-1 is only present for legacy compatibility and is not actively used in modern handshakes.
Currently, OpenLiteSpeed does not offer such a configuration. If you really need to disable it, you may have to rebuild OLS with the OpenSSL library while disabling the SHA-1 option.
 
#3
Good morning.
Yes, I know that most clients trade in SHA-256, but I would like to disable it. I thought this was possible through OLS configuration. A recompilation is not in my plans, so I prefer to wait for a possible new version that disables this hash method, which is discontinued. Is this on the roadmap for new versions?
Out of curiosity, is the "rebuild OLS with the OpenSSL library while disabling the SHA-1 option" documented? If so, could you share this information?
Thank you very much for your help.
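
The hash that the internet.nl subtest reports is carried in the TLS 1.2 ServerKeyExchange message, separate from the cipher suite. The following is an added example, not part of the thread and not OpenLiteSpeed or internet.nl code: it parses that message and flags an MD5 or SHA-1 signature hash. The function names are illustrative and the sample messages are constructed with all-zero key and signature bytes.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# RSA-PSS schemes from RFC 8446 that a TLS 1.2 server may also pick (hash implied)
SCHEMES = {0x0804: ("rsa_pss_rsae", "sha256"), 0x0805: ("rsa_pss_rsae", "sha384"),
           0x0806: ("rsa_pss_rsae", "sha512")}
WEAK = {"md5", "sha1"}  # signature hashes deprecated by RFC 9155


def ske_signature_algorithm(msg: bytes, kx: str = "ECDHE"):
    """Return (signature, hash, is_weak) for a TLS 1.2 ServerKeyExchange message."""
    if len(msg) < 4 or msg[0] != 12:  # handshake type 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if kx == "ECDHE":
        if len(body) < 4 or body[0] != 3:  # curve_type 3 = named_curve
            raise ValueError("expected named_curve ECDH parameters")
        pos = 4 + body[3]  # curve_type(1) + curve id(2) + point length(1) + point
    elif kx == "DHE":
        pos = 0
        for _ in range(3):  # dh_p, dh_g, dh_Ys each carry a 2-byte length prefix
            pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
    else:
        raise ValueError("unsupported key exchange: " + kx)
    if len(body) < pos + 4:
        raise ValueError("message ends before the signature algorithm")
    code, sig_len = struct.unpack_from("!HH", body, pos)
    if len(body) != pos + 4 + sig_len:
        raise ValueError("signature length does not match message length")
    if code in SCHEMES:
        sig, digest = SCHEMES[code]
    else:
        digest = HASHES.get(code >> 8, "hash_%d" % (code >> 8))
        sig = SIGS.get(code & 0xFF, "sig_%d" % (code & 0xFF))
    return sig, digest, digest in WEAK


def build_sample(hash_id: int, sig_id: int) -> bytes:
    """Constructed ECDHE message (X25519, all-zero key and signature), not a capture."""
    params = bytes([3]) + (29).to_bytes(2, "big") + bytes([32]) + bytes(32)
    body = params + bytes([hash_id, sig_id]) + (64).to_bytes(2, "big") + bytes(64)
    return bytes([12]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for pair in [(2, 1), (4, 3), (8, 4)]:  # rsa+sha1, ecdsa+sha256, rsa_pss_rsae_sha256
        print(pair, ske_signature_algorithm(build_sample(*pair)))
```

The input is the handshake message without the 5-byte TLS record header, as it would be extracted from a capture of a TLS 1.2 handshake with your own server.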
 