Because the CBC3 indicates it's 3DES, not DES.

https://community.qualys.com/thread/15817

Joe

On Dec 12, 2017, at 4:11 PM, Brad Allison <brad.alli...@gmail.com> wrote:

Here's my Ciphers in pound.cfg:

 Ciphers "ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM"

Then I do an sslscan on the pound server and save the data to /tmp/sslscan.out.

First I check for MD5:

brad.allison@devops-west:/usr/local/devops/bin> grep MD5 /tmp/sslscan.out | wc -l
0

Then I check for RC4:

brad.allison@devops-west:/usr/local/devops/bin> grep RC4 /tmp/sslscan.out | wc -l
0

Then I check for DES:

brad.allison@devops-west:/usr/local/devops/bin> grep DES /tmp/sslscan.out | wc -l
6

brad.allison@devops-west:/usr/local/devops/bin> grep DES /tmp/sslscan.out
    Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
    Accepted  TLS11  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLS11  112 bits  DES-CBC3-SHA
    Accepted  TLS12  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLS12  112 bits  DES-CBC3-SHA


So why is it allowing DES support when I have !DES in my Ciphers list?

-brad
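
Added example (not part of the original thread): every suite in the scan above is a DES-CBC3 name, which is how OpenSSL labels 3DES; that family has its own cipher-string keyword, `3DES`, so `!DES` does not exclude it, while `grep DES` matches both families. The shell functions below split saved sslscan output into single DES and 3DES. They assume the five-column line format shown above; `sample_scan`, `count_des_families` and `list_3des` are hypothetical names and the sample lines are constructed.

```sh
#!/bin/sh
# Constructed sample in the sslscan line format quoted in the thread.
# The single-DES and Rejected lines are made up for contrast.
sample_scan() {
cat <<'EOF'
    Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  112 bits  DES-CBC3-SHA
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
EOF
}

# Reads sslscan output on stdin and prints "single_des=N triple_des=M".
# OpenSSL suite names: "DES-CBC3" is 3DES, "DES-CBC-" is single DES.
# Only suites the server actually accepted are counted.
count_des_families() {
    awk '
        $1 != "Accepted" { next }
        $5 ~ /DES-CBC3/  { tdes++; next }
        $5 ~ /DES-CBC-/  { sdes++ }
        END { printf "single_des=%d triple_des=%d\n", sdes, tdes }
    '
}

# Prints each accepted 3DES suite as "protocol suite", one per line,
# so the remaining exposure can be listed per TLS version.
list_3des() {
    awk '$1 == "Accepted" && $5 ~ /DES-CBC3/ { print $2, $5 }'
}

# A plain "grep DES" counts both families and rejected suites alike.
echo "grep -c DES: $(sample_scan | grep -c DES)"
sample_scan | count_des_families
sample_scan | list_3des
```

To check a real scan, feed the saved file on stdin, for example `count_des_families < /tmp/sslscan.out`.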
