Hello,
i just made a test via ssllabs.com. And i got a grade F for my SSL
connection.
The issues are :
This server supports insecure Diffie-Hellman (DH) key exchange parameters.
Grade set to F.
This server supports 512-bit export suites and might be vulnerable to the
FREAK attack. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3
to mitigate. Grade capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
My pound.cfg is this in the https section:
ListenHTTPS
HeadRemove "X-Forwarded-Proto"
AddHeader "X-Forwarded-Proto: https"
Address 0.0.0.0
Port 443
Cert "/etc/ssl/mydomain.com/mydomain.com.pem"
Ciphers
"DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
Service
HeadRequire "Host: mydomain.com"
Redirect "https://www.mydomain.com";
End
Service
BackEnd
Address 127.0.0.1
Port 6081
End
End
End
Can anyone advise what i need to change to get a better rating and make it
more secure?
thanks,
Daniel
