
Block Weak cipher OpenLiteSpeed
A customer was struggling with a low-severity pentest finding (from a third party) about weak cipher usage (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA).
A quick SSL Test does indeed show these ciphers being offered, even though the overall result is a grade "A":

The remediation is very easy and can be done from the OpenLitespeed admin portal:
Set SSL -> Ciphers to:
EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES

Graceful restart:

Now you can run SSL Test again and it’s fixed:

Why hardening the web server matters: fixing weak ciphers for stronger security
In today’s digital landscape, web servers are the backbone of online services. They handle sensitive data, authenticate users, and enable secure transactions. But without proper hardening, these servers can become prime targets for attackers. One of the most overlooked yet critical aspects of hardening is addressing weak SSL/TLS ciphers.
What Are Weak Ciphers and Why Are They Dangerous?
Ciphers are algorithms that encrypt data during transmission. SSL/TLS protocols rely on these ciphers to secure communication between clients and servers. However, not all ciphers are created equal. Older or weak ciphers—such as those using CBC mode with SHA-1 or outdated protocols like SSLv3 and TLS 1.0—are vulnerable to attacks like POODLE, BEAST, and Lucky13. Exploiting these weaknesses can allow attackers to decrypt sensitive information or hijack sessions.
The Business Impact of Weak Encryption: Block Weak cipher OpenLiteSpeed
Leaving weak ciphers enabled is not just a technical oversight; it’s a business risk. Regulatory frameworks such as PCI DSS, ISO 27001, and GDPR mandate strong encryption for data in transit. Failure to comply can lead to hefty fines, reputational damage, and loss of customer trust. Moreover, many modern browsers and APIs reject connections using deprecated ciphers, which can break functionality and disrupt services.
Steps to Harden Your Web Server
Hardening starts with a clear strategy:
- Audit Your Current Configuration
  Use tools like Qualys SSL Labs or OpenSSL to scan your server and identify weak protocols and ciphers. Real-world testing is crucial because small misconfigurations can lead to serious vulnerabilities.
- Disable Deprecated Protocols
  Remove support for SSLv3 and TLS 1.0/1.1. These versions are outdated and fail to provide adequate security against modern threats.
- Enforce Strong Cipher Suites
  Configure your server to prefer modern ciphers such as AES-GCM and ChaCha20-Poly1305. Explicitly exclude weak options like ECDHE-ECDSA-AES128-SHA and RC4. This ensures forward secrecy and robust encryption.
- Regularly Update and Test
  Security is not a one-time effort. Recommended practices evolve as new vulnerabilities emerge. Schedule periodic reviews and apply patches promptly to maintain compliance and resilience.
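The following script is an added example, not code from the original post or from the OpenLiteSpeed project. It covers the audit and enforce steps above in two parts: a classifier that flags IANA-named suites the way a scanner report lists them (the two suites from the pentest finding plus a few constructed neighbours in SAMPLE_REPORT), and a check that expands the remediation cipher string through the local OpenSSL (via Python's ssl module) to confirm that it enables only AEAD suites. Function names and the sample list are my own; the expansion result depends on the OpenSSL build installed where you run it, so run it on the server being hardened.

```python
"""Triage TLS cipher-suite findings and verify an OpenSSL-style cipher string.

The IANA-name classifier is pure string logic; the expansion uses the local
OpenSSL through the ssl module, exactly as the server would interpret the string.
"""
import re
import ssl

# The cipher string from the OpenLiteSpeed remediation above.
RECOMMENDED = ("EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM:EDH+CHACHA20:"
               "!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA:"
               "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")

# Constructed sample of a scanner's "offered suites" list (not a real report).
SAMPLE_REPORT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]


def weaknesses(iana_name):
    """Return the reasons an IANA-named suite counts as weak ([] if none).

    Criteria follow the post: CBC mode, SHA-1/MD5 MACs, RC4, DES/3DES,
    NULL or anonymous suites, and key exchange without forward secrecy.
    """
    m = re.fullmatch(r"TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)", iana_name)
    if m is None:
        # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) have no key-exchange
        # part in the name; they are always ephemeral and AEAD.
        return []
    kx, rest = m.group("kx"), m.group("rest")
    reasons = []
    if not kx.startswith(("ECDHE_", "DHE_")):
        reasons.append("no forward secrecy")
    if "anon" in kx:
        reasons.append("anonymous key exchange")
    if "NULL" in rest:
        reasons.append("null encryption")
    if "RC4" in rest:
        reasons.append("RC4")
    if "DES" in rest:
        reasons.append("DES/3DES")
    if "_CBC_" in rest:
        reasons.append("CBC mode (not AEAD)")
    if rest.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    if rest.endswith("_MD5"):
        reasons.append("MD5 MAC")
    return reasons


def triage_report(suite_names):
    """Map each reported suite to its weaknesses, keeping only the weak ones."""
    flagged = {}
    for name in suite_names:
        why = weaknesses(name)
        if why:
            flagged[name] = why
    return flagged


def expand_openssl_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the TLS <= 1.2 suites the local
    OpenSSL actually enables. TLS 1.3 suites are configured separately in
    OpenSSL and are always AEAD, so they are filtered out here. Returns []
    when nothing matches (OpenSSL rejects such a string outright).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_aead_suites(cipher_string):
    """Names of enabled TLS <= 1.2 suites that are not AEAD (CBC + HMAC)."""
    return [c["name"] for c in expand_openssl_ciphers(cipher_string)
            if not c["aead"]]


if __name__ == "__main__":
    for name, why in triage_report(SAMPLE_REPORT).items():
        print(f"{name}: {', '.join(why)}")
    enabled = expand_openssl_ciphers(RECOMMENDED)
    print(f"\n{len(enabled)} TLS<=1.2 suites enabled by the recommended string; "
          f"non-AEAD: {non_aead_suites(RECOMMENDED) or 'none'}")
```

The two `!ECDHE-ECDSA-AES*-SHA` exclusions in the remediation string are belt and braces: the positive selectors (`EECDH+AESGCM`, `EECDH+CHACHA20`, `EDH+AESGCM`, `EDH+CHACHA20`) only ever admit AEAD suites, which is why `non_aead_suites(RECOMMENDED)` comes back empty regardless of OpenSSL version. Checking the expansion locally before the graceful restart, and re-running the scan afterwards, is the part of the audit step that catches a typo in the string before it reaches production.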
Beyond Ciphers: A Holistic Approach
While fixing weak ciphers is essential, hardening should extend to other areas:
- Implement Web Application Firewalls (WAF) for additional protection against injection attacks.
- Enable HTTP Strict Transport Security (HSTS) to enforce HTTPS.
- Monitor logs and set up alerts for suspicious activity.
Hardening your web server by eliminating weak ciphers is a fundamental step towards securing your digital assets. It protects sensitive data, ensures compliance, and builds trust with users. In an era where cyber threats are constantly evolving, proactive measures like these are not optional—they’re essential.
OpenLiteSpeed and Its Benefits
OpenLiteSpeed isn’t just about easy cipher management—it offers a range of advantages that make it a top choice for modern web hosting. Its lightweight architecture delivers exceptional performance with minimal resource usage, making it ideal for high-traffic sites. Built-in HTTP/3 and QUIC support ensures faster, more secure connections, while the event-driven design handles thousands of concurrent requests efficiently. The intuitive WebAdmin interface simplifies complex tasks like SSL/TLS configuration, virtual host management, and performance tuning. Additionally, OpenLiteSpeed is open-source, actively maintained, and compatible with popular control panels, giving administrators flexibility without licensing costs. Security and speed combined make it a compelling solution.