SSLCipher override


A customer has requested a cipher list that doesn't show any WEAK ciphers in the Qualys SSL Labs test. I configured one in httpd.conf and it should work fine; however, LiteSpeed is adding ECDHE-RSA-AES128-SHA even though I don't have it in my list:
2019-09-25 20:24:01.153263 [NOTICE] [23591] [/usr/local/lsws/conf/httpd.conf:60] SSLCipher may break Internet Explorer 11 handshake, add cipher 'ECDHE-RSA-AES128-SHA' to the list to avoid handshake failure.
Any idea how I can disable this? Client doesn't care about blocking IE11, they just don't want to see WEAK ciphers in the test.
Their security team contacted me again today regarding this matter. Any chance I can somehow disable the automatic adding of ECDHE-RSA-AES128-SHA even though I didn't add it to my ciphers list?


LiteSpeed Staff
Please try the latest 5.4.5 debug build. It won't add the cipher automatically; it just prints a notice log now.
/usr/local/lsws/admin/misc/ -d -f -v 5.4.5

This change will be in 5.4.5 build 3 as well.