Spade
Mini Shell
<!DOCTYPE html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible"
content="IE=edge,chrome=1" />
<title>LiteSpeed Web Server Users' Manual - Listeners
SSL</title>
<meta name="description" content="LiteSpeed Web Server
Users' Manual - Listeners SSL." />
<meta name="viewport" content="width=device-width,
initial-scale=1.0" />
<meta name="robots" content="noindex">
<link rel="shortcut icon" href="img/favicon.ico"
/>
<link rel="stylesheet" type="text/css"
href="css/hdoc.css">
</head>
<body>
<div class="pagewrapper clearfix"><aside
class="sidetree ls-col-1-5">
<figure>
<img src="img/lsws_logo.svg" alt="lightspeed web
server logo"
width="100px"/>
</figure>
<h2 class="ls-text-thin">
LiteSpeed Web Server
<br />
<span class="current"><a
href="index.html">Users' Manual</a></span>
</h2>
<h3 class="ls-text-muted">Version 6.3
— Rev. 0</h3>
<hr/>
<div>
<ul>
<li><a href="license.html">License
Enterprise</a></li>
<li><a
href="intro.html">Introduction</a></li>
<li><a
href="install.html">Installation</a></li>
<li>
<a href="admin.html">Administration</a>
<ul class="menu level2">
<li><a href="ServerStat_Help.html">Service
Manager</a></li>
<li><a
href="Real_Time_Stats_Help.html">Real-Time
Stats</a></li>
</ul>
</li>
<li><a
href="security.html">Security</a></li>
<li>
<a href="config.html">Configuration</a>
<ul class="level2">
<li><a href="ServGeneral_Help.html">Server
General</a></li>
<li><a href="ServLog_Help.html">Server
Log</a></li>
<li><a href="ServTuning_Help.html">Server
Tuning</a></li>
<li><a href="ServSecurity_Help.html">Server
Security</a></li>
<li><a href="Cache_Help.html">Page
Cache</a></li>
<li><a
href="PageSpeed_Config.html">PageSpeed
Config</a></li>
<li><a href="ExtApp_Help.html">External
Apps</a></li>
<ul class="level3">
<li><a href="External_FCGI.html">Fast CGI
App</a></li>
<li><a
href="External_FCGI_Auth.html">Fast CGI
Authorizer</a></li>
<li><a href="External_LSAPI.html">LSAPI
App</a></li>
<li><a
href="External_Servlet.html">Servlet
Engine</a></li>
<li><a href="External_WS.html">Web
Server</a></li>
<li><a href="External_PL.html">Piped
logger</a></li>
<li><a href="External_LB.html">Load
Balancer</a></li>
</ul>
<li><a
href="ScriptHandler_Help.html">Script
Handler</a></li>
<li><a
href="PHP_Help.html">PHP</a></li>
<li><a href="App_Server_Help.html">App
Server Settings</a></li>
<li><a
href="Listeners_General_Help.html">Listener
General</a></li>
<li><span class="current"><a
href="Listeners_SSL_Help.html">Listener
SSL</a></span></li>
<li><a href="Templates_Help.html">Virtual
Host Templates</a></li>
<li><a
href="VirtualHosts_Help.html">Virtual Host
Basic</a></li>
<li><a href="VHGeneral_Help.html">Virtual
Host General</a></li>
<li><a href="VHSecurity_Help.html">Virtual
Host Security</a></li>
<li><a href="VHSSL_Help.html">Virtual Host
SSL</a></li>
<li>
<a href="VHPageSpeed_Config.html">Virtual Host
PageSpeed Config</a>
</li>
<li><a
href="Rewrite_Help.html">Rewrite</a></li>
<li><a
href="Context_Help.html">Context</a></li>
<ul class="level3">
<li><a href="Static_Context.html">Static
Context</a></li>
<li>
<a href="Java_Web_App_Context.html">Java Web
App Context</a>
</li>
<li><a
href="Servlet_Context.html">Servlet
Context</a></li>
<li><a href="FCGI_Context.html">Fast CGI
Context</a></li>
<li><a href="LSAPI_Context.html">LSAPI
Context</a></li>
<li><a href="Proxy_Context.html">Proxy
Context</a></li>
<li><a href="CGI_Context.html">CGI
Context</a></li>
<li><a href="LB_Context.html">Load
Balancer Context</a></li>
<li><a
href="Redirect_Context.html">Redirect
Context</a></li>
<li><a href="App_Server_Context.html">App
Server Context</a></li>
<li><a
href="Rails_Context.html">Rack/Rails
Context</a></li>
</ul>
<li><a
href="VHAddOns_Help.html">Add-ons</a></li>
</ul>
</li>
<li>
<a href="webconsole.html">Web Console</a>
<ul class="level2">
<li><a href="AdminGeneral_Help.html">Admin
Console General</a></li>
<li><a href="AdminSecurity_Help.html">Admin
Console Security</a></li>
<li>
<a href="AdminListeners_General_Help.html">
Admin Listener General
</a>
</li>
<li>
<a href="AdminListeners_SSL_Help.html">Admin
Listener SSL</a>
</li>
</ul>
</li>
</ul>
</div>
</aside>
<article class="contentwrapper ls-col-3-5 clearfix"><div
class="nav-bar ls-spacer-micro-top"><div
class="prev">« <a
href="Listeners_General_Help.html">Listeners
General</a></div><div class="center"><a
href="config.html">Configuration</a></div><div
class="next"><a
href="Templates_Help.html">Virtual Host Templates</a>
»</div></div>
<h1>Listeners SSL</h1><h2 id="top">Table of
Contents</h2><section class="toc"><section
class="toc-row"><header><a
href="#sslCert">SSL Private Key &
Certificate</a></header><p>
<a href="#keyFile">Private Key File</a> | <a
href="#certFile">Certificate File</a> | <a
href="#certChain">Chained Certificate</a> | <a
href="#CACertPath">CA Certificate Path</a> | <a
href="#CACertFile">CA Certificate
File</a></p></section>
<section class="toc-row"><header><a
href="#sslProtocolSetting">SSL
Protocol</a></header><p>
<a href="#ciphers">Ciphers</a> | <a
href="#enableECDHE">Enable ECDH Key Exchange</a> | <a
href="#enableDHE">Enable DH Key Exchange</a> | <a
href="#DHParam">DH
Parameter</a></p></section>
<section class="toc-row"><header>Security &
Features</header><p>
<a href="#renegProtection">SSL Renegotiation
Protection</a> | <a href="#sslSessionCache">Enable
Session Cache</a> | <a
href="#sslSessionTickets">Enable Session Tickets</a> |
<a href="#enableSpdy">ALPN</a> | <a
href="#allowQuic">Open HTTP3/QUIC (UDP)
port</a></p></section>
<section class="toc-row"><header><a
href="#sslOCSP">OCSP
Stapling</a></header><p>
<a href="#enableStapling">Enable OCSP Stapling</a> |
<a href="#ocspRespMaxAge">OCSP Response Max Age
(secs)</a> | <a href="#ocspResponder">OCSP
Responder</a> | <a href="#ocspCACerts">OCSP CA
Certificates</a></p></section>
<section class="toc-row"><header>Client
Verification</header><p>
<a href="#clientVerify">Client Verification</a> |
<a href="#verifyDepth">Verify Depth</a> | <a
href="#crlPath">Client Revocation Path</a> | <a
href="#crlFile">Client Revocation
File</a></p></section>
</section>
<section><div class="helpitem"><article
class="ls-helpitem"><div><header
id="sslCert"><h3>SSL Private Key &
Certificate<span class="ls-permlink"><a
href="#sslCert"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Every
SSL listener requires a paired SSL private key and SSL certificate.
Multiple SSL listeners can share the same key and
certificate.<br/><br/> You can generate SSL private keys
yourself using an SSL software package, such as OpenSSL. SSL certificates
can also be purchased from an authorized certificate issuer like VeriSign
or Thawte. You can also sign the certificate yourself. Self-signed
certificates will not be trusted by web browsers and should not be used on
public websites containing critical data. However, a self-signed
certificate is good enough for internal use, e.g. for encrypting traffic to
LiteSpeed Web Server's WebAdmin Console.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="keyFile"><h3>Private Key File<span
class="ls-permlink"><a
href="#keyFile"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
filename of the SSL private key file. The key file should not be
encrypted.</p> <h4>Syntax</h4><p>Filename which can
be an absolute path or a relative path to $SERVER_ROOT.</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> The private key file
should be placed in a secured directory that allows read-only access to the
user the server runs as.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="certFile"><h3>Certificate File<span
class="ls-permlink"><a
href="#certFile"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>The
filename of the SSL certificate file.</p>
<h4>Syntax</h4><p>Filename which can be an absolute path
or a relative path to $SERVER_ROOT.</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> The certificate file
should be placed in a secured directory, which allows read-only access to
the user that the server runs as.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="certChain"><h3>Chained Certificate<span
class="ls-permlink"><a
href="#certChain"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether the certificate is a chained certificate or not. The file that
stores a certificate chain must be in PEM format, and the certificates must
be in the chained order, from the lowest level (the actual client or server
certificate) to the highest level (root) CA.</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="CACertPath"><h3>CA Certificate Path<span
class="ls-permlink"><a
href="#CACertPath"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the directory where the certificates of certification authorities (CAs) are
kept. Those certificates are used for client certificate authentication and
constructing the server certificate chain, which will be sent to browsers
in addition to the server certificate.</p>
<h4>Syntax</h4><p>path</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="CACertFile"><h3>CA Certificate File<span
class="ls-permlink"><a
href="#CACertFile"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the file that contains all certificates of certification authorities (CAs)
for chained certificates. This file is simply the concatenation of
PEM-encoded certificate files, in order of preference. This can be used as
an alternative or in addition to <span class="tagl"><a
href="#CACertPath">CA Certificate Path</a></span>.
Those certificates are used for client certificate authentication and
constructing the server certificate chain, which will be sent to browsers
in addition to the server certificate.</p>
<h4>Syntax</h4><p>Filename which can be an absolute path
or a relative path to $SERVER_ROOT.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="sslProtocolSetting"><h3>SSL Protocol<span
class="ls-permlink"><a
href="#sslProtocolSetting"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Customizes
SSL protocols accepted by the listener.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="ciphers"><h3>Ciphers<span
class="ls-permlink"><a
href="#ciphers"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the cipher suite to be used when negotiating the SSL handshake. LSWS
supports cipher suites implemented in SSL v3.0, TLS v1.0, TLS v1.2, and TLS
v1.3.</p> <h4>Syntax</h4><p>Colon-separated string
of cipher specifications.</p> <h4>Example</h4><div
class="ls-example">ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH</div><h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> We recommend leaving
this field blank to use our default cipher which follows SSL cipher best
practices.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableECDHE"><h3>Enable ECDH Key Exchange<span
class="ls-permlink"><a
href="#enableECDHE"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Allows
use of Elliptic Curve Diffie-Hellman key exchange for further SSL
encryption.</p> <h4>Syntax</h4><p>Select from radio
box</p> <h4>Tips</h4><p><span
title="Security"
class="ls-icon-security"></span> ECDH key exchange is
more secure than using just an RSA key. ECDH and DH key exchange are
equally secure.<br/><br/> <span
title="Performance"
class="ls-icon-performance"></span> Enabling ECDH key
exchange will increase CPU load and is slower than using just an RSA
key.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableDHE"><h3>Enable DH Key Exchange<span
class="ls-permlink"><a
href="#enableDHE"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Allows
use of Diffie-Hellman key exchange for further SSL encryption.</p>
<h4>Syntax</h4><p>Select from radio box</p>
<h4>Tips</h4><p><span title="Security"
class="ls-icon-security"></span> DH key exchange is more
secure than using just an RSA key. ECDH and DH key exchange are equally
secure.<br/><br/> <span title="Performance"
class="ls-icon-performance"></span> Enabling DH key
exchange will increase CPU load and is slower than ECDH key exchange and
RSA. ECDH key exchange is preferred when available.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="DHParam"><h3>DH Parameter<span
class="ls-permlink"><a
href="#DHParam"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the location of the Diffie-Hellman parameter file necessary for DH key
exchange.</p> <h4>Syntax</h4><p>Filename which can
be an absolute path or a relative path to $SERVER_ROOT.</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="renegProtection"><h3>SSL Renegotiation
Protection<span class="ls-permlink"><a
href="#renegProtection"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
whether to enable SSL Renegotiation Protection to defend against SSL
handshake-based attacks. The default value is "Yes".</p>
<h4>Syntax</h4><p>Select from radio box</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> This setting can be enabled
at the listener and virtual host levels.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="sslSessionCache"><h3>Enable Session Cache<span
class="ls-permlink"><a
href="#sslSessionCache"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enables
session id caching using OpenSSL's default setting. Default value is
"No".</p> <h4>Syntax</h4><p>Select from
radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="sslSessionTickets"><h3>Enable Session
Tickets<span class="ls-permlink"><a
href="#sslSessionTickets"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Enables
session tickets using OpenSSL's default session ticket setting.
Server-level setting must be set to "Yes" for Virtual Host
setting to take effect.<br/><br/> Default values:<br/>
<b>Server-level:</b> Yes<br/>
<b>VH-Level:</b> Yes</p>
<h4>Syntax</h4><p>Select from radio box</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableSpdy"><h3>ALPN<span
class="ls-permlink"><a
href="#enableSpdy"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Selectively
enable HTTP/3, HTTP/2, and SPDY HTTP network
protocols.<br/><br/> If you wish to disable SPDY, HTTP/2, and
HTTP3, check "None" and leave all other boxes
unchecked.<br/><br/> Default value: All enabled</p>
<h4>Syntax</h4><p>Select from checkbox</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> This setting can be set at
the listener and virtual host levels.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="allowQuic"><h3>Open HTTP3/QUIC (UDP) port<span
class="ls-permlink"><a
href="#allowQuic"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Allows
the use of the HTTP3/QUIC network protocol for virtual hosts mapped to this
listener. For this setting to take effect, <span
class="tagl"><a
href="ServTuning_Help.html#quicEnable">Enable
HTTP3/QUIC</a></span> must also be set to <span
class="val">Yes</span> at the server level. Default
value is <span class="val">Yes</span>.</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> When this setting is set to
<span class="val">Yes</span>, HTTP3/QUIC can still be
disabled at the virtual host level through the <span
class="tagl"><a
href="VHSSL_Help.html#vhEnableQuic">Enable
HTTP3/QUIC</a></span> setting.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="sslOCSP"><h3>OCSP Stapling<span
class="ls-permlink"><a
href="#sslOCSP"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Online
Certificate Status Protocol (OCSP) is a more efficient method of checking
whether a digital certificate is valid. It works by communicating with
another server — the OCSP responder — to get verification that the
certificate is valid instead of checking through certificate revocation
lists (CRL).<br/><br/> OCSP stapling is a further improvement
on this protocol, allowing the server to check with the OCSP responder at
regular intervals instead of every time a certificate is requested. See the
<a href="http://en.wikipedia.org/wiki/OCSP_Stapling"
target="_blank" rel="noopener noreferrer">OCSP
Wikipedia page</a> for more details.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="enableStapling"><h3>Enable OCSP Stapling<span
class="ls-permlink"><a
href="#enableStapling"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Determines
whether to enable OCSP stapling, a more efficient way of verifying public
key certificates.</p> <h4>Syntax</h4><p>Select from
radio box</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="ocspRespMaxAge"><h3>OCSP Response Max Age
(secs)<span class="ls-permlink"><a
href="#ocspRespMaxAge"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>This
option sets the maximum allowable age for an OCSP response. If an OCSP
response is older than this maximum age, the server will contact the OCSP
responder for a new response. The default value is <span
class="val">86400</span>. Maximum age can be turned off
by setting this value to <span
class="val">-1</span>.</p>
<h4>Syntax</h4><p>Integer of seconds</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="ocspResponder"><h3>OCSP Responder<span
class="ls-permlink"><a
href="#ocspResponder"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the URL of the OCSP responder to be used. If not set, the server will
attempt to contact the OCSP responder detailed in the certificate
authority's issuer certificate. Some issuer certificates may not have
an OCSP responder URL specified.</p>
<h4>Syntax</h4><p>URL starting with <span
class="val">http://</span></p>
<h4>Example</h4><div
class="ls-example"><span
class="val">http://rapidssl-ocsp.geotrust.com
</span></div></article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="ocspCACerts"><h3>OCSP CA Certificates<span
class="ls-permlink"><a
href="#ocspCACerts"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p>Specifies
the location of the file where OCSP certificate authority (CA) certificates
are stored. These certificates are used to check responses from the OCSP
responder (and make sure those responses are not spoofed or otherwise
compromised). This file should contain the whole certificate chain. If this
file does not contain the root certificate, LSWS should be able to find the
root certificate in your system directory without you adding it to the
file, but, if this validation fails, you should try adding your root
certificate to this file.<br/><br/> This setting is optional.
If this setting is not set, the server will automatically check <span
class="tagl"><a href="#CACertFile">CA
Certificate File</a></span>.</p>
<h4>Syntax</h4><p>Filename which can be an absolute path
or a relative path to $SERVER_ROOT.</p> </article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="clientVerify"><h3>Client Verification<span
class="ls-permlink"><a
href="#clientVerify"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p><span
class="tag">Enterprise Edition Only</span> Specifies the
type of client certifcate authentication. Available types are: <ul>
<li><b>None:</b> No client certificate is
required.</li> <li><b>Optional:</b> Client
certificate is optional.</li> <li><b>Require:</b>
The client must has valid certificate.</li>
<li><b>Optional_no_ca:</b> Same as optional.</li>
</ul> The default is "None".</p>
<h4>Syntax</h4><p>Select from drop down list</p>
<h4>Tips</h4><p><span title="Information"
class="ls-icon-info"></span> "None" or
"Require" are recommended.</p> </article>
</div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="verifyDepth"><h3>Verify Depth<span
class="ls-permlink"><a
href="#verifyDepth"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p><span
class="tag">Enterprise Edition Only</span> Specifies how
deeply a certificate should be verified before determining that the client
does not have a valid certificate. The default is "1".</p>
<h4>Syntax</h4><p>Select from drop down list</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="crlPath"><h3>Client Revocation Path<span
class="ls-permlink"><a
href="#crlPath"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p><span
class="tag">Enterprise Edition Only</span> Specifies the
directory containing PEM-encoded CA CRL files for revoked client
certificates. The files in this directory have to be PEM-encoded. These
files are accessed through hash filenames, hash-value.rN. Please refer to
openSSL or Apache mod_ssl documentation regarding creating the hash
filename.</p> <h4>Syntax</h4><p>path</p>
</article> </div>
<div class="helpitem"><article
class="ls-helpitem"><div><header
id="crlFile"><h3>Client Revocation File<span
class="ls-permlink"><a
href="#crlFile"></a></span><span
class="top"><a
href="#top">⇑</a></span></h3></header></div><h4>Description</h4><p><span
class="tag">Enterprise Edition Only</span> Specifies the
file containing PEM-encoded CA CRL files enumerating revoked client
certificates. This can be used as an alternative or in addition to <span
class="tagl"><a href="#crlPath">Client
Revocation Path</a></span>.</p>
<h4>Syntax</h4><p>Filename which can be an absolute path
or a relative path to $SERVER_ROOT.</p> </article> </div>
</section>
</article><div class="ls-col-1-1"><footer
class="copyright">Copyright © 2003-2020. <a
href="https://www.litespeedtech.com">LiteSpeed Technologies
Inc.</a> All rights reserved.</footer>
</div></div>
</body>
</html>