OpenLiteSpeed Web Server Users' Manual
Version 1.4 Rev. 2
- License
- Introduction
- Installation
- Administration
- Security
- Configuration
- Server General
- Server Log
- Server Tuning
- Server Security
- External Apps
- Script Handler
- Rack/Rails Settings
- Module Configuration
- Listener General
- Listener SSL
- Templates
- Virtual Host Basic
- Virtual Host General
- Virtual Host Security
- Virtual Host SSL
- Rewrite
- Context
- Static Context
- Java Web App Context
- Servlet Context
- Fast CGI Context
- LSAPI Context
- Proxy Context
- CGI Context
- Load Balancer Context
- Redirect Context
- Rack/Rails Context
- Module Handler Context
- Web Socket Proxy
- Web Console
Listeners SSL
Table of Contents
Private Key File | Certificate File | Chained Certificate | CA Certificate Path | CA Certificate File |
Protocol Version | Ciphers | Enable ECDH Key Exchange | Enable DH Key Exchange | DH Parameter |
SSL Renegotiation Protection | Enable Session Cache | Enable Session Tickets | Enable SPDY/HTTP2 |
Enable OCSP Stapling | OCSP Response Max Age (secs) | OCSP Responder | OCSP CA Certificates |
Client Verification | Verify Depth | Client Revocation Path | Client Revocation File |
SSL Private Key & Certificate  |
| Description: Every SSL listener requires a paired SSL private key and SSL certificate. Multiple SSL listeners can share the same key and certificate. You can generate SSL private keys yourself using an SSL software package, such as OpenSSL. SSL certificates can also be purchased from an authorized certificate issuer like VeriSign or Thawte. You can also sign the certificate yourself. Self-signed certificates will not be trusted by web browsers and should not be used on public websites containing critical data. However, a self-signed certificate is good enough for internal use, e.g. for encrypting traffic to LiteSpeed Web Server's WebAdmin Console. |
Private Key File |
| Description: The filename of the SSL private key file. The key file should not be encrypted. |
| Syntax: Filename which can be an absolute path or a relative path to $SERVER_ROOT. |
| Tips: [Security] The private key file should be placed in a secured directory that allows read-only access to the user the server runs as. |
Certificate File |
| Description: The filename of the SSL certificate file. |
| Syntax: Filename which can be an absolute path or a relative path to $SERVER_ROOT. |
| Tips: [Security] The certificate file should be placed in a secured directory, which allows read-only access to the user that the server runs as. |
Chained Certificate |
| Description: Specifies whether the certificate is a chained certificate or not. The file that stores a certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA. |
| Syntax: Select from radio box |
CA Certificate Path |
| Description: Specifies the directory where the certificates of certification authorities (CAs) are kept. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate. |
| Syntax: path |
CA Certificate File |
| Description: Specifies the file that contains all certificates of certification authorities (CAs) for chained certificates. This file is simply the concatenation of PEM-encoded certificate files, in order of preference. This can be used as an alternative or in addition to CA Certificate Path. Those certificates are used for client certificate authentication and constructing the server certificate chain, which will be sent to browsers in addition to the server certificate. |
| Syntax: Filename which can be an absolute path or a relative path to $SERVER_ROOT. |
Protocol Version |
| Description: Specifies which version of the SSL protocol will be used. You can choose from SSL v3.0 and TLS v1.0. Since OpenSSL 1.0.1, TLS v1.1 and TLS v1.2 are also supported. |
| Tips: Leaving this field blank will enable TLS v1.0, TLS v1.1, and TLS v1.2 by default. |
Ciphers |
| Description: Specifies the cipher suite to be used when negotiating the SSL handshake. LSWS supports cipher suites implemented in SSL v3.0, TLS v1.0, and TLS v1.2. |
| Syntax: Colon-separated string of cipher specifications. |
| Example: ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH |
| Tips: [Security] We recommend leaving this field blank to use our default cipher which follows SSL cipher best practices. |
Enable ECDH Key Exchange |
| Description: Allows use of Elliptic Curve Diffie-Hellman key exchange for further SSL encryption. |
| Syntax: Select from radio box |
| Tips: [Security] ECDH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure. [Performance] Enabling ECDH key exchange will increase CPU load and is slower than using just an RSA key. |
Enable DH Key Exchange |
| Description: Allows use of Diffie-Hellman key exchange for further SSL encryption. |
| Syntax: Select from radio box |
| Tips: [Security] DH key exchange is more secure than using just an RSA key. ECDH and DH key exchange are equally secure. [Performance] Enabling DH key exchange will increase CPU load and is slower than ECDH key exchange and RSA. ECDH key exchange is preferred when available. |
DH Parameter |
| Description: Specifies the location of the Diffie-Hellman parameter file necessary for DH key exchange. |
| Syntax: Filename which can be an absolute path or a relative path to $SERVER_ROOT. |
SSL Renegotiation Protection |
| Description: Specifies whether to enable SSL Renegotiation Protection to defend against SSL handshake-based attacks. The default value is "Yes". |
| Syntax: Select from radio box |
Enable Session Cache |
| Description: Enables session id caching. If "Not Set", defaults to "No". (Openssl Default) |
| Syntax: Select from radio box |
Enable Session Tickets |
| Description: Enables session tickets. If "Not Set", the server will use openSSL's default ticket. |
| Syntax: Select from radio box |
Enable SPDY/HTTP2 |
| Description: HTTP/2 and SPDY are new versions of the HTTP network protocol with the goal of reducing page load times. More information can be found at http://en.wikipedia.org/wiki/HTTP/2. |
| Syntax: Check the protocol(s) you wish to enable. Leaving all boxes unchecked will enable SPDY and HTTP/2 support (the default). If you wish to disable SPDY and HTTP/2, check "None" only and leave all other boxes unchecked. |
OCSP Stapling |
| Description: Online Certificate Status Protocol (OCSP) is a more efficient method of checking whether a digital certificate is valid. It works by communicating with another server — the OCSP responder — to get verification that the certificate is valid instead of checking through certificate revocation lists (CRL). OCSP stapling is a further improvement on this protocol, allowing the server to check with the OCSP responder at regular intervals instead of every time a certificate is requested. See the OCSP Wikipedia page for more details. |
Enable OCSP Stapling |
| Description: Determines whether to enable OCSP stapling, a more efficient way of verifying public key certificates. |
| Syntax: Select from radio box |
OCSP Response Max Age (secs) |
| Description: This option sets the maximum allowable age for an OCSP response. If an OCSP response is older than this maximum age, the server will contact the OCSP responder for a new response. The default value is 86400. Maximum age can be turned off by setting this value to -1. |
| Syntax: Integer of seconds |
OCSP Responder |
| Description: Specifies the URL of the OCSP responder to be used. If not set, the server will attempt to contact the OCSP responder detailed in the certificate authority's issuer certificate. Some issuer certificates may not have an OCSP responder URL specified. |
| Syntax: URL starting with http:// |
| Example: http://rapidssl-ocsp.geotrust.com |
OCSP CA Certificates |
| Description: Specifies the location of the file where OCSP certificate authority (CA) certificates are stored. These certificates are used to check responses from the OCSP responder (and make sure those responses are not spoofed or otherwise compromised). This file should contain the whole certificate chain. If this file does not contain the root certificate, LSWS should be able to find the root certificate in your system directory without you adding it to the file, but, if this validation fails, you should try adding your root certificate to this file. This setting is optional. If this setting is not set, the server will automatically check CA Certificate File. |
| Syntax: Filename which can be an absolute path or a relative path to $SERVER_ROOT. |
Client Verification |
Description: Specifies the type of client certifcate authentication. Available types are:
|
| Syntax: Select from drop down list |
| Tips: "None" or "Require" are recommended. |
Verify Depth |
| Description: Specifies how deeply a certificate should be verified before determining that the client does not have a valid certificate. The default is "1". |
| Syntax: Select from drop down list |
Client Revocation Path |
| Description: Specifies the directory containing PEM-encoded CA CRL files for revoked client certificates. The files in this directory have to be PEM-encoded. These files are accessed through hash filenames, hash-value.rN. Please refer to openSSL or Apache mod_ssl documentation regarding creating the hash filename. |
| Syntax: path |
Client Revocation File |
| Description: Specifies the file containing PEM-encoded CA CRL files enumerating revoked client certificates. This can be used as an alternative or in addition to Client Revocation Path. |
| Syntax: Filename which can be an absolute path or a relative path to $SERVER_ROOT. |