Admin Listeners SSL
Table of Contents
Private Key File | Certificate File | Chained Certificate | CA Certificate Path | CA Certificate File
Protocol Version | Ciphers | Enable ECDH Key Exchange | Enable DH Key Exchange | DH Parameter
SSL Renegotiation Protection | Enable Session Cache | Enable Session Tickets | Enable SPDY/HTTP2/HTTP3 | Allow QUIC
Client Verification | Verify Depth | Client Revocation Path | Client Revocation File
SSL Private Key & Certificate⇑
Description
Every SSL listener requires a paired SSL private key and SSL certificate. Multiple SSL listeners can share the same key and certificate.
You can generate SSL private keys yourself using an SSL software package, such as OpenSSL. SSL certificates can also be purchased from an authorized certificate issuer like VeriSign or Thawte. You can also sign the certificate yourself. Self-signed certificates will not be trusted by web browsers and should not be used on public websites containing critical data. However, a self-signed certificate is good enough for internal use, e.g. for encrypting traffic to LiteSpeed Web Server's WebAdmin Console.
Private Key File⇑
Description
The filename of the SSL private key file. The key file should not be encrypted.
Syntax
Filename which can be an absolute path or a relative path to $SERVER_ROOT.
Tips
The private key file should be placed in a secured directory that allows read-only access to the user the server runs as.
Certificate File⇑
Description
The filename of the SSL certificate file.
Syntax
Filename which can be an absolute path or a relative path to $SERVER_ROOT.
Tips
The certificate file should be placed in a secured directory, which allows read-only access to the user that the server runs as.
Chained Certificate⇑
Description
Specifies whether the certificate is a chained certificate or not. The file that stores a certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA.
Syntax
Select from radio box
CA Certificate Path⇑
Description
Specifies the directory where the certificates of certification authorities (CAs) are kept. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate.
Syntax
path
CA Certificate File⇑
Description
Specifies the file that contains all certificates of certification authorities (CAs) for chained certificates. This file is simply the concatenation of PEM-encoded certificate files, in order of preference. This can be used as an alternative or in addition to CA Certificate Path. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate.
Syntax
Filename which can be an absolute path or a relative path to $SERVER_ROOT.
SSL Protocol⇑
Description
Customizes SSL protocols accepted by the listener.
Protocol Version⇑
Description
Specifies which version of the SSL protocol will be used. You can choose from SSL v3.0 and TLS v1.0. Since OpenSSL 1.0.1, TLS v1.1, TLS v1.2 are also supported. TLS v1.3 is also supported via BoringSSL.
Tips
Leaving this field blank will enable TLS v1.0, TLS v1.1, and TLS v1.2 by default. TLS v1.3 requires BoringSSL and will also be enabled if the underlying SSL library supports it.
Ciphers⇑
Description
Specifies the cipher suite to be used when negotiating the SSL handshake. LSWS supports cipher suites implemented in SSL v3.0, TLS v1.0, TLS v1.2, and TLS v1.3.
Syntax
Colon-separated string of cipher specifications.
Example
Tips
We recommend leaving this field blank to use our default cipher which follows SSL cipher best practices.
Enable ECDH Key Exchange⇑
Description
Allows use of Elliptic Curve Diffie-Hellman key exchange for further SSL encryption.
Syntax
Select from radio box
Tips
ECDH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure.
Enabling ECDH key exchange will increase CPU load and is slower than using just an RSA key.
Enable DH Key Exchange⇑
Description
Allows use of Diffie-Hellman key exchange for further SSL encryption.
Syntax
Select from radio box
Tips
DH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure.
Enabling DH key exchange will increase CPU load and is slower than ECDH key exchange and RSA. ECDH key exchange is preferred when available.
DH Parameter⇑
Description
Specifies the location of the Diffie-Hellman parameter file necessary for DH key exchange.
Syntax
Filename which can be an absolute path or a relative path to $SERVER_ROOT.
SSL Renegotiation Protection⇑
Description
Specifies whether to enable SSL Renegotiation Protection to defend against SSL handshake-based attacks. The default value is "Yes".
Syntax
Select from radio box
Tips
This setting can be enabled at the listener and virtual host levels.
Enable Session Cache⇑
Description
Enables session ID caching using OpenSSL's default setting. Server-level setting must be set to "Yes" for Virtual Host setting to take effect.
Default values:
Server-level: Yes
VH-Level: Yes
Syntax
Select from radio box
Enable Session Tickets⇑
Description
Enables session tickets using OpenSSL's default session ticket setting. Server-level setting must be set to "Yes" for Virtual Host setting to take effect.
Default values:
Server-level: Yes
VH-Level: Yes
Syntax
Select from radio box
Enable SPDY/HTTP2/HTTP3⇑
Description
Selectively enable HTTP/3, HTTP/2, and SPDY HTTP network protocols.
If you wish to disable SPDY, HTTP/2, and HTTP3, check "None" and leave all other boxes unchecked.
Default value: All enabled
Syntax
Select from checkbox
Tips
This setting can be set at the listener and virtual host levels.
Allow QUIC⇑
Description
Allows the use of the QUIC network protocol for virtual hosts mapped to this listener. For this setting to take effect, Enable QUIC must also be set to Yes at the server level. Default value is Yes.
Tips
When this setting is set to Yes, QUIC can still be disabled at the virtual host level through the Enable QUIC setting.
Client Verification⇑
Description
Specifies the type of client certifcate authentication. Available types are:
- None: No client certificate is required.
- Optional: Client certificate is optional.
- Require: The client must has valid certificate.
- Optional_no_ca: Same as optional.
Syntax
Select from drop down list
Tips
"None" or "Require" are recommended.
Verify Depth⇑
Description
Specifies how deeply a certificate should be verified before determining that the client does not have a valid certificate. The default is "1".
Syntax
Select from drop down list
Client Revocation Path⇑
Description
Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded. These files are accessed through hash filenames, hash-value.rN. Please refer to openSSL or Apache mod_ssl documentation regarding creating the hash filename.
Syntax
path
Client Revocation File⇑
Description
Specifies the file containing PEM-encoded CA CRL files enumerating revoked client certificates. This can be used as an alternative or in addition to Client Revocation Path.
Syntax
Filename which can be an absolute path or a relative path to $SERVER_ROOT.