Nevermind. I found the solution. I added !DES to the list of Ciphers to exclude and it excluded those two CBC3 based ciphers.
Ciphers "ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!3DES:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM"

On Tue, Dec 12, 2017 at 4:04 PM, Brad Allison <[email protected]> wrote:

> Here's my Ciphers in pound.cfg:
>
> Ciphers "ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM"
>
> Then I do a sslscan on the pound server and save the data to /tmp/sslscan.out,
>
> First I check for MD5:
>
> brad.allison@devops-west:/usr/local/devops/bin> grep MD5 /tmp/sslscan.out | wc -l
> 0
>
> Then I check for RC4:
>
> brad.allison@devops-west:/usr/local/devops/bin> grep RC4 /tmp/sslscan.out | wc -l
> 0
>
> Then I check for DES:
>
> brad.allison@devops-west:/usr/local/devops/bin> grep DES /tmp/sslscan.out | wc -l
> 6
>
> brad.allison@devops-west:/usr/local/devops/bin> grep DES /tmp/sslscan.out
> Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
> Accepted TLSv1 112 bits DES-CBC3-SHA
> Accepted TLS11 112 bits ECDHE-RSA-DES-CBC3-SHA
> Accepted TLS11 112 bits DES-CBC3-SHA
> Accepted TLS12 112 bits ECDHE-RSA-DES-CBC3-SHA
> Accepted TLS12 112 bits DES-CBC3-SHA
>
> So why is it allowing DES support when I have !DES in my Ciphers list?
>
> -brad
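
Added example, not part of the original thread: a shell check that compares the two Ciphers strings quoted above token by token (the second contains `!3DES`, the first does not; OpenSSL treats `DES` and `3DES` as separate keywords) and classifies accepted suites in sslscan output so that DES-CBC3 is reported as 3DES. The function names, the list of required exclusions and the sample scan lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example. OLD and NEW are the two Ciphers strings quoted in the thread;
# everything else (function names, required list, sample data) is constructed.
OLD='ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM'
NEW='ALL:!ADH:!EXPORT:!SSLv2:!aNULL:!eNULL:!3DES:!DES:!MD5:!PSK:!RC4:!DH:!LOW:+HIGH:+MEDIUM'

# Print every required '!' exclusion that is absent from a cipher string.
# Tokens are matched whole, so '!3DES' does not count as '!DES' or vice versa.
missing_exclusions() {
    missing=""
    for kw in aNULL eNULL EXPORT RC4 MD5 DES 3DES; do
        case ":$1:" in
            *":!$kw:"*) ;;                    # exact token present
            *) missing="$missing $kw" ;;
        esac
    done
    echo "${missing# }"
}

# Read sslscan output on stdin and print "family protocol suite" for each
# accepted weak suite. DES-CBC3 is tested before DES-CBC to label 3DES correctly.
weak_accepted() {
    awk '$1 == "Accepted" {
        suite = $NF; fam = ""
        if (suite ~ /DES-CBC3/)     fam = "3DES"
        else if (suite ~ /DES-CBC/) fam = "DES"
        else if (suite ~ /RC4/)     fam = "RC4"
        else if (suite ~ /MD5/)     fam = "MD5"
        if (fam != "") print fam, $2, suite
    }'
}

# Constructed sample: three lines in the format quoted above plus one AES line.
sample_scan() {
    cat <<'EOF'
Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
Accepted  TLSv1  112 bits  DES-CBC3-SHA
Accepted  TLS12  112 bits  DES-CBC3-SHA
Accepted  TLS12  256 bits  AES256-SHA
EOF
}

echo "old list lacks: $(missing_exclusions "$OLD")"
echo "new list lacks: $(missing_exclusions "$NEW")"
sample_scan | weak_accepted
```

On the server itself, `openssl ciphers -v '<cipher string>'` lists the suites a string expands to in the local OpenSSL build, which lets the list be checked before restarting Pound and rescanning.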
