SSL Configuration - Full Chain and Ciphers

[usOC22]

Having difficulty changing my configuration for the following:

• Add the Full Chain into the certificate
• Specify the Ciphers so that 'weak' ones are not enabled

Following advice from other posts the below was done but it's not working! Can anyone help please?

 

[Cold-Egg]

Do you mean the TLS 1.0 and 1.1 are still enabled? or the cipher is using 128?
Is there any screenshot of SSL Lab Test?

 

[usOC22]

Do you mean the TLS 1.0 and 1.1 are still enabled? or the cipher is using 128?
Is there any screenshot of SSL Lab Test?

Hi @Cold-Egg - thanks for responding! So, the TLS 1.0 and 1.1 disabling worked just fine but adding the Full Chain into the certificate and specifying the Ciphers to use did not.

Here's what I'm trying to address in the SSL Lab Test:

 

[usOC22]

Is anyone else able to help with this at all? Thanks!

 

[nfn]

See these recommendations from Mozilla:

https://ssl-config.mozilla.org/

I use the intermediate configuration and I get A+ on ssllabs

Protocol: TLSv1.2 TLSv1.3;

Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

 

[usOC22]

See these recommendations from Mozilla:

https://ssl-config.mozilla.org/

I use the intermediate configuration and I get A+ on ssllabs

Protocol: TLSv1.2 TLSv1.3;

Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

Thanks @nfn - how do you apply that in the openlitespeed admin?

 

[usOC22]

Is anyone able to help with this or should I email support@litespeedtech.com for assistance? Thanks!

 

[Cold-Egg]

According to many contexts: ciphers that use RSA key exchange or CBC mode are considered less secure.

If you use an RSA key, please generate it with more than 3072 bits, or use the ECC cert with 384+ bit, then it should clean up some warnings. The only warning I can't get rid of is CBC cipher even if I set `!CBC`. Maybe you can looking to this part further.