SSL BEAST vulnerability (?) in Litespeed 4.2.1

#1
I'm trying to get our server to prefer the RC4 cipher over others so that we defend against the BEAST vulnerability. Using Qualys' SSL tool, here's what I get when I scan our server:

http://cl.ly/image/2C261x0x3927

RC4 should be at the top of that list. We have changed the SSL listener settings so that only "HIGH" and "MEDIUM" ciphers are used, but still see this issue. Any ideas?
 
#2
OK, managed to fix this by manually editing the Litespeed listener configuration. I used the ciphers recommended for fixing the BEAST vulnerability in Apache:

Code:
<listener>
  <!-- ... -->
  <ciphers>ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL</ciphers>
</listener>
The web interface seems useless in this case. Hope this helps someone figure this out in the future!
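To see why the order of the tokens in that cipher string matters, the added example below (not from this thread, and not LiteSpeed, Apache or OpenSSL code) resolves an OpenSSL-style cipher string into the ordered suite list a server would offer, then shows which suite a client that only speaks TLS 1.0 would end up with versus a TLS 1.2 client. The suite table is a constructed subset with hand-assigned keywords and minimum TLS versions, and `CONSOLE_SPEC` is an assumption standing in for what a "HIGH" plus "MEDIUM" selection roughly produces; real OpenSSL builds know many more suites.

```python
"""Resolve an OpenSSL-style cipher string (server-preferred order) and find
the first suite usable by a client of a given TLS version.

Added example, not code from the forum thread or from LiteSpeed/OpenSSL.
SUITES is a constructed subset; keywords and TLS versions are hand-assigned.
"""

# Constructed table: suite name -> (OpenSSL keywords it belongs to, minimum TLS version)
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": ({"HIGH", "AESGCM", "kEECDH"}, "TLSv1.2"),
    "ECDHE-RSA-AES256-SHA384":     ({"HIGH", "kEECDH", "SHA384"}, "TLSv1.2"),
    "DHE-RSA-AES256-SHA":          ({"HIGH", "EDH", "SHA1"},      "TLSv1.0"),
    "AES256-SHA256":               ({"HIGH", "SHA256"},           "TLSv1.2"),
    "AES128-SHA":                  ({"HIGH", "SHA1"},             "TLSv1.0"),
    "RC4-SHA":                     ({"MEDIUM", "RC4", "SHA1"},    "TLSv1.0"),
    "RC4-MD5":                     ({"MEDIUM", "RC4", "MD5"},     "TLSv1.0"),
    "DES-CBC3-SHA":                ({"MEDIUM", "3DES", "SHA1"},   "TLSv1.0"),
    "ADH-AES128-SHA":              ({"HIGH", "aNULL"},            "TLSv1.0"),
    "NULL-SHA":                    ({"eNULL", "SHA1"},            "TLSv1.0"),
}

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

# The string from post #2 of the thread.
FORUM_SPEC = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:"
              "!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL")
# Assumption: roughly what the console's "HIGH" + "MEDIUM" selection produces.
CONSOLE_SPEC = "HIGH:MEDIUM"


def _matches(token):
    """Suites matching one token: a suite name, a keyword, or several
    keywords joined with '+' (all must apply), returned in table order."""
    parts = token.split("+")
    return [name for name, (keywords, _) in SUITES.items()
            if all(p == name or p in keywords for p in parts)]


def expand(spec):
    """Apply the cipher string left to right with OpenSSL's list rules:
    a plain token appends new matches, '-' removes (they may be re-added),
    '!' removes permanently, '+' moves matches to the end of the list.
    '@' directives such as @STRENGTH are not handled in this example."""
    selected, killed = [], set()
    for token in [t for t in spec.replace(",", ":").split(":") if t]:
        op = token[0] if token[0] in "!-+@" else ""
        name = token[len(op):]
        if op == "@":
            raise ValueError(f"directive not supported here: {token}")
        hits = _matches(name)
        if op == "!":
            killed.update(hits)
            selected = [s for s in selected if s not in hits]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            selected += [s for s in hits if s not in selected and s not in killed]
    return selected


def preferred_for(spec, client_tls):
    """First suite in the server's order that a client speaking at most
    client_tls can negotiate; None if nothing fits."""
    usable = TLS_ORDER[:TLS_ORDER.index(client_tls) + 1]
    for suite in expand(spec):
        if SUITES[suite][1] in usable:
            return suite
    return None


if __name__ == "__main__":
    for label, spec in (("console setting", CONSOLE_SPEC), ("post #2 string", FORUM_SPEC)):
        print(f"{label}: {expand(spec)}")
        for version in ("TLSv1.0", "TLSv1.2"):
            print(f"  {version} client gets {preferred_for(spec, version)}")
```

With the constructed table, `HIGH:MEDIUM` hands a TLS 1.0 client `DHE-RSA-AES256-SHA`, a CBC suite, and also keeps the anonymous `ADH-AES128-SHA` suite because `HIGH` alone does not exclude `aNULL`. The post #2 string leads with two TLS 1.2-only suites, so a TLS 1.2 client negotiates `ECDHE-RSA-AES256-SHA384` while a TLS 1.0 client, which cannot use them, falls through to `RC4-SHA`; that split is what the Apache BEAST recommendation relied on. Today RC4 itself is prohibited for TLS (RFC 7465), so the current mitigation is to prefer TLS 1.2 AEAD suites and drop RC4 rather than promote it.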
 

mistwang

LiteSpeed Staff
#3
Just remember that your modification could be overwritten the next time you update the SSL configuration from the web console.

You can try the latest build 4.2.1, it should give RC4 priority when you configure SSL from the web console.

/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.1
 