My suggestion to anyone who needs PCI-DSS compliance is to run my branch here:
https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b

Zip here: https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip

This is based on 2.7b, and includes a bunch of patches that I usually include 
in pound, to do things like SNI, CertDir includes, IncludeDir, PCRE redirects, 
etc.


If you don't feel comfortable running a 2.7 branch, or don't want to include 
those patches, I've rolled a new branch:
https://github.com/goochjj/pound/tree/pcidss/v2.6
Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip

Which includes only the XSRF, SSLv2, SSL compression and cipher enhancements 
against a 2.6 baseline.


Joe

> -----Original Message-----
> From: Andreas Hilboll [mailto:[email protected]]
> Sent: Monday, April 29, 2013 4:34 AM
> To: [email protected]
> Cc: Lubomir Rintel
> Subject: Re: [Pound Mailing List] PCI-DSS Compliance with Pound
> 
> Hi Lubomir,
> 
> thanks!
> 
> >     For 2011-3389, I need to disable ciphers deemed insecure. The
> >     solution for Apache would be this:
> >
> >        SSLHonorCipherOrder On
> >        SSLCipherSuite RC4-SHA:HIGH:!ADH
> >
> >
> > Pound 2.7a contains a fix, at GoodData we use the following
> > configuration:
> >
> >         Ciphers "!EXPORT:!SSLv2:!MD5:!aNULL:!NULL:!LOW:RC4:RSA:ALL"
> >         SSLHonorCipherOrder 1
> >
> 
> So this won't work on 2.6? Is there a patch available for 2.6? I'm not
> too keen on using a version which is labeled "experimental".
> 
> 
> >     For 2012-4929, I need to turn off SSL Compression.
> >
> >
> > This is what we use to address the issue (not sure what's needed in
> > order to get that patch merged):
> >
> > http://www.apsis.ch/pound/pound_list/archive/2013/2013-02/1360766010000#1360766010000
> 
> From the message I can't tell whether the patch is for 2.6 or 2.7. Can
> you enlighten me? I'd really like to stick to 2.6.
> 
> > You need to rebuild your package.
> 
> No problem, as I'm already doing that (I need a larger MAXBUF setting
> than used in the Debian packages).
> 
> Thanks again,
> Andreas.
> 
> 
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
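The quoted reply settles on a Pound `Ciphers` string that negates the weak selectors and on `SSLHonorCipherOrder 1`. As an added example that is not part of this thread or of Pound itself, the audit below parses a `ListenHTTPS ... End` block and reports which of those exclusions or the order setting are missing; the sample configs and the certificate path are constructed, and the check covers only what the config file shows (SSL compression, which needs the separate patch, cannot be judged from it).

```python
# Weak selectors the quoted Pound 2.7a config negates; a PCI-DSS review
# expects each of them to appear as "!X" in the Ciphers string.
REQUIRED_EXCLUSIONS = {"EXPORT", "SSLv2", "MD5", "aNULL", "NULL", "LOW"}

# Constructed sample configs (not from the thread): "hardened" mirrors the
# settings quoted above, "weak" leaves the defaults mostly in place.
SAMPLE_CONFIGS = {
    "hardened": '''
ListenHTTPS
    Cert "/etc/pound/example.pem"
    Ciphers "!EXPORT:!SSLv2:!MD5:!aNULL:!NULL:!LOW:RC4:RSA:ALL"
    SSLHonorCipherOrder 1
End
''',
    "weak": '''
ListenHTTPS
    Cert "/etc/pound/example.pem"
    Ciphers "ALL:!aNULL"
End
''',
}


def parse_listen_https(text):
    """Return the directives of the first ListenHTTPS block as a dict."""
    directives = {}
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line == "ListenHTTPS":
            inside = True
            continue
        if inside and line == "End":
            break
        if inside:
            key, _, value = line.partition(" ")
            directives[key] = value.strip().strip('"')
    return directives


def audit(text):
    """Return a list of findings; an empty list means the block passes."""
    d = parse_listen_https(text)
    findings = []
    # Tokens of the OpenSSL cipher string that carry a leading "!" are
    # permanently excluded; every required weak family must be among them.
    excluded = {t[1:] for t in d.get("Ciphers", "").split(":") if t.startswith("!")}
    for weak in sorted(REQUIRED_EXCLUSIONS - excluded):
        findings.append(f"Ciphers does not exclude {weak}")
    if d.get("SSLHonorCipherOrder") != "1":
        findings.append("SSLHonorCipherOrder is not 1 (server order not enforced)")
    return findings
```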
