Hi,

I just updated it to:

Version 2.7f
  Configuration switches:
    --enable-cert1l
    --with-dh=2048


But when I use these options

DisableSSLv2 DisableSSLv3 SSLNoFragment 0 SSLNoCompression 1

it shows this error: unknown directive

thanks



2015-05-21 13:17 GMT+02:00 Scott McKeown <sc...@loadbalancer.org>:

> Hi Daniel,
>
> First off, what version of Pound are you running?
>
> There were a few patch files written a while back that should resolve most
> of these issues and if I remember correctly are in the latest build:
>
> Try adding the following options into your configuration file:
> SSLHonorCipherOrder 1 SSLAllowClientRenegotiation 0 DisableSSLv2
> DisableSSLv3 SSLNoFragment 0 SSLNoCompression 1
>
> You may also need to change your Cipher List to something like:
>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH
>
>
>
> On 21 May 2015 at 11:54, Daniel <i...@cookblook.com> wrote:
>
>> Hello,
>>
>> I just made a test via ssllabs.com, and I got a grade F for my SSL
>> connection.
>>
>> The issues are :
>>
>> This server supports insecure Diffie-Hellman (DH) key exchange
>> parameters. Grade set to F.
>> This server supports 512-bit export suites and might be vulnerable to the
>> FREAK attack. Grade set to F.
>> This server is vulnerable to the POODLE attack. If possible, disable SSL
>> 3 to mitigate. Grade capped to C.
>> This server accepts the RC4 cipher, which is weak. Grade capped to B.
>>
>> My pound.cfg is this in the https section:
>>
>> ListenHTTPS
>>     HeadRemove "X-Forwarded-Proto"
>>     AddHeader  "X-Forwarded-Proto: https"
>>     Address    0.0.0.0
>>     Port       443
>>     Cert       "/etc/ssl/mydomain.com/mydomain.com.pem"
>>     Ciphers    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"
>>     Service
>>         HeadRequire "Host: mydomain.com"
>>         Redirect "https://www.mydomain.com"
>>     End
>>     Service
>>         BackEnd
>>             Address 127.0.0.1
>>             Port    6081
>>         End
>>     End
>> End
>>
>> Can anyone advise what I need to change to get a better rating and make
>> it more secure?
>>
>> thanks,
>>
>> Daniel
>>
>>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
> Tel (UK) - +44 (0) 3303801064 (24x7)
> Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
>
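
Added example, not part of the thread and not Pound's own code: a small Python lint for OpenSSL cipher strings like the two quoted above. It reports whether the RC4, export and DHE families named in the ssllabs report are still selectable (DHE is where the DH parameter size, the `--with-dh` build switch, matters). The finding labels and alias sets are assumptions for OpenSSL 1.0.x-era builds, and the third sample list is constructed.

```python
import re

# Family spellings inside OpenSSL cipher-string tokens (uppercased).
NAMES = {"RC4": {"RC4"},
         "EXPORT": {"EXP", "EXPORT", "EXPORT40", "EXPORT56"},
         "DHE": {"DHE", "EDH", "KDHE", "KEDH"}}
# Assumption for OpenSSL 1.0.x-era builds: these aliases can pull the family
# in unless it is excluded with "!". Deliberately conservative (may over-report).
BROAD = {"RC4": {"ALL", "DEFAULT", "MEDIUM"},
         "EXPORT": {"ALL", "DEFAULT"},
         "DHE": {"ALL", "DEFAULT", "HIGH", "MEDIUM"}}
# Per the OpenSSL ciphers documentation these tokens select suites by protocol
# generation; they do not change which protocol versions are negotiated.
PROTOCOL_TOKENS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.2"}

def lint_ciphers(cipher_string):
    """Return the set of finding labels for one OpenSSL cipher string."""
    tokens = [t.upper() for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    banned = {t[1:] for t in tokens if t.startswith("!")}
    # "-" and "+" tokens remove or reorder suites; they never add any.
    enabled = [t for t in tokens if t[0] not in "!-+"]
    parts = {p for t in enabled for p in t.split("-")} | set(enabled)
    findings = set()
    for family, names in NAMES.items():
        if banned & names:
            continue  # "!FAMILY" removes it permanently, wherever it appears
        if parts & (names | BROAD[family]):
            findings.add(family)
    if PROTOCOL_TOKENS & {t.lstrip("!-+") for t in tokens}:
        findings.add("PROTOCOL-TOKEN")  # not a substitute for disabling SSLv3
    return findings

SAMPLES = {
    # First quoted list from the pound.cfg in this thread.
    "pound.cfg": "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:"
                 "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:"
                 "KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
                 "EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA",
    # Cipher list suggested in the reply.
    "suggested": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:"
                 "ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH",
    # Constructed for this example: explicit suites plus permanent exclusions.
    "constructed": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:"
                   "!RC4:!EXPORT:!EDH:!aNULL",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, sorted(lint_ciphers(value)) or "no findings")
```

A clean result here only covers the cipher string; the protocol versions the listener accepts and the DH parameters compiled into the build have to be checked separately, for example by re-running the ssllabs test.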
