Hi Daniel,

    SSLHonorCipherOrder 1
    Disable SSLv3
    Ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"


Regards,
Michael

From: Daniel [mailto:i...@cookblook.com]
Sent: Thursday, 21 May 2015 12:54
To: pound
Subject: [Pound Mailing List] SSL Parameter

Hello,

I just made a test via ssllabs.com, and I got a grade F for my SSL connection.

The issues are:

This server supports insecure Diffie-Hellman (DH) key exchange parameters. 
Grade set to F.
This server supports 512-bit export suites and might be vulnerable to the FREAK 
attack. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to 
mitigate. Grade capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.

My pound.cfg is this in the https section:

ListenHTTPS
    HeadRemove "X-Forwarded-Proto"
    AddHeader  "X-Forwarded-Proto: https"
    Address    0.0.0.0
    Port       443
    Cert       "/etc/ssl/mydomain.com/mydomain.com.pem"
    Ciphers    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
    Service
        HeadRequire "Host: mydomain.com"
        Redirect "https://www.mydomain.com"
    End
    Service
        BackEnd
            Address 127.0.0.1
            Port    6081
        End
    End
End

Can anyone advise what I need to change to get a better rating and make it more secure?

thanks,

Daniel
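To see which of the SSL Labs findings a given Ciphers line actually triggers, here is an added audit script (not from the thread or from the Pound project) that lets the locally linked OpenSSL expand both Daniel's original list and Michael's suggested one, exactly as Pound's Ciphers directive would, and reports export-grade, RC4, 3DES, anonymous and non-forward-secret suites. It assumes Python 3.6+ on OpenSSL, and for Daniel's line uses only the first quoted string, dropping the trailing /"ALL:!SSLv2:!SSLv3".

```python
import ssl

# Cipher strings copied from the thread. Daniel's is truncated at the closing
# quote of its first string (assumption: the /"ALL:..." suffix is not valid
# OpenSSL cipher-string syntax and would not be what Pound passes through).
MICHAEL_SPEC = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)
DANIEL_SPEC = (
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"
)

# Key-exchange labels OpenSSL reports for suites that give forward secrecy.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def expand(spec):
    """Expand `spec` with the linked OpenSSL (unknown names are skipped, as
    Pound would see it). TLS 1.3 suites are dropped: a cipher string does not
    govern them, so they are irrelevant to the 2015 findings above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(spec):
    """Return one finding string per weak property of each selected suite."""
    findings = []
    for c in expand(spec):
        name, bits = c["name"], c["strength_bits"]
        sym, kx = (c.get("symmetric") or ""), (c.get("kea") or "")
        if bits < 112:                    # export / NULL grade (FREAK territory)
            findings.append(f"{name}: weak cipher strength ({bits} bits)")
        if "rc4" in sym:
            findings.append(f"{name}: RC4")
        if "des" in sym:                  # OpenSSL names 3DES "des-ede3-cbc"
            findings.append(f"{name}: 3DES")
        if kx not in FORWARD_SECRET_KX:   # e.g. kx-rsa = static RSA key exchange
            findings.append(f"{name}: no forward secrecy ({kx})")
        if c.get("auth") == "auth-null":
            findings.append(f"{name}: anonymous (aNULL)")
    return findings


if __name__ == "__main__":
    for label, spec in (("Daniel", DANIEL_SPEC), ("Michael", MICHAEL_SPEC)):
        found = audit(spec)
        print(f"{label}: {len(expand(spec))} suites, {len(found)} findings")
        for line in found:
            print("  ", line)
```

The script covers only what a cipher string controls (export suites, RC4, 3DES, forward secrecy); POODLE needs `Disable SSLv3` and the weak DH finding depends on the DH parameter size the server loads, neither of which a cipher name can express.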
