Hi, I just updated it to:

Version 2.7f
Configuration switches:
--enable-cert1l --with-dh=2048

But when I use these options

DisableSSLv2
DisableSSLv3
SSLNoFragment 0
SSLNoCompression 1

it shows this error: unknown directive

Thanks

2015-05-21 13:17 GMT+02:00 Scott McKeown <sc...@loadbalancer.org>:

> Hi Daniel,
>
> First off, what version of Pound are you running?
>
> There were a few patch files written a while back that should resolve most
> of these issues and, if I remember correctly, are in the latest build.
>
> Try adding the following options into your configuration file:
>
> SSLHonorCipherOrder 1
> SSLAllowClientRenegotiation 0
> DisableSSLv2
> DisableSSLv3
> SSLNoFragment 0
> SSLNoCompression 1
>
> You may also need to change your Cipher List to something like:
>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH
>
> On 21 May 2015 at 11:54, Daniel <i...@cookblook.com> wrote:
>
>> Hello,
>>
>> I just made a test via ssllabs.com. And I got a grade F for my SSL
>> connection.
>>
>> The issues are:
>>
>> This server supports insecure Diffie-Hellman (DH) key exchange
>> parameters. Grade set to F.
>> This server supports 512-bit export suites and might be vulnerable to the
>> FREAK attack. Grade set to F.
>> This server is vulnerable to the POODLE attack. If possible, disable SSL
>> 3 to mitigate. Grade capped to C.
>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>>
>> My pound.cfg is this in the https section:
>>
>> ListenHTTPS
>>     HeadRemove "X-Forwarded-Proto"
>>     AddHeader "X-Forwarded-Proto: https"
>>     Address 0.0.0.0
>>     Port 443
>>     Cert "/etc/ssl/mydomain.com/mydomain.com.pem"
>>     Ciphers
>> "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
>>     Service
>>         HeadRequire "Host: mydomain.com"
>>         Redirect "https://www.mydomain.com"
>>     End
>>     Service
>>         BackEnd
>>             Address 127.0.0.1
>>             Port 6081
>>         End
>>     End
>> End
>>
>> Can anyone advise what I need to change to get a better rating and make
>> it more secure?
>>
>> Thanks,
>>
>> Daniel
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
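
An added example, not part of this thread and not Pound's own code: a heuristic check that maps the four SSL Labs findings quoted above onto a `ListenHTTPS` block, so a config can be reviewed before the next scan. The sample block is constructed from the directives and cipher list suggested in the thread; the finding names and the alias sets (which OpenSSL group names are taken to include RC4, export or DHE suites) are assumptions.

```python
import re

# Constructed sample: the directives and cipher list suggested in the thread,
# placed in a minimal ListenHTTPS block (layout assumed for illustration).
SAMPLE_CFG = '''
ListenHTTPS
    Address 0.0.0.0
    Port 443
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    DisableSSLv2
    DisableSSLv3
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH"
End
'''

# (finding, regex for explicit tokens, aliases assumed to include such suites,
#  "!" tokens that permanently remove them). Alias contents vary by OpenSSL
# version; these sets are an assumption for 2015-era builds.
CHECKS = [
    ("rc4", r"RC4", {"ALL", "DEFAULT", "MEDIUM"}, {"RC4"}),
    ("export", r"EXP", {"ALL", "DEFAULT"}, {"EXP", "EXPORT"}),
    # Classic DHE enabled: the DH parameter size of the build then matters.
    ("dh-params", r"^(K?DHE|K?EDH|DH)(-|$)", {"ALL", "DEFAULT", "HIGH", "MEDIUM"},
     {"EDH", "DHE", "DH", "KEDH", "KDHE"}),
]

def audit_listener(cfg):
    """Return sorted finding keys that cfg still leaves open (heuristic)."""
    findings = set()
    directives = {ln.split()[0] for ln in cfg.splitlines() if ln.strip()}
    if "DisableSSLv3" not in directives:
        findings.add("sslv3")  # the POODLE finding
    m = re.search(r'^\s*Ciphers\s+"([^"]*)"', cfg, re.MULTILINE)
    if not m:
        return sorted(findings | {"no-cipher-list"})
    tokens = [t.upper() for t in re.split(r"[:, ]+", m.group(1)) if t]
    # "!X" deletes suites for good. "-X" and "+X" never add suites, so they are
    # skipped; ignoring "-X" removals keeps the audit conservative.
    killed = {t[1:] for t in tokens if t.startswith("!")}
    enabled = [t for t in tokens if t[0] not in "!-+"]
    for name, pattern, aliases, kills in CHECKS:
        if killed & kills:
            continue
        if any(re.search(pattern, t) or t in aliases for t in enabled):
            findings.add(name)
    return sorted(findings)

if __name__ == "__main__":
    print(audit_listener(SAMPLE_CFG))
```

The check reads the configuration text only; it does not expand aliases the way the OpenSSL library on the host does, so a rescan of the live listener remains the authoritative result.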